OP 23 September, 2021 - 02:29 PM
(This post was last modified: 30 June, 2022 - 03:13 PM by Wispie. Edited 6 times in total.)
Synopsis:
Evasion Techniques and Breaching Defenses (PEN-300) is an advanced penetration testing course. It builds on the knowledge and techniques taught in Penetration Testing with Kali Linux, teaching students to perform advanced penetration tests against mature organizations with an established security function.
As a general rule, it will not specifically deal with the act of evading a blue team but rather focus on bypassing security mechanisms that are designed to block attacks. This course is one of the replacements for the Cracking the Perimeter (CTP) course — retired October 15, 2020.
TABLE OF CONTENTS (long list):
1 Evasion Techniques and Breaching Defenses: General Course Information
1.1 About The PEN-300 Course
1.2 Provided Material
1.2.1 PEN-300 Course Materials
1.2.2 Access to the Internal VPN Lab Network
1.2.3 The Offensive Security Student Forum
1.2.4 Live Support and RocketChat
1.2.5 OSEP Exam Attempt
1.3 Overall Strategies for Approaching the Course
1.3.1 Welcome and Course Information Emails
1.3.2 Course Materials
1.3.3 Course Exercises
1.4 About the PEN-300 VPN Labs
1.4.1 Control Panel
1.4.2 Reverts
1.4.3 Client Machines
1.4.4 Kali Virtual Machine
1.4.5 Lab Behavior and Lab Restrictions
1.5 About the OSEP Exam
1.6 Wrapping Up
2 Operating System and Programming Theory
2.1 Programming Theory
2.1.1 Programming Language Level
2.1.2 Programming Concepts
2.2 Windows Concepts
2.2.1 Windows On Windows
2.2.2 Win32 APIs
2.2.3 Windows Registry
2.3 Wrapping Up
3 Client Side Code Execution With Office
3.1 Will You Be My Dropper
3.1.1 Staged vs Non-staged Payloads
3.1.2 Building Our Droppers
3.1.2.1 Exercise
3.1.3 HTML Smuggling
3.1.3.1 Exercises
3.2 Phishing with Microsoft Office
3.2.1 Installing Microsoft Office
3.2.1.1 Exercise
3.2.2 Introduction to VBA
3.2.2.1 Exercises
3.2.3 Let PowerShell Help Us
3.2.3.1 Exercises
3.3 Keeping Up Appearances
3.3.1 Phishing PreTexting
3.3.2 The Old Switcheroo
3.3.2.1 Exercises
3.4 Executing Shellcode in Word Memory
3.4.1 Calling Win32 APIs from VBA
3.4.1.1 Exercises
3.4.2 VBA Shellcode Runner
3.4.2.1 Exercise
3.5 PowerShell Shellcode Runner
3.5.1 Calling Win32 APIs from PowerShell
3.5.1.1 Exercises
3.5.2 Porting Shellcode Runner to PowerShell
3.5.2.1 Exercises
3.6 Keep That PowerShell in Memory
3.6.1 Add-Type Compilation
3.6.1.1 Exercises
3.6.2 Leveraging UnsafeNativeMethods
3.6.2.1 Exercises
3.6.3 DelegateType Reflection
3.6.3.1 Exercises
3.6.4 Reflection Shellcode Runner in PowerShell
3.6.4.1 Exercises
3.7 Talking To The Proxy
3.7.1 PowerShell Proxy-Aware Communication
3.7.1.1 Exercises
3.7.2 Fiddling With The User-Agent
3.7.2.1 Exercises
3.7.3 Give Me A SYSTEM Proxy
3.7.3.1 Exercise
3.8 Wrapping Up
4 Client Side Code Execution With Windows Script Host
4.1 Creating a Basic Dropper in Jscript
4.1.1 Execution of Jscript on Windows
4.1.1.1 Exercises
4.1.2 Jscript Meterpreter Dropper
4.1.2.1 Exercises
4.2 Jscript and C#
4.2.1 Introduction to Visual Studio
4.2.1.1 Exercises
4.2.2 DotNetToJscript
4.2.2.1 Exercises
4.2.3 Win32 API Calls From C#
4.2.3.1 Exercise
4.2.4 Shellcode Runner in C#
4.2.4.1 Exercise
4.2.5 Jscript Shellcode Runner
4.2.5.1 Exercises
4.2.5.2 Extra Mile
4.2.6 SharpShooter
4.2.6.1 Exercises
4.3 In-memory PowerShell Revisited
4.3.1 Reflective Load
4.3.1.1 Exercises
4.4 Wrapping Up
5 Process Injection and Migration
5.1 Finding a Home for Our Shellcode
5.1.1 Process Injection and Migration Theory
5.1.2 Process Injection in C#
5.1.2.1 Exercises
5.1.2.2 Extra Mile
5.2 DLL Injection
5.2.1 DLL Injection Theory
5.2.2 DLL Injection with C#
5.2.2.1 Exercise
5.3 Reflective DLL Injection
5.3.1 Reflective DLL Injection Theory
5.3.2 Reflective DLL Injection in PowerShell
5.3.2.1 Exercises
5.4 Process Hollowing
5.4.1 Process Hollowing Theory
5.4.2 Process Hollowing in C#
5.4.2.1 Exercises
5.5 Wrapping Up
6 Introduction to Antivirus Evasion
6.1 Antivirus Software Overview
6.2 Simulating the Target Environment
6.3 Locating Signatures in Files
6.3.1.1 Exercise
6.4 Bypassing Antivirus with Metasploit
6.4.1 Metasploit Encoders
6.4.1.1 Exercise
6.4.2 Metasploit Encryptors
6.4.2.1 Exercises
6.5 Bypassing Antivirus with C#
6.5.1 C# Shellcode Runner vs Antivirus
6.5.1.1 Exercises
6.5.2 Encrypting the C# Shellcode Runner
6.5.2.1 Exercises
6.6 Messing with Our Behavior
6.6.1 Simple Sleep Timers
6.6.1.1 Exercises
6.6.2 Non-emulated APIs
6.6.2.1 Exercises
6.7 Office Please Bypass Antivirus
6.7.1 Bypassing Antivirus in VBA
6.7.1.1 Exercises
6.7.2 Stomping On Microsoft Word
6.7.2.1 Exercises
6.8 Hiding PowerShell Inside VBA
6.8.1 Detection of PowerShell Shellcode Runner
6.8.1.1 Exercises
6.8.2 Dechaining with WMI
6.8.2.1 Exercises
6.8.3 Obfuscating VBA
6.8.3.1 Exercises
6.8.3.2 Extra Mile Exercise
6.9 Wrapping Up
7 Advanced Antivirus Evasion
7.1 Intel Architecture and Windows 10
7.1.1 WinDbg Introduction
7.1.1.1 Exercises
7.2 Antimalware Scan Interface
7.2.1 Understanding AMSI
7.2.2 Hooking with Frida
7.2.2.1 Exercises
7.3 Bypassing AMSI With Reflection in PowerShell
7.3.1 What Context Mom?
7.3.1.1 Exercises
7.3.2 Attacking Initialization
7.3.2.1 Exercise
7.4 Wrecking AMSI in PowerShell
7.4.1 Understanding the Assembly Flow
7.4.1.1 Exercises
7.4.2 Patching the Internals
7.4.2.1 Exercises
7.4.2.2 Extra Mile Exercise
7.5 UAC Bypass vs Microsoft Defender
7.5.1 FodHelper UAC Bypass
7.5.1.1 Exercises
7.5.2 Improving Fodhelper
7.5.2.1 Exercises
7.6 Bypassing AMSI in JScript
7.6.1 Detecting the AMSI API Flow
7.6.1.1 Exercise
7.6.2 Is That Your Registry Key?
7.6.2.1 Exercises
7.6.3 I Am My Own Executable
7.6.3.1 Exercises
7.7 Wrapping Up
8 Application Whitelisting
8.1 Application Whitelisting Theory and Setup
8.1.1 Application Whitelisting Theory
8.1.2 AppLocker Setup and Rules
8.1.2.1 Exercises
8.2 Basic Bypasses
8.2.1 Trusted Folders
8.2.1.1 Exercises
8.2.2 Bypass With DLLs
8.2.2.1 Exercises
8.2.2.2 Extra Mile
8.2.3 Alternate Data Streams
8.2.3.1 Exercises
8.2.4 Third Party Execution
8.2.4.1 Exercise
8.3 Bypassing AppLocker with PowerShell
8.3.1 PowerShell Constrained Language Mode
8.3.1.1 Exercises
8.3.2 Custom Runspaces
8.3.2.1 Exercises
8.3.3 PowerShell CLM Bypass
8.3.3.1 Exercises
8.3.4 Reflective Injection Returns
8.3.4.1 Exercise
8.4 Bypassing AppLocker with C#
8.4.1 Locating a Target
8.4.2 Reverse Engineering for Load
8.4.2.1 Exercises
8.4.3 Give Me Code Exec
8.4.3.1 Exercise
8.4.4 Invoking the Target Part 1
8.4.4.1 Exercises
8.4.5 Invoking the Target Part 2
8.4.5.1 Exercises
8.4.5.2 Extra Mile
8.5 Bypassing AppLocker with JScript
8.5.1 JScript and MSHTA
8.5.1.1 Exercises
8.5.2 XSL Transform
8.5.2.1 Exercises
8.5.2.2 Extra Mile
8.6 Wrapping Up
9 Bypassing Network Filters
9.1 DNS Filters
9.1.1.1 Exercises
9.1.2 Dealing with DNS Filters
9.1.2.1 Exercise
9.2 Web Proxies
9.2.1 Bypassing Web Proxies
9.2.1.1 Exercises
9.3 IDS and IPS Sensors
9.3.1 Case Study: Bypassing Norton HIPS with Custom Certificates
9.3.1.1 Exercises
9.4 Full Packet Capture Devices
9.5 HTTPS Inspection ....................................................................................................................... 337
9.6 Domain Fronting ......................................................................................................................... 338
9.6.1 Domain Fronting with Azure CDN ....................................................................................... 345
9.6.1.1 Exercise ........................................................................................................................... 358
9.6.1.2 Extra Mile ........................................................................................................................ 359
9.6.2 Domain Fronting in the Lab .................................................................................................. 359
9.6.2.1 Exercises ........................................................................................................................ 364
9.6.2.2 Extra Mile ........................................................................................................................ 364
9.7 DNS Tunneling ............................................................................................................................ 364
9.7.1 How DNS Tunneling Works .................................................................................................. 364
9.7.2 DNS Tunneling with dnscat2 ............................................................................................... 366
9.7.2.1 Exercises ........................................................................................................................ 371
9.8 Wrapping Up ................................................................................................................................ 371
10 Linux Post-Exploitation .................................................................................................................... 372
10.1 User Configuration Files ............................................................................................................ 372
10.1.1 VIM Config Simple Backdoor .......................................................................................... 373
10.1.1.1 Exercises ........................................................................................................................ 377
10.1.1.2 Extra Mile ........................................................................................................................ 377
10.1.2 VIM Config Simple Keylogger ......................................................................................... 377
10.1.2.1 Exercises ........................................................................................................................ 380
10.2 Bypassing AV ............................................................................................................................... 380
10.2.1 Kaspersky Endpoint Security .......................................................................................... 380
10.2.2 Antiscan.me ........................................................................................................................ 387
10.2.2.1 Exercises ........................................................................................................................ 393
10.2.2.2 Extra Mile ........................................................................................................................ 393
10.3 Shared Libraries .......................................................................................................................... 394
10.3.1 How Shared Libraries Work on Linux ............................................................................ 394
10.3.2 Shared Library Hijacking via LD_LIBRARY_PATH ....................................................... 395
10.3.2.1 Exercises ........................................................................................................................ 401
10.3.2.2 Extra Mile ........................................................................................................................ 402
10.3.3 Exploitation via LD_PRELOAD ......................................................................................... 402
10.3.3.1 Exercises ........................................................................................................................ 407
10.4 Wrapping Up ................................................................................................................................ 407
11 Kiosk Breakouts ................................................................................................................................ 408
11.1 Kiosk Enumeration ..................................................................................................................... 408
11.1.1 Kiosk Browser Enumeration ............................................................................................ 411
11.1.1.1 Exercises ........................................................................................................................ 414
11.2 Command Execution ................................................................................................................. 414
11.2.1 Exploring the Filesystem .................................................................................................. 415
11.2.2 Leveraging Firefox Profiles .............................................................................................. 420
11.2.3 Enumerating System Information .................................................................................. 422
11.2.4 Scratching the Surface ..................................................................................................... 426
11.2.4.1 Exercises ........................................................................................................................ 430
11.2.4.2 Extra Mile ........................................................................................................................ 430
11.3 Post-Exploitation ......................................................................................................................... 430
11.3.1 Simulating an Interactive Shell ....................................................................................... 430
11.3.1.1 Exercises ........................................................................................................................ 432
11.3.1.2 Extra Mile ........................................................................................................................ 432
11.4 Privilege Escalation .................................................................................................................... 432
11.4.1 Thinking Outside the Box ................................................................................................. 434
11.4.2 Root Shell at the Top of the Hour ................................................................................... 440
11.4.3 Getting Root Terminal Access ........................................................................................ 443
11.4.3.1 Exercises ........................................................................................................................ 447
11.5 Windows Kiosk Breakout Techniques .................................................................................... 447
11.5.1.1 Exercises ........................................................................................................................ 456
11.6 Wrapping Up ................................................................................................................................ 457
12 Windows Credentials ....................................................................................................................... 458
12.1 Local Windows Credentials ...................................................................................................... 458
12.1.1 SAM Database ................................................................................................................... 458
12.1.1.1 Exercises ........................................................................................................................ 462
12.1.2 Hardening the Local Administrator Account ................................................................ 462
12.1.2.1 Exercises ........................................................................................................................ 465
12.2 Access Tokens ............................................................................................................................ 466
12.2.1 Access Token Theory ....................................................................................................... 466
12.2.1.1 Exercise ........................................................................................................................... 469
12.2.2 Elevation with Impersonation ......................................................................................... 469
12.2.2.1 Exercises ........................................................................................................................ 484
12.2.3 Fun with Incognito ............................................................................................................. 485
12.2.3.1 Exercise ........................................................................................................................... 486
12.3 Kerberos and Domain Credentials .......................................................................................... 486
12.3.1 Kerberos Authentication .................................................................................................. 486
12.3.2 Mimikatz .............................................................................................................................. 489
12.3.2.1 Exercises ........................................................................................................................ 493
12.4 Processing Credentials Offline ................................................................................................. 493
12.4.1 Memory Dump ................................................................................................................... 493
12.4.1.1 Exercises ........................................................................................................................ 496
12.4.2 MiniDumpWriteDump ....................................................................................................... 496
12.4.2.1 Exercises ........................................................................................................................ 501
12.5 Wrapping Up ................................................................................................................................ 501
13 Windows Lateral Movement .......................................................................................................... 502
13.1 Remote Desktop Protocol ......................................................................................................... 503
13.1.1 Lateral Movement with RDP ............................................................................................ 503
13.1.1.1 Exercises ........................................................................................................................ 509
13.1.2 Reverse RDP Proxying with Metasploit ......................................................................... 509
13.1.2.1 Exercise ........................................................................................................................... 512
13.1.3 Reverse RDP Proxying with Chisel ................................................................................. 512
13.1.3.1 Exercise ........................................................................................................................... 515
13.1.4 RDP as a Console .............................................................................................................. 515
13.1.4.1 Exercise ........................................................................................................................... 517
13.1.5 Stealing Clear Text Credentials from RDP .................................................................... 517
13.1.5.1 Exercises ........................................................................................................................ 521
13.2 Fileless Lateral Movement ........................................................................................................ 521
13.2.1 Authentication and Execution Theory ........................................................................... 521
13.2.2 Implementing Fileless Lateral Movement in C# .......................................................... 523
13.2.2.1 Exercises ........................................................................................................................ 527
13.3 Wrapping Up ................................................................................................................................ 527
14 Linux Lateral Movement ................................................................................................................. 528
14.1 Lateral Movement with SSH ..................................................................................................... 528
14.1.1 SSH Keys ............................................................................................................................. 529
14.1.2 SSH Persistence ................................................................................................................ 532
14.1.2.1 Exercises ........................................................................................................................ 533
14.1.3 SSH Hijacking with ControlMaster ................................................................................. 534
14.1.4 SSH Hijacking Using SSH-Agent and SSH Agent Forwarding .................................. 536
14.1.4.1 Exercises ........................................................................................................................ 540
14.2 DevOps ......................................................................................................................................... 540
14.2.1 Introduction to Ansible ..................................................................................................... 541
14.2.2 Enumerating Ansible ......................................................................................................... 542
14.2.3 Ad-hoc Commands ........................................................................................................... 542
14.2.4 Ansible Playbooks ............................................................................................................. 543
14.2.5 Exploiting Playbooks for Ansible Credentials .............................................................. 545
14.2.6 Weak Permissions on Ansible Playbooks ..................................................................... 548
14.2.7 Sensitive Data Leakage via Ansible Modules ............................................................... 550
14.2.7.1 Exercises ........................................................................................................................ 552
14.2.8 Introduction to Artifactory ............................................................................................... 552
14.2.9 Artifactory Enumeration ................................................................................................... 555
14.2.10 Compromising Artifactory Backups .............................................................................. 556
14.2.11 Compromising Artifactory’s Database .......................................................................... 557
14.2.12 Adding a Secondary Artifactory Admin Account ......................................................... 559
14.2.12.1 Exercises .................................................................................................................... 561
14.3 Kerberos on Linux ....................................................................................................................... 561
14.3.1 General Introduction to Kerberos on Linux .................................................................. 561
14.3.2 Stealing Keytab Files ......................................................................................................... 564
14.3.2.1 Exercise ........................................................................................................................... 566
14.3.3 Attacking Using Credential Cache Files ........................................................................ 566
14.3.4 Using Kerberos with Impacket ........................................................................................ 568
14.3.4.1 Exercises ........................................................................................................................ 571
14.3.4.2 Extra Mile ........................................................................................................................ 571
14.4 Wrapping Up ................................................................................................................................ 571
15 Microsoft SQL Attacks .................................................................................................................... 572
15.1 MS SQL in Active Directory ....................................................................................................... 572
15.1.1 MS SQL Enumeration ....................................................................................................... 572
15.1.1.1 Exercise ........................................................................................................................... 574
15.1.2 MS SQL Authentication .................................................................................................... 574
15.1.2.1 Exercises ........................................................................................................................ 579
15.1.3 UNC Path Injection ............................................................................................................ 579
15.1.3.1 Exercises ........................................................................................................................ 583
15.1.4 Relay My Hash ................................................................................................................... 583
15.1.4.1 Exercises ........................................................................................................................ 586
15.2 MS SQL Escalation ..................................................................................................................... 586
15.2.1 Privilege Escalation ........................................................................................................... 586
15.2.1.1 Exercises ........................................................................................................................ 589
15.2.2 Getting Code Execution .................................................................................................... 590
15.2.2.1 Exercises ........................................................................................................................ 593
15.2.3 Custom Assemblies .......................................................................................................... 593
15.2.3.1 Exercises ........................................................................................................................ 599
15.3 Linked SQL Servers .................................................................................................................... 599
15.3.1 Follow the Link ................................................................................................................... 600
15.3.1.1 Exercises ........................................................................................................................ 603
15.3.1.2 Extra Mile ........................................................................................................................ 603
15.3.2 Come Home To Me ........................................................................................................... 603
15.3.2.1 Exercises ........................................................................................................................ 605
15.3.2.2 Extra Mile ........................................................................................................................ 605
15.4 Wrapping Up ................................................................................................................................ 605
16 Active Directory Exploitation .......................................................................................................... 606
16.1 AD Object Security Permissions .............................................................................................. 606
16.1.1 Object Permission Theory ............................................................................................... 606
16.1.1.1 Exercises ........................................................................................................................ 609
16.1.2 Abusing GenericAll ............................................................................................................ 609
16.1.2.1 Exercises ........................................................................................................................ 611
16.1.3 Abusing WriteDACL ........................................................................................................... 612
16.1.3.1 Exercises ........................................................................................................................ 614
16.1.3.2 Extra Mile ........................................................................................................................ 614
16.2 Kerberos Delegation ................................................................................................................... 614
16.2.1 Unconstrained Delegation ............................................................................................... 615
16.2.1.1 Exercise ........................................................................................................................... 621
16.2.2 I Am a Domain Controller ................................................................................................. 621
16.2.2.1 Exercises ........................................................................................................................ 625
16.2.3 Constrained Delegation .................................................................................................... 625
16.2.3.1 Exercises ........................................................................................................................ 631
16.2.4 Resource-Based Constrained Delegation ..................................................................... 631
16.2.4.1 Exercises ........................................................................................................................ 637
16.3 Active Directory Forest Theory ................................................................................................ 637
16.3.1 Active Directory Trust in a Forest ................................................................................... 638
16.3.2 Enumeration in the Forest ............................................................................................... 641
16.3.2.1 Exercises ........................................................................................................................ 644
16.4 Burning Down the Forest .......................................................................................................... 644
16.4.1 Owning the Forest with Extra SIDs ................................................................................ 644
16.4.1.1 Exercise ........................................................................................................................... 649
16.4.1.2 Extra Mile ........................................................................................................................ 650
16.4.2 Owning the Forest with Printers ..................................................................................... 650
16.4.2.1 Exercises ........................................................................................................................ 652
16.5 Going Beyond the Forest ........................................................................................................... 652
16.5.1 Active Directory Trust Between Forests ....................................................................... 653
16.5.2 Enumeration Beyond the Forest ..................................................................................... 654
16.5.2.1 Exercises ........................................................................................................................ 657
16.6 Compromising an Additional Forest ....................................................................................... 657
16.6.1 Show Me Your Extra SID .................................................................................................. 657
16.6.1.1 Exercises ........................................................................................................................ 663
16.6.2 Linked SQL Servers in the Forest ................................................................................... 663
16.6.2.1 Exercises ........................................................................................................................ 666
16.6.2.2 Extra Mile Exercise ....................................................................................................... 666
16.7 Wrapping Up ................................................................................................................................ 666
17 Combining the Pieces ...................................................................................................................... 667
17.1 Enumeration and Shell .............................................................................................................. 667
17.1.1 Initial Enumeration ............................................................................................................ 668
17.1.1.1 Exercises ........................................................................................................................ 670
17.1.2 Gaining an Initial Foothold ............................................................................................... 670
17.1.2.1 Exercises ........................................................................................................................ 675
17.1.3 Post Exploitation Enumeration ....................................................................................... 675
17.1.3.1 Exercises ........................................................................................................................ 679
17.2 Attacking Delegation .................................................................................................................. 679
17.2.1 Privilege Escalation on web01 ........................................................................................ 680
17.2.1.1 Exercises ........................................................................................................................ 685
17.2.2 Getting the Hash ................................................................................................................ 685
17.2.2.1 Exercises ........................................................................................................................ 690
17.2.3 Delegate My Ticket ............................................................................................................ 690
17.2.3.1 Exercises ........................................................................................................................ 693
17.3 Owning the Domain .................................................................................................................... 694
17.3.1 Lateral Movement ............................................................................................................. 694
17.3.1.1 Exercises ........................................................................................................................ 699
17.3.2 Becoming Domain Admin ................................................................................................ 699
17.3.2.1 Exercises ........................................................................................................................ 703
17.3.2.2 Extra Mile ........................................................................................................................ 703
17.4 Wrapping Up ................................................................................................................................ 703
18 Trying Harder: The Labs .................................................................................................................. 704
18.1 Real Life Simulations ................................................................................................................. 704
18.2 Wrapping Up ................................................................................................................................ 704
9.6.2.2 Extra Mile ........................................................................................................................ 364
9.7 DNS Tunneling ............................................................................................................................ 364
9.7.1 How DNS Tunneling Works .................................................................................................. 364
9.7.2 DNS Tunneling with dnscat2 ............................................................................................... 366
9.7.2.1 Exercises ........................................................................................................................ 371
9.8 Wrapping Up ................................................................................................................................ 371
10 Linux Post-Exploitation .................................................................................................................... 372
10.1 User Configuration Files ............................................................................................................ 372
10.1.1 VIM Config Simple Backdoor .......................................................................................... 373
10.1.1.1 Exercises ........................................................................................................................ 377
10.1.1.2 Extra Mile ........................................................................................................................ 377
10.1.2 VIM Config Simple Keylogger ......................................................................................... 377
10.1.2.1 Exercises ........................................................................................................................ 380
10.2 Bypassing AV ............................................................................................................................... 380
10.2.1 Kaspersky Endpoint Security .......................................................................................... 380
10.2.2 Antiscan.me ........................................................................................................................ 387
10.2.2.1 Exercises ........................................................................................................................ 393
10.2.2.2 Extra Mile ........................................................................................................................ 393
10.3 Shared Libraries .......................................................................................................................... 394
10.3.1 How Shared Libraries Work on Linux ............................................................................ 394
10.3.2 Shared Library Hijacking via LD_LIBRARY_PATH ....................................................... 395
10.3.2.1 Exercises ........................................................................................................................ 401
10.3.2.2 Extra Mile ........................................................................................................................ 402
10.3.3 Exploitation via LD_PRELOAD ......................................................................................... 402
10.3.3.1 Exercises ........................................................................................................................ 407
10.4 Wrapping Up ................................................................................................................................ 407
11 Kiosk Breakouts ................................................................................................................................ 408
11.1 Kiosk Enumeration ..................................................................................................................... 408
11.1.1 Kiosk Browser Enumeration ............................................................................................ 411
11.1.1.1 Exercises ........................................................................................................................ 414
11.2 Command Execution ................................................................................................................. 414
11.2.1 Exploring the Filesystem .................................................................................................. 415
11.2.2 Leveraging Firefox Profiles .............................................................................................. 420
11.2.3 Enumerating System Information .................................................................................. 422
11.2.4 Scratching the Surface ..................................................................................................... 426
11.2.4.1 Exercises ........................................................................................................................ 430
11.2.4.2 Extra Mile ........................................................................................................................ 430
11.3 Post-Exploitation ......................................................................................................................... 430
11.3.1 Simulating an Interactive Shell ....................................................................................... 430
11.3.1.1 Exercises ........................................................................................................................ 432
11.3.1.2 Extra Mile ........................................................................................................................ 432
11.4 Privilege Escalation .................................................................................................................... 432
11.4.1 Thinking Outside the Box ................................................................................................. 434
11.4.2 Root Shell at the Top of the Hour ................................................................................... 440
11.4.3 Getting Root Terminal Access ........................................................................................ 443
11.4.3.1 Exercises ........................................................................................................................ 447
11.5 Windows Kiosk Breakout Techniques .................................................................................... 447
11.5.1.1 Exercises ........................................................................................................................ 456
11.6 Wrapping Up ................................................................................................................................ 457
12 Windows Credentials ....................................................................................................................... 458
12.1 Local Windows Credentials ...................................................................................................... 458
12.1.1 SAM Database ................................................................................................................... 458
12.1.1.1 Exercises ........................................................................................................................ 462
12.1.2 Hardening the Local Administrator Account ................................................................ 462
12.1.2.1 Exercises ........................................................................................................................ 465
12.2 Access Tokens ............................................................................................................................ 466
12.2.1 Access Token Theory ....................................................................................................... 466
12.2.1.1 Exercise ........................................................................................................................... 469
12.2.2 Elevation with Impersonation ......................................................................................... 469
12.2.2.1 Exercises ........................................................................................................................ 484
12.2.3 Fun with Incognito ............................................................................................................. 485
12.2.3.1 Exercise ........................................................................................................................... 486
12.3 Kerberos and Domain Credentials .......................................................................................... 486
12.3.1 Kerberos Authentication .................................................................................................. 486
12.3.2 Mimikatz .............................................................................................................................. 489
12.3.2.1 Exercises ........................................................................................................................ 493
12.4 Processing Credentials Offline ................................................................................................. 493
12.4.1 Memory Dump ................................................................................................................... 493
12.4.1.1 Exercises ........................................................................................................................ 496
12.4.2 MiniDumpWriteDump ....................................................................................................... 496
12.4.2.1 Exercises ........................................................................................................................ 501
12.5 Wrapping Up ................................................................................................................................ 501
13 Windows Lateral Movement .......................................................................................................... 502
13.1 Remote Desktop Protocol ......................................................................................................... 503
13.1.1 Lateral Movement with RDP ............................................................................................ 503
13.1.1.1 Exercises ........................................................................................................................ 509
13.1.2 Reverse RDP Proxying with Metasploit ......................................................................... 509
13.1.2.1 Exercise ........................................................................................................................... 512
13.1.3 Reverse RDP Proxying with Chisel ................................................................................. 512
13.1.3.1 Exercise ........................................................................................................................... 515
13.1.4 RDP as a Console .............................................................................................................. 515
13.1.4.1 Exercise ........................................................................................................................... 517
13.1.5 Stealing Clear Text Credentials from RDP .................................................................... 517
13.1.5.1 Exercises ........................................................................................................................ 521
13.2 Fileless Lateral Movement ........................................................................................................ 521
13.2.1 Authentication and Execution Theory ........................................................................... 521
13.2.2 Implementing Fileless Lateral Movement in C# .......................................................... 523
13.2.2.1 Exercises ........................................................................................................................ 527
13.3 Wrapping Up ................................................................................................................................ 527
14 Linux Lateral Movement ................................................................................................................. 528
14.1 Lateral Movement with SSH ..................................................................................................... 528
14.1.1 SSH Keys ............................................................................................................................. 529
14.1.2 SSH Persistence ................................................................................................................ 532
14.1.2.1 Exercises ........................................................................................................................ 533
14.1.3 SSH Hijacking with ControlMaster ................................................................................. 534
14.1.4 SSH Hijacking Using SSH-Agent and SSH Agent Forwarding .................................. 536
14.1.4.1 Exercises ........................................................................................................................ 540
14.2 DevOps ......................................................................................................................................... 540
14.2.1 Introduction to Ansible ..................................................................................................... 541
14.2.2 Enumerating Ansible ......................................................................................................... 542
14.2.3 Ad-hoc Commands ........................................................................................................... 542
14.2.4 Ansible Playbooks ............................................................................................................. 543
14.2.5 Exploiting Playbooks for Ansible Credentials .............................................................. 545
14.2.6 Weak Permissions on Ansible Playbooks ..................................................................... 548
14.2.7 Sensitive Data Leakage via Ansible Modules ............................................................... 550
14.2.7.1 Exercises ........................................................................................................................ 552
14.2.8 Introduction to Artifactory ............................................................................................... 552
14.2.9 Artifactory Enumeration ................................................................................................... 555
14.2.10 Compromising Artifactory Backups .............................................................................. 556
14.2.11 Compromising Artifactory’s Database .......................................................................... 557
14.2.12 Adding a Secondary Artifactory Admin Account ......................................................... 559
14.2.12.1 Exercises .................................................................................................................... 561
14.3 Kerberos on Linux ....................................................................................................................... 561
14.3.1 General Introduction to Kerberos on Linux .................................................................. 561
14.3.2 Stealing Keytab Files ......................................................................................................... 564
14.3.2.1 Exercise ........................................................................................................................... 566
14.3.3 Attacking Using Credential Cache Files ........................................................................ 566
14.3.4 Using Kerberos with Impacket ........................................................................................ 568
14.3.4.1 Exercises ........................................................................................................................ 571
14.3.4.2 Extra Mile ........................................................................................................................ 571
14.4 Wrapping Up ................................................................................................................................ 571
15 Microsoft SQL Attacks .................................................................................................................... 572
15.1 MS SQL in Active Directory ....................................................................................................... 572
15.1.1 MS SQL Enumeration ....................................................................................................... 572
15.1.1.1 Exercise ........................................................................................................................... 574
15.1.2 MS SQL Authentication .................................................................................................... 574
15.1.2.1 Exercises ........................................................................................................................ 579
15.1.3 UNC Path Injection ............................................................................................................ 579
15.1.3.1 Exercises ........................................................................................................................ 583
15.1.4 Relay My Hash ................................................................................................................... 583
15.1.4.1 Exercises ........................................................................................................................ 586
15.2 MS SQL Escalation ..................................................................................................................... 586
15.2.1 Privilege Escalation ........................................................................................................... 586
15.2.1.1 Exercises ........................................................................................................................ 589
15.2.2 Getting Code Execution .................................................................................................... 590
15.2.2.1 Exercises ........................................................................................................................ 593
15.2.3 Custom Assemblies .......................................................................................................... 593
15.2.3.1 Exercises ........................................................................................................................ 599
15.3 Linked SQL Servers .................................................................................................................... 599
15.3.1 Follow the Link ................................................................................................................... 600
15.3.1.1 Exercises ........................................................................................................................ 603
15.3.1.2 Extra Mile ........................................................................................................................ 603
15.3.2 Come Home To Me ........................................................................................................... 603
15.3.2.1 Exercises ........................................................................................................................ 605
15.3.2.2 Extra Mile ........................................................................................................................ 605
15.4 Wrapping Up ................................................................................................................................ 605
16 Active Directory Exploitation .......................................................................................................... 606
16.1 AD Object Security Permissions .............................................................................................. 606
16.1.1 Object Permission Theory ............................................................................................... 606
16.1.1.1 Exercises ........................................................................................................................ 609
16.1.2 Abusing GenericAll ............................................................................................................ 609
16.1.2.1 Exercises ........................................................................................................................ 611
16.1.3 Abusing WriteDACL ........................................................................................................... 612
16.1.3.1 Exercises ........................................................................................................................ 614
16.1.3.2 Extra Mile ........................................................................................................................ 614
16.2 Kerberos Delegation ................................................................................................................... 614
16.2.1 Unconstrained Delegation ............................................................................................... 615
16.2.1.1 Exercise ........................................................................................................................... 621
16.2.2 I Am a Domain Controller ................................................................................................. 621
16.2.2.1 Exercises ........................................................................................................................ 625
16.2.3 Constrained Delegation .................................................................................................... 625
16.2.3.1 Exercises ........................................................................................................................ 631
16.2.4 Resource-Based Constrained Delegation ..................................................................... 631
16.2.4.1 Exercises ........................................................................................................................ 637
16.3 Active Directory Forest Theory ................................................................................................ 637
16.3.1 Active Directory Trust in a Forest ................................................................................... 638
16.3.2 Enumeration in the Forest ............................................................................................... 641
16.3.2.1 Exercises ........................................................................................................................ 644
16.4 Burning Down the Forest .......................................................................................................... 644
16.4.1 Owning the Forest with Extra SIDs ................................................................................ 644
16.4.1.1 Exercise ........................................................................................................................... 649
16.4.1.2 Extra Mile ........................................................................................................................ 650
16.4.2 Owning the Forest with Printers ..................................................................................... 650
16.4.2.1 Exercises ........................................................................................................................ 652
16.5 Going Beyond the Forest ........................................................................................................... 652
16.5.1 Active Directory Trust Between Forests ....................................................................... 653
16.5.2 Enumeration Beyond the Forest ..................................................................................... 654
16.5.2.1 Exercises ........................................................................................................................ 657
16.6 Compromising an Additional Forest ....................................................................................... 657
16.6.1 Show Me Your Extra SID .................................................................................................. 657
16.6.1.1 Exercises ........................................................................................................................ 663
16.6.2 Linked SQL Servers in the Forest ................................................................................... 663
16.6.2.1 Exercises ........................................................................................................................ 666
16.6.2.2 Extra Mile Exercise ....................................................................................................... 666
16.7 Wrapping Up ................................................................................................................................ 666
17 Combining the Pieces ...................................................................................................................... 667
17.1 Enumeration and Shell .............................................................................................................. 667
17.1.1 Initial Enumeration ............................................................................................................ 668
17.1.1.1 Exercises ........................................................................................................................ 670
17.1.2 Gaining an Initial Foothold ............................................................................................... 670
17.1.2.1 Exercises ........................................................................................................................ 675
17.1.3 Post Exploitation Enumeration ....................................................................................... 675
17.1.3.1 Exercises ........................................................................................................................ 679
17.2 Attacking Delegation .................................................................................................................. 679
17.2.1 Privilege Escalation on web01 ........................................................................................ 680
17.2.1.1 Exercises ........................................................................................................................ 685
17.2.2 Getting the Hash ................................................................................................................ 685
17.2.2.1 Exercises ........................................................................................................................ 690
17.2.3 Delegate My Ticket ............................................................................................................ 690
17.2.3.1 Exercises ........................................................................................................................ 693
17.3 Owning the Domain .................................................................................................................... 694
17.3.1 Lateral Movement ............................................................................................................. 694
17.3.1.1 Exercises ........................................................................................................................ 699
17.3.2 Becoming Domain Admin ................................................................................................ 699
17.3.2.1 Exercises ........................................................................................................................ 703
17.3.2.2 Extra Mile ........................................................................................................................ 703
17.4 Wrapping Up ................................................................................................................................ 703
18 Trying Harder: The Labs .................................................................................................................. 704
18.1 Real Life Simulations ................................................................................................................. 704
18.2 Wrapping Up ................................................................................................................................ 704