Standoff Student Experience – One Step Closer to the Top

Andryukha, to the horses. Possibly LPE

After gaining initial access to an employee's computer by sending a malicious attachment in an e-mail (the phishing e-mail was checked by a bot created by the organizers), the next question is how to escalate privileges in order to gain more capabilities and advance further through the corporate network. In the scenarios we played out on the host, the user held SeImpersonatePrivilege, which allows using exploits of the "Potato family" (LocalPotato, GodPotato, RottenPotato): they coerce a privileged (SYSTEM) authentication to a listener the attacker controls, impersonate the resulting token, and launch a process as SYSTEM with it. I am attaching a link where you can get more familiar with the theory, and I am also sharing the exploitation schemes.
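The first thing to check on a freshly compromised host is which token privileges it actually holds, because that decides whether the Potato family (or a different path, such as SeBackupPrivilege) applies. The following Python triage script is an added example, not code from the article: it parses a pasted `whoami /priv` dump and lists the privileges with a known escalation path. The sample output, the `ABUSABLE` table and the function names are my own constructions.

```python
"""Triage `whoami /priv` output for privileges that give a known local
privilege escalation path (added example, not code from the article).

The sample output below is constructed to mirror the situation the article
describes: a low-privileged user whose token carries SeImpersonatePrivilege.
"""
import re

# Privileges with well-known abuse paths and what each one buys an attacker.
ABUSABLE = {
    "SeImpersonatePrivilege": "Potato family (RottenPotato, GodPotato, LocalPotato): "
                              "coerce a SYSTEM authentication to a local listener and impersonate the token",
    "SeAssignPrimaryTokenPrivilege": "also used by the Potato exploits to start a new process with the stolen token",
    "SeBackupPrivilege": "read any file regardless of ACL, e.g. the SAM/SYSTEM hives or NTDS.dit",
    "SeRestorePrivilege": "write any file regardless of ACL, e.g. overwrite a service binary",
    "SeDebugPrivilege": "open any process, e.g. dump LSASS or inject into a SYSTEM process",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object, then grant yourself access",
    "SeLoadDriverPrivilege": "load a signed but vulnerable kernel driver",
}

# One row of the whoami /priv table: name, free-text description, state.
_PRIV_ROW = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")

# Constructed sample, not a real capture.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


def parse_privileges(text):
    """Return {privilege name: 'Enabled' | 'Disabled'} for every row of the table."""
    privs = {}
    for line in text.splitlines():
        m = _PRIV_ROW.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def abusable_privileges(privs):
    """List (name, state, abuse path) for every abusable privilege present.

    Presence is what matters, not the state: a privilege shown as Disabled is
    still in the token, and the process can enable it itself with
    AdjustTokenPrivileges (the Potato exploits do exactly that). Only a
    privilege missing from the table is out of reach.
    """
    return [(name, privs[name], ABUSABLE[name]) for name in ABUSABLE if name in privs]


def report(text):
    """Human-readable triage summary for a pasted whoami /priv dump."""
    found = abusable_privileges(parse_privileges(text))
    if not found:
        return "no directly abusable privileges; look at services, ACLs and credentials instead"
    return "\n".join(f"{name} ({state}): {path}" for name, state, path in found)


if __name__ == "__main__":
    print(report(SAMPLE_WHOAMI_PRIV))
```

Run it with the output of `whoami /priv` from the beacon or shell on the host; the point of the `Disabled` note is that beginners often dismiss a privilege because of its state, when the exploit simply enables it.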

That's where we need to go next: forwarding ports and finding ways to move around the network.

After escalating privileges and gaining a foothold on the host, you can move on to lateral movement between hosts. This is where attacks such as Kerberoasting, AS-REP Roasting, attacks on Kerberos delegation and password spraying come into play. But before that, do not forget to forward ports for convenience. You can continue both from the compromised host and from your own machine, provided you have forwarded ports (set up a SOCKS pivot through the compromised host). The indispensable tools here are revsocks or chisel. Traffic can also be routed using the built-in capabilities of C2 frameworks.

Once the ports are forwarded, you can attack the network from your machine. The tool here is the Swiss Army knife of Active Directory testing, CrackMapExec, or its newer and more functional successor NetExec. If you work directly from the employee's host, Rubeus, used for post-exploitation, comes to the rescue.
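Kerberoasting and AS-REP Roasting, mentioned above, end in an offline cracking step (described in the next section), and the first thing that step needs is the right hashcat mode for each hash: RC4 (etype 23) tickets crack orders of magnitude faster than AES (etype 17/18) ones, so they should go first. The following Python script is an added example, not code from the article or from Impacket: it picks the hash lines out of GetUserSPNs.py/GetNPUsers.py-style output, groups them by hashcat mode and builds the command line for each batch. The sample output, user names, realm and hex blobs are constructed placeholders, and the mode table is limited to the modes I am certain of (check `hashcat --help` on your build).

```python
"""Sort Kerberoast / AS-REP roast output into hashcat batches (added example,
not code from the article).

The Impacket-style output below is constructed: the users, realm and hex
blobs are placeholders, not real captures.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# hashcat -m values for the Kerberos 5 formats. Check `hashcat --help` on your
# build; the newer AES AS-REP modes are deliberately left out here.
HASHCAT_MODES = {
    ("tgs", 23): 13100,    # TGS-REP, RC4-HMAC: fast to crack, run first
    ("tgs", 17): 19600,    # TGS-REP, AES128-CTS-HMAC-SHA1-96
    ("tgs", 18): 19700,    # TGS-REP, AES256-CTS-HMAC-SHA1-96
    ("asrep", 23): 18200,  # AS-REP, RC4-HMAC
}

# The layouts Impacket (GetUserSPNs.py / GetNPUsers.py) prints and hashcat reads.
_PATTERNS = [
    re.compile(r"^\$krb5tgs\$(?P<etype>23)\$\*(?P<user>[^$*]+)\$(?P<realm>[^$]+)\$"),
    re.compile(r"^\$krb5tgs\$(?P<etype>1[78])\$(?P<user>[^$]+)\$(?P<realm>[^$]+)\$"),
    re.compile(r"^\$krb5asrep\$(?P<etype>23)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"),
]

# Constructed sample output, not a real capture.
SAMPLE_OUTPUT = """\
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for jdoe
$krb5tgs$23$*svc_sql$CORP.LOCAL$CORP.LOCAL/svc_sql*$1c0a7d9e3f2b4c5d6e7f8091a2b3c4d5$aabbccdd00112233
$krb5tgs$18$svc_backup$CORP.LOCAL$*MSSQLSvc/db01.corp.local:1433*$0f1e2d3c4b5a69788796a5b4c3d2e1f0$ffeeddcc
$krb5asrep$23$tmartin@CORP.LOCAL:9a8b7c6d5e4f30211a2b3c4d5e6f7081$11223344aabbccdd
"""


@dataclass(frozen=True)
class RoastHash:
    kind: str    # "tgs" (Kerberoast) or "asrep" (AS-REP roast)
    etype: int   # Kerberos encryption type from the hash prefix
    user: str
    realm: str
    raw: str

    @property
    def hashcat_mode(self):
        """hashcat -m for this hash, or None if the etype is not in the table."""
        return HASHCAT_MODES.get((self.kind, self.etype))


def parse_roast_hashes(text):
    """Pick the hash lines out of tool output; banners and status lines are skipped."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        for pat in _PATTERNS:
            m = pat.match(line)
            if m:
                kind = "asrep" if line.startswith("$krb5asrep$") else "tgs"
                found.append(RoastHash(kind, int(m["etype"]), m["user"], m["realm"], line))
                break
    return found


def _priority(mode):
    # RC4 batches first (cheapest per guess), then AES, then anything unknown.
    if mode is None:
        return 2
    return 0 if mode in (13100, 18200) else 1


def batches_by_mode(hashes):
    """Group hashes by hashcat mode, ordered so the quickest wins come first.

    hashcat accepts one mode per run, so each group becomes its own input file.
    """
    groups = defaultdict(list)
    for h in hashes:
        groups[h.hashcat_mode].append(h)
    return dict(sorted(groups.items(), key=lambda kv: (_priority(kv[0]), kv[0] or 0)))


def hashcat_command(mode, hashfile, wordlist="rockyou.txt"):
    """Straight-dictionary attack line for one batch."""
    return f"hashcat -m {mode} -a 0 {hashfile} {wordlist}"


if __name__ == "__main__":
    for mode, group in batches_by_mode(parse_roast_hashes(SAMPLE_OUTPUT)).items():
        users = ", ".join(h.user for h in group)
        print(f"{hashcat_command(mode, f'krb_{mode}.txt')}   # {users}")
```

Pipe the raw tool output into `parse_roast_hashes`, write each group to its own file and run the printed commands in order; a hash whose mode comes back as `None` needs a manual look rather than a guessed `-m`.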

Lateral movement across the network

After we have obtained a Kerberos ticket and successfully cracked it offline, the plaintext password is at our disposal. Then we can move around using various tools, depending on whether the user has the necessary privileges on the target hosts. The most convenient way to connect is via RDP using utilities such as rdesktop, xfreerdp and others. For an interactive shell there is Evil-WinRM. The remaining remote execution tools (smbexec, psexec, dcomexec) are collected in the Impacket package, which also offers wide functionality compared with CrackMapExec. There is an excellent article about lateral movement in Hacker magazine by the amazing s0i37.

Conclusion

This article is technical in nature and helps outline, for beginners, the areas of knowledge that may be relevant and applicable in the competition. All the utilities and techniques given in the article are a baseline for a beginner.

As part of the All-Russian Student Cyberbattle, you can try to complete your own kill chain and, what's nice, even practice phishing.

In real life, the actions above help bring about unacceptable events such as document leakage or gaining access to the computer of the chief accountant or director. Within the cyber exercises, this is only one of hundreds or even thousands of possible attack scenarios.

It is impossible to fit the entire spectrum of knowledge, techniques, tools and training articles into one scenario; a large collection of materials is available in our company's Telegram channel. All relevant information is published there for both red and blue teams.

You can practice your skills on the platforms Standoff365 and HackTheBox.

We hope that this article inspires the dear reader to get closer to their cherished goal (everyone has their own). Perhaps it is being read by today's student and tomorrow's winner. A Standoff winner, a future CISO, a lead engineer or the creator of their own product: all of these are great victories that begin with events like this.

We wish everyone professional success, interesting cases and cool research!
