Search Results
98 total results found
Persistence through Credentials
Congratulations weary traveler! After breaching AD, performing enumeration, and exploiting it all the way to the top (if you have done these AD networks in order), you have finally made it to the tavern of persistence. The hard work is over and it is now time ...
La Focaccia
[!info] This recipe makes a small focaccia. Allow roughly 5 to 6 hours in a warm room at +25°C (or use a proofing box / an oven). Ingredients: 300g T65 wheat flour, 257g water, 6g salt, 5g yeast, 1 tsp sugar ...
Persistence through Tickets
As discussed in the previous tasks, we often want to persist through service accounts with delegation permissions to forge silver and golden tickets. But what are those exactly, and why does every blue team tabletop exercise end with someone shouting: "Flush a...
Persistence through Certificates
A quick note here. The techniques discussed from this point forward are incredibly invasive and hard to remove. Even if you have signoff on your red team exercise to perform these techniques, you must take the utmost caution when performing these techniques. I...
Persistence through SID History
The Security IDentifiers (SIDs) have been discussed before. But for a recap, SIDs are used to track the security principal and the account's access when connecting to resources. There is, however, an interesting attribute on accounts called the SID history. T...
Persistence through Group Membership
If we don't want to tamper with SID histories, we can just add ourselves directly to AD groups for persistence. While SID history is a great persistence technique, credential rotation and cleanup can still remove our persistence. In certain cases, it may be be...
Persistence through ACLs
Sometimes, we need more than just persisting to normal AD groups. What if we want to persist to all protected groups simultaneously? Persisting through AD Group Templates While we can just add an account we control to every single privileged group we can fin...
Persistence through GPOs
The last persistence technique we will review is persistence through Group Policy Objects (GPOs). At this point, you should be familiar with GPOs based on all the different enumeration, attack, and exploitation techniques we have discussed. However, GPOs are a...
Conclusion
There are several different ways that we can persist in AD. Some of these techniques persist better than others. In order to ensure that your persistence cannot be removed by the blue team, you will have to think creatively about your persistence. Furthermore,...
Credential Access
Credential Access Credential access is where adversaries may find credentials in compromised systems and gain access to user credentials. It helps adversaries to reuse them or impersonate the identity of a user. This is an important step for lateral movement ...
Local Windows Credentials
In general, Windows operating system provides two types of user accounts: Local and Domain. Local users' details are stored locally within the Windows file system, while domain users' details are stored in the centralized Active Directory. This task discusses ...
Local Security Authority Subsystem Service (LSASS)
What is the LSASS? Local Security Authority Subsystem Service (LSASS) is a Windows process that handles the operating system security policy and enforces it on a system. It verifies logged-in accounts and ensures passwords, hashes, and Kerberos tickets. Windows ...
Windows Credential Manager
This task introduces the Windows Credential Manager and discusses the technique used for dumping system credentials by exploiting it. What is Credentials Manager? Credential Manager is a Windows feature that stores logon-sensitive information for websites, a...
Domain Controller
This task discusses the required steps to dump Domain Controller Hashes locally and remotely. NTDS Domain Controller New Technologies Directory Services (NTDS) is a database containing all Active Directory data, including objects, attributes, credentials, et...
Local Administrator Password Solution (LAPS)
This task discusses how to enumerate and obtain a local administrator password within the Active Directory environment if a LAPS feature is configured and enabled. Group Policy Preferences (GPP) A Windows OS has a built-in Administrator account which can be ...
Other Attacks
In the previous tasks, the assumption is that we already had initial access to a system and were trying to obtain credentials from memory or various files within the Windows operating system. In other scenarios, it is possible to perform attacks in a victim ne...
Conclusion
Recap In this room, we discussed the various approaches to obtaining users' credentials, including the local computer and Domain Controller, which conclude the following: We discussed accessing Windows memory, dumping an LSASS process, and extracting authe...
GDB
Since I wasn't really convinced by the TryHackMe course, I dug around elsewhere. In any case, everything starts with gdb: $ gdb <program> to exploit GNU gdb (Debian 16.3-5) 16.3 Copyright (C) 2024 Free Software Foundation, Inc. License GPLv3+: GNU GPL ...
Function HiJack
To redirect execution to a function, we need: the function's address, the padding size, and the length of the address to inject. Getting the function's address: in GDB, to retrieve the function's address: disassemble <function name> :...
ShellCode Injection
For shellcode injection, the steps are fairly similar to function hijacking. To redirect execution to a function, we need: the padding size, the length of the address to inject, a working shellcode, the padding address, R...