Thursday, May 17, 2018

Gaining a foothold: Using Responder to capture NTLMv2 Hashes and cracking with John the Ripper

Recently, I finally got my new home lab set up and I figured it was time to start documenting some tools that are used quite often within penetration testing.

Today I am going to demonstrate how to run Responder in its most basic form, capture an NTLMv2 Hash and cracking it with John the Ripper. While this will not be an exhaustive list and showing all the possible examples (there are many blog posts out there that do), I will just be demonstrating how this can be done at its simplest form. It is up to you to decide how far you want to go with this information.


Wednesday, May 2, 2018

Running an Obfuscated version of Mimikatz in Memory to bypass AntiVirus and other host based controls

About

The other day I was part of an engagement that required a post exploitation (already obtained administrative access to the system) of the target system and steal credentials. There are many posts online that have done this and I will be referencing them as we go. This is just a supplement to everything else out there.

Mimikatz is a tool that collects credentials, including cleartext passwords, Lan manager hashes, Kerberos tickets and a number of other items. This post is to leverage Mimikatz, but instead of downloading the binary to the targets disk and jeopardizing AntiVirus to trip, or other host based controls stopping us, we will download the script directly in memory and run it without ever touching disk.

Additionally, there are a few obfuscation techniques that can be used with simple Linux fu to help generate this "custom" version of Mimikatz to help bypass AV. Lastly, there is another technique to help obfuscate the actual powershell command that calls the download to run the exploit.


Tuesday, April 24, 2018

Privilege Escalation thru CyberArk Viewfinity

A while ago I encountered a bug within Viewfinity 5.5 (5.5.10.95). Viewfinity is a product owned by CyberArk that provides Endpoint Privilege Management. It bolsters administrator's ability to control user privileges on corporate desktops. Below is a use case in which I was able to elevate privileges from a normal user to Admin through this product.

Step 1: Verify you are a low privilege user by running the command "net session". Net session displays information about all sessions within the local computer. The user will get Access is denied if they do not have Administrator privileges.


Thursday, October 5, 2017

RickdiculouslyEasy: 1 - Walkthrough

It has been a long time since I've last posted anything off of Vulnhub. To be honest, I just haven't had too much time to dive into any of these VM's. However, g0tmi1k released a ton of new VM's so I wanted to check them out. One of which is was RickdiculouslyEasy: 1 made by Luke.

This VM is based off the tv show Rick and Morty. I, myself, am a fan of this show so I had to check it out. It turned out to be quite easy but I still had fun solving it. Below is my walkthrough on capturing all of the flags.