Post by xtr4nge on Feb 22, 2017 9:56:25 GMT
Original: GitHub: FruityC2-Pass-The-Hash
On this tutorial, we will see how to jump from a Local admin (john) to a Domain admin (Administrator) using Pass-The-Hash (Mimikatz).
Every time that credentials and hashes are dumped using inbuilt commands on FruityC2, these remains stored in the Credentials section.
These Credentials will be available for all the Team members connected to FruityC2.
In this example, Iām interacting with an agent running as a Local admin (john) on WSTATION-A.
We can execute a ping to the DC server just to confirm that is available. This server is the domain controller on my Lab network.
Command: `shell ping dc`
I tried to list the files on **\\\\DC\C$**, but this user is just a Local admin for WSTATION-A, and does not have any privileges on the network, so, It cannot list the files.
Command: `ls \\DC\C$`
But, john is a Local admin on WSTATION-A, so we can execute **Mimikatz** to dump credentials and hashes, to then, see if there is any credentials that we can use on the network.
You can see in the image that Mimikatz was successfully executed.
Command: `mimikatz`
After dumping the credentials with Mimikatz and/or hashdump (you needs elevated privileges to run these commands), the credentials will be stored in FruityC2.
If you open Credentials from the main menu, you will see all of them.
We can see in the list that we have the password/hash for a user called Administrator, for the domain THEXCOMPANY (the domain on the Lab network),
yes ok, we also have the password (x.123456), but for this example we will use the hash.
If you click on the hash (Credentials/Password window), FruityC2 will populate ā**Command >_**ā input with all the values required to execute PTH using Mimikatz.
Command: `mimikatz sekurlsa::pth /user:USER /domain:DOMAIN /ntlm:HASH`
After the command is executed, we get the **PID** of the created process as THEXCOMPANY\Administrator, for this example, the PID is 5520.
Using `steal_token` and the PID obtained from the previous command, we can impersonate the user Administrator.
Command: `steal_token 5520`
So lets try again listing the files on **\\\\DC\C$** ā¦
Command: `ls \\DC\C$`
**Success!** We can now interact with the DC server as Domain Admin (THEXCOMPANY\Administrator user).
Use `revtoself` command to reverse token privileges to the original state (user john).
Command: `revtoself`