Persistence through Credentials

Together with your low-privileged credentials, you will be provided with Domain Administrator credentials. What luck! When discussing persistence techniques, you will use the privileged credentials to perform the persistence technique on your low-privileged credential set. Make a note of the following DA account:

Username: Administrator

Password: tryhackmewouldnotguess1@

Domain: ZA


Not All Credentials Are Created Equal

We would usually search for privileged credentials, such as members of the Domain Admins group. However, these are also the credentials that will be rotated first (a blue team term meaning to reset the account's password), and if they were, we would lose access.

The goal is to persist with near-privileged credentials. We don't always need the full keys to the kingdom; we just need enough keys to ensure we can still achieve goal execution. We should attempt to persist through credentials such as the following:

  • Credentials that have local administrator rights on several machines

  • Service accounts that have delegation permissions

  • Accounts used for privileged AD services: If we compromise accounts of privileged services such as Exchange, Windows Server Update Services (WSUS), or System Center Configuration Manager (SCCM), we could leverage AD exploitation to once again gain a privileged foothold.


DCSync All

I previously explained DCSync over here.

But instead of one account, we want to DCSync every single account. To do this, we will have to enable logging in Mimikatz so the output is written to a file.

  • SSH into the DA account

  • Launch Mimikatz and enable logging

  • DCSync with the /all flag

The file should be output and then downloaded to the attacker machine. Usually transferring this to the attacker machine would be no problem, but the file is so big that it gets corrupted; I can't transfer it without it being corrupted. So I just used secretsdump to remotely dump all the hashes from the parent domain with the -use-vss flag.

But that one was the parent domain; we want the hash of the krbtgt user on the child domain. This time I dumped without VSS.
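From the blue team side, a DCSync (single account or /all) is a directory replication request, so it shows up as Windows Security event 4662 with the replication extended rights in the Properties field. The following detection sketch is an added example and not part of the original walkthrough; the two GUIDs are the Microsoft-documented replication rights, while the allowlist, account names and event records are constructed for illustration.

```python
# Added example: flag DCSync-style replication requests in event 4662 records.
# A DCSync needs the "Replicating Directory Changes (All)" control access right on
# the domain object. Domain controllers and approved sync accounts use it routinely;
# any other principal doing so is worth an alert.
from dataclasses import dataclass

# Extended-rights GUIDs for directory replication (documented by Microsoft).
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL}

# Hypothetical allowlist: DC computer accounts plus approved sync accounts.
# Adjust to the real environment; the names here are constructed.
APPROVED_REPLICATORS = {"za\\dc01$", "za\\svc_aadsync"}

CONTROL_ACCESS = 0x100  # AccessMask bit for "Control Access" (extended right)


@dataclass
class Event4662:
    subject: str      # DOMAIN\user that performed the access
    object_type: str  # schema class of the accessed object, e.g. domainDNS
    properties: str   # GUID list as logged in the event's Properties field
    access_mask: int  # e.g. 0x100 for Control Access


def requested_guids(properties: str) -> set:
    """Normalise the free-form Properties field into a set of lowercase GUIDs."""
    tokens = properties.replace(";", " ").replace("\t", " ").split()
    return {t.strip("{}").lower() for t in tokens if t.startswith("{")}


def is_dcsync_attempt(ev: Event4662) -> bool:
    """True when a non-approved principal exercised a replication right."""
    if not ev.access_mask & CONTROL_ACCESS:
        return False
    if not requested_guids(ev.properties) & REPLICATION_GUIDS:
        return False
    return ev.subject.lower() not in APPROVED_REPLICATORS


def find_dcsync(events) -> list:
    """Return the subjects of all events that look like DCSync activity."""
    return [ev.subject for ev in events if is_dcsync_attempt(ev)]


# Constructed sample events (not real logs): a DC replicating, a low-privileged
# user pulling both replication rights, and a benign property read.
SAMPLE_EVENTS = [
    Event4662("ZA\\DC01$", "domainDNS", "%%7688\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}", 0x100),
    Event4662("ZA\\low.priv", "domainDNS",
              "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}", 0x100),
    Event4662("ZA\\low.priv", "user", "%%7685\n\t{bf967a86-0de6-11d0-a285-00aa003049e2}", 0x10),
]
```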

VSS

Volume Shadow Copy Service (VSS) is a Windows feature that creates snapshots (backups) of files and volumes, even when they are in use. It allows Windows to make consistent backups without interrupting running applications.
