Running Implants
In this case, the bypassuac_eventvwr implant is used to escalate privileges from ring 3 (user-land privileges) to SYSTEM. To use an implant, execute the following command:
use implant/elevate/bypassuac_eventvwr
The active module has now changed from the stager to the implant and, just as we did when configuring the stager, we need to configure the implant before executing it.
We can find the options by executing the following command:
info
This will show two options that need to be configured for a successful implant execution: PAYLOAD and ZOMBIE. To set up the payload, execute the following command:
set payload 0
The question here is, why did we set the payload to 0? To understand this, we need to look at the output of the listeners command:
listeners
The listeners command lists all the running stagers. So, when the payload is set to 0, the payload uses the stager with ID 0; that is, the MSHTA stager delivers the implant to the zombie for execution.
The implant is now ready to be executed on the target system:
run
At the time of execution, a new connection with elevated privileges is created as zombie ID 2. Looking at the information for the elevated connection, the * in the user field clearly shows that the privileges were escalated. The same marker appears on the ID as well.
We can either use an implant for dumping hashes or we can use mimikatz. Koadic supports mimikatz by injecting the DLL directly into memory. To use mimikatz, run the following command:
use implant/inject/mimikatz_dynwrapx
You can run it directly without changing any settings:
run
By running the implant, we were able to fetch the NTLM hashes, which can then be used for pivoting.
To execute a command on a zombie, we can use the exec_cmd implant, which is selected with the following command:
use implant/manage/exec_cmd
The CMD option is the command that you want to execute. This implant executes the command and saves the result in a file stored in the %TEMP% directory (as mentioned in the implant settings). We can change the directory, but make sure the directory is writable.
In this case, we will be executing a command to get the list of users on the system by setting cmd to net user:
set cmd "net user"
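From the defender's side, the steps above leave a recognizable process tree. The following is an added example, not code from the original text or from Koadic: it applies three heuristics to constructed process-creation events (Sysmon Event ID 1 style fields). The rule names, the sample events and the exact shape of the redirect in the cmd.exe command line are assumptions.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Constructed process-creation events (Sysmon Event ID 1 style fields).
# The cmd.exe redirect shape in event 2 is an assumption, not captured output.
EVENTS = [
    {"Image": r"C:\Windows\System32\mmc.exe",
     "ParentImage": r"C:\Windows\System32\eventvwr.exe",
     "CommandLine": r"mmc.exe C:\Windows\System32\eventvwr.msc"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\eventvwr.exe",
     "CommandLine": r"mshta.exe <constructed-placeholder>"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"cmd.exe /c net user 1> C:\Users\bob\AppData\Local\Temp\out.txt 2>&1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c dir C:\Projects > C:\Projects\listing.txt"},
]

SHELLS = {"cmd.exe", "powershell.exe"}
# stdout redirected into %TEMP% or into any ...\Temp\ directory
TEMP_REDIRECT = re.compile(r'>\s*"?(%temp%|[a-z]:\\.*\\temp\\)', re.I)


def classify(ev):
    """Return the names of the heuristics (hypothetical rule names) an event trips."""
    parent = basename(ev["ParentImage"]).lower()
    child = basename(ev["Image"]).lower()
    hits = []
    # eventvwr.exe normally starts only mmc.exe; any other child is suspect.
    if parent == "eventvwr.exe" and child != "mmc.exe":
        hits.append("eventvwr-unexpected-child")
    # An HTA host spawning a command interpreter is rare in normal use.
    if parent == "mshta.exe" and child in SHELLS:
        hits.append("mshta-spawned-shell")
    # Command output captured into a temp file, as exec_cmd is described doing.
    if child == "cmd.exe" and TEMP_REDIRECT.search(ev["CommandLine"]):
        hits.append("output-redirected-to-temp")
    return hits


def scan(events):
    """Return (index, hits) for every event that trips at least one rule."""
    results = [(i, classify(ev)) for i, ev in enumerate(events)]
    return [(i, hits) for i, hits in results if hits]


if __name__ == "__main__":
    for idx, hits in scan(EVENTS):
        print(idx, EVENTS[idx]["CommandLine"], "->", ", ".join(hits))
```

The benign events (mmc.exe under eventvwr.exe, and a redirect to a non-temp path) produce no hits, which is the baseline to tune against before alerting on these rules.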