This methodology is intended to help you stay focused and not miss anything during the exam.
{% hint style="warning" %} CRTP relies on living off the land, so there is no phishing, no exploits, and no CVEs. {% endhint %}
{% hint style="info" %} The exam environment won't include any tools, but we can add the tools we need to a specific folder in the Windows Defender exclusion settings. {% endhint %}
{% hint style="success" %} What you have learned in the course is everything you need in order to pass the exam. {% endhint %}
{% hint style="info" %} The exam goal is to execute OS commands on 5 targets, no matter what privileges the user has. {% endhint %}
- Enumerate the PowerShell language mode: #language-mode
  - If the language mode is constrained, try to bypass it using PowerShell v2 or #list-applocker-rules
- Bypass AMSI in every new PowerShell session: #amsi-bypass
  - #invisi-shell can also be used
- Check our privileges using whoami /all
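The two checks above can be combined into one snippet. This is an added example, not part of the original checklist; it reads the documented `$ExecutionContext.SessionState.LanguageMode` property and runs `whoami /all`, and it deliberately avoids .NET method calls so that it also works in a ConstrainedLanguage session, where those calls are blocked.

```powershell
# Added example (not from the original page): report the session's language
# mode and the current user's privileges in one go. Property access on
# $ExecutionContext is allowed in every language mode, so this runs even when
# the session is constrained.

$mode = $ExecutionContext.SessionState.LanguageMode
"PowerShell version : $($PSVersionTable.PSVersion)"
"Language mode      : $mode"
if ($mode -ne 'FullLanguage') {
    "Session is restricted ($mode): Add-Type and most .NET method calls will fail."
}

# whoami is an external binary, so it is unaffected by the language mode.
whoami /all
```

If the first line prints ConstrainedLanguage, note it down before doing anything else: it explains why later PowerShell tooling fails and tells you which of the checklist branches applies.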
- Use #powerup-1 and discover the vectors:
  - Unquoted Service
  - Modifiable Service File
  - Modifiable Service
- Once we are local admin, use lsass-dump.md to find other users' logons
- It is better to write down the interesting ACLs, as they might be useful later
  - BloodHound is very useful for visualizing ACLs
- Start to build up a mind map of attack paths:
  - Domain
  - Domain Controller
  - Users
  - Computers
  - Domain and Enterprise Administrators
  - OUs
  - GPOs
  - SPNs
- Understand trusts and map them between the domains
- #user-hunting - Hunt for local admin access
- delegations.md - Search for delegations
- Abusing ACLs can lead to:
  - #resource-based-delegation
  - dc-sync.md
  - security-descriptors.md
  - Reset user password
- lsass-dump.md after getting admin privileges, then move inside the domain using over-pass-the-hash.md, then spawn a PowerShell session using winrm.md
- #user-hunting - Hunt for local admin access
- trusts.md - After abusing the trust keys or the krbtgt of a trusted domain, it is possible to abuse the other forest using an Inter-Realm TGT