
high_risk

HDD-drive
User
Joined: 18.01.2024
Messages: 32
Reactions: 3
Escrow deals: 5
Hello again. I am facing a small challenge. I accessed a corporation through a GlobalProtect VPN and found a vulnerable HTTP host that allowed me to upload a webshell, so I already had access to upload new files, execute commands and browse the directories. The operating system is Windows Server 2012 and we have NT SYSTEM administrator access. The Active Directory modules are not available in PowerShell, and without domain passwords I cannot access LDAP to create new domain administrators. The Windows server does not seem to have access to the internet, only their hosts. Any suggestions for accessing through HVNC, or for being able to access the system and execute more complex attacks to reach our destination? I hope I have explained myself well.
 
Continued: through ADSI we can list LDAP users and LDAP groups and export all users with their DN and more information. I have tried to encrypt mimikatz to a base64 txt format and decrypt it on the server to an exe, but it is detected as a virus when decrypting it back to an exe. Using PowerShell commands it was possible to extract SAM and SYSTEM and download them to my server to obtain the hashes. Because I cannot prevent the tools that I have tried to upload to obtain more information from being detected, I am very limited in moving from NT SYSTEM to domain admin. Suggestions?
 
You can try to move onto a different machine, perhaps. You could put a ligolo agent on it and try to spray the hashes/password you already have to see if that user is admin on another server/machine. Plus, if you are NT AUTHORITY on that system, see if you can stop the AV service on it to get mimikatz to work: list the running services, see which one is the AV service, temporarily stop it and run mimikatz.
 
It was possible to find 5 more servers in the same range which have a connection to this server, but since I am executing PowerShell commands from the webshell and not an interactive console, lateral movement to the others has not been possible at the moment. It seems they use Kaspersky as AV, but it does not appear in the tasklist. I have disabled the firewall and Defender on the server and domain.

A curious fact is that I have observed that when employees access the GP VPN they have a connection to 4 IP ranges, but I only have one connection range to the VPN. At first I thought that some users would have more privileges than others, and I tried the GP with the credentials of the employees that I saw accessing other ranges, but I cannot access them either.

I continue like a mentally ill person, using the few hours I can afford to do this each week.
 
Even if you have a webshell, if the server has internet connectivity you can get the ligolo agent onto it from GitHub using IEX or by hosting the agent on your own VPS. Once placed, use it to connect back to your machine, add the required routes and, if 445 is enabled, try spraying the password/credential you have using crackmapexec; if that works, then try using secretsdump from impacket.

As for Kaspersky, it won't appear as Kaspersky in services. I don't recall exactly, but the service name is KL something. Check all the services in detail, see which one it is and try stopping it for your work.
 
I think the server has some rule to prevent the internet connection. Since I have disabled the firewall I rule out that option; maybe some VMware rule, or I don't know. I am sure it has internet because, although it does not ping Google or other services, it does give me the resolution of the IP of the host I am consulting, so it must have some type of block to only allow connections from the WAMP hosts hosted on it through Apache or WAMP.
 
Well, if you have connectivity inside the network, just use crackmapexec to spray the password or hash you have and see what sticks. You can dump the hashes from this machine and try those too; maybe you will have better connectivity with another server in the subnet/network you are inside.
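Added here as a defender-side example, not part of this thread or any poster's code: a small Python triage over constructed Windows event records that flags the three behaviours the replies describe (a web server process spawning PowerShell from a webshell, an AV or firewall service being stopped, and one source failing network logons against many accounts, i.e. credential spraying over 445). The event field names, the "kl"/WinDefend/MpsSvc service-name prefixes and the spray threshold are my assumptions.

```python
"""Defender-side triage of constructed Windows events for the behaviours discussed in the thread."""
from collections import defaultdict

# Assumptions (mine, not from the thread): simplified event dicts with my own field names;
# the service-name prefixes are an illustrative AV / firewall list ("kl" follows the thread's
# "KL something" hint, WinDefend and MpsSvc are Defender and Windows Firewall).
WEB_SERVER_PARENTS = {"httpd.exe", "w3wp.exe", "php-cgi.exe", "nginx.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe"}
PROTECTED_SERVICE_PREFIXES = ("kl", "windefend", "mpssvc")
SPRAY_THRESHOLD = 3  # distinct accounts failing from one source IP

# Constructed sample events (not real logs): Sysmon EID 1 (process create),
# System EID 7036 (service state change), Security EID 4625 (failed logon, type 3 = network).
SAMPLE_EVENTS = [
    {"eid": 1, "host": "WEB01", "parent": "httpd.exe", "image": "powershell.exe"},
    {"eid": 1, "host": "WEB01", "parent": "explorer.exe", "image": "powershell.exe"},
    {"eid": 7036, "host": "WEB01", "service": "MpsSvc", "state": "stopped"},
    {"eid": 7036, "host": "WEB01", "service": "Spooler", "state": "stopped"},
    {"eid": 7036, "host": "WEB01", "service": "klnagent", "state": "running"},  # constructed name
    {"eid": 4625, "host": "FS01", "src_ip": "10.0.5.17", "user": "alice", "logon_type": 3},
    {"eid": 4625, "host": "FS01", "src_ip": "10.0.5.17", "user": "bob", "logon_type": 3},
    {"eid": 4625, "host": "FS01", "src_ip": "10.0.5.17", "user": "carol", "logon_type": 3},
    {"eid": 4625, "host": "FS01", "src_ip": "10.0.9.2", "user": "dave", "logon_type": 3},
]

def webshell_spawns(events):
    """Web server process spawning a shell: the command-execution trace of a webshell."""
    return [e for e in events if e.get("eid") == 1
            and e["parent"].lower() in WEB_SERVER_PARENTS
            and e["image"].lower() in SHELL_CHILDREN]

def security_service_stops(events):
    """AV or firewall service entering the stopped state (System log EID 7036)."""
    return [e for e in events if e.get("eid") == 7036 and e["state"] == "stopped"
            and e["service"].lower().startswith(PROTECTED_SERVICE_PREFIXES)]

def spray_sources(events, threshold=SPRAY_THRESHOLD):
    """Network logon failures (EID 4625, logon type 3) for many distinct users from one source."""
    users = defaultdict(set)
    for e in events:
        if e.get("eid") == 4625 and e.get("logon_type") == 3:
            users[e["src_ip"]].add(e["user"])
    return {ip: len(u) for ip, u in users.items() if len(u) >= threshold}

def triage(events):
    """Summarise the three indicators so an analyst can pivot into the matching hosts."""
    return {"webshell": len(webshell_spawns(events)),
            "service_stop": len(security_service_stops(events)),
            "spray": spray_sources(events)}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```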