OSEP - PEN-300 - Evasion Techniques and Breaching Defenses (Offensive Security)
Category: Education
Author: Offensive Security
No description
Text Preview (First 20 pages)
Page 1

Evasion Techniques and Breaching Defenses PEN-300 v1.0 - Copyright © Offensive Security Ltd. All rights reserved.

Evasion Techniques and Breaching Defenses
Offensive Security
Page 2

Copyright © 2020 Offensive Security Ltd. All rights reserved. No part of this publication, in whole or in part, may be reproduced, copied, transferred or any other right reserved to its copyright owner, including photocopying and all other copying, any transfer or transmission using any network or other means of communication, any broadcast for distant learning, in any form or by any means such as any information storage, transmission or retrieval system, without prior written permission from the author.
Page 3

Table of Contents

1 Evasion Techniques and Breaching Defenses: General Course Information ... 16
  1.1 About The PEN-300 Course ... 16
  1.2 Provided Material ... 17
    1.2.1 PEN-300 Course Materials ... 17
    1.2.2 Access to the Internal VPN Lab Network ... 17
    1.2.3 The Offensive Security Student Forum ... 18
    1.2.4 Live Support and RocketChat ... 18
    1.2.5 OSEP Exam Attempt ... 18
  1.3 Overall Strategies for Approaching the Course ... 19
    1.3.1 Welcome and Course Information Emails ... 19
    1.3.2 Course Materials ... 19
    1.3.3 Course Exercises ... 20
  1.4 About the PEN-300 VPN Labs ... 20
    1.4.1 Control Panel ... 20
    1.4.2 Reverts ... 20
    1.4.3 Client Machines ... 21
    1.4.4 Kali Virtual Machine ... 21
    1.4.5 Lab Behavior and Lab Restrictions ... 21
  1.5 About the OSEP Exam ... 22
  1.6 Wrapping Up ... 22
2 Operating System and Programming Theory ... 23
  2.1 Programming Theory ... 23
    2.1.1 Programming Language Level ... 23
    2.1.2 Programming Concepts ... 25
  2.2 Windows Concepts ... 26
    2.2.1 Windows On Windows ... 26
    2.2.2 Win32 APIs ... 27
    2.2.3 Windows Registry ... 28
  2.3 Wrapping Up ... 29
3 Client Side Code Execution With Office ... 30
  3.1 Will You Be My Dropper ... 30
    3.1.1 Staged vs Non-staged Payloads ... 31
    3.1.2 Building Our Droppers ... 31
      3.1.2.1 Exercise ... 34
Page 4

    3.1.3 HTML Smuggling ... 34
      3.1.3.1 Exercises ... 38
  3.2 Phishing with Microsoft Office ... 38
    3.2.1 Installing Microsoft Office ... 38
      3.2.1.1 Exercise ... 40
    3.2.2 Introduction to VBA ... 40
      3.2.2.1 Exercises ... 48
    3.2.3 Let PowerShell Help Us ... 48
      3.2.3.1 Exercises ... 51
  3.3 Keeping Up Appearances ... 52
    3.3.1 Phishing PreTexting ... 52
    3.3.2 The Old Switcheroo ... 54
      3.3.2.1 Exercises ... 58
  3.4 Executing Shellcode in Word Memory ... 58
    3.4.1 Calling Win32 APIs from VBA ... 58
      3.4.1.1 Exercises ... 60
    3.4.2 VBA Shellcode Runner ... 61
      3.4.2.1 Exercise ... 66
  3.5 PowerShell Shellcode Runner ... 66
    3.5.1 Calling Win32 APIs from PowerShell ... 67
      3.5.1.1 Exercises ... 69
    3.5.2 Porting Shellcode Runner to PowerShell ... 70
      3.5.2.1 Exercises ... 73
  3.6 Keep That PowerShell in Memory ... 74
    3.6.1 Add-Type Compilation ... 74
      3.6.1.1 Exercises ... 77
    3.6.2 Leveraging UnsafeNativeMethods ... 77
      3.6.2.1 Exercises ... 85
    3.6.3 DelegateType Reflection ... 85
      3.6.3.1 Exercises ... 90
    3.6.4 Reflection Shellcode Runner in PowerShell ... 90
      3.6.4.1 Exercises ... 94
  3.7 Talking To The Proxy ... 94
    3.7.1 PowerShell Proxy-Aware Communication ... 94
      3.7.1.1 Exercises ... 96
Page 5

    3.7.2 Fiddling With The User-Agent ... 96
      3.7.2.1 Exercises ... 97
    3.7.3 Give Me A SYSTEM Proxy ... 97
      3.7.3.1 Exercise ... 101
  3.8 Wrapping Up ... 101
4 Client Side Code Execution With Windows Script Host ... 102
  4.1 Creating a Basic Dropper in Jscript ... 102
    4.1.1 Execution of Jscript on Windows ... 103
      4.1.1.1 Exercises ... 104
    4.1.2 Jscript Meterpreter Dropper ... 104
      4.1.2.1 Exercises ... 107
  4.2 Jscript and C# ... 107
    4.2.1 Introduction to Visual Studio ... 107
      4.2.1.1 Exercises ... 112
    4.2.2 DotNetToJscript ... 112
      4.2.2.1 Exercises ... 116
    4.2.3 Win32 API Calls From C# ... 117
      4.2.3.1 Exercise ... 119
    4.2.4 Shellcode Runner in C# ... 119
      4.2.4.1 Exercise ... 121
    4.2.5 Jscript Shellcode Runner ... 122
      4.2.5.1 Exercises ... 123
      4.2.5.2 Extra Mile ... 123
    4.2.6 SharpShooter ... 123
      4.2.6.1 Exercises ... 125
  4.3 In-memory PowerShell Revisited ... 125
    4.3.1 Reflective Load ... 125
      4.3.1.1 Exercises ... 129
  4.4 Wrapping Up ... 129
5 Process Injection and Migration ... 131
  5.1 Finding a Home for Our Shellcode ... 131
    5.1.1 Process Injection and Migration Theory ... 131
    5.1.2 Process Injection in C# ... 135
      5.1.2.1 Exercises ... 140
      5.1.2.2 Extra Mile ... 140
Page 6

  5.2 DLL Injection ... 140
    5.2.1 DLL Injection Theory ... 141
    5.2.2 DLL Injection with C# ... 142
      5.2.2.1 Exercise ... 146
  5.3 Reflective DLL Injection ... 146
    5.3.1 Reflective DLL Injection Theory ... 146
    5.3.2 Reflective DLL Injection in PowerShell ... 146
      5.3.2.1 Exercises ... 148
  5.4 Process Hollowing ... 148
    5.4.1 Process Hollowing Theory ... 148
    5.4.2 Process Hollowing in C# ... 150
      5.4.2.1 Exercises ... 157
  5.5 Wrapping Up ... 157
6 Introduction to Antivirus Evasion ... 158
  6.1 Antivirus Software Overview ... 158
  6.2 Simulating the Target Environment ... 158
  6.3 Locating Signatures in Files ... 159
      6.3.1.1 Exercise ... 166
  6.4 Bypassing Antivirus with Metasploit ... 166
    6.4.1 Metasploit Encoders ... 166
      6.4.1.1 Exercise ... 171
    6.4.2 Metasploit Encryptors ... 171
      6.4.2.1 Exercises ... 173
  6.5 Bypassing Antivirus with C# ... 173
    6.5.1 C# Shellcode Runner vs Antivirus ... 173
      6.5.1.1 Exercises ... 176
    6.5.2 Encrypting the C# Shellcode Runner ... 176
      6.5.2.1 Exercises ... 179
  6.6 Messing with Our Behavior ... 179
    6.6.1 Simple Sleep Timers ... 179
      6.6.1.1 Exercises ... 182
    6.6.2 Non-emulated APIs ... 183
      6.6.2.1 Exercises ... 185
  6.7 Office Please Bypass Antivirus ... 186
    6.7.1 Bypassing Antivirus in VBA ... 186
Page 7

      6.7.1.1 Exercises ... 190
    6.7.2 Stomping On Microsoft Word ... 190
      6.7.2.1 Exercises ... 200
  6.8 Hiding PowerShell Inside VBA ... 200
    6.8.1 Detection of PowerShell Shellcode Runner ... 200
      6.8.1.1 Exercises ... 201
    6.8.2 Dechaining with WMI ... 202
      6.8.2.1 Exercises ... 204
    6.8.3 Obfuscating VBA ... 205
      6.8.3.1 Exercises ... 211
      6.8.3.2 Extra Mile Exercise ... 212
  6.9 Wrapping Up ... 212
7 Advanced Antivirus Evasion ... 213
  7.1 Intel Architecture and Windows 10 ... 213
    7.1.1 WinDbg Introduction ... 216
      7.1.1.1 Exercises ... 221
  7.2 Antimalware Scan Interface ... 221
    7.2.1 Understanding AMSI ... 222
    7.2.2 Hooking with Frida ... 224
      7.2.2.1 Exercises ... 229
  7.3 Bypassing AMSI With Reflection in PowerShell ... 229
    7.3.1 What Context Mom? ... 229
      7.3.1.1 Exercises ... 236
    7.3.2 Attacking Initialization ... 236
      7.3.2.1 Exercise ... 237
  7.4 Wrecking AMSI in PowerShell ... 237
    7.4.1 Understanding the Assembly Flow ... 237
      7.4.1.1 Exercises ... 238
    7.4.2 Patching the Internals ... 239
      7.4.2.1 Exercises ... 244
      7.4.2.2 Extra Mile Exercise ... 244
  7.5 UAC Bypass vs Microsoft Defender ... 244
    7.5.1 FodHelper UAC Bypass ... 244
      7.5.1.1 Exercises ... 248
    7.5.2 Improving Fodhelper ... 248
Page 8

      7.5.2.1 Exercises ... 250
  7.6 Bypassing AMSI in JScript ... 251
    7.6.1 Detecting the AMSI API Flow ... 251
      7.6.1.1 Exercise ... 253
    7.6.2 Is That Your Registry Key? ... 253
      7.6.2.1 Exercises ... 258
    7.6.3 I Am My Own Executable ... 259
      7.6.3.1 Exercises ... 263
  7.7 Wrapping Up ... 263
8 Application Whitelisting ... 264
  8.1 Application Whitelisting Theory and Setup ... 264
    8.1.1 Application Whitelisting Theory ... 264
    8.1.2 AppLocker Setup and Rules ... 266
      8.1.2.1 Exercises ... 271
  8.2 Basic Bypasses ... 271
    8.2.1 Trusted Folders ... 271
      8.2.1.1 Exercises ... 273
    8.2.2 Bypass With DLLs ... 273
      8.2.2.1 Exercises ... 276
      8.2.2.2 Extra Mile ... 276
    8.2.3 Alternate Data Streams ... 276
      8.2.3.1 Exercises ... 277
    8.2.4 Third Party Execution ... 278
      8.2.4.1 Exercise ... 278
  8.3 Bypassing AppLocker with PowerShell ... 278
    8.3.1 PowerShell Constrained Language Mode ... 278
      8.3.1.1 Exercises ... 280
    8.3.2 Custom Runspaces ... 280
      8.3.2.1 Exercises ... 283
    8.3.3 PowerShell CLM Bypass ... 283
      8.3.3.1 Exercises ... 288
    8.3.4 Reflective Injection Returns ... 288
      8.3.4.1 Exercise ... 289
  8.4 Bypassing AppLocker with C# ... 289
    8.4.1 Locating a Target ... 289
Page
9
8.4.2 Reverse Engineering for Load ... 290
8.4.2.1 Exercises ... 297
8.4.3 Give Me Code Exec ... 298
8.4.3.1 Exercise ... 299
8.4.4 Invoking the Target Part 1 ... 299
8.4.4.1 Exercises ... 305
8.4.5 Invoking the Target Part 2 ... 305
8.4.5.1 Exercises ... 308
8.4.5.2 Extra Mile ... 308
8.5 Bypassing AppLocker with JScript ... 308
8.5.1 JScript and MSHTA ... 308
8.5.1.1 Exercises ... 310
8.5.2 XSL Transform ... 311
8.5.2.1 Exercises ... 312
8.5.2.2 Extra Mile ... 312
8.6 Wrapping Up ... 312
9 Bypassing Network Filters ... 314
9.1 DNS Filters ... 316
9.1.1.1 Exercises ... 321
9.1.2 Dealing with DNS Filters ... 321
9.1.2.1 Exercise ... 323
9.2 Web Proxies ... 323
9.2.1 Bypassing Web Proxies ... 325
9.2.1.1 Exercises ... 328
9.3 IDS and IPS Sensors ... 328
9.3.1 Case Study: Bypassing Norton HIPS with Custom Certificates ... 330
9.3.1.1 Exercises ... 337
9.4 Full Packet Capture Devices ... 337
9.5 HTTPS Inspection ... 337
9.6 Domain Fronting ... 338
9.6.1 Domain Fronting with Azure CDN ... 345
9.6.1.1 Exercise ... 358
9.6.1.2 Extra Mile ... 359
9.6.2 Domain Fronting in the Lab ... 359
9.6.2.1 Exercises ... 364
9.6.2.2 Extra Mile ... 364
9.7 DNS Tunneling ... 364
9.7.1 How DNS Tunneling Works ... 364
9.7.2 DNS Tunneling with dnscat2 ... 366
9.7.2.1 Exercises ... 371
9.8 Wrapping Up ... 371
10 Linux Post-Exploitation ... 372
10.1 User Configuration Files ... 372
10.1.1 VIM Config Simple Backdoor ... 373
10.1.1.1 Exercises ... 377
10.1.1.2 Extra Mile ... 377
10.1.2 VIM Config Simple Keylogger ... 377
10.1.2.1 Exercises ... 380
10.2 Bypassing AV ... 380
10.2.1 Kaspersky Endpoint Security ... 380
10.2.2 Antiscan.me ... 387
10.2.2.1 Exercises ... 393
10.2.2.2 Extra Mile ... 393
10.3 Shared Libraries ... 394
10.3.1 How Shared Libraries Work on Linux ... 394
10.3.2 Shared Library Hijacking via LD_LIBRARY_PATH ... 395
10.3.2.1 Exercises ... 401
10.3.2.2 Extra Mile ... 402
10.3.3 Exploitation via LD_PRELOAD ... 402
10.3.3.1 Exercises ... 407
10.4 Wrapping Up ... 407
11 Kiosk Breakouts ... 408
11.1 Kiosk Enumeration ... 408
11.1.1 Kiosk Browser Enumeration ... 411
11.1.1.1 Exercises ... 414
11.2 Command Execution ... 414
11.2.1 Exploring the Filesystem ... 415
11.2.2 Leveraging Firefox Profiles ... 420
11.2.3 Enumerating System Information ... 422
11.2.4 Scratching the Surface ... 426
11.2.4.1 Exercises ... 430
11.2.4.2 Extra Mile ... 430
11.3 Post-Exploitation ... 430
11.3.1 Simulating an Interactive Shell ... 430
11.3.1.1 Exercises ... 432
11.3.1.2 Extra Mile ... 432
11.4 Privilege Escalation ... 432
11.4.1 Thinking Outside the Box ... 434
11.4.2 Root Shell at the Top of the Hour ... 440
11.4.3 Getting Root Terminal Access ... 443
11.4.3.1 Exercises ... 447
11.5 Windows Kiosk Breakout Techniques ... 447
11.5.1.1 Exercises ... 456
11.6 Wrapping Up ... 457
12 Windows Credentials ... 458
12.1 Local Windows Credentials ... 458
12.1.1 SAM Database ... 458
12.1.1.1 Exercises ... 462
12.1.2 Hardening the Local Administrator Account ... 462
12.1.2.1 Exercises ... 465
12.2 Access Tokens ... 466
12.2.1 Access Token Theory ... 466
12.2.1.1 Exercise ... 469
12.2.2 Elevation with Impersonation ... 469
12.2.2.1 Exercises ... 484
12.2.3 Fun with Incognito ... 485
12.2.3.1 Exercise ... 486
12.3 Kerberos and Domain Credentials ... 486
12.3.1 Kerberos Authentication ... 486
12.3.2 Mimikatz ... 489
12.3.2.1 Exercises ... 493
12.4 Processing Credentials Offline ... 493
12.4.1 Memory Dump ... 493
12.4.1.1 Exercises ... 496
12.4.2 MiniDumpWriteDump ... 496
12.4.2.1 Exercises ... 501
12.5 Wrapping Up ... 501
13 Windows Lateral Movement ... 502
13.1 Remote Desktop Protocol ... 503
13.1.1 Lateral Movement with RDP ... 503
13.1.1.1 Exercises ... 509
13.1.2 Reverse RDP Proxying with Metasploit ... 509
13.1.2.1 Exercise ... 512
13.1.3 Reverse RDP Proxying with Chisel ... 512
13.1.3.1 Exercise ... 515
13.1.4 RDP as a Console ... 515
13.1.4.1 Exercise ... 517
13.1.5 Stealing Clear Text Credentials from RDP ... 517
13.1.5.1 Exercises ... 521
13.2 Fileless Lateral Movement ... 521
13.2.1 Authentication and Execution Theory ... 521
13.2.2 Implementing Fileless Lateral Movement in C# ... 523
13.2.2.1 Exercises ... 527
13.3 Wrapping Up ... 527
14 Linux Lateral Movement ... 528
14.1 Lateral Movement with SSH ... 528
14.1.1 SSH Keys ... 529
14.1.2 SSH Persistence ... 532
14.1.2.1 Exercises ... 533
14.1.3 SSH Hijacking with ControlMaster ... 534
14.1.4 SSH Hijacking Using SSH-Agent and SSH Agent Forwarding ... 536
14.1.4.1 Exercises ... 540
14.2 DevOps ... 540
14.2.1 Introduction to Ansible ... 541
14.2.2 Enumerating Ansible ... 542
14.2.3 Ad-hoc Commands ... 542
14.2.4 Ansible Playbooks ... 543
14.2.5 Exploiting Playbooks for Ansible Credentials ... 545
14.2.6 Weak Permissions on Ansible Playbooks ... 548
14.2.7 Sensitive Data Leakage via Ansible Modules ... 550
14.2.7.1 Exercises ... 552
14.2.8 Introduction to Artifactory ... 552
14.2.9 Artifactory Enumeration ... 555
14.2.10 Compromising Artifactory Backups ... 556
14.2.11 Compromising Artifactory's Database ... 557
14.2.12 Adding a Secondary Artifactory Admin Account ... 559
14.2.12.1 Exercises ... 561
14.3 Kerberos on Linux ... 561
14.3.1 General Introduction to Kerberos on Linux ... 561
14.3.2 Stealing Keytab Files ... 564
14.3.2.1 Exercise ... 566
14.3.3 Attacking Using Credential Cache Files ... 566
14.3.4 Using Kerberos with Impacket ... 568
14.3.4.1 Exercises ... 571
14.3.4.2 Extra Mile ... 571
14.4 Wrapping Up ... 571
15 Microsoft SQL Attacks ... 572
15.1 MS SQL in Active Directory ... 572
15.1.1 MS SQL Enumeration ... 572
15.1.1.1 Exercise ... 574
15.1.2 MS SQL Authentication ... 574
15.1.2.1 Exercises ... 579
15.1.3 UNC Path Injection ... 579
15.1.3.1 Exercises ... 583
15.1.4 Relay My Hash ... 583
15.1.4.1 Exercises ... 586
15.2 MS SQL Escalation ... 586
15.2.1 Privilege Escalation ... 586
15.2.1.1 Exercises ... 589
15.2.2 Getting Code Execution ... 590
15.2.2.1 Exercises ... 593
15.2.3 Custom Assemblies ... 593
15.2.3.1 Exercises ... 599
15.3 Linked SQL Servers ... 599
15.3.1 Follow the Link ... 600
15.3.1.1 Exercises ... 603
15.3.1.2 Extra Mile ... 603
15.3.2 Come Home To Me ... 603
15.3.2.1 Exercises ... 605
15.3.2.2 Extra Mile ... 605
15.4 Wrapping Up ... 605
16 Active Directory Exploitation ... 606
16.1 AD Object Security Permissions ... 606
16.1.1 Object Permission Theory ... 606
16.1.1.1 Exercises ... 609
16.1.2 Abusing GenericAll ... 609
16.1.2.1 Exercises ... 611
16.1.3 Abusing WriteDACL ... 612
16.1.3.1 Exercises ... 614
16.1.3.2 Extra Mile ... 614
16.2 Kerberos Delegation ... 614
16.2.1 Unconstrained Delegation ... 615
16.2.1.1 Exercise ... 621
16.2.2 I Am a Domain Controller ... 621
16.2.2.1 Exercises ... 625
16.2.3 Constrained Delegation ... 625
16.2.3.1 Exercises ... 631
16.2.4 Resource-Based Constrained Delegation ... 631
16.2.4.1 Exercises ... 637
16.3 Active Directory Forest Theory ... 637
16.3.1 Active Directory Trust in a Forest ... 638
16.3.2 Enumeration in the Forest ... 641
16.3.2.1 Exercises ... 644
16.4 Burning Down the Forest ... 644
16.4.1 Owning the Forest with Extra SIDs ... 644
16.4.1.1 Exercise ... 649
16.4.1.2 Extra Mile ... 650
16.4.2 Owning the Forest with Printers ... 650
16.4.2.1 Exercises ... 652
16.5 Going Beyond the Forest ... 652
16.5.1 Active Directory Trust Between Forests ... 653
16.5.2 Enumeration Beyond the Forest ... 654
16.5.2.1 Exercises ... 657
16.6 Compromising an Additional Forest ... 657
16.6.1 Show Me Your Extra SID ... 657
16.6.1.1 Exercises ... 663
16.6.2 Linked SQL Servers in the Forest ... 663
16.6.2.1 Exercises ... 666
16.6.2.2 Extra Mile Exercise ... 666
16.7 Wrapping Up ... 666
17 Combining the Pieces ... 667
17.1 Enumeration and Shell ... 667
17.1.1 Initial Enumeration ... 668
17.1.1.1 Exercises ... 670
17.1.2 Gaining an Initial Foothold ... 670
17.1.2.1 Exercises ... 675
17.1.3 Post Exploitation Enumeration ... 675
17.1.3.1 Exercises ... 679
17.2 Attacking Delegation ... 679
17.2.1 Privilege Escalation on web01 ... 680
17.2.1.1 Exercises ... 685
17.2.2 Getting the Hash ... 685
17.2.2.1 Exercises ... 690
17.2.3 Delegate My Ticket ... 690
17.2.3.1 Exercises ... 693
17.3 Owning the Domain ... 694
17.3.1 Lateral Movement ... 694
17.3.1.1 Exercises ... 699
17.3.2 Becoming Domain Admin ... 699
17.3.2.1 Exercises ... 703
17.3.2.2 Extra Mile ... 703
17.4 Wrapping Up ... 703
18 Trying Harder: The Labs ... 704
18.1 Real Life Simulations ... 704
18.2 Wrapping Up ... 704
1 Evasion Techniques and Breaching Defenses: General Course Information

Welcome to the Evasion Techniques and Breaching Defenses (PEN-300) course! PEN-300 was created for security professionals who already have some experience in offensive techniques and penetration testing. This course will help you develop the skills and knowledge to bypass many different types of defenses while performing advanced types of attacks. Since the goal of this course is to teach offensive techniques that work against client organizations with hardened systems, we expect students to have taken the PWK1 course and passed the OSCP exam, or to have equivalent knowledge and skills.

1.1 About The PEN-300 Course

Before diving into the course material, it is important to spend a few moments on basic terminology. IT and information security professionals use varying terminology for offensive operations and attacks. To prevent confusion, we are going to define some of the main terms as we understand them and as they apply to this course.

A penetration test is an engagement between a client organization and a penetration tester. During such an operation, the penetration tester performs various sanctioned attacks against the client organization. These can vary in size, duration, and complexity.

A penetration test can have various entry points into the targeted organization. In an assumed breach penetration test, the penetration tester is given standard or low-privileged user access to an internal system and performs the attacks from there. In this type of test the focus is on the internal network, and the client may provide additional information to aid the test. A slightly more complex test is an external penetration test, which can leverage social engineering and attacks against internet-facing infrastructure.

Both types of penetration tests attempt to compromise as much of the client organization's internal systems as possible. This often includes attacking Active Directory and production systems. No matter how a penetration test is conducted, the overall goal is to test the security of the client organization's IT infrastructure.

Instead of testing the security of the IT infrastructure, it is possible to test the security response of the organization. This is typically called a red team test (red teaming) or adversary simulation, and it works by mimicking the techniques and procedures of advanced attackers.

1 (Offensive Security, 2020), https://www.offensive-security.com/pwk-oscp/
The main purpose of a red team test is to train or test the security personnel in the client organization, who are referred to as the blue team. While many techniques overlap between penetration tests and red team tests, the goals are different.

PEN-300 will provide the knowledge and techniques required to perform advanced penetration tests against mature organizations with a developed security posture. It is not a red team course. The topics covered in this course include techniques such as client-side code execution attacks, antivirus evasion, application whitelisting bypasses, and network detection bypasses. The second half of the course focuses on key concepts such as lateral movement, pivoting, and advanced attacks against Active Directory.

Since PEN-300 is an advanced penetration testing course, we will generally not deal with the act of evading a blue team. Instead, we will focus on bypassing automated security mechanisms that block an attack.

1.2 Provided Material

Next, let’s take a moment to review the individual components of the course. You should now have access to the following:
• The PEN-300 course materials
• Access to the internal VPN lab network
• Student forum credentials
• Live support
• An OSEP exam attempt
Let’s review each of these items.

1.2.1 PEN-300 Course Materials

The course includes this lab guide in PDF format and the accompanying course videos. The information covered in the PDF and the videos is complementary, meaning you can read the lab guide and then watch the videos to fill in any gaps, or vice versa. In some modules, the lab guide is more detailed than the videos. In other cases, the videos may convey some information better than the guide. It is important that you pay close attention to both.

The lab guide also contains exercises at the end of each chapter. Completing the course exercises will help students solidify their knowledge and practice the skills needed to attack and compromise lab machines.

1.2.2 Access to the Internal VPN Lab Network

The email welcome package, which you received on your course start date, included your VPN credentials and the corresponding VPN connectivity pack. These will enable you to access the internal lab network, where you will be spending a considerable amount of time.
Lab time starts when your course begins and is tracked as continuous access. Lab time can only be paused in case of an emergency.2

If your lab time expires, or is about to expire, you can purchase a lab extension at any time. To purchase additional lab time, use the personalized purchase link that was sent to your email address. If you purchase a lab extension while your lab access is still active, you can continue to use the same VPN connectivity pack. If you purchase a lab extension after your existing lab access has ended, you will receive a new VPN connectivity pack.

1.2.3 The Offensive Security Student Forum

The Student Forum3 is only accessible to Offensive Security students. Your forum credentials are also part of the email welcome package. Access does not expire when your lab time ends. You can continue to enjoy the forums long after you pass your OSEP exam.

On the forum, you can ask questions, share interesting resources, and offer tips (as long as there are no spoilers). We ask all forum members to be mindful of what they post, taking particular care not to ruin the overall course experience for others by posting complete solutions. Inappropriate posts may be moderated.

Once you have successfully passed the OSEP exam, you will gain access to the sub-forum for certificate holders.

1.2.4 Live Support and RocketChat

Live Support4 and RocketChat allow you to communicate directly with our Student Administrators. These are staff members at Offensive Security who have taken the PEN-300 course and know the material. Student Administrators are available through Live Support to assist with technical issues related to VPN connectivity for the labs and the exam.

In RocketChat it is possible to chat with fellow PEN-300 students and to ask our Student Administrators for clarifications on the course material and exercises. In addition, if you have tried your best and are completely stuck on a lab machine, Student Administrators may be able to provide a small hint to help you on your way. Remember that the information provided by the Student Administrators will be based on the amount of detail you are able to provide. The more detail you can give about what you’ve already tried and the outcomes you’ve been able to observe, the better.

1.2.5 OSEP Exam Attempt

Included with your initial purchase of the PEN-300 course is an attempt at the Offensive Security Experienced Penetration Tester (OSEP) certification.

2 (Offensive Security, 2020), https://support.offensive-security.com/registration-and-orders/#can-i-pause-my-lab-time
3 (Offensive Security, 2020), https://forums.offensive-security.com
4 (Offensive Security, 2020), https://support.offensive-security.com
The exam is optional, so it is up to you to decide whether or not you would like to tackle it. You have 120 days after the end of your lab time to schedule and complete your exam attempt. After 120 days, the attempt will expire. If your exam attempt expires, you can purchase an additional one and take the exam within 120 days of the purchase date. If you purchase a lab extension while you still have an unused exam attempt, the expiration date of your exam attempt will be moved to 120 days after the end of your lab extension.

To book your OSEP exam, use your personalized exam scheduling link. This link is included in the welcome package emails. You can also find the link in your PEN-300 control panel.

1.3 Overall Strategies for Approaching the Course

Each student is unique, so there is no single best way to approach this course and its materials. We encourage you to move through the course at your own comfortable pace. You’ll also need to apply time management skills to keep yourself on track. We recommend the following as a very general approach to the course materials:
1. Review all the information included in the welcome and course information emails.
2. Review the course materials.
3. Complete the course exercises.
4. Attack the lab machines.

1.3.1 Welcome and Course Information Emails

First and foremost, take the time to read all the information included in the emails you received on your course start date. These emails include things like your VPN pack, lab and forum credentials, and control panel URL. They also contain URLs to the course FAQ, RocketChat and the support page.

1.3.2 Course Materials

Once you have reviewed the information above, you can jump into the course material. You may opt to start with the course videos and then review the information for that module in the lab guide, or vice versa, depending on your preferred learning style. As you go through the course material, you may need to re-watch or re-read modules to fully grasp the content.

Note that all course modules except this introduction, Operating System and Programming Theory, and Trying Harder: The Labs have course videos associated with them.

In the lab guide you will occasionally find centered text in a red font. These blocks of text provide additional context but are not required in order to follow the narrative of an attack. Note that the information in these blocks is not mentioned in the course videos.

We recommend treating the course like a marathon and not a sprint. Don’t be afraid to spend extra time with difficult concepts before moving forward in the course.
1.3.3 Course Exercises

We recommend that you fully complete the exercises at the end of each module prior to moving on to the next module. They will test your understanding of the material and build your confidence to move forward. The time and effort it takes to complete these exercises may depend on your existing skillset. Please note that some exercises are difficult and may take a significant amount of time. We encourage you to be persistent, especially with tougher exercises. They are particularly helpful in developing that Offsec “Try Harder” mindset.

Note that copy-pasting code from the lab guide into a script or source file may include unintended whitespace or newlines due to formatting.

Some modules will have extra mile exercises, which are more difficult and time-consuming than regular exercises. They are not required to learn the material, but they will develop extra skills and aid you towards the exam.

1.4 About the PEN-300 VPN Labs

The PEN-300 labs provide an isolated environment that contains two sets of machine types. The first type is the virtual machines associated with a given module in the lab guide, while the other is the set of challenges presented once you have completed the course videos and the lab guide. Note that all virtual machines in this course are assigned to you and are not shared with other students.

1.4.1 Control Panel

Once logged into the internal VPN lab network, you can access your PEN-300 control panel. The PEN-300 control panel will help you revert your client and lab machines or book your exam. The URL for the control panel was listed in the welcome package email.

1.4.2 Reverts

Each student is provided with twelve reverts every 24 hours. Reverts enable you to return a particular set of lab machines to its pristine state. This counter is reset every day at 00:00 GMT+0. If you require additional reverts, you can contact a Student Administrator via email (help@offensive-security.com) or contact Live Support to have your revert counter reset. The minimum amount of time between lab machine reverts is five minutes.

Each module from the lab guide (except this introduction and the modules Operating System and Programming Theory and Trying Harder: The Labs) has an entry in a drop-down menu. Before starting on the exercises or following the information given in the course videos or lab guide, you must access the control panel and revert the entry associated with the given module.