⚙️CRTP Methodology

This methodology is intended to help you stay focused and not miss anything during the exam.

Important to know:

The exam environment won't include any tools, but we can add the tools we need to a specific folder that is listed in the Windows Defender exclusion settings.

The exam goal is to execute OS commands on 5 targets, no matter what privileges the user has.

0. Defenses

Policy language mode

Enumerate PS Language Mode - Language Mode

If the language mode is Constrained, try to bypass it using PowerShell v2 or list the AppLocker rules.

Bypass AMSI

Bypass AMSI in every new PowerShell session - AMSI Bypass

Invisi-Shell can also be used.

Bypass Defender

Windows Defender

Turn off Firewall

Firewall


1. Local Privilege Escalation

Check our privileges using whoami /all

Use PowerUp to discover the escalation vectors:

  • Unquoted Service

  • Modifiable Service File

  • Modifiable Service

Once we are local admin, use Credentials Dumping to find other users' logons.


2. Domain Enumeration

ACL

ACL

Write down the interesting ACLs, as they may be useful later.

BloodHound is very useful for visualizing ACLs.

General

General

Start building a mind map of attack paths:

  • Domain

  • Domain Controller

  • Users

  • Computers

  • Domain and Enterprise Administrators

  • OUs

  • GPOs

  • SPNs

Forests and Trusts

Understand the trusts and map them between the domains.

Forests and Trusts


3. Domain Privileges Escalation

Reverse shell by abusing Jenkins

User Hunting

User Hunting - Hunt for local admin access

AD CS

AD CS

Delegations

Delegations - Search for Delegations

ACL

ACL

Abusing ACLs can lead


4. Lateral Movement

Bypass Defenses

CRTP Methodology

OPTH

Credentials Dumping after getting admin privileges, then move inside the domain using Over Pass The Hash, then spawn a PowerShell session using WinRM.

User Hunting

User Hunting - Hunt for local admin access


5. Cross Domain Privilege Escalation

MSSQL

MSSQL Servers

Inter-Realm TGT

Trusts - After abusing the trust keys or the krbtgt of a trusted domain, it is possible to abuse the other forest using an Inter-Realm TGT.
