7minsec / lplite Goto Github PK

Updated: While we're sniffing around Active Directory, let's also do some snooping within the environment's file share system to see if we can find anything interesting.

Where is the problem happening
Provide the Teachable curriculum URL that corresponds with the issue you're reporting.
https://7minsec.teachable.com/courses/2053747/lectures/46224733

Describe the problem
A trailing slash to icacls results in an error:

And the lab directions say to include them:

Remove the trailing slashes and all is good

Where is the problem happening
Provide the Teachable curriculum URL that corresponds with the issue you're reporting.
i.e. https://7minsec.teachable.com/courses/x/y/z
https://7minsec.teachable.com/courses/2053747/lectures/46224728

Describe the problem
A clear and concise description of what the bug is.
*i.e. "There's a typo on the third line" or "The second paragraph mentions a tool that's not there."
From my experience amsi.fail just kinda doesn't work anymore. Also the file "c:\users\public\pentest-tools\amsibypass.txt" doesn't seem to be helpful so maybe it can be removed. The github link at the end of the page does work but people might need some handholding to get it working. Setting up http server etc.

To Reproduce
Steps to reproduce the behavior:

1. Go to amsi.fail
2. Try a bypass and watch it fail
3. Repeat from step 1

Expected behavior
A clear and concise description of what you expected to happen.
Student should be able to bypass amsi without a lot of interactive hand holding.

Where is the problem happening
https://7minsec.teachable.com/courses/2053747/lectures/46224724

Describe the problem
Incorrect Domain Admins group vs quiz:

Expected behavior
They should match.

Where is the problem happening
Provide the Teachable curriculum URL that corresponds with the issue you're reporting.

Inside PDF at https://7minsec.teachable.com/courses/2053747/lectures/46224753

Presumably more typoes are in this thread

Where is the problem happening
https://7minsec.teachable.com/courses/2053747/lectures/46224745

Describe the problem
Typo - "At a high level, here's what's happening:" then talking about Brian's Laptop, then 'her machine' and ' so sends her a "Nope!"'.
Typo - "OMg, pick me" should be OMG
Typo - Brian''s -> Brian's

Whoops. Pypykatz is missing in this exercise (https://7minsec.teachable.com/admin-app/courses/2053747/curriculum/lessons/46224760) so it needs to be part of the standard build.

Consider what to do with things that got cut from v1 such as unconstrained delegation. Make it extra credit? What about carving up LPLITE into 2 difficulty levels?

Where is the problem happening
https://7minsec.teachable.com/courses/2053747/lectures/46224746

Describe the problem

Before making final VM snapshot for course, make sure to change:

• Figure out a way to batch snapshot and batch de-snapshot (is that a word?)
• Fix weird port forward on student 6
• Cleanup student firewall aliases
• ISO unmount from ALL VMs!
• Fix firewall RDP schedule

Where is the problem happening
Provide the Teachable curriculum URL that corresponds with the issue you're reporting.
i.e. https://7minsec.teachable.com/courses/x/y/z
https://7minsec.teachable.com/courses/2053747/lectures/46224737

Describe the problem
A clear and concise description of what the bug is.
*i.e. "There's a typo on the third line" or "The second paragraph mentions a tool that's not there."
When running the hashcat command to crack the kerberoast and asreproast hashes the hash files won't be in the same dir as the hashcat .exe because it was extracted to its own sub folder. So copy pasting the command from the instructions wont work. Instead of this
hashcat kerberoast.txt ..\wordlists\rockyou.txt
You need this
hashcat ..\kerberoast.txt ..\wordlists\rockyou.txt
Or you need to copy paste kerberoast.txt into the new hashcat directory

To Reproduce
Steps to reproduce the behavior:

1. dump roasted hashese to c:\users\public.pentest-tools dir
2. follow instructions to extract hashcat to the hashcat subfolder
3. cd to c:\users\public.pentest-tools or c:\users\public.pentest-tools\hashcat-6.2.6\
4. run hashcat kerberoast.txt ..\wordlists\rockyou.txt

At the very end of the training curriculum, add a thank you section to all the fine folks that made this possible!

Would love to....but will mark this as a v3 enhancement for the future.

And I need to update this ticket when I revisit ADCS vuln: AlmondOffSec/PassTheCert#13

Where is the problem happening
https://7minsec.teachable.com/courses/2053747/lectures/46224760

Describe the problem

You could use Mimikatz instead, though:
C:\Users\Public\pentest-tools>mimikatz\x64\mimikatz.exe "sekurlsa::minidump C:\Users\Public\pentest-tools\dump.dmp" "sekurlsa::logonpasswords" "exit"

Where is the problem happening
Provide the Teachable curriculum URL that corresponds with the issue you're reporting.
i.e. https://7minsec.teachable.com/courses/x/y/z
https://7minsec.teachable.com/courses/2053747/lectures/46224730

Describe the problem
A clear and concise description of what the bug is.
*i.e. "There's a typo on the third line" or "The second paragraph mentions a tool that's not there."
Then link to here ASREPRoasting doesn't work.

To Reproduce
Steps to reproduce the behavior:

1. Click on the link labeled "ASREPRoasting"

Expected behavior
A clear and concise description of what you expected to happen.
The link should send you to a valid website

Screenshots
If applicable, add screenshots to help explain your problem.

Where is the problem happening
Provide the Teachable curriculum URL that corresponds with the issue you're reporting.
i.e. https://7minsec.teachable.com/courses/x/y/z
https://7minsec.teachable.com/courses/2053747/lectures/46224722

Describe the problem
A clear and concise description of what the bug is.
*i.e. "There's a typo on the third line" or "The second paragraph mentions a tool that's not there."
Ran ipconfig /all as instructed. Noticed that alternate DNS servers 1.1.1.1 and 9.9.9.9 are being distributed by DHCP. This could lead to issues in the future. If the pc can't find the primary DNS server (domain controller) it could fail over to another DNS server. If this happens active directory authentications and lookups will stop working on the client. On windows DNS doesn't always fail back to the primary DNS server when it recovers and stays with the most recent workins DNS server.

To Reproduce
Steps to reproduce the behavior:

1. opend cmd.exe
2. run ipconfig /all

Expected behavior
A clear and concise description of what you expected to happen.
Only have domain controllers specified as DNS servers

Screenshots
If applicable, add screenshots to help explain your problem.
I think you get it lol.

Additional context
Add any other context about the problem here.
https://activedirectorypro.com/dns-best-practices/

I need to update the content/outline for the "sales" page here

When we talk about identifying hash types with the hashcat wiki and other resources, a student mentioned this was awesome as well:
https://github.com/blackploit/hash-identifier

Where is the problem happening
https://7minsec.teachable.com/courses/2053747/lectures/46224726

Describe the problem

Probably start with Run PowerShell, then have the Browse to C:\Users\Public... step afterwards. No biggie though.

Updated 2 areas:
ASREPRoasting enumerates any users in the domain that do not require Kerberos preauthentication and captures the affected user’s hashes.

Other:
Much like the Kerberoasting attack we just looked at, ASREPRoasting allows us to say, "Hey, Active Directory, if any users you know about are set to do not require Kerberos preauthentication, let me have a bit of encrypted data about that user that I can bring offline and crack!”

Where is the problem happening
https://7minsec.teachable.com/courses/2053747/lectures/46224728*

Describe the problem
Line 15 says 'typing import-module powerup.ps1 which fails. It should be ./powerup.ps1 (like the image shows)

OK I'm going to be rude and skip the rest of the stuff, as that should be good enough for you to figure it out :)

Where is the problem happening
Provide the Teachable curriculum URL that corresponds with the issue you're reporting.
https://7minsec.teachable.com/courses/2053747/lectures/46224742

Describe the problem

I'll see how big a deal this is later, though the installer is present:

Where is the problem happening
Provide the Teachable curriculum URL that corresponds with the issue you're reporting.
i.e. https://7minsec.teachable.com/courses/x/y/z
https://7minsec.teachable.com/courses/2053747/lectures/46224748

Describe the problem
A clear and concise description of what the bug is.
*i.e. "There's a typo on the third line" or "The second paragraph mentions a tool that's not there."
The instructions say to navigate to C:\users\public\pentest-tools\AD\Bloodhound-win32-x64
But the correct path is C:\Users\Public\pentest-tools\BloodHound-win32-x64

Screenshots
If applicable, add screenshots to help explain your problem.

Where is the problem happening
https://7minsec.teachable.com/courses/2053747/lectures/46224763

Describe the problem
Should be Hashcat linked here (https://hashcat.net/hashcat/), not JtR.

Where is the problem happening
https://7minsec.teachable.com/courses/2053747/lectures/46806226

Describe the problem
For inexperienced users (such as myself), adding the directions to click Menu -> Add Files (such as the following) would help greatly:

Where is the problem happening
Provide the Teachable curriculum URL that corresponds with the issue you're reporting.
i.e. https://7minsec.teachable.com/courses/x/y/z
https://7minsec.teachable.com/courses/2053747/lectures/46224733

Describe the problem
A clear and concise description of what the bug is.
*i.e. "There's a typo on the third line" or "The second paragraph mentions a tool that's not there."
Instructions say click "Start > Run". There is nothing called Run in the start menu to click. Yes I know this is dumb feedback.

To Reproduce
Steps to reproduce the behavior:

1. Click on start menu
2. Look for Run button

Additional context
Add any other context about the problem here.
Could type in the search box instead. Or just open the start menu and start typing. Or right click the start menu and select run. Or a million other solutions.

Where is the problem happening
Provide the Teachable curriculum URL that corresponds with the issue you're reporting.
i.e. https://7minsec.teachable.com/courses/x/y/z
https://7minsec.teachable.com/courses/2053747/lectures/46224758

Describe the problem
A clear and concise description of what the bug is.
*i.e. "There's a typo on the third line" or "The second paragraph mentions a tool that's not there."
The path to cme is listed as C:\users\public\pentest-tools\multitool but it's actually C:\users\public\pentest-tools

Screenshots
If applicable, add screenshots to help explain your problem.

Where is the problem happening
Provide the Teachable curriculum URL that corresponds with the issue you're reporting.
i.e. https://7minsec.teachable.com/courses/x/y/z
https://7minsec.teachable.com/courses/2053747/lectures/46224757

Describe the problem
A clear and concise description of what the bug is.
*i.e. "There's a typo on the third line" or "The second paragraph mentions a tool that's not there."
The path to the wordlist in the hashcat command is incorrect. It says hashcat -m 1000 crackme.csv ..\rockyou.txt --username
It should say hashcat.exe -m 1000 crackme.csv ..\wordlists\rockyou.txt --username

Screenshots
If applicable, add screenshots to help explain your problem.

Where is the problem happening
Provide the Teachable curriculum URL that corresponds with the issue you're reporting.
i.e. https://7minsec.teachable.com/courses/x/y/z
https://7minsec.teachable.com/courses/2053747/lectures/46224749

Describe the problem
A clear and concise description of what the bug is.
*i.e. "There's a typo on the third line" or "The second paragraph mentions a tool that's not there."
Instructions say hamburger icon is in upper right but it's in the upper left

Screenshots
If applicable, add screenshots to help explain your problem.

Where is the problem happening
Provide the Teachable curriculum URL that corresponds with the issue you're reporting.
i.e. https://7minsec.teachable.com/courses/x/y/z
https://7minsec.teachable.com/courses/2053747/lectures/46224759

Describe the problem
A clear and concise description of what the bug is.
*i.e. "There's a typo on the third line" or "The second paragraph mentions a tool that's not there."
When trying to run the reg query command in the instructions the impacket reg tool runs instead. It has different syntax so the command fails

To Reproduce
Steps to reproduce the behavior:

1. Open cmd
2. In any directory try running the command from the instructions reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential
3. You'll receive an error message

Expected behavior
A clear and concise description of what you expected to happen.
Either the syntax in the instructions should be for the Impacket reg command or the standard windows reg command should run

Screenshots
If applicable, add screenshots to help explain your problem.

Updated: I agree to abide by the training scope and rules of engagement above and understand my training experience may be canceled, without refund, if these rules are violated.

Where is the problem happening
Provide the Teachable curriculum URL that corresponds with the issue you're reporting.
i.e. https://7minsec.teachable.com/courses/x/y/z
https://7minsec.teachable.com/courses/2053747/lectures/46224760

Describe the problem
A clear and concise description of what the bug is.
*i.e. "There's a typo on the third line" or "The second paragraph mentions a tool that's not there."
Instructions say 1. Open a command prompt. But we are in a powershell remoting session. No need for this step.

Screenshots
If applicable, add screenshots to help explain your problem.

Where is the problem happening
Provide the Teachable curriculum URL that corresponds with the issue you're reporting.
i.e. https://7minsec.teachable.com/courses/x/y/z
https://7minsec.teachable.com/courses/2053747/lectures/46224760

Describe the problem
A clear and concise description of what the bug is.
*i.e. "There's a typo on the third line" or "The second paragraph mentions a tool that's not there."
The link to the "Deadliest Catch" show doesn't work.

Screenshots
If applicable, add screenshots to help explain your problem.

Where is the problem happening
Provide the Teachable curriculum URL that corresponds with the issue you're reporting.
i.e. https://7minsec.teachable.com/courses/x/y/z
https://7minsec.teachable.com/courses/2053747/lectures/46224760

Describe the problem
A clear and concise description of what the bug is.
*i.e. "There's a typo on the third line" or "The second paragraph mentions a tool that's not there."
The instructions say that I should receive an error when powershell remoting to tt-it01 using my student credentials. I didn't receive an error and remoting is working.

Screenshots
If applicable, add screenshots to help explain your problem.
Instructions

Actual

This tool looks promising....kind of like the "slinky" feature of CME:

https://github.com/mdsecactivebreach/Farmer

Updated: ...Not sure if you’re missing something? As a quick recap, 24 hours before your start date (at the LATEST) you should have: ...

Where is the problem happening
Provide the Teachable curriculum URL that corresponds with the issue you're reporting.
i.e. https://7minsec.teachable.com/courses/x/y/z
https://7minsec.teachable.com/courses/2053747/lectures/46224760

Describe the problem
A clear and concise description of what the bug is.
*i.e. "There's a typo on the third line" or "The second paragraph mentions a tool that's not there."
When I ram mimikatz against the lsass dump I only got creds for the computer account. Not sure if there is supposed to be some automated account login that I should have captured. Or if you just manually do some login at this point for people to capture.

Where is the problem happening
Provide the Teachable curriculum URL that corresponds with the issue you're reporting.
i.e. https://7minsec.teachable.com/courses/x/y/z
https://7minsec.teachable.com/courses/2053747/lectures/46224723

Describe the problem
A clear and concise description of what the bug is.
*i.e. "There's a typo on the third line" or "The second paragraph mentions a tool that's not there."
instructions say "PT-DC01" actual server name is "tt-dc01"

Expected behavior
A clear and concise description of what you expected to happen.
names should be the same

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here.

Updated: I agree to abide by the training scope and rules of engagement above and understand my training experience may be canceled, without refund, if these rules are violated.

Where is the problem happening
Provide the Teachable curriculum URL that corresponds with the issue you're reporting.
i.e. https://7minsec.teachable.com/courses/x/y/z
https://7minsec.teachable.com/courses/2053747/lectures/46808970

Describe the problem
A clear and concise description of what the bug is.
*i.e. "There's a typo on the third line" or "The second paragraph mentions a tool that's not there."
The network is described as 10.0.7.0/x but it should be 10.0.7.0/24. Maybe you meant 10.0.7.x/24

Screenshots
If applicable, add screenshots to help explain your problem.

Updated: Let's learn a little about where we are, which might help us figure out where to go next:

Where is the problem happening
https://7minsec.teachable.com/courses/2053747/lectures/46224757

Describe the problem

Lab step is simply as follows:

But crackme.csv is in the Mimikatz folder, hashcat.exe is in a different folder, and even the rockyou.txt file is in the Wordlists folder.

If this is intentional to challenge students a bit, it's fine. Otherwise I'd recommend making the steps more explicit.

On the Welcome tab under Privilege Escalation, should it be "shell"! instead of "shell!"?

Like the "relay DA creds for super secret backdoor account with Enterprise Admin rights!" trick.

Updated: ...Not sure if you’re missing something? As a quick recap, 24 hours before your start date (at the LATEST) you should have: ...

Where is the problem happening
Provide the Teachable curriculum URL that corresponds with the issue you're reporting.
i.e. https://7minsec.teachable.com/courses/x/y/z
https://7minsec.teachable.com/courses/2053747/lectures/46224722

Describe the problem
A clear and concise description of what the bug is.
*i.e. "There's a typo on the third line" or "The second paragraph mentions a tool that's not there."
Minor issue and you don't need to fix this. BUT as a system admin this one always bugs me 😊. When running nslookup commands against the domain the Server is shown as "unknown" because there is no reverse lookup zone for the 10.0.7.0/24 network and no PTR record for the DNS server.

To Reproduce
Steps to reproduce the behavior:

1. run cmd.exe as instructed
2. run nslookup -type=SRV _ldap._tcp.dc._msdcs.tangent.town as instructed

Expected behavior
A clear and concise description of what you expected to happen.
The reverse DNS lookup should complete and the name of the server that responded to the query should be displayed.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here.
https://activedirectorypro.com/configure-dns-reverse-lookup-zones-ptr-records/

Where is the problem happening
Provide the Teachable curriculum URL that corresponds with the issue you're reporting.
i.e. https://7minsec.teachable.com/courses/x/y/z
https://7minsec.teachable.com/courses/2053747/lectures/46224759

Describe the problem
A clear and concise description of what the bug is.
*i.e. "There's a typo on the third line" or "The second paragraph mentions a tool that's not there."
Instructions reference PT-IT01 instead of TT-IT01

Screenshots
If applicable, add screenshots to help explain your problem.

Updated: Let’s see if the TT-DC01 domain controller, which is also a DNS server, will allow us to do a zone transfer (essentially a request to dump out ALL DNS records the server knows about).

Where is the problem happening
https://7minsec.teachable.com/courses/2053747/lectures/46224760

Describe the problem
At this point students are Domain Admin via , so the Enter-PSSession command as written will actually work.

Expected behavior
As the lab step is written, this isn't supposed to work:

Recommendation

Write the lab step using one of the Domain User accounts (no privileges) found via Inveigh, like tangent\beverly.

The curriculum itself needs to be written, and I can't seem to get Inveigh relay to work even if I follow guides like this one or this one.

Our pal Jeff McJunkin recommends trying out PortBender.