HTB - Vintage
Introduction: Vintage is a Hard challenge on HackTheBox that simulates an assumed-breach scenario in an Active Directory environment where NTLM is completely disabled. The entire exploit relies exclusively on Kerberos, making it an extremely educational challenge for pentesters accustomed to relying on NTLM. With the phase-out of NTLM announced by Microsoft for future versions of Windows Server, this type of environment will become the norm. We might as well prepare for it now. Configuration Fi...
First Driver Development
Introduction: To truly control a Windows system, you must operate at Ring 0, i.e., the kernel. The problem is that from user mode (Ring 3) you cannot interact directly with Ring 0, so it is impossible to modify the kernel's internal structures, disable an EDR's monitoring mechanisms, or manipulate process protections. Tools like WinDbg allow you to explore and modify kernel memory, but they are not viable in production environments: WinDbg requires a reboot to enable debug mode, a second machi...
ClickOnce Hijacking
Introduction: ClickOnce is a Microsoft deployment technology built into the .NET Framework. It allows Windows applications to be distributed via a simple URL: the user clicks a link, and the application downloads, installs, and runs with very little user interaction. The idea is not to create a malicious application from scratch, but to backdoor an existing legitimate ClickOnce application and redeploy it. The application retains its normal behavior but executes arbitrary code upon launch. Sev...
CLR Loading
Introduction: The previous article on Local Hollowing addressed the issue of loading native PEs into memory. The encrypted payload is decrypted, manually mapped section by section, relocations are corrected, imports are resolved, and then the main thread is redirected to the entry point. This approach works because a native PE contains machine instructions that the CPU can understand directly. Therefore, it is sufficient to place the bytes in the correct location in memory and have the RIP poin...
Bypassing static detection
Introduction: In a previous article, we detailed how Local Hollowing works: a technique that allows a malicious PE file to be executed in memory without ever writing it in plaintext to the disk. The loader is compiled using OLLVM to obfuscate the machine code, and the payload (Mimikatz) is encrypted with AES-256. In theory, this combination should be sufficient to bypass static detection. In practice, Microsoft Defender detects the loader immediately: the MTB (Machine Learning Based Threat) suffi...
Local Hollowing
Introduction: During Red Team exercises, once initial access has been gained, one of the first obstacles is static detection. Deploying tools like Mimikatz to the disk is immediately detected by EDR because the signatures for these tools have long been known to EDR systems. Local Hollowing gets around this problem. The principle: a loader embeds the malicious PE (Portable Executable) encrypted with AES-256, decrypts it in memory at runtime, and manually maps it to replace the Windows loade...
CRTP CheatSheet
Bypass: AMSI BYPASS
Set-Item ('Va'+'rI'+'a'+'blE:1'+'q2'+'uZx') ([TYpE]("F"+'rE')) (Get-variable (('1Q'+'2U') +'zX'))."A`ss`Embly"."GET`TY`Pe"(('Uti'+'l','A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'...
Vulnlab - Sidecar
Sidecar is a chain made up of two machines, WS01 and DC01, rated difficult. Initial access to WS01 is gained via a booby-trapped .lnk file, crafted to limit antivirus detection. Once the first machine has been compromised, the absence of LDAP signing combined with the presence of WebDAV enables a Shadow Credentials attack, resulting in a much deeper compromise of the infrastructure. Compromising WS01 also yielded a password that made it possible to reach an acc...
Vulnlab - Vigilant
Vigilant is a Vulnlab chain rated hard, consisting of a Linux machine and a Windows machine. Anonymous access to the domain controller (DC) shares is used to retrieve a PDF file encrypted with ADAudit. By recovering the DLLs linked to the ADAudit executable, we can use ILSpy to identify how the PDF is encrypted, and thus decrypt it. The credentials contained in the PDF then allow us to access an Elasticsearch administration interface which, once exploited, gives us a sh...