
Phase III: Lateral Movement & Privilege Escalation

:: SYSTEM_BROADCAST :: [MSG_ID: 0X100]

PHASE III CONFIRMED: LATERAL MOVEMENT
From Workstation Foothold to Domain Controller
> ACTIVE VERSION: CHAIN #3 > QUEUED: CHAIN #4

:: MITRE ATT&CK MAPPING TACTICS DETECTED
[T1003.001] LSASS Memory
[T1003.002] SAM Database
[T1003.004] LSA Secrets
[T1550.002] Pass the Hash
[T1569.002] Service Execution
[T1134] Token Impersonation
[T1574.010] Service Hijacking
[T1098] Account Manipulation

Recap from Phase II

The perimeter has been breached. In Phase II, we successfully transitioned from a blind vantage point to a verified foothold. By leveraging AS-REP Roasting, we cracked the credentials for the user clee and established Local Administrator access on CLIENT-2 (10.0.2.9).

We are no longer knocking on the door: we are inside the building. The objective for Phase III is Lateral Movement. We must now turn our compromised workstation into a pivot point, harvesting credentials from memory and the network to hunt for the keys to the kingdom: the Domain Controller.

:: MISSION PARAMETERS PHASE III OBJECTIVES

Scenario: We have successfully compromised the clee account, granting us Local Administrator rights on CLIENT-2. Our objective is to leverage this foothold to harvest high-privilege credentials and pivot to the Domain Controller.

[CURRENT ASSETS]:
User: clee (COMPROMISED)
Pass: !!XzUfrog69
Access: Local Admin @ CLIENT-2 (10.0.2.9)
  • [>] Credential Harvesting: Dump LSASS and SAM on CLIENT-2 to find new identities.
  • [>] Privilege Escalation: Identify and exploit paths to Domain Admin.
  • [>] Lateral Movement: Pivot from the workstation to the Domain Controller (DC01).

:: RECONNAISSANCE & WEAPONIZATION

Before we can move laterally, we must secure full control over our current foothold. A PowerUp scan identified a critical vulnerability in a third-party service: ElevationService (Wondershare Dr.Fone). The first step is to verify the root cause by inspecting the Access Control Lists (ACLs).

:: VULNERABILITY CONFIRMATION [T1574.010] Tool: icacls

Objective: Verify file permissions on the service binary.

[SCREENSHOT]: Checking file permissions with icacls
[ANALYSIS]: The icacls output confirms that the 'Everyone' group holds Full Control (F) permissions over the service binary. This is a critical misconfiguration allowing any user to overwrite the executable.

:: PAYLOAD GENERATION [T1059] Tool: msfvenom

Objective: Create a malicious reverse shell binary to replace the legitimate service.

[SCREENSHOT]: Creating payload with msfvenom
[WEAPONIZATION]: Generated a Windows x64 reverse TCP shell configured to connect back to our Kali machine on port 443 (HTTPS) to blend in with legitimate traffic.

:: EXPLOITATION: SERVICE HIJACKING

With the payload ready, we proceed to exploit the weak permissions. Since we cannot stop the service directly without admin rights, we will rename the running binary and place our trap.

:: BINARY REPLACEMENT [T1574.010] TRAP SET

Objective: Swap the legitimate ElevationService.exe with our malicious shell.exe.

[SCREENSHOT]: RDP context view | Replacing the service binary
[EXPLOIT]: Using RDP for visual confirmation and PowerShell for execution, we successfully moved the original binary to .bak and copied our payload into place. The trap is now set to trigger on the next system reboot.

:: PRIVILEGE ESCALATION [T1068] SYSTEM SHELL

Objective: Catch the reverse shell upon system reboot.

[SCREENSHOT]: Catching the reverse shell | Verifying SYSTEM access | Detailed privilege view
[SUCCESS]: The system rebooted, the service started, and our payload executed. We have successfully elevated privileges from local user to NT AUTHORITY\SYSTEM with SID S-1-5-18.

:: POST-EXPLOITATION: CREDENTIAL HARVESTING

Now operating as SYSTEM, we have unrestricted access to the machine's memory and secrets. We deploy Mimikatz to harvest credentials that will allow us to pivot to other machines in the network.

:: TOKEN MANIPULATION [T1134] Mimikatz

Objective: Impersonate the SYSTEM token to ensure full control over LSASS.

[SCREENSHOT]: Starting Mimikatz | Mimikatz token elevation
[TRADE]: We loaded the binary directly into memory. Using token::elevate lets Mimikatz interact with protected system processes without access violations.

:: LSA PATCHING ATTEMPT [T1003.001] BLOCKED

Objective: Attempt to patch LSASS memory to retrieve cleartext credentials.

[SCREENSHOT]: LSA patch failure
[DEFENSE]: Access Denied (0x5). This indicates LSA Protection (RunAsPPL) is likely enabled, preventing direct memory patching. We must pivot to alternative extraction methods.

:: SAM DATABASE DUMP [T1003.002] NTLM HASHES

Objective: Extract local NTLM hashes from the Security Account Manager (SAM) database via Registry.

[SCREENSHOT]: Dumping SAM keys | Dumping SAM hashes
[INTEL]: Successfully recovered NTLM hashes for local users, including the built-in Administrator (RID 500) and user David. These hashes can be used for Pass-the-Hash attacks.

:: LSA SECRETS EXFILTRATION [T1003.004] CRITICAL FIND

Objective: Dump LSA Secrets to find cached credentials and machine keys.

[SCREENSHOT]: Mimikatz LSA Secrets dump
[JACKPOT]: Deep inspection revealed a cleartext DefaultPassword (Password112233!), machine Kerberos keys, and cached (DCC2) credentials.

:: PERSISTENCE & NETWORK PIVOT

With credentials secured, we establish persistence and verify our administrative reach across the network using NetExec.

:: PERSISTENCE ESTABLISHED [T1098] Local Admin

Objective: Add the compromised user clee to the local Administrators group for permanent access.

[BACKDOOR]: We successfully added clee to the Administrators group directly from our SYSTEM shell.
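Added example for the defender's side of this step, not code from the original write-up: a PowerShell query over the Security log that lists members added to the local Administrators group (event 4732, ATT&CK T1098). It assumes auditing of Security Group Management is enabled on the host and that the caller can read the Security log; the function name is my own.

```powershell
# Added detection query, not part of the original write-up. Lists additions to
# the local Administrators group (Security event 4732, ATT&CK T1098) from the
# last N days. The persistence step above was run from a SYSTEM shell, so the
# acting account is the computer account (SubjectUserName ending in "$"), which
# is the field worth alerting on. Requires rights to read the Security log.
function Get-LocalAdminAdditions([int]$Days = 7) {
    $filter = @{ LogName = 'Security'; Id = 4732; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Pull the EventData fields out of the event XML into a name -> value map.
        $d = @{}
        foreach ($n in ([xml]$evt.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
        if ($d['TargetSid'] -ne 'S-1-5-32-544') { continue }
        # 4732 usually logs only the member's SID; translate it to an account name.
        try { $member = ([System.Security.Principal.SecurityIdentifier]$d['MemberSid']).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $member = $d['MemberSid'] }
        [pscustomobject]@{
            Time       = $evt.TimeCreated
            Member     = $member
            AddedBy    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            FromSystem = [bool]($d['SubjectUserName'] -like '*$')
        }
    }
}
Get-LocalAdminAdditions -Days 7 | Format-Table -AutoSize
```

A row with FromSystem set to True and a Member that is an ordinary domain user is the pattern this phase produced; legitimate additions normally come from an administrator's interactive session or a management tool account.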

:: LATERAL MOVEMENT VERIFICATION [T1021.002] PWN3D!

Objective: Verify administrative access remotely using NetExec with corrected credentials.

[SCREENSHOT]: NetExec Pwn3d status
[DOMINANCE]: The (Pwn3d!) flag confirms full administrative control over CLIENT-2 via SMB.

:: AUTOMATED EXFILTRATION [T1003] NetExec

Objective: Use our new access to remotely dump SAM and LSA secrets to validate findings.

[SCREENSHOT]: Remote SAM dump | Remote LSA dump
[LOOT]: Verified capture of DCC2 hashes for user mross and the machine keys via remote execution.

:: REMOTE EXECUTION [T1569.002] NT AUTHORITY\SYSTEM

Objective: Execute arbitrary commands remotely as SYSTEM.

[SCREENSHOT]: Remote execution as SYSTEM
[COMPLETE]: Remote code execution confirmed. We have successfully pivoted from a standard user foothold to full remote system authority.

:: PHASE III CONCLUSION

We close this phase by cracking the final piece of the puzzle: the cached credentials found in LSA secrets.

:: OFFLINE CRACKING [T1110] John the Ripper

Objective: Crack the MSCache2 (DCC2) hash for user mross found in LSA secrets.

[SCREENSHOT]: Cracking mross password
[RESULT]: Successfully cracked the hash.
User: mross
Password: !!TWIZtid11

:: DEFENSIVE RECOMMENDATIONS BLUE TEAMING

Objective: Mitigate Service Hijacking and prevent Credential Dumping & Lateral Movement.

  • 1. Restrict Service Binary Permissions:
    Audit file system ACLs (Access Control Lists). Ensure that non-administrative groups (e.g., Everyone, Authenticated Users) do not have Write or Full Control permissions on service executables to prevent binary replacement attacks.
  • 2. Enable LSA Protection (RunAsPPL):
    Configure the RunAsPPL registry key to restrict the LSA process. This prevents non-protected processes (like Mimikatz) from injecting code into LSASS and dumping cleartext credentials or hashes from memory.
  • 3. Deploy LAPS (Local Admin Password Solution):
    Implement LAPS to automatically randomize and rotate the local Administrator password on every workstation. This prevents Pass-the-Hash attacks where an attacker reuses a compromised local admin hash to pivot laterally across the network.
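Added audit script, not part of the original write-up, covering the icacls finding on ElevationService, the rename-and-replace trick used in the exploitation section, and recommendations 1 and 2 above. It assumes it is run from an elevated PowerShell prompt on the workstation being audited; service names and paths are read live from the host, and the helper function name is my own.

```powershell
# Added audit script, not part of the original write-up. Run from an elevated
# PowerShell prompt on the workstation being audited. It reports:
#  1. service executables that Everyone / Users / Authenticated Users can modify,
#  2. service executables with a missing or invalid Authenticode signature, and
#     any same-named .bak copy beside them (what a rename-and-replace leaves behind),
#  3. whether LSA Protection (RunAsPPL) is enabled.

$WeakPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
# Any of these rights lets a principal replace, rename or re-ACL the executable.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, TakeOwnership, ChangePermissions'

function Get-ServiceBinaryPath([string]$PathName) {
    # Win32_Service.PathName is either "C:\quoted path\svc.exe" args or C:\unquoted\svc.exe args
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) { return $PathName.Split('"')[1] }
    $m = [regex]::Match($PathName, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value } else { return $PathName.Trim() }
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $bin = Get-ServiceBinaryPath $svc.PathName
    if (-not $bin -or -not (Test-Path -LiteralPath $bin)) { continue }

    # 1. ACL check: Allow ACEs granting write-class rights to low-privilege groups.
    $acl = Get-Acl -LiteralPath $bin -ErrorAction SilentlyContinue
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $WeakPrincipals -contains $ace.IdentityReference.Value -and
            (([int]$ace.FileSystemRights -band $WriteMask) -ne 0)) {
            [pscustomobject]@{ Service = $svc.Name; Issue = 'WeakAcl'; Binary = $bin
                               Detail = "$($ace.IdentityReference.Value): $($ace.FileSystemRights)" }
        }
    }

    # 2. Signature check plus the .bak sibling a rename-and-replace leaves behind.
    $sig = Get-AuthenticodeSignature -FilePath $bin
    $bak = (Test-Path -LiteralPath "$bin.bak") -or (Test-Path -LiteralPath ([IO.Path]::ChangeExtension($bin, '.bak')))
    if ($sig.Status -ne 'Valid' -or $bak) {
        [pscustomobject]@{ Service = $svc.Name; Issue = 'SuspectBinary'; Binary = $bin
                           Detail = "Signature=$($sig.Status); BakSibling=$bak" }
    }
}
$findings | Sort-Object Issue, Service | Format-Table -AutoSize -Wrap

# 3. LSA Protection: a non-zero RunAsPPL makes lsass.exe a protected process (PPL).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -ErrorAction SilentlyContinue
if ($lsa -and $lsa.RunAsPPL -ne 0) { "LSA Protection enabled (RunAsPPL=$($lsa.RunAsPPL))" }
else { "LSA Protection NOT enabled: set RunAsPPL (REG_DWORD) = 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and reboot" }
```

Unsigned third-party services are common and will show as SuspectBinary on their own; a WeakAcl row, or a SuspectBinary row with BakSibling=True, is the combination that matches the service-hijacking path this phase used.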

:: OPERATION ROADMAP STATUS: UPDATED 29.12.2025

[COMPLETE] Phase I: Infrastructure Deployment
[COMPLETE] Phase II: Foothold & Enumeration
[COMPLETE] Phase III: Lateral Movement
Objective Achieved: Local Privilege Escalation & Credential Harvesting.
> Service Hijacking | Mimikatz | LSA Secrets | Persistence

[ACTIVE] Phase IV: Domain Dominance (Target: Domain Controller...)

:: MISSION UPDATE INCOMING NEXT STAGE COOKING
PREPARING PHASE IV

ASSETS ACQUIRED: mross, David, DefaultPassword...

All rights reserved. Any use of my content is strictly prohibited!