Suppose you are Internal Assessment and got Local Admin on one of the box in the network. And you know Domain Admin privileged user logged-into or took RDP of compromised host somedays back.
So next choice of any pentester would be as follows
- Dumping Lsass process and extracts hashes/creds
- Using Procdump and Psexec
- Using Incognito
- Using Crackmapexec
But what if we achieve same without dropping any new EXE to compromised host and generating less noise on network.
Domain : hackable.com
Compromised Host : Client-01.hackable.com
Domain Controller : DC.hackable.com
Users : victim-1 (Domain User), pc (Domain Admin user)
So below screenshot shows Client-01 with user victim-1 logged-in, who also belongs to local admin on the system. (Normal Domain user to Local Admin on system can be achieved by various ways)
Now query who all are remotely connected to the compromised host and we find victim-1 is remotely connected to the host right now and pc (Domain Admin) connected to host some time back.(Session is disconnected)
Now victim-1 (local admin) needs to hijack the session of pc user. For this we can use TSCON binary on the system. Lets create a service which will hijack Domain Admins disconnected session. For this we require Session ID you want to hijack and your own SESSIONNAME. In our case value of Session ID is 2 and SESSIONNAME is console.
Post entering net start hijack victim-1 session would be replaced by pc user session. We got into Domain Admin users RDP session without dropping extra tool to box.
Happy Hacking !!