Latest Write-ups

Mythic C2 - Full Active Directory Attack Chain

Mythic C2 Framework - Complete Active Directory Attack Chain

Full demonstration of using the Mythic C2 framework to execute a complete Active Directory attack chain, from initial access to domain compromise.

What is Mythic?
Mythic is a collaborative, multi-platform Command & Control (C2) framework designed for red team operations. It provides a web-based interface for managing agents, tracking operations, and executing complex attack chains across enterprise environments.

Attack Chain Overview
This tutorial demonstrates a complete Active Directory compromise using Mythic C2:


HackTheBox - Soulmate

Enumeration
Starting with a service scan:
sudo nmap -sV 10.129.66.245 -oN firstscan.txt

Key Findings
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13
80/tcp open http nginx 1.18.0 (Ubuntu)

Only two ports open - SSH and HTTP. Let’s focus on the web service.

Web Enumeration
The website appears to be a dating platform allowing users to create accounts and upload images.

Initial Testing
Attempted to upload a PHP reverse shell disguised as an image, but discovered:


Sliver C2 Framework - Complete Tutorial

Sliver C2 Framework Tutorial
Complete walkthrough of the Sliver Command & Control framework for red team operations and penetration testing.

What is Sliver?
Sliver is an open-source Command & Control (C2) framework developed by BishopFox for red team operations and adversary simulations. It provides a robust platform for post-exploitation activities with strong operational security features.

Topics Covered
Installation & Setup: Getting Sliver up and running
Implant Generation: Creating Windows, Linux, and macOS payloads
Command & Control: Establishing and managing sessions
Post-Exploitation: Credential harvesting, lateral movement, persistence
Evasion Techniques: AV bypass, process injection, obfuscation
Operational Security: OPSEC considerations for real-world engagements

Why Sliver?


HackTheBox - Escape

Enumeration
Starting with a comprehensive nmap scan to discover all open ports and services:
sudo nmap -sS -sC -A 10.10.11.202 -T4 -oN first.scan -p- -Pn

Key Findings
The scan reveals a Windows Domain Controller running multiple services:
Port 53: DNS
Port 88: Kerberos
Port 389/636: LDAP (Domain: sequel.htb)
Port 445: SMB
Port 1433: Microsoft SQL Server 2019
Port 5985: WinRM
Domain identified: sequel.htb with hostname dc.sequel.htb

SMB Enumeration
Checking SMB shares as a guest user:


HackTheBox - Mailing

Enumeration
Starting with a comprehensive nmap scan:
sudo nmap -sS -sC -A 10.10.11.14 -T4 -oN first.scan -p-

Key Findings
The scan reveals a Windows server running hMailServer with multiple mail-related services:
Port 25/587: SMTP (hMailServer)
Port 80: HTTP (Microsoft IIS 10.0) - redirects to mailing.htb
Port 110: POP3 (hMailServer)
Port 143/993: IMAP (hMailServer)
Port 445: SMB
Port 465: SSL/SMTP
Port 5985: WinRM
Domain identified: mailing.htb

Web Enumeration
Local File Inclusion Discovery
When downloading a PDF from the website, the URL structure reveals a potential LFI vulnerability:
