init

Frida is a reverse engineering framework which can be used to

installed apps

The below command will let you view applications which are on the virtual mobile device.

$ frida-ps -Uai
 PID  Name           Identifier                
----  -------------  --------------------------
3054  Calendar       com.android.calendar      
2463  Clock          com.android.deskclock     
3141  Email          com.android.email         
3175  Gallery        com.android.gallery3d     
3554  Hello App      com.example.helloapp      
3198  Messaging      com.android.messaging     
2547  Phone          com.android.dialer        
2299  Settings       com.android.settings      
3372  WebView Shell  org.chromium.webview_shell
   -  Calculator     com.android.calculator2   
   -  Camera         com.android.camera2       
   -  Contacts       com.android.contacts      
   -  Files          com.android.documentsui   
   -  Music          com.android.music         
   -  Search         com.android.quicksearchbox

run script

The below command will run the script on the application.

I was faced with a difficult situation where I had to find a why a SentinelOne agent will not communicate with the management portal for some reason. I ran the troubleshooting script which generated many files and among them there was a packet captured file as we can see below:

We can use the etl2pcapng.exe to convert the log files into the pcap file. The executable for the application is in the reference section

init

When we have reverse shell from that shell we need to create a user so that we can access the domain as domain admin. However, sometimes you might have only hash of that user but unable to login locally.

In such situation, it could be beneficial to create a AD Domain user and work on it

To create the user

PS C:\users\robb.stark\Desktop> New-ADUser adm1n
New-ADUser adm1n

To check if the user has been successfully created.

Dig deeper into the PowerShell base64 encoder

Grab hash using responder.py tool