11 - LO11
Learning Object 11
Last updated
1 - Use Domain Admin privileges obtained earlier to abuse the DSRM credential for persistence
Flag 20 [dcorp-dc] - Name of the Registry key modified to change Logon behavior of DSRM administrator 🚩
To obtain persistence with administrative access to the DC, we need Domain Admin privileges, which we then use to abuse the DSRM administrator account:
As usual, in the newly spawned shell we need to run the following commands to copy Loader.exe to the DC and extract credentials from the SAM hive:
The DSRM administrator is not allowed to log on to the DC over the network, so we need to change the logon behavior for the account by modifying the registry on the DC. We can do this as follows:
Now on the student VM, we can use Pass-The-Hash (not OverPass-The-Hash) for the DSRM administrator:
From the new process, we can now access dcorp-dc. In this case we are using PowerShell Remoting with the IP address and Authentication: 'NegotiateWithImplicitCredential', since we are using NTLM authentication. It is therefore necessary to modify TrustedHosts on the student VM by running the command below from an elevated PowerShell session:
Now, run the commands below to access the DC:
Based on the last command, the registry key modified to change the logon behavior of the DSRM administrator is: XXXXXXXXXXXBehavior.