1 - Modify security descriptors on dcorp-dc to get access using PowerShell remoting and WMI without requiring administrator access
2 - Retrieve machine account hash from dcorp-dc without using administrator access and use that to execute a Silver Ticket attack to get code execution with WMI
Flag 22 [dcorp-dc] - SDDL string that provides studentx same permissions as BA on root\cimv2 WMI namespace. Flag value is the permissions string from (A;CI;Permissions String;;;SID) 🚩
Solutions
1 - Modify security descriptors on dcorp-dc to get access using PowerShell remoting and WMI without requiring administrator access
Recall that once we have administrative privileges on a machine, we can modify the security descriptors of its services so that those services can later be accessed without administrative privileges.
So, as Domain Administrator, run the following commands (using the RACE toolkit) to modify the host security descriptors for WMI on the DC so that student867 is allowed access to WMI:
2 - Retrieve machine account hash from dcorp-dc without using administrator access and use that to execute a Silver Ticket attack to get code execution with WMI
We have already injected a Silver Ticket in previous tasks, so we can test
Flag 22 [dcorp-dc] - SDDL string that provides studentx same permissions as BA on root\cimv2 WMI namespace. Flag value is the permissions string from (A;CI;Permissions String;;;SID) 🚩
whoami /user
This is our SID: S-1-5-21-719815819-3726368948-3917688648-20607
The flag is the permissions string from (A;CI;Permissions String;;;SID): CCDCLXXXXXXXXXXX
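A defender-side check for the SDDL format this flag is built on, added here as an example (not code from the write-up or from the RACE toolkit): it splits a WMI namespace security descriptor into ACEs, decodes each rights field (two-letter codes or a hex mask) into the WMI namespace rights those bits mean, and reports every Allow ACE whose principal is not one of the default principals, highlighting rights that permit remote method execution or rewriting the namespace ACL. The sample SDDL is constructed; the first extra SID is the student SID shown above, the second is a placeholder.

```python
import re

# Map each SDDL rights bit to the WMI namespace right that occupies the same bit position
# (documented WBEM_* values; the SDDL two-letter code for that bit is in the comment).
WMI_RIGHTS = {
    0x00001: "WBEM_ENABLE",             # CC
    0x00002: "WBEM_METHOD_EXECUTE",     # DC
    0x00004: "WBEM_FULL_WRITE_REP",     # LC
    0x00008: "WBEM_PARTIAL_WRITE_REP",  # SW
    0x00010: "WBEM_WRITE_PROVIDER",     # RP
    0x00020: "WBEM_REMOTE_ACCESS",      # WP
    0x00040: "WBEM_RIGHT_SUBSCRIBE",    # DT
    0x00080: "WBEM_RIGHT_PUBLISH",      # LO
    0x20000: "READ_CONTROL",            # RC
    0x40000: "WRITE_DAC",               # WD
}
SDDL_CODES = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20, "DT": 0x40,
              "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000}
# Principals Windows grants access on root\cimv2 by default; any other SID needs review.
BASELINE_SIDS = {"BA", "SY", "NS", "LS", "AU"}
# Rights that allow remote method execution or rewriting the namespace ACL.
HIGH_RISK = {"WBEM_REMOTE_ACCESS", "WBEM_FULL_WRITE_REP", "WRITE_DAC"}
# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);[^;]*;[^;]*;([^)]*)\)")

def parse_rights(rights):
    """Decode an SDDL rights field (hex mask or concatenated two-letter codes) to an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError(f"malformed rights field: {rights!r}")
    return sum(SDDL_CODES[rights[i:i + 2]] for i in range(0, len(rights), 2))

def audit_wmi_sddl(sddl):
    """Return every Allow ACE granted to a principal outside the default baseline, rights decoded."""
    findings = []
    for ace_type, flags, rights, sid in ACE_RE.findall(sddl):
        if ace_type != "A" or sid in BASELINE_SIDS:
            continue
        mask = parse_rights(rights)
        names = sorted(n for bit, n in WMI_RIGHTS.items() if mask & bit)
        findings.append({"sid": sid, "inherit": "CI" in flags, "rights": names,
                         "high_risk": sorted(HIGH_RISK & set(names))})
    return findings

# Constructed sample: default AU/NS/LS ACEs plus two added ACEs (student SID from the write-up,
# then a placeholder SID whose rights are written as a hex mask).
SAMPLE_SDDL = ("O:BAG:BAD:(A;CI;CCDCRP;;;AU)(A;CI;CCDCRP;;;NS)(A;CI;CCDCRP;;;LS)"
               "(A;CI;CCDCRPWP;;;S-1-5-21-719815819-3726368948-3917688648-20607)"
               "(A;;0x60003;;;S-1-5-21-0-0-0-1234)")
```

Run `audit_wmi_sddl` over the SDDL exported from a namespace's `__SystemSecurity` object to list exactly which non-default SIDs can reach the namespace and with which rights.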