9 - LO9
Learning Objective 9
Tasks
1 - Try to get command execution on the domain controller by creating silver ticket for:
HTTP
WMI
Flag 18 [dcorp-dc] - The service whose Silver Ticket can be used for winrs or PowerShell Remoting 🚩
Solutions
1 - Try to get command execution on the domain controller by creating silver ticket for:
From the last task we already have the NTLM hash of the domain controller's machine account (dcorp-dc$), which is the key that signs and encrypts service tickets for every service running on that host.

HTTP
We can create a Silver Ticket for the HTTP service on the DC, which is the SPN used by WinRM (winrs and PowerShell Remoting):

We can check that the forged service ticket is now in our logon session by running klist (or C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args klist); the output lists a ticket for
http/dcorp-dc.dollarcorp.moneycorp.local @ DOLLARCORP.MONEYCORP.LOCAL

Let's try accessing the DC using winrs. Note that we use the FQDN of dcorp-dc, because that is the SPN the ticket was forged for; connecting by short name or IP would make the client request a ticket for a different SPN from the KDC with our real (unprivileged) identity:

WMI
For accessing WMI, we need to create two tickets: one for the HOST service and another for RPCSS, since WMI over DCOM authenticates to both.
Run the following commands from an elevated shell:
Verify that the generated tickets are present:

Let's try to run WMI commands against the domain controller:

Flag 18 [dcorp-dc] - The service whose Silver Ticket can be used for winrs or PowerShell Remoting 🚩
As seen in the previous task, the XXXX service can be used for winrs or PowerShell Remoting.