⛑️Modify security descriptors on DC & modify host security descriptors for WMI
Once we have administrative privileges on a machine, we can modify the security descriptors of its services so that a chosen user can later access those services without administrative privileges. The following command modifies the host security descriptors for WMI on the DC to allow studentx access to WMI:
WMI provides powerful administrative capabilities, such as querying system information, modifying system configurations, and executing scripts remotely. Granting studentx access to WMI on a DC therefore effectively elevates that user's privileges.
First, we need to spawn a domain admin shell ->
Use ArgSplit to encode "asktgt":
and then:
We can now run everything we need:
Now, we can execute WMI queries on the DC as studentx:
gwmi -class win32_operatingsystem -ComputerName dcorp-dc
gwmi: This is an alias for the Get-WmiObject cmdlet in PowerShell. Get-WmiObject is used to retrieve management information from local and remote computers using Windows Management Instrumentation (WMI).
-class win32_operatingsystem: This specifies the WMI class you are querying. The win32_operatingsystem class contains properties and methods related to the operating system of a computer, such as its version, name, manufacturer, configuration, and more.
-ComputerName dcorp-dc: This specifies the target computer you want to query. dcorp-dc is the name of the remote computer from which you are retrieving the operating system information.
In summary, this command retrieves detailed information about the operating system from a computer named dcorp-dc using WMI.
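From the defender's side, the change described above is visible in the namespace's own security descriptor: reading it back and listing every trustee that is not part of the stock DACL exposes the added principal. The PowerShell script below is an added example, not code from the original notes or from any course tooling. The computer name, the namespace, and the list of expected default trustees are assumptions; adapt them to your own baseline.

```powershell
# Added example, not part of the original notes: audit the DACL of a WMI
# namespace on a remote host and flag trustees that are not on the stock DACL.
# Assumptions: $ComputerName and $Namespace are supplied by the caller (the
# defaults below are placeholders) and $DefaultTrustees reflects the stock
# Windows DACL for root\cimv2; adjust it to your own baseline.
param(
    [string]$ComputerName = 'dcorp-dc',
    [string]$Namespace    = 'root\cimv2'
)

# WMI namespace access-mask bits (WBEM_* security flags plus READ_CONTROL/WRITE_DAC)
$WmiRights = @{
    0x00001 = 'EnableAccount'
    0x00002 = 'MethodExecute'
    0x00004 = 'FullWrite'
    0x00008 = 'PartialWrite'
    0x00010 = 'ProviderWrite'
    0x00020 = 'RemoteEnable'
    0x20000 = 'ReadSecurity'
    0x40000 = 'EditSecurity'
}

# Trustees present on an untouched root\cimv2 DACL (assumed baseline)
$DefaultTrustees = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\NETWORK SERVICE',
    'NT AUTHORITY\LOCAL SERVICE',
    'NT AUTHORITY\Authenticated Users'
)

# The __SystemSecurity singleton exposes the namespace descriptor
$call = Invoke-WmiMethod -ComputerName $ComputerName -Namespace $Namespace `
    -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
if ($call.ReturnValue -ne 0) {
    throw "GetSecurityDescriptor on $ComputerName\$Namespace failed with code $($call.ReturnValue)"
}

foreach ($ace in $call.Descriptor.DACL) {
    $trustee = if ($ace.Trustee.Domain) {
        '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
    } else {
        $ace.Trustee.Name
    }
    # Decode the access mask into the named rights it grants
    $rights = foreach ($bit in ($WmiRights.Keys | Sort-Object)) {
        if ($ace.AccessMask -band $bit) { $WmiRights[$bit] }
    }
    $isDefault = $DefaultTrustees -contains $trustee
    [pscustomobject]@{
        Computer   = $ComputerName
        Namespace  = $Namespace
        Trustee    = $trustee
        SID        = $ace.Trustee.SIDString
        AceType    = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
        Rights     = $rights -join ', '
        Inherited  = [bool]($ace.AceFlags -band 0x10)   # INHERITED_ACE
        # A non-default trustee allowed RemoteEnable is exactly what the
        # modification described on this page leaves behind
        Suspicious = (-not $isDefault) -and ($ace.AceType -eq 0) -and
                     [bool]($ace.AccessMask -band 0x20)
    }
}
```

Run it with the DC name and compare the rows marked Suspicious against your change records; a user or group that was never meant to manage the host appearing with RemoteEnable and MethodExecute on root\cimv2 is the finding to act on. Because the technique targets the DC, running the same audit on a schedule across all DCs and diffing the output is more useful than a one-off check.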
A similar modification can be made to the PowerShell remoting configuration. (In rare cases, you may get an I/O error while using the command below; ignore it.) Note that this has been unstable since some patches in August 2020:
Now, we can run commands on the DC using PowerShell remoting without DA privileges:
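The remoting change can be audited in the same spirit: each session configuration carries its own permission list, and the WinRM service has a root SDDL that gates every endpoint. The script below is an added example, not from the original notes; it assumes an elevated PowerShell session on the host being checked (Get-PSSessionConfiguration requires one) and that $DefaultTrustees reflects the stock endpoint permissions, which you should adjust to your own baseline.

```powershell
# Added example, not from the original notes. Assumes an elevated PowerShell
# session on the host being checked and that $DefaultTrustees reflects the
# stock endpoint permissions; adjust it to your own baseline.
$DefaultTrustees = @(
    'BUILTIN\Administrators',
    'BUILTIN\Remote Management Users',
    'NT AUTHORITY\INTERACTIVE'           # present on some built-in endpoints
)

function Get-RemotingEndpointAudit {
    foreach ($config in Get-PSSessionConfiguration) {
        # Permission is a string such as
        # "BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed"
        foreach ($entry in ($config.Permission -split ',\s*')) {
            if ($entry -match '^(?<who>.+?)\s+(?<type>AccessAllowed|AccessDenied)$') {
                [pscustomobject]@{
                    Endpoint   = $config.Name
                    Trustee    = $Matches.who
                    Access     = $Matches.type
                    # An extra AccessAllowed trustee is the footprint of the
                    # configuration change described on this page
                    Suspicious = ($Matches.type -eq 'AccessAllowed') -and
                                 ($DefaultTrustees -notcontains $Matches.who)
                }
            }
        }
    }
}

# The service-wide SDDL applies to every endpoint, so record it alongside
function Get-WinRmRootSddl {
    (Get-Item -Path 'WSMan:\localhost\Service\RootSDDL').Value
}

Get-RemotingEndpointAudit | Format-Table -AutoSize
Get-WinRmRootSddl
```

Keep the RootSDDL string from a known-good build and compare it on each run; the endpoint table tells you which session configuration was altered, while a changed root SDDL indicates the whole WinRM service was opened up.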
Now we want to retrieve the machine account hash without DA. First, we need to modify permissions on the DC ->
Now, we can retrieve the hash as student613:
We can now use the machine account hash to create Silver Tickets. Create Silver Tickets for the HOST and RPCSS services using the machine account hash in order to execute WMI queries ->
RPCSS:
HOST:
Proof that the two tickets are cached, using klist:
And we are now able to run WMI queries on the dcorp-dc computer ->