


The pass the hash technique is not new, and it was mostly used for lateral movement on the network in situations where the administrator password hash could not be cracked because of complexity or assessment time constraints. However, performing pass the hash with machine accounts instead of local administrator accounts is not very common, even though it was described in an article by Adam Chester years ago and can be used in situations where the host is a member of an elevated group such as the domain admins.

Therefore, not following the least privilege principle for machine accounts across the domain could be leveraged during red team operations for domain escalation if local administrator access has been obtained on the host and the computer is a member of the “Domain Admins” group. This is achieved by using the machine account of the host to access the elevated resource (domain controller or any other host) with the pass the hash technique.

Identifying which groups the host belongs to is trivial by executing the following command from a PowerShell session:

Get-ADComputer -Filter * -Properties MemberOf | ? {$_.MemberOf}

From the output it is visible that the “HIVE” computer is part of the “Domain Admins” group.

An alternative way is to query elevated groups in order to identify machine accounts which are members of those groups.

net group "domain admins" /domain

From the perspective of Active Directory, this is visible by looking at the Properties of the computer on the Member Of tab.
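The same membership check can be run as a recurring audit so that machine accounts in elevated groups are found and removed before they can be abused. The script below is an added example, not part of the original article; the list of audited groups and the function name Get-PrivilegedComputerAccount are assumptions, and it requires the ActiveDirectory PowerShell module.

```powershell
# Added example: report computer (machine) accounts that are members of
# elevated groups, directly or through nested groups.
Import-Module ActiveDirectory

# Assumption: illustrative list of groups to audit; extend it for your domain.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# Hypothetical helper name, not a built-in cmdlet.
function Get-PrivilegedComputerAccount {
    param([Parameter(Mandatory)][string[]]$GroupName)

    foreach ($name in $GroupName) {
        try {
            # -Recursive expands nested groups, so a computer that inherits the
            # membership through an intermediate group is reported as well.
            $members = Get-ADGroupMember -Identity $name -Recursive -ErrorAction Stop
        }
        catch {
            # For example, Enterprise Admins only exists in the forest root domain.
            Write-Warning "Could not enumerate '$name': $($_.Exception.Message)"
            continue
        }

        $members |
            Where-Object { $_.objectClass -eq 'computer' } |
            ForEach-Object {
                [pscustomobject]@{
                    Group             = $name
                    Computer          = $_.SamAccountName
                    DistinguishedName = $_.DistinguishedName
                }
            }
    }
}

$findings = @(Get-PrivilegedComputerAccount -GroupName $PrivilegedGroups)
if ($findings.Count -gt 0) {
    # Each row is a machine account whose local administrators effectively
    # hold the privileges of the listed group.
    $findings | Sort-Object Group, Computer | Format-Table -AutoSize
}
else {
    Write-Output 'No computer accounts found in the audited groups.'
}
```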

In order to leverage the privileges of the machine account for domain escalation, the pass the hash technique can be used in conjunction with Mimikatz. The NTLM hash of the machine account can be extracted using the commands below:

privilege::debug
sekurlsa::logonPasswords

Mimikatz can be used to perform the pass the hash technique for the machine account to elevate access to domain admin.

sekurlsa::pth /user:HIVE$ /domain:pink.lab /ntlm:3405ab3646a3569f393327eeca53f3b2

From the new command prompt that is opened by Mimikatz, resources on the domain controller are accessible, which validates that the domain escalation has been achieved.

dir \\dc.pink.lab\c$
