In this post, I would like to share another method we use to obtain a root shell on the Flight machine: converting a Kerberos ticket with impacket-ticketconverter.
The impacket scripts can be downloaded from this page.
A demonstration of using impacket-ticketconverter to obtain a root shell on the Flight machine
From the privilege listing shown in the screenshot above, we notice that SeImpersonatePrivilege is enabled.
Firstly, we need to retrieve a reverse shell connection as iis apppool\defaultapppool, as shown in the screenshot above. If you are curious about how to obtain this shell, take a look at the full writeup.
The only difference from the full writeup is that here we will be using Rubeus, which we need to upload to the machine itself. Once the upload is complete, we can run it by typing the command “.\Rubeus.exe tgtdeleg /nowrap“
For this phase, we convert the ticket from kirbi format into ccache format using impacket-ticketconverter. We know the conversion succeeded when we see the message shown.
As usual, we can normally export the KRB5CCNAME as shown above.
I also will be using the secretdump from impacket because my Python version is having issues.
However, we receive an error saying “Clock skew too great”, but luckily I know how to solve this issue.
Kerberos rejects requests when the client clock differs from the KDC clock by more than the configured tolerance, so we need to synchronise the date and time by running ntpdate against the domain controller.
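To make the “Clock skew too great” error concrete, here is an added example (not part of the original writeup, and not an impacket or Rubeus feature) that parses Kerberos GeneralizedTime timestamps, measures the offset between a client clock and a KDC clock, and reports whether the offset is within the default five-minute tolerance that Active Directory applies. The timestamps, the hypothetical KDC name and the tolerance constant are constructed for illustration; on a real host, the fix is the clock synchronisation step described above.

```python
from datetime import datetime, timedelta, timezone

# Default maximum clock skew tolerated by a Kerberos KDC (Active Directory default: 5 minutes).
MAX_SKEW = timedelta(minutes=5)


def parse_krb_time(value: str) -> datetime:
    """Parse a Kerberos GeneralizedTime string such as '20231105143000Z' into an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def clock_skew(local: datetime, kdc: datetime) -> timedelta:
    """Absolute difference between the client clock and the KDC clock."""
    return abs(local - kdc)


def check_skew(local_time: str, kdc_time: str, tolerance: timedelta = MAX_SKEW) -> dict:
    """Compare two GeneralizedTime strings and describe whether Kerberos would accept the request.

    Returns a dict with the skew in whole seconds, whether it is within tolerance,
    and the remediation a client would need (synchronise the clock) when it is not.
    """
    skew = clock_skew(parse_krb_time(local_time), parse_krb_time(kdc_time))
    within = skew <= tolerance
    return {
        "skew_seconds": int(skew.total_seconds()),
        "within_tolerance": within,
        # Mirrors the KRB_AP_ERR_SKEW condition that surfaces as "Clock skew too great".
        "kerberos_error": None if within else "Clock skew too great",
        "action": "none" if within else "synchronise client clock with the KDC (e.g. ntpdate)",
    }


if __name__ == "__main__":
    # Constructed sample values: a client that is 35 minutes behind a hypothetical DC "dc01.example.test".
    client_clock = "20231105143000Z"
    kdc_clock = "20231105150500Z"
    print(check_skew(client_clock, kdc_clock))

    # Constructed sample values: a client that is only 2 minutes behind, which Kerberos tolerates.
    print(check_skew("20231105150300Z", kdc_clock))
```

The check is symmetric: a client that is ahead of the KDC by more than the tolerance is rejected just the same as one that is behind, which is why the example uses the absolute difference.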
Finally, we managed to get the command working as I expected.
We obtained the Administrator’s hashes using the secretsdump script.
At last, we can see that SMB reports Pwn3d on the machine.
Therefore, let’s execute the psexec command shown above to obtain the root shell.