Aug 5, 2022
Hey friends, wow...we're up to thirty-nine episodes of pwnage? Should we make a cake when we hit the big 4-0?! Anyway, today's TLDL is this:
If you get a nagging suspicion about something you find during enumeration, make sure to either come back to it later, or exhaust the path right away so you don't miss something! Because I did :-/
A tip that's been helping me speed along my use of CrackMapExec and other tools is using Kerberos authentication instead of typing a password or hash into every command. You can grab a TGT for your test AD account with Impacket's getTGT.py and point KRB5CCNAME at the ticket cache it writes, like so:
getTGT.py victim.domain/LowPrivUser
export KRB5CCNAME=LowPrivUser.ccache
Then most tools will pick up that ticket with a -k flag. One gotcha: target the host by name rather than IP, because the service ticket is requested for a service principal name like cifs/DC01, and an IP address won't match it:
crackmapexec smb DC01 -k
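Here is the same flow as a small wrapper, an added example that is not from the original post. It goes a step beyond the commands above by refusing an IP-address target and an unset KRB5CCNAME before CrackMapExec ever runs, since those are the two things that usually make -k fail silently. The tool names (getTGT.py, crackmapexec) and the victim.domain / DC01 names are assumptions carried over from the post; the function names are mine.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): wrap getTGT.py + crackmapexec -k
# with the checks that most often bite in practice. Tool names are assumed
# to be on PATH; target and domain names are placeholders.

# Return 0 if the argument looks like a dotted-quad IPv4 address, else 1.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    local IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Kerberos service tickets are issued for an SPN such as cifs/dc01.victim.domain,
# so a bare IP target cannot be matched to a ticket and -k will fail.
check_kerb_target() {
    local target="$1"
    if is_ipv4 "$target"; then
        echo "error: '$target' is an IP; Kerberos auth (-k) needs a hostname or FQDN" >&2
        return 1
    fi
    return 0
}

# Build (not execute) the crackmapexec command for a protocol and target, using
# the ticket cache in KRB5CCNAME. Extra arguments are passed through, so callers
# can review the line and pipe it into sh when they are happy with it.
kerb_cme_cmd() {
    local proto="$1" target="$2"
    shift 2
    check_kerb_target "$target" || return 1
    if [ -z "${KRB5CCNAME:-}" ]; then
        echo "error: KRB5CCNAME is not set; request a TGT first" >&2
        return 1
    fi
    printf 'crackmapexec %s %s -k %s\n' "$proto" "$target" "$*"
}

# Full flow: request the TGT (getTGT.py prompts for the password and writes
# <user>.ccache in the current directory), export the cache, then run CME.
# Usage: get_tgt_and_run victim.domain LowPrivUser dc01.victim.domain --shares
get_tgt_and_run() {
    local domain="$1" user="$2" target="$3"
    shift 3
    getTGT.py "$domain/$user" || return 1
    export KRB5CCNAME="$PWD/$user.ccache"
    kerb_cme_cmd smb "$target" "$@" | sh
}
```

Exporting an absolute path for KRB5CCNAME (rather than the bare file name the post uses) keeps the ticket usable after you cd elsewhere, which is the other common reason "-k" suddenly stops working mid-engagement.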
In my enumeration of this network, I used Certipy to find potential attack paths against Active Directory Certificate Services. Something cool I learned is that Certipy will spit out both a text and a JSON dump that you can import into BloodHound, then pair that data with Certipy's custom-queries JSON file for beautiful visual potential pwnage!
I ran into an issue where my certificate shenanigans resulted in a KDC_ERR_PADATA_TYPE_NOSUPP. I originally gave up on this attack path, only to learn about this awesome PassTheCert tool from this rad blog post! After initially being hesitant to use a tool I'd never heard of, I raised a GitHub issue to calm my nerves and, shortly after, found myself doing a domain admin dance.
Oh, and although I didn't use it on this specific pentest, Coercer is an awesome tool that helps you, ya know, coerce things: it pokes the RPC interfaces on a Windows host to make that host authenticate to a machine you control.