sn🥶vvcr💥sh Profile picture
Sr. Penetration Tester / Red Team Operator @ptswarm :: Author of Pentester’s Promiscuous Notebook (PPN) :: He/him :: Tweets’re my pwn 🐣

Nov 24, 2022, 9 tweets

🧵 (1/x) I know you love #pentest stories, so here’s one of those ⬇️

There’s a non-DC computer (Victim) that is a member of the Exchange Trusted Subsytem group and has DCSync privs. The WebClient is ON but the MAQ=0 and domain functional level is 2012 R2 which prevents us ⤵️

(2/x) from abusing Key Credentials. Relaying to AD CS HTTP is not possible either. Here’s when I decided to go for SPN-less RBCD (credits to @tiraniddo) on a prod domain 🤦🏻‍♂️

But first let’s add a DNS record pointing to the attacker’s machine to coerce Victim over WebDav ⤵️

(3/x) Now it’s all ready to go: Printer Bug + ntlmrelayx[.]py and we’re escalating a low privilege user (j.doe) to be trusted for delegation by Victim ⤵️

(4/x) Now we want to request and parse the TGT for j.doe hunting for the ticket’s session key ⤵️

(5/x) At this point all we’ve to do is to set j.doe’s long term RC4 key (NT hash actually) to the value of TGT session key saved earlier ⤵️

tiraniddo.dev/2022/05/exploi…

(6/x) After that some S4U2self+U2U magic brought to #impacket by @_nwodtuhs and now the DC can successfully complete the S4U2proxy phase to give us an ST! ⤵️

thehacker.recipes/ad/movement/ke…

(7/x) Having got a valid ST we can impersonate a privileged user and secretsdump SAM & LSA on Victim looking for the appropriate NT hash ⤵️

(8/x) And finally DCSync ➡️ Overpass-the-Key ➡️ wmiexec[.]py on the DC 😤

P. S. As a final remark, with DA privileges I can directly inject old NT hash into NTDS.dit, thus bypassing password history policy in the domain and revert j.doe’s broken password.

Oops, a typo on the bottom pane - it’s VICTIM[.]corp[.]local when doing Printer Bug, of course, not DC01.

Share this Scrolly Tale with your friends.

A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.

Keep scrolling