[#HackTip ⚒️] (1/3) There’re a couple of ways to become a local admin on a box when you possess only the corresponding machine account NT hash. The first one being the well known Silver ticket technique that can be performed via ticketer[.]py from #Impacket ⬇️
(2/3) But a stealthier and cleaner way of impersonating a privileged account against the target machine is to use Delegate 2 Thyself technique which abuses #S4U2self phase of #S4U with an SPN alt name. It can be achieved via the -self & -altname options of getST[.]py ⬇️
Golden 🔑 tickets are no longer in fashion, so here’s a short memo on using Diamond 💎 (@exploitph) and Sapphire (@_nwodtuhs) tickets with ticketer[.]py from #Impacket. At first let’s recap what we already know about Golden tickets ⤵️
🧵 (2/) Golden tickets are forged privileged TGTs that’re crafted completely offline. Having got krbtgt RC4 (NT hash) or AES key, a TA can specify some params (e.g., group membership, user’s RID, ticket validity period) to create and sign a fake PAC embedded inside the TGT ⤵️
🧵 (3/) Thus, the TA can provide the forged TGT to request an ST to any resource in the domain which will contain a copy of the fake PAC signed by the target service account. Since recently, we cannot use a non-existent account name as a result of CVE-2021-42287 mitigations ⤵️
🧶 (2/) First things first, I shall enumerate AD CS environment with #CrackMapExec and qwinsta the Victim machine via newly introduced tstool[.]py from #Impacket (thx @nopernik!). For the purpose of this demo I’ll use a DA account to interact with the Victim but any LA will do 👨🏻💻
🧶 (3/) I shall now prepare my team server and generate an encrypted Sliver beacon to use it with DInjector 💉
🧵 (2/x) So that now the execution hangs like follows ⏬
🧵 (3/x) But guess what, there’s another super cool tool – Coercer (by @podalirius_) – which can be used to trigger the authentication with a different API that is not affected by the ad-hoc check provided in the patch ⏬
[#HackStory 🧵] (1/4) Here’s a generic case of reaching a locked-down PC from a firewalled segment in AD. The background is: 172.16.66.6 (the target) can talk to 192.168.1.11 (a PWNed server) but not vice versa and to no one else in the foreseeable network 👀
(2/4) Being a DA an adversary can create an evil GPO that will coerce Immediate Scheduled Task execution on the target. The task downloads and executes a PS cradle pointing to the PWNed server. Sure, there’re fancy (py|Sharp)GPOAbuse, etc… But when it’s a pentest, who cares 😒
(3/4) Meanwhile, some v4tov4 port proxies are configured on the pivot point by the adversary via netsh 😈
Yo, ho, was doing a bit of pentesting today. Inspired by @ippsec I shall give you my short story of 3 different paths to DA in 5 hours of work (hot pics are inside). Enjoy!
Path 1. DHCPv6 poisoning for initial access (thx to @_dirkjan)➡️authenticated PetitPotam to grab NTLMv1-SSP (thx to @topotam77)➡️ntlmv1-multi (thx to @Evil_Mog) + crack.sh to crack the response and get NT hash of DC➡️DCSync (thx to @SecureAuth)
(1/2) Path 2. Scan the network to discover an MS17-010 unpatched system ➡️ Use AutoBlue-MS17-010 to perform the exploitation with an x86 shellcode ➡️ Dump LSASS via comsvcs.dll LOLBAS technique ➡️ Exfiltrate the dump with PowerShell ➡️ Parse it to get credz of a privileged user