Hi there,
Blocked at the Question to use Resource-Based Constrained Delegation with ESC10 certificate mapping.
Going thru the steps.
- shadow user2 to get the hash
- Change the user2’s UPN
- get the lab-dc.pfx with ESC10
- rollback the User2’s UPN
- pfx authentication with ldap-shell
- Add Computer and put rbcd on lab-dc
- Got Administrator.ccache for cifs with getST.py
And …
KRB5CCNAME=Administrator.ccache wmiexec.py -k -no-pass LAB-DC.LAB.LOCAL
gives everytime an error
[-] [Errno Connection error (LAB-DC.lab.local:445)] [Errno -2] Name or service not known
Tried to reset target so many times
Tried with /etc/hosts and -dc-ip w.x.y.z.
lab-dc.lab.local does not have any serviceprincipalname ‘cifs/lab-dc.lab.local’ so the error seems ‘normal’ right ?
Finally, i used ESC3 vulnerability from this module to get the flag but i’m still not satisfied about the method and would like to know if anyone succeed with ESC10 here.
Thank you very much
/Dworkin
