ACTIVE DIRECTORY ENUMERATION & ATTACKS | Bleeding Edge Vulnerabilities

Hi Guys!
I can't perform the PetitPotam (MS-EFSRPC) attack. I can't catch the base64 encoded certificate.
Just tried the examples, doesn't work: “ntlmrelayx error obtaining certificate”.
I downloaded another version of ntlmrelayx.py.
Even when I just use the certificate from the example, I can't interact with it on a Linux/Windows host to receive the TGT ccache.
Did you perform this attack?

I have the same question.
On the attacking host ATTACK01, something about this attack does not go through. ((

Same, did either of you get it to work? I also could not get PrintNightmare to run; did that work for you?

Yeah, no luck here for me either using ntlmrelayx.py. Using it on the Linux pivot host. Keep getting “200 OK” followed by HTTP headers and HTML in the body. I used the following certi.py command as recommended:

getTGT.py 'inlanefreight.local/forend:Klmcargo2'

export KRB5CCNAME=forend.ccache

python3 certi.py list 'inlanefreight.local/forend' -k -n --dc-ip 172.16.5.5 --class ca

The response I get is:
certca

I replaced the hostname presented in the example on Academy, but then the name doesn't resolve. I checked /etc/hosts, and ‘Inlanefreight-CA’ isn't in there. Tried adding it, but still nothing.

Really not sure what’s going on here.

Update: I had to reset the instance a few times before the certificate popped up. You have to wait several seconds, I'd say up to half a minute sometimes, before it shows up.

But regardless, using gettgtpkinit.py didn't yield any results. Python kept throwing an error mentioning “wrong padding”. Tried using double and single quotes around the base64 blob. I've reset the instance a few times; same results.

Using Rubeus to gettgt and ptt didn't work either; it replies with

[!] Failed to find certificate for [base64 blob]

Though I did get noPac.py and printnightmare to work.

Not sure how to even start the exercise. It seems I can't SSH or RDP as the forend user. I can SSH as the htb-user, but can't find the noPac tool on that box and can't git clone tools onto the box because it doesn't seem to have internet access.

How did you guys start this exercise?

@truthreaper the answers to all of your questions are in the first few paragraphs of the module. If I get stuck like that, I usually just reread and find the answer.

Yeah, realized the tools needed are in the /opt directory.

Hi, I have the same issue. I finally got the base64 certificate, but gettgtpkinit.py is reporting the same issue: “Error Name: KDC_ERR_PADATA_TYPE_NOSUPP Detail: KDC has no support for PADATA type (pre-authentication data)”.
Doing the same with Rubeus gives “KRB-ERROR (62) : KDC_ERR_CLIENT_NOT_TRUSTED”.

Did someone find a solution for this?


Did you find a way to do it? Honestly, the more labs I do on HTB modules, the less I like it… there is always more troubleshooting around the learning objective than the objective itself… Yeah, troubleshooting is part of pentest jobs, but if I want to learn something I don't want to spend time digging around instead of learning it…

No, it still doesn't work for me. I was able to grab a certificate after rebooting the instance a couple of times, but getting a TGT is still not working. As I understand it, there is an issue with the type and purpose of the certificate that I am obtaining.
Troubleshooting is OK, I am learning a lot doing it, but yes, sometimes it takes days to finish just one lab. But in real life it's even worse, so the labs are preparing you for struggling :)))

Same for me.

For the KDC_ERR_PADATA_TYPE_NOSUPP, I RDP'd into DC1 and restarted it. After that I did not have any problem. So try restarting DC1. Hope it helps.


Thank you, will try it.

I have spent hours and hours and hours on this. Can’t get a single one of the attacks to work correctly. I’ve tried all 3 of them at least 4x each now. With at least 2 of the attacks I get a ‘Connection reset by peer’ error. I am doing everything verbatim as it is presented in the instructions. Spending more time trying to troubleshoot arbitrary things than I am spending actually learning :confused:

Got the same problem.

Use a remote connection from 172.16.17.25 to DC1 (172.16.18.3) and restart it, then wait for a couple of minutes.

Redo the ask-TGT step and it works.

I confirm, this works.