Forest

Can anyone who’s gotten root share any resources you found helpful for abusing “writedacl” & “dcsync” please?

@TheRamen said:

Can anyone who’s gotten root share any resources you found helpful for abusing “writedacl” & “dcsync” please?

When you walk the dog, you will find out everything you need to know.

Got it done!! Huge thanks to @rene866 and @episteme for the nudges, once I figured out my problem it was smooth sailing to root!

Finally got root :slight_smile:

Although now that I’ve read other people’s write-ups on how they did it, I realise I could have done it a slightly easier way. I did notice in some of the write-ups they did some extra unnecessary steps to gain permissions they already had, which makes me think they didn’t really understand what they were doing lol, but it still ended up being simpler and quicker than the way I did it so I guess I can’t knock them.

@DeDeReporter said:

Hello guys,
A little question. Could someone explain to me what I am doing wrong with the TGT?
I managed to get credentials for the sv*-***o user, I cracked the AS-REP response. Then I tried gT.py and successfully saved the ticket in the cache, but actually I can’t do anything with that ticket.

  • I can’t use smbclient with -k (I got gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/htb.local failed)
  • When I tried rpcclient with -k I got Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE

Basically I can’t get any benefit from the ticket I got from the KDC. I’ve got KRB5CCNAME set with a valid path to the cache. I also have a similar time compared to the DC.

Can someone explain this to me? Am I missing something?
I don’t ask for a guide for user, just a little explanation of what I am doing wrong.
Thanks guys.

Edit: is this because I don’t get any SPN that sv*-*******o has access to?

I am also stuck on the exact same point

@unmesh836 said:

I am also stuck on the exact same point

Exactly the same, if anyone can point out what the wrong step is in the process we are doing.

I know this is an unpopular opinion but… if you’re attacking a Windows box, do it from a Windows box. Once I’d got the ticket you guys are talking about, I literally just browsed to the server’s C drive in explorer and Windows takes care of all the authentication for you. As long as you’re using the FQDN, not the IP address, it will try and use kerberos auth.

I know you all wanna use linux to feel like a “real hacker”, but you’re just making it harder for yourself half the time lol

I’ve gotten user
used the evil and I’m trying to walk the dog but nothing happens. If anyone could PM me a hint that would be amazing. I’m stuck

@TheOpethian said:

I’ve gotten user
used the evil and I’m trying to walk the dog but nothing happens. If anyone could PM me a hint that would be amazing. I’m stuck

I’m trying to use the evil with s…-alfr-- and I get this error

HTTPClient::KeepAliveDisconnected: Connection reset by peer

Could you give me a hint on how to use evil to get the shell???

I have found the port to use the credentials on. However, when I try to use the evil on that port I get this error message:

Error: An error of type WinRM::WinRMHTTPTransportError happened, message is unable to parse authorization header

Could anybody help, please???

@alexmore8 said:

Could you give me a hint on how to use evil to get the shell???

I sent you a PM.

I have used evil to get a shell and added a new user account to ex* groups. What should I do next? PM me please

Would really appreciate it if someone could provide a hint for root. I have got data from hound and I see the relation and the DACL, but my attack targeting delegation is not working. I can PM more details.

I’ve been on this all day and only managed to get a list of users by running sd.py. Please can someone poke me in the right direction? I’ve tried reading loads about impacket but can’t seem to find anything that works without entering passwords! (I don’t have any passwords, so I’m not sure how to progress from the user list.)

@iSmarsh said:

I’ve tried reading loads about impacket but can’t seem to find anything that works without entering passwords! (I don’t have any passwords so not sure how to progress from the user list)

You will need to find one unprivileged user and its password. That’ll be enough for the user shell eventually. No additional users are needed. Use a Kerberos roast attack technique in order to get the hash of this user. The tool is part of Impacket. Then crack the hash with hashcat; it takes ~20 secs. See this link for more information.

@qmi said:

Hey Qmi, thanks for the reply. Turns out I had the right tool all along, it was just my syntax that was wrong. I thought the domain was the same as dc-ip; once I worked out the correct domain I was able to fire the request and get a TGT :slight_smile:

Cheers

Finally managed to pop user on this box. Need to figure out where to start attacking for root. I get why this box is flagged easy, but IMHO I think it’s more of a medium.

I have bh running, and I can see paths, but I’m not sure what to do with them… I’ve tried creating a user and adding this user to the ex***** groups, but I can’t log in with this user… any hints? Resources to read up on?

@ShadowSuave said:
I have bh running, and I can see paths, but I’m not sure what to do with them… I’ve tried creating a user and adding this user to the ex***** groups, but I can’t log in with this user… any hints? Resources to read up on?

Just google priv esc regarding those E****** groups you’ve got your account into, and you’ll find articles explaining how to use one of them that has some strong permissions you can exploit.

Hi all,

I’ve got a set of usernames and tried to use Geters.py, but every time I get a “name or service not known”. Looks like I have an issue with the dn name or IP.

Any hint?