Relatively easy machine with straightforward walk through from bloodhound + the name of the machine is disclosing more than required
If you need help you can DM me as well.
Facing a problem while running pywhisker. I have added judith.mader to the management group and confirmed it as well, but I am getting an error on running pywhisker:
┌──(kali㉿kali)-[~/Downloads/pywhisker]
└─$ python pywhisker.py -d "certified.htb" -u "judith.mader" -p "judith09" --target "management_svc" --action "add"
[*] Searching for the target account
[*] Target user found: CN=management service,CN=Users,DC=certified,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 73da3289-4de4-4b45-52d4-0f8f94d07365
[*] Updating the msDS-KeyCredentialLink attribute of management_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[!] module 'OpenSSL.crypto' has no attribute 'PKCS12'
I'm having problems with the last part, certipy is showing me this: Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate. Which means something like the CA is not enabled, can anyone help? Thx
As many mentioned, pywhisker is kinda broken after Python 3.12 in Kali.
There are other tools that can help you add the attribute; one example is bloodyAD.
After obtaining the hash for ma**vc, I am unsure what to do. I have looked at BloodHound many times and am still unable to find anything. There is only 1 connection between that user and the DC, which seems like I cannot exploit as ma**vc is not a privileged user on the DC?
Oh, I have actually also gotten the hash of the c**op** r account but I didn't think it was able to do anything based on the BloodHound enumeration.
Thank you so much for the hints, I have finally solved it!
FINALLY rooted. Brain off, running tool after tool. Stumbled upon hacktricks and a certain tool. And one of the exploits worked for the priv esc part. Thought it wasn't for an hour, and then ran with "sudo" and voila! Feel so dumb
Certified pwned
Hello to all
I am stuck at the starting point. I know what the input vector is, but before that the user judith must be part of the group M******?. I have tried to add it to the group with net rpc group addmem, but as output of the command I get a message of Could not add judith.mader to M**********: NT_STATUS_ACCESS_DENIED.
Any hint would be very helpful.
Judith needs to be owner of that group and needs to have the necessary permission over that group (like GenericAll) to add itself as member and to finally gain access via shadow credentials to a specific service.
Use a tool of your choice (e.g. BloodyAD) and carefully do each step as I have described.
net rpc group addmem is obviously right, even if you are the owner of that group you have not the right permissions yet.
Thank you very much for the hints, they were a great help!
Hello, I see your message and I'm a bit lost so I hope you can help me. I'm using BloodHound and I see that judith has "WriteOwner" rights on the Management group. I guess that's what I'm supposed to use but I can't.
Hi, during a few of the last steps I see an error message:
"[-] Name mismatch between certificate and user 'administrator'"
Any hint what am I missing?
Thanks
Hint for future me: remember about the dates!
Pwnd!
How did you fix that?
$ sudo ntpdate …and here you'll start this adventure ;)
Good luck!
How are people actually doing the BloodHound collection?
Everyone seems to say you use the initial creds to collect BloodHound data and follow that path.
But I cannot log in anywhere to ingest BloodHound data.
Can anyone give me a hint on this?
I had the same issue… Take a look at this site: GitHub - yovelo98/OSCP-Cheatsheet: My Notes For OSCP - filter for bloodhound
I used the command I found in another machine's discussion: