Skip to main content
Advanced Search
Search Terms
Content Type

Exact Matches
Tag Searches
Date Options
Updated after
Updated before
Created after
Created before

Search Results

25 total results found

BobBuilder

The Team

Passion for Red Team/Pentesting and machine learning. Software Ing. HackTheBox: BobBuilder

OtterSec

The Team

I like otters... a lot ʕ •ᴥ•ʔ Currently focusing on honing my AD skills and recently got into AV/EDR evasion Find me on HackTheBox here and on VulnLab :)

serioton

The Team

I love cats, Active Directory and playing CTFs

Kerberos Attacks

Windows Attacks and Enumerations

Kerberoasting Kerberoasting is an attack against service accounts that allows an attacker to perform an offline password-cracking attack against the Active Directory account associated with the service. We need a valid domain user account and password. Vulnera...

Miscellaneous

Windows Attacks and Enumerations

User SID and RID In Active Directory, any group or user that Windows doesn't create has a RID of 1000 or greater. The last 8 bytes of RID determines the user's group. RID : 0x0105000000000005150000001c00d1bcd181f1492bdfc236f4010000 SID : 0x01050000000000051500...

Cracking

Cracking

Find hash type based on length Get example hashes that has length of 80 $hashes=(.\hashcat64.exe --example-hashes | where {$_.split('HASH: ')[-1].length -like 80}) Get crack type from example hashes with length 80 hashcat64.exe --example-hashes |Select-String...

SQL Injection

Web

Database enumeration MySQL SELECT GROUP_CONCAT(schema_name,',') FROM information_schema.schemata; SELECT GROUP_CONCAT(table_name,',') FROM information_schema.tables; SELECT GROUP_CONCAT(column_name,',') FROM information_schema.columns WHERE table_name = 'users...

Windows Local Privilege Escalation

Windows Attacks and Enumerations

SeDebugPrivilege Migrate PID to privileged process such as WinLogon using ProcessInjection to load adopt. WinLogon PID: 3488 Adopt binary: adopt.exe PS /bob> dotnet inline-execute /home/user/ProcessInjection.exe /f:raw /pid:3488 /t:1 /path:C:\Windows\Tasks\ado...

ESC1

Abusing Active Directory Certificate Se...

For this technique to work we need a certificate template with the following requirements: ENROLLEE_SUPPLIES_SUBJECT attribute enabled: this allows the user that initialized the CSR (certificate request) to specify any SAN (subjectAltName) allowing us to req...

ESC2

Abusing Active Directory Certificate Se...

This privilege escalation technique requires the following: Any Purpose EKU which allows the attacker to get a certificate that can be used for all purposes (Client Authentication, Code Signing, ...) ENROLLEE_SUPPLIES_SUBJECT attribute enabled a user with en...

ESC3

Abusing Active Directory Certificate Se...

Unlike ESC1 and ESC2, this method requires two certificate templates with the following requirements First Template Certificate Request Agent EKU Second Template Client Authentication EKU Application Policy Issuance Requirement with Authorized Signatures ...

Assess whether ADCS is installed

Abusing Active Directory Certificate Se...

Check if ADCS installed Windows Presence of module ADCS: Get-WindowsFeature -Name ADCS-Cert-Authority -ErrorAction SilentlyContinue Presence of built-in Cert Publishers group which authorizes Certificate Authorities to publish certificates: net localgroup "...

ESC4

Abusing Active Directory Certificate Se...

You can create misconfigurations even in templates that are not initially vulnerable. For example, enabling the mspki-certificate-name-flag for a template allowing domain authentication could result in a situation similar to ESC1. This might allow less privile...

ESC5

Abusing Active Directory Certificate Se...

Vulnerable PKI Object Access Control where the objects have the following requirements: The AD computer object of the CA server, which may be compromised through mechanisms like S4U2Self or S4U2Proxy. The RPC/DCOM server of the CA server. Any descendant ...

ESC6

Abusing Active Directory Certificate Se...

Note: ESC6 got patch on May of 2022. ESC6 permits the inclusion of user-defined values in subject alternative name for any request. On Windows we can verify the permission : PS /home/bobbuilder> certutil -config "CA_HOST\CA_NAME" -getreg "policy\EditFlags" Wi...

ESC7

Abusing Active Directory Certificate Se...

Vulnerable Certificate Authority Access Control where 2 sets of permissions poses security risks: ManageCA (or ManageCertificates) ManageCertificates (or Certificate Manager) Enumerate using certsrv.msc PS /home/bobbuilder> Get-CertificationAuthority -Comput...

ESC8

Abusing Active Directory Certificate Se...

Authentication coercion from a machine account where we relay the NTLM hash to AD CS to obtain a certificate that allows us to authenticate. Requirements A vulnerable web enrollment endpoint. At least one certificate template published that allows for domain ...

ESC9

Abusing Active Directory Certificate Se...

To exploit ESC9, ensure the StrongCertificateBindingEnforcement key is not set to 2 or includes the UPN flag, the template has CT_FLAG_NO_SECURITY_EXTENSION, specifies client authentication, and the attacker has GenericWrite privilege on account A to compromis...

ESC10

Abusing Active Directory Certificate Se...

Case 1 Reviewing registry keys as Administrator bob$ python3 reg.py minions.com/'Administrator':'<pass>'@<IP_address> query -keyName 'HKLM\SYSTEM\CurrentControlSet\Services\Kdc' If we get StrongCertificateBindingEnforcement REG_DWORD 0x0 we can proceed. Retri...

ESC11

Abusing Active Directory Certificate Se...

The vulnerability identified as ESC11 involves exploiting the modification of the IF_ENFORCEENCRYPTICERTREQUEST flag in the MS-ICPR RPC interface of ADCS, potentially allowing an NTLM relay attack to request certificates from authorized certificate templates v...