7MS #532: Tales of Pentest Pwnage - Part 39

Hey friends, wow...we're up to thirty-nine episodes of pwnage? Should we make a cake when we hit the big 4-0?! Anyway, today's TLDL is this: If you get a nagging suspicion about something you find during enumeration, make sure to either come back to it later, or exhaust the path right away so you don't miss something! Because I did :-/ A tip that's been helping me speed along my use of CrackMapExec and other tools is by using Kerberos authentication. You can grab a ticket for your test AD account by using Impacket like so: gettgt.py victim.domain/LowPrivUser export KRB5CCNAME=LowPrivUser.ccache Then in most tools you can pass the cred by doing something like: crackmapexec smb DC01 -k In my enumeration of this network, I used Certipy to find potential attack paths against Active Directory Certificate Services. Something cool I learned is that Certipy will spit out both a text and json dump so you can import into BloodHound and then pair that data with their custom queries json file for beautiful visual potential pwnage! I ran into an issue where my certificate shenanigans resulted in an KDC_ERR_PADATA_TYPE_NOSUPP. I originally gave up on this attack path, only to learn about this awesome PassTheCert tool from this rad blog post! After initially being hesitant to use a tool I'd never heard of, I raised a GitHub issue to calm my nerves and, shortly after, found myself doing a domain admin dance. Oh, and although I didn't use it on this specific pentest, coercer is an awesome tool that helps you, ya know, coerce things!

There are no comments yet.

Please log in to write the first comment.