[cutty]

Has anyone here tried to abuse DACL for user oorend using Powerview? When trying to use Get-DomainGUIDMap, I kept getting an error:

Error in retrieving forest schema path from Get-Forest

I ended up doing this with dacledit.py, but I was wondering if anyone else got this error before and how to fix it.

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Spamming | Contact us via http://breachqr3dqbysbq5khaadg5ynnpxn2wrmw5y3rnzesun55l6lkq73yd.onion/misc.php?action=help&hid=27 if you feel this is incorrect.

[xxxxx]

I have this problem
```
getTGT.py 'rebound.htb/oorend:1GR8t@$$4u' -dc-ip 10.129.244.207
Impacket v0.11.0 - Copyright 2023 Fortra

Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
```

When i do :
sudo ntpdate -u pool.ntp.org
faketime '2023-09-12 12:30:09' getTGT.py 'rebound.htb/oorend:1GR8t@$$4u' -dc-ip 10.129.244.207

it not solve the problem.

you should ntp-sync with target???  "Clock skew too great" is between you and target and not between you and ntp  ¯⧵_(ツ)_/¯

[Sundayz]

Here i have the Delegator NTLM hash but i don't know how i can abuse delegation

[genega]

Here i have the Delegator NTLM hash but i don't know how i can abuse delegation

how did you get to tbrady user? constrained delegation is simple https://www.thehacker.recipes/ad/movemen...onstrained

[randomname188]

impossible to get tbrady user, i think 0x410x420x41 is hacker

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Spamming | Contact us via http://breachqr3dqbysbq5khaadg5ynnpxn2wrmw5y3rnzesun55l6lkq73yd.onion/misc.php?action=help&hid=27 if you feel this is incorrect.

[cagptgls]

Got tbrady hash (and password) but honestly out of ideas of what to try next...

[crypt1]

Got tbrady hash (and password) but honestly out of ideas of what to try next...

how did you get hash?

[cagptgls]

how did you get hash?

this one weird trick...

[al3xis]

The path to the system flag is not shorter than the user.
1. The user tbrady has the ability to read the GMSA password of the delegator$ GMSA
2. the delegator GMSA has constrained delegation configured over the DC

So as a first step a way to the user tbrady needs to be found (he has a session on the DC), next the gmsa password for delegator needs to be fetched and with this information the constrained delegation needs to be abused.

How do you know that tbrady has an active session? I see the exploit works but I don't see why...

[randomname188]

The path to the system flag is not shorter than the user.
1. The user tbrady has the ability to read the GMSA password of the delegator$ GMSA
2. the delegator GMSA has constrained delegation configured over the DC

So as a first step a way to the user tbrady needs to be found (he has a session on the DC), next the gmsa password for delegator needs to be fetched and with this information the constrained delegation needs to be abused.

How do you know that tbrady has an active session? I see the exploit works but I don't see why...

bloodhound

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Spamming | Contact us via http://breachqr3dqbysbq5khaadg5ynnpxn2wrmw5y3rnzesun55l6lkq73yd.onion/misc.php?action=help&hid=27 if you feel this is incorrect.