LSASS PROTECTED USER
by Raphgui - Sunday June 18, 2023 at 03:03 PM
#1
Hello,
I recently did an Active Directory pentest. I managed to get onto the DC, but the Administrator user was in Protected Users, so it was impossible to use mimikatz to recover his NT hash.

Anyone got any tricks?
#2
Does anybody have an idea?
#3
(Jun 18, 2023, 03:03 PM)Raphgui Wrote: [quote of #1 above]
You didn't give much information, so I assume you only have a user shell without any Administrator rights.
There are 4 ways to interact with LSA:
processes, winlogon, kernel-mode, and CredUI.
In your case kernel and winlogon are of course forbidden, so you will have to focus on credui.dll and processes.
Taking a quick look at credui.dll reveals many things.
username@domain and DOMAIN\username
are the credentials you should provide to interact efficiently with LSASS and, more generally, LSA from CredUI.
We can see the DLL stores a username, a password, a PIN and a certificate.
You can try to abuse this DLL; it's not seriously protected, and the imports table looks decent. You can also try to get more privileges another way and then try token impersonation or something similar, maybe ProcDump, cme...
#4
(Jun 18, 2023, 10:00 PM)god Wrote: [quote of #3 above]

Thanks for your answer. So I became admin with constrained delegation to S4U2Self. But now I am NT AUTHORITY\SYSTEM on the DC, but the Administrator user or krbtgt is in the Protected Users group. So I am looking at credui.dll.
#5
Dump all AD hashes, and use pass the hash.