👮 Authority

Enumeration

We have a Windows domain controller for the domain authority.htb, but for some reason the SSL certificate says that the hostname of the machine is authority.htb.corp, maybe because this machine is also a CA.

Enumerating SMB, we find two custom shares.

In the Development share we find various Ansible files.

One in particular is interesting.

This file probably contains encrypted Ansible Vault credentials.

We use ansible2john to extract a hash from the vault and then crack it.

We decrypt the vault with the recovered passphrase and now have credentials.
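Vault blobs left on a readable share are exactly what this step feeds on, so a defender's first move is to find them. The scanner below is an added example (not code from the writeup): it locates Ansible Vault headers in files copied from a share, whether the blob is a whole file or an inline `!vault |` value in YAML, and reports the vault format, cipher, vault id and the YAML key it protects. The two sample inputs are constructed and contain no real secrets.

```python
# Added example (not from the writeup): locate Ansible Vault blobs in files
# pulled from a share so that exposed vault material can be found and rotated.
# Sample inputs are constructed; the hex payloads are not real ciphertext.
import re
from dataclasses import dataclass
from typing import List, Optional

# A vault blob starts with "$ANSIBLE_VAULT;<format>;<cipher>"; format 1.2 adds a
# fourth field with the vault id. When the blob is embedded inline in YAML the
# header is indented under a "key: !vault |" line.
VAULT_HEADER = re.compile(
    r"^\s*\$ANSIBLE_VAULT;(?P<version>\d+\.\d+);(?P<cipher>[A-Za-z0-9]+)"
    r"(?:;(?P<vault_id>\S+))?\s*$"
)
INLINE_KEY = re.compile(r"^\s*(?P<key>[A-Za-z0-9_.-]+)\s*:\s*!vault\s*\|?\s*$")
HEX_LINE = re.compile(r"\s*[0-9a-fA-F]+\s*")


@dataclass
class VaultFinding:
    line: int            # 1-based line number of the header
    version: str         # vault format version, e.g. "1.1" or "1.2"
    cipher: str          # cipher name, e.g. "AES256"
    vault_id: str        # vault id for 1.2 headers, "default" otherwise
    key: Optional[str]   # YAML key for inline blobs, None for whole-file vaults
    payload_lines: int   # number of hex lines following the header


def find_vault_blobs(text: str) -> List[VaultFinding]:
    """Return one finding per vault header present in the text."""
    lines = text.splitlines()
    findings: List[VaultFinding] = []
    for idx, line in enumerate(lines):
        m = VAULT_HEADER.match(line)
        if m is None:
            continue
        key = None
        if idx > 0:
            km = INLINE_KEY.match(lines[idx - 1])
            if km:
                key = km.group("key")
        # Count the contiguous hex payload lines after the header
        count = 0
        for follow in lines[idx + 1:]:
            if HEX_LINE.fullmatch(follow):
                count += 1
            else:
                break
        findings.append(VaultFinding(
            line=idx + 1,
            version=m.group("version"),
            cipher=m.group("cipher"),
            vault_id=m.group("vault_id") or "default",
            key=key,
            payload_lines=count,
        ))
    return findings


def summarize(path: str, findings: List[VaultFinding]) -> List[str]:
    """Human-readable report lines, one per finding."""
    return [
        f"{path}:{f.line}: vault {f.version}/{f.cipher} id={f.vault_id} "
        f"key={f.key or '<whole file>'} ({f.payload_lines} payload lines)"
        for f in findings
    ]


# Constructed sample: a vars file with two inline vault values and one plain value
SAMPLE_VARS = """\
# constructed sample vars file
app_admin_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          32666435386663663135623435653534353135383338303662633365316466303636336538343434
          6366653339313735643938353062333635373066656335616262346233653339
ldap_bind_password: !vault |
          $ANSIBLE_VAULT;1.2;AES256;prod
          61383039353564303330313365393861
plain_setting: value
"""

# Constructed sample: a file that is entirely one vault blob
SAMPLE_WHOLE_FILE = "$ANSIBLE_VAULT;1.1;AES256\n31626364656630313233343536373839\n"

if __name__ == "__main__":
    for name, text in (("vars.yml", SAMPLE_VARS), ("secret.yml", SAMPLE_WHOLE_FILE)):
        for row in summarize(name, find_vault_blobs(text)):
            print(row)
```

Run over a tree of files fetched from the share, the report tells you which keys are vault-protected and which vault id was used; any blob found on a share that low-privileged users can read should be treated as compromised and rotated, since the vault passphrase is offline-crackable exactly as the writeup shows.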

Since these are probably not domain creds, we need to find another way to log in.

This seems promising.

The alert says that we are in configuration mode, so we can probably tamper with it.

We log in to the configuration manager and download the current configuration.

We have encrypted credentials.

To make the application store passwords in cleartext, we modify the properties as described in the comment above.

And we get the password for the svc_ldap service account.

Now we enumerate the domain with BloodHound.

We can see that this service account can log in to the DC, which gets us the user flag.

But we are not local admin and don't have any particular privileges.

We can try to enumerate certificate templates with Certipy.

To view this data in BloodHound we need to download the custom version with ADCS support made by ly4k.

We find a misconfigured certificate template called CorpVPN:

All users can request this certificate once they have added a workstation to the domain (Domain Computers has enrollment rights).

The requester can impersonate any user.

It does not require approval from admins.
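The three properties listed above are the classic ESC1 preconditions, and they can be checked from the template's LDAP attributes without running any attack. The audit below is an added example (not code from the writeup or from Certipy): it takes a template's `msPKI-Certificate-Name-Flag`, `msPKI-Enrollment-Flag`, `msPKI-RA-Signature`, `pKIExtendedKeyUsage` and Enroll ACL as values you would export from AD, and reports which ESC1 conditions hold. Domain Computers counts as a low-privileged enroller because, with the default `ms-DS-MachineAccountQuota`, any user can add a workstation, which is the step the writeup takes next. The two templates are constructed samples; `CorpVPN` mirrors the writeup's description and the domain SID is a placeholder, not the box's real SID.

```python
# Added example (not from the writeup): audit certificate templates for the
# ESC1 preconditions using MS-CRTD attribute names and flag values.
# The templates and the domain SID below are constructed samples.
from dataclasses import dataclass
from typing import Dict, List, Set

# msPKI-Certificate-Name-Flag bit: the requester supplies the subject / SAN
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: every request waits for CA manager approval
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKU OIDs that make an issued certificate usable for domain authentication
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "2.5.29.37.0",              # Any Purpose
}

# Principals that mean "any low-privileged account can enroll"
LOW_PRIV_WELL_KNOWN = {"S-1-1-0", "S-1-5-11"}   # Everyone, Authenticated Users
LOW_PRIV_RIDS = {"513", "515"}                   # Domain Users, Domain Computers


def is_low_priv(sid: str) -> bool:
    return sid in LOW_PRIV_WELL_KNOWN or sid.rsplit("-", 1)[-1] in LOW_PRIV_RIDS


@dataclass
class Template:
    name: str
    name_flag: int            # msPKI-Certificate-Name-Flag
    enrollment_flag: int      # msPKI-Enrollment-Flag
    ra_signature: int         # msPKI-RA-Signature (authorized signatures required)
    ekus: Set[str]            # pKIExtendedKeyUsage OIDs (empty = any purpose)
    enroll_sids: Set[str]     # SIDs granted Enroll in the template's ACL
    published: bool = True    # listed in a CA's certificateTemplates attribute


def esc1_conditions(t: Template) -> Dict[str, bool]:
    """Each ESC1 precondition and whether the template meets it."""
    return {
        "published_on_ca": t.published,
        "enrollee_supplies_subject": bool(t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "no_manager_approval": not (t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS),
        "no_authorized_signatures": t.ra_signature == 0,
        "auth_eku": (not t.ekus) or bool(t.ekus & AUTH_EKUS),
        "low_priv_enroll": any(is_low_priv(s) for s in t.enroll_sids),
    }


def is_esc1(t: Template) -> bool:
    """ESC1 needs every precondition at once; one missing breaks the chain."""
    return all(esc1_conditions(t).values())


def audit(templates: List[Template]) -> List[str]:
    """One report line per vulnerable template, naming the low-priv enrollers."""
    report = []
    for t in templates:
        if is_esc1(t):
            who = sorted(s for s in t.enroll_sids if is_low_priv(s))
            report.append(f"{t.name}: ESC1 (enrollable by {', '.join(who)})")
    return report


DOMAIN_SID = "S-1-5-21-0-0-0"   # constructed placeholder, not the real domain SID

# Constructed sample mirroring the writeup: subject chosen by the requester,
# no approval, Client Authentication EKU, Domain Computers may enroll.
CORP_VPN = Template(
    name="CorpVPN",
    name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    enrollment_flag=0,
    ra_signature=0,
    ekus={"1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"},   # Client Auth, Server Auth
    enroll_sids={f"{DOMAIN_SID}-515", f"{DOMAIN_SID}-512"},  # Domain Computers, Domain Admins
)

# Same template after remediation: subject built from AD and approval required.
CORP_VPN_HARDENED = Template(
    name="CorpVPN-hardened",
    name_flag=0,
    enrollment_flag=CT_FLAG_PEND_ALL_REQUESTS,
    ra_signature=0,
    ekus={"1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"},
    enroll_sids={f"{DOMAIN_SID}-515", f"{DOMAIN_SID}-512"},
)

if __name__ == "__main__":
    for t in (CORP_VPN, CORP_VPN_HARDENED):
        print(t.name, esc1_conditions(t))
    print(audit([CORP_VPN, CORP_VPN_HARDENED]))
```

Either of the two changes in the hardened copy is enough on its own: clearing `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` stops the requester from naming another principal, and `CT_FLAG_PEND_ALL_REQUESTS` puts a human in front of every issuance. Removing Domain Computers from the Enroll ACL, or setting `ms-DS-MachineAccountQuota` to 0, closes the path the writeup uses to obtain an enroll-capable account in the first place.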

ADCS Privilege Escalation

First we use Impacket's addcomputer.py to add a new workstation to the domain.

Then we request the certificate as the Administrator user.

Then I tried getting the NTLM hash of the Administrator, but it did not work.

So I used PassTheCert to change the Administrator password and log in.
