🚔Intercept

You will learn about a technique that allows taking over domain-joined workstations in their default configuration, and about exploiting ADCS

Enumeration

Enumerating shares, we find a writable dev share

Inside we find a readme.txt and autologon64.exe, which probably means that an autologon password is stored somewhere

The readme says to check the share regularly

We have write permissions on the share, so we can try to steal an NTLMv2 hash

This time, instead of using ntlm_theft, I wanted to try a NetExec module

And we get a hit

To remove the .lnk file afterwards, add CLEANUP=True to the previous NetExec command

We cracked the password

This user does not have any interesting privileges

But from the Nmap scan we can see that the DC is also a CA

This means that ADCS is probably installed

We can try to run certipy, but it does not find anything vulnerable

After looking at the hints ;) I checked whether LDAP channel binding was enabled

If WS01 is running the WebClient service, we can make the workstation connect back to us and abuse Resource-Based Constrained Delegation (RBCD)

RBCD

We checked the MachineAccountQuota and it is 10, the default

This means that we can add computer accounts to the domain

First we need to add a DNS entry that points to the attacker machine

If you get a DNS error, add the DC IP to /etc/resolv.conf

Now we add a computer account

Now we can start ntlmrelayx

Now we force authentication from WS01$

And it worked

I should have specified the machine account to use for ntlmrelayx, but it's whatever

Now we can request a ticket to impersonate Administrator on WS01

Now, if we use secretsdump, we can also see the autologon credential from before
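As an added defender-side example (not part of the original writeup), the script below scans constructed, simplified Security log events for the trace this relay leaves behind: a computer account created by an ordinary user (Event 4741) shortly before a write to msDS-AllowedToActOnBehalfOfOtherIdentity (Event 5136), or a machine account writing that attribute on its own object. The field names, account names and timestamps are assumptions, not a real log export.

```python
from datetime import datetime, timedelta

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"

# Constructed sample events (simplified dicts, not a real Security log export).
# 4741 = computer account created, 5136 = directory service object modified.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:58:00", "id": 4741, "subject": "LAB\\low.priv",
     "target": "FAKE01$"},
    {"time": "2024-05-01T10:00:10", "id": 5136, "subject": "LAB\\WS01$",
     "object": "CN=WS01,CN=Computers,DC=lab,DC=local",
     "attribute": RBCD_ATTR, "operation": "Value Added"},
    {"time": "2024-05-01T11:30:00", "id": 5136, "subject": "LAB\\svc_admin",
     "object": "CN=SRV02,CN=Computers,DC=lab,DC=local",
     "attribute": "description", "operation": "Value Added"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_rbcd_writes(events, window=timedelta(minutes=15)):
    """Return one finding per write to the RBCD attribute.

    A finding notes whether a machine account wrote to its own computer
    object (what a relayed WS01$ session does) and which computer accounts
    were created within `window` before the write (the MachineAccountQuota
    step). Either signal raises the severity to high.
    """
    findings = []
    creations = [e for e in events if e["id"] == 4741]
    for e in events:
        if e["id"] != 5136 or e["attribute"] != RBCD_ATTR:
            continue
        cn = e["object"].split(",")[0].removeprefix("CN=").upper()
        subject = e["subject"].split("\\")[-1].upper()
        self_write = subject == cn + "$"
        recent = [c["target"] for c in creations
                  if timedelta(0) <= _ts(e) - _ts(c) <= window]
        findings.append({
            "time": e["time"], "object": cn, "subject": subject,
            "self_write": self_write, "new_accounts": recent,
            "severity": "high" if (self_write or recent) else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_rbcd_writes(SAMPLE_EVENTS):
        print(finding)
```

Auditing 5136 on this attribute requires a SACL on computer objects for "Write all properties" (or the specific attribute); without it the event is never generated.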

ADCS

Now that we have new creds, I wanted to look at the certipy output again in BloodHound

Here we can see that Simon has GenericAll on CA-Managers

It's a bit of a messy attack path, but if you click on ESC7 we can see that the CA is vulnerable now that we can become a CA-Manager

To abuse this, we first need to add Simon.Bowen to the CA-Managers group

Now we can use certipy

After issuing the certificate we can retrieve it and authenticate with it to obtain the Administrator's NT hash
