Samples
Here is the demonstration of the tool I have used for performing an HTB Lab (Retired Machine with Writeup) with ESC1 vulnerability
- Request and Export certificates via DCOM/SMB with current login user context
- Certificate stored successfully
- Used certipy to retrieve TGT and extract NTLM hash (There are other methods such as ldap-shell/Retrieving TGT and inject into current session also works)
- Logged in as high privilege user
