Red Team Privilege Escalation - RBCD Based Privilege Escalation - Part 2 - Praetorian

Common mistakes

  1. Using the IP address of the target host instead of its full name (FQDN) in the SPN/UPN
  2. WMI does not provide a full network logon
  3. When using a TGS obtained through S4U2Proxy, do it from a SOCKS proxy or from the compromised host. The articles above have the commands.
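Added defensive example, not part of these notes: a PowerShell audit that decodes the msDS-AllowedToActOnBehalfOfOtherIdentity attribute so a defender can see which computer objects have RBCD configured and which principals they trust. It assumes Windows PowerShell with System.DirectoryServices; the live query additionally assumes the RSAT ActiveDirectory module, and the SDDL sample and its SID are constructed placeholders.

```powershell
# Added example (not the original notes' code). Decodes the RBCD attribute, which is a
# binary NT security descriptor; each allow ACE names a principal trusted to delegate
# to (run S4U2Proxy against) that computer. Assumes Windows PowerShell / .NET.

function ConvertFrom-RbcdDescriptor {
    param([Parameter(Mandatory)] $Value)
    # Get-ADComputer returns the attribute as ActiveDirectorySecurity; a raw LDAP read
    # returns the self-relative descriptor as byte[]. Accept both forms.
    if ($Value -is [byte[]]) {
        $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $sd.SetSecurityDescriptorBinaryForm($Value)
    } else {
        $sd = $Value
    }
    foreach ($ace in $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $sid  = $ace.IdentityReference
        $name = $null
        # A SID that no longer resolves (deleted or foreign account) stays $null: worth review.
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            Sid    = $sid.Value
            Name   = $name
            Access = $ace.AccessControlType
        }
    }
}

function Get-RbcdTrustedPrincipals {
    # Live query (assumes RSAT ActiveDirectory module): every computer object whose
    # RBCD attribute is populated, with the principals it trusts.
    Import-Module ActiveDirectory
    Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
                   -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity' |
        ForEach-Object {
            $computer = $_
            ConvertFrom-RbcdDescriptor $_.'msDS-AllowedToActOnBehalfOfOtherIdentity' |
                Select-Object @{n = 'Computer'; e = { $computer.Name }}, Sid, Name, Access
        }
}

# Offline demonstration on a constructed descriptor: one allow ACE for a placeholder
# domain SID (RID 1105). The SID is made up, so it will not resolve and Name is $null.
$sampleSddl = 'O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1111111111-2222222222-3333333333-1105)'
$sample = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sample.SetSecurityDescriptorSddlForm($sampleSddl)
ConvertFrom-RbcdDescriptor $sample.GetSecurityDescriptorBinaryForm() | Format-Table -AutoSize
```

Run Get-RbcdTrustedPrincipals against the domain to list real entries; any computer trusting an unexpected or unresolvable principal is a finding to investigate.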

TODO: add a PowerShell one-liner to convert base64 tickets

PortBender

Redirects traffic and bypasses firewall rules using a backdoor (it is not a backdoor that lets you run commands).

https://www.praetorian.com/blog/portbender-utility/

Viewing AD containers

[AD CS containers]
pkiview.msc
adsiedit.msc
[Certificate templates]
certtmpl.msc
[CA server]
certsrv.msc

AD CS

  1. How does the DC propagate the root CA certificate to the Trusted Root Certification Authorities store on Windows hosts?