🥈 Silver Ticket Attack

Usually we will have SeImpersonatePrivilege after getting a shell via xp_cmdshell, so a potato attack is an option. Sometimes, however, the intended path is to enumerate the database itself.

Refer to PG Practice Nagota and Escape from HTB. Generating a ticket does not by itself mean it will work. Check the domain in the SPN:

get-addomain

This is what we will use for the silver ticket. If the credentials were acquired through Kerberoasting, CHECK the GetUserSPNs.py output for the SPN.

General syntax:

Without an SPN, a Golden ticket is created:

With an SPN specified, we get a ticket for a specific service:

We can use a fake user as well.

To list existing SPNs:

Example to get the silver ticket for a specific service:

Get SID

To get Domain SID

or

or

or

Now use the domain SID. This can also be done with LDAP.

MSSQL

Just press Enter for an empty password. It is normal to get a user such as svc_mssql or similar when whoami is run through xp_cmdshell.

Check that the ticket is present with klist.

Then edit /etc/krb5user.conf. Example:
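From the defender's side of what this page describes: a silver ticket is forged from the service account's key, so the target service records a valid Kerberos logon (event 4624) even though the domain controller never issued a matching service ticket (event 4769), and a fake user name will not match any directory SID. The script below is an added example, not code from the page or from any tool it mentions; the events, the field names, and the SID table are constructed samples.

```python
"""Flag Kerberos service logons that have no DC-issued service ticket
behind them, or whose account name does not match the directory SID.
Both are signs of a forged (silver) ticket. All data here is constructed."""
from datetime import datetime, timedelta

# Constructed sample events: 4769 (TGS request) from the DC, 4624 (logon)
# from a member server. Field names are assumed, chosen to mirror the
# common Windows Security log attributes.
SAMPLE_EVENTS = [
    {"id": 4769, "host": "DC01", "time": "2024-05-01T09:00:00",
     "account": "alice@CORP.LOCAL",
     "service": "MSSQLSvc/sql01.corp.local:1433", "client_ip": "10.0.0.50"},
    {"id": 4624, "host": "SQL01", "time": "2024-05-01T09:00:02",
     "account": "alice", "domain": "CORP", "logon_type": 3,
     "auth_package": "Kerberos", "sid": "S-1-5-21-1111-2222-3333-1105",
     "src_ip": "10.0.0.50"},
    # No 4769 precedes this logon and the account does not exist in the
    # directory: the pattern a forged ticket with a fake user produces.
    {"id": 4624, "host": "SQL01", "time": "2024-05-01T09:05:00",
     "account": "fakeadmin", "domain": "CORP", "logon_type": 3,
     "auth_package": "Kerberos", "sid": "S-1-5-21-1111-2222-3333-500",
     "src_ip": "10.0.0.77"},
]

# Constructed directory snapshot: lower-case account name -> expected SID.
KNOWN_SIDS = {
    "alice": "S-1-5-21-1111-2222-3333-1105",
    "administrator": "S-1-5-21-1111-2222-3333-500",
}


def _ts(value):
    return datetime.fromisoformat(value)


def find_suspicious_logons(events, known_sids, window=timedelta(minutes=10)):
    """Return (reason, event) pairs for Kerberos network logons (4624, type 3)
    that no 4769 on the DC explains, or whose name/SID pair is unknown."""
    tgs_requests = [e for e in events if e["id"] == 4769]
    findings = []
    for e in events:
        if (e["id"] != 4624 or e.get("auth_package") != "Kerberos"
                or e.get("logon_type") != 3):
            continue
        name = e["account"].lower()
        logon_time = _ts(e["time"])
        # A genuine service ticket shows up as a 4769 for the same user,
        # from the same client, for an SPN on the host that saw the logon,
        # shortly before the logon itself.
        matched = any(
            r["account"].split("@")[0].lower() == name
            and r["client_ip"] == e["src_ip"]
            and e["host"].lower() in r["service"].lower()
            and timedelta(0) <= logon_time - _ts(r["time"]) <= window
            for r in tgs_requests
        )
        if not matched:
            findings.append(("kerberos logon without DC-issued service ticket", e))
        if known_sids.get(name) != e["sid"]:
            findings.append(("account name does not match directory SID", e))
    return findings


if __name__ == "__main__":
    for reason, event in find_suspicious_logons(SAMPLE_EVENTS, KNOWN_SIDS):
        print(f'{event["host"]} {event["time"]} {event["account"]}: {reason}')
```

In practice the 4769 stream comes from the domain controllers and the 4624 stream from the member servers, so the correlation has to run in a central log store; the window and the field names are assumptions to adapt to the SIEM in use.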
