Abuse Unconstrained Delegation to get the TGT of DC01$ and submit the flag located at \\DC01\UCD_flag\flag.txt.
Can someone please guide me here? I have captured the NTLM hash of the user below and tried to read the flags.txt. However, whenever I attempt to read or list the content present in the \UCD_flag` directory, it returns an access denied error message. Please help
htb-admin
gmsa_adm$
Probably you donât have a Ticket stored in your session or it might be wrong.
Arenât you trying to access the UCD directory with a GMSA user?
Provide the response to âklistâ command.
Did you get it?
Your âClientâ should be DC01$
The screenshot in the tutorial is misleading when it says
[+] Ticket succesfully imported!
The , which the screenshot leads us to think is the last part of the ticket, actually includes another rubeus command as well, .\Rubeus.exe ptt /ticket:/ (ptt stands for pass the ticket). Then after that command the Ticket succesfully imported! message shows up.
And for the directory, I was still getting the same error unless I typed the directory exactly as in the hackthebox question.
The comments hide the stuff in carats. Here it is with carats.
The screenshot in the tutorial is misleading when it says
<SNIP>
[+] Ticket succesfully imported!
The <SNIP>, which the screenshot leads us to think is the last part of the ticket, actually includes another rubeus command as well, .\Rubeus.exe ptt /ticket:/<ticket> (ptt stands for pass the ticket). Then after that command the Ticket succesfully imported! message shows up.
And for the directory, I was still getting the same error unless I typed the directory exactly as in the hackthebox question.
