🎫Command execution on other DC via silver ticket on HTTP & WMI
From the information gathered in previous steps we have the hash for machine account of the domain controller (dcorp-dc$). Using the below command, we can create a Silver Ticket that provides us access to the HTTP service of DC
Please note that the hash of dcorp-dc$ (RC4 in the below command) may be different in the lab. You can also use aes256 keys in place of NTLM hash:
In our previous path we had to copy the hash of the machine account of Dcorp-DC. You can identify it as Dcorp-DC$
First we start by encoding "silver" then we throw in rubeus ->
We can check if we go the correct service ticket but first we need to encode "klist":
We can check if we go the correct service ticket:
And now we can enter the session:
For accessing WMI, we need to create two tickets - one for HOST service and another for RPCSS. We could also use Rubeus for this but let's use BetterSafetyKatz. Note that we are not using any AV bypass technique here as this is just an example:
Let's start an elevated shell:
(don't forget to use hash of machine user)
Now we need to Inject a ticket for RPCSS:
And if we check what tickets are present with klist:
And now we could tru to run WMI commands on the domain controller:
Last updated
