From 94e289499f2302cdf5476efb2407605e032847de Mon Sep 17 00:00:00 2001
From: Ashley Donaldson
Date: Tue, 21 Nov 2023 13:28:27 +1100
Subject: [PATCH] Copy across some more properties from the PAC
---
 lib/msf/core/exploit/remote/kerberos/client/pac.rb | 11 ++++++++---
 lib/msf/core/exploit/remote/kerberos/ticket.rb | 2 ++
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/lib/msf/core/exploit/remote/kerberos/client/pac.rb b/lib/msf/core/exploit/remote/kerberos/client/pac.rb
index eae5ad865a841..5290e30095928 100644
--- a/lib/msf/core/exploit/remote/kerberos/client/pac.rb
+++ b/lib/msf/core/exploit/remote/kerberos/client/pac.rb
@@ -53,6 +53,8 @@ def build_pac(opts = {})
 extra_sids = opts[:extra_sids] || []
 domain_name = opts[:realm] || ''
 logon_domain_name = opts[:logon_domain_name] || opts[:realm] || ''
+ logon_count = opts.fetch(:logon_count)
+ password_last_set = opts.fetch(:password_last_set)
 domain_id = opts[:domain_id] || Rex::Proto::Kerberos::Pac::NT_AUTHORITY_SID
 auth_time = opts[:auth_time] || Time.now
 checksum_type = opts[:checksum_type] || Rex::Proto::Kerberos::Crypto::Checksum::RSA_MD5
@@ -68,12 +70,14 @@ def build_pac(opts = {})
 primary_group_id: primary_group_id,
 logon_domain_name: logon_domain_name,
 logon_domain_id: domain_id,
+ logon_count: logon_count,
 full_name: '',
 logon_script: '',
 profile_path: '',
 home_directory: '',
 home_directory_drive: '',
- logon_server: ''
+ logon_server: '',
+ password_last_set: password_last_set
 }
 unless base_vi.nil?
 obj_opts.merge({
@@ -138,8 +142,9 @@ def build_pac(opts = {})
 if is_golden
 # These PAC elements are required for golden tickets in post-October 2022 systems
 pac_elements.append(
- pac_requestor,
- pac_attributes)
+ pac_attributes,
+ pac_requestor
+ )
 end
 pac_elements.append(
diff --git a/lib/msf/core/exploit/remote/kerberos/ticket.rb b/lib/msf/core/exploit/remote/kerberos/ticket.rb
index 2570f833a1b6d..69c02bf13c476 100644
--- a/lib/msf/core/exploit/remote/kerberos/ticket.rb
+++ b/lib/msf/core/exploit/remote/kerberos/ticket.rb
@@ -151,6 +151,8 @@ def modify_ticket(ticket, enc_kdc_response, new_user, new_user_rid, domain, extr
 opts[:group_id] = element.data.primary_group_id.value
 opts[:domain_id] = element.data.logon_domain_id
 opts[:logon_domain_name] = element.data.logon_domain_name
+ opts[:logon_count] = element.data.logon_count
+ opts[:password_last_set] = element.data.password_last_set
 if copy_entire_pac
 opts[:base_verification_info] = element.data
 element.data.extra_sids.each do |sid|
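Review bot: The two new `opts.fetch` calls in the first hunk have no default, so any caller of `build_pac` that does not pass `:logon_count` and `:password_last_set` now raises `KeyError`, while every neighbouring option in the same hunk (`extra_sids`, `domain_name`, `logon_domain_name`, `domain_id`, `auth_time`, `checksum_type`) falls back to a default. The diffstat shows only `ticket.rb` being updated to supply the new keys, so any other path that builds a PAC from scratch rather than copying an existing one would presumably now fail. Either give both options defaults in the same style as their neighbours, e.g. `logon_count = opts.fetch(:logon_count, 0)` and `password_last_set = opts.fetch(:password_last_set, UNSET_FILETIME_PLACEHOLDER)` (using whatever value the validation-info field treats as "never set"), or document in the method's YARD that both keys are now mandatory. `build_pac` starts and ends outside this hunk.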
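Review bot: The swap of `pac_attributes` and `pac_requestor` in the `pac_elements.append` call of the third hunk is not mentioned in the commit message and carries no comment, so a later reader cannot tell whether the buffer order is significant or the change is cosmetic; the existing comment only says the two elements are required. If the intent is to match the buffer order a real KDC emits, which I assume given that the rest of the commit copies real PAC properties across, state that next to the existing comment, e.g. `# Order matters: emit pac_attributes before pac_requestor to match the buffer order a Windows KDC produces`, and mention it in the commit message. `build_pac` starts and ends outside this hunk.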
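Review bot: `element.data.logon_count` and `element.data.password_last_set` are copied into `opts` without `.value`, whereas `element.data.primary_group_id.value` on the line above unwraps its field; if the two new attributes are also BinData primitives the options will carry field objects rather than plain values, and whether `build_pac`'s validation-info hash accepts that is not visible here. Either call `.value` on both new lines for consistency with `primary_group_id`, or keep them as-is and add a one-line comment noting that `logon_domain_id` and `logon_domain_name` are already passed as field objects and that `build_pac` is known to accept them. The enclosing `modify_ticket` starts and ends outside this hunk.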