Child to Parent (Cross Domain)

Across domains within a forest (here, from a child domain up to the forest root) the attribute of interest is sIDHistory. We abuse this attribute, starting from control of the child domain (its krbtgt hash or its trust key), to escalate to Enterprise Admin privileges in the forest root.

  • sIDHistory is a user attribute designed for migrations, where a user is moved from one domain to another. The migrated user gets a new SID in the new domain, and the old SID is added to sIDHistory so that existing ACLs granting access to the old SID keep working. Because SIDs in sIDHistory are copied into the PAC of the user's Kerberos tickets, any SID placed there is treated as a group the user belongs to.

  • sIDHistory can be abused in two ways to escalate privileges within a forest, both by forging a ticket whose PAC carries an extra SID:

    • a Golden Ticket forged with the krbtgt hash of the child domain

    • a trust ticket (inter-realm TGT) forged with the trust key shared between child and parent

Child to Parent Trust Flow

Dollarcorp is the child of moneycorp, and moneycorp is the forest root. Let's assume a user in dollarcorp wants to access a service, CIFS on mcorp-dc, which lives in the parent domain. The first three steps of Kerberos authentication (AS-REQ, AS-REP, TGS-REQ) are the same as for a service in the user's own domain. In step 3, when the dollarcorp DC sees that the requested SPN (CIFS/mcorp-dc) belongs to another domain in the forest, it cannot issue a service ticket itself; instead it responds with a referral, a new TGT for the moneycorp realm.

The 4th step involves this "inter-realm TGT": the client presents it to the moneycorp DC, which then issues the service ticket for CIFS on mcorp-dc. The inter-realm TGT is encrypted using the Trust Key, the secret shared by the two domains (stored as the password of the trust account). The parent DC validates the ticket only with that key, so whoever holds the trust key can forge an inter-realm TGT, including the PAC inside it.

The Trust Key is therefore what we need to forge an inter-realm TGT and move from the child domain to the parent.

In the forged ticket we inject an extra SID into the SID History: the SID of the forest root domain ending in RID 519, the well-known RID of the Enterprise Admins group (a group that exists only in the forest root domain). SID filtering is not enforced on intra-forest (parent/child) trusts by default, so the parent DC accepts the extra SID and issues service tickets as if the user were an Enterprise Admin. With the child's krbtgt hash the same extra SID can be put in a Golden Ticket directly, and the child DC issues the inter-realm TGT for us.
