Child to Parent (Cross Domain)
Across domains, i.e. within a forest, there is an attribute called sIDHistory. We abuse this attribute to escalate to Enterprise Admin privileges.
sIDHistory is a user attribute designed for scenarios where a user is moved from one domain to another. When a user's domain is changed, they get a new SID and the old SID is added to sIDHistory.
sIDHistory can be abused in two ways to escalate privileges within a forest:
krbtgt hash of the child
Trust tickets
Dollarcorp is the child of moneycorp, and moneycorp is the forest root. Let's assume we want to access a service, CIFS on mcorp-dc. The first 3 steps of Kerberos authentication are the same. In step 3, when the DC realizes that the SPN is CIFS on mcorp-dc (another forest), it responds with a new TGT.
The 4th step involves an "inter-realm TGT". This is encrypted using the Trust Key.
The Trust Key is what we need to move across forests.
We inject a SID History entry for SID-519, the well-known SID of the Enterprise Admins group.
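Seen from the defender's side, the sIDHistory attribute described above can be audited for values that a legitimate migration should never produce. This is an added example, not code from the original page; the account names, domain SIDs and the functions `parse_sid`, `pack_sid` and `audit_sid_history` are constructed for illustration, and the input is assumed to be raw binary objectSid/sIDHistory values as read over LDAP.

```python
import struct

# Well-known RIDs of forest/domain-wide privileged groups (519 is the one named above).
PRIVILEGED_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}

def parse_sid(raw: bytes) -> str:
    """Decode a binary SID, as LDAP returns objectSid/sIDHistory, to S-1-... text."""
    if len(raw) < 8 or raw[0] != 1 or raw[1] > 15 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])     # 32-bit each, little-endian
    return "-".join(["S", "1", str(authority), *map(str, subs)])

def pack_sid(text: str) -> bytes:
    """Inverse of parse_sid; used here only to build the constructed sample data."""
    parts = text.split("-")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def audit_sid_history(accounts):
    """Return (account, sid, reason) for each sIDHistory value that needs review."""
    findings = []
    for acct in accounts:
        own_domain = parse_sid(acct["objectSid"]).rpartition("-")[0]
        for raw in acct["sIDHistory"]:
            try:
                sid = parse_sid(raw)
            except ValueError:
                findings.append((acct["name"], raw.hex(), "malformed SID"))
                continue
            domain, _, rid = sid.rpartition("-")
            if domain.startswith("S-1-5-21-") and int(rid) in PRIVILEGED_RIDS:
                findings.append((acct["name"], sid, "grants " + PRIVILEGED_RIDS[int(rid)]))
            elif domain == own_domain:
                findings.append((acct["name"], sid, "SID from the account's own domain"))
    return findings

# Constructed sample data: domain SIDs and account names are made up.
CHILD, ROOT, OLD = "S-1-5-21-1001-2002-3003", "S-1-5-21-4004-5005-6006", "S-1-5-21-7007-8008-9009"
SAMPLE = [
    {"name": "migrated.user", "objectSid": pack_sid(CHILD + "-1105"),
     "sIDHistory": [pack_sid(OLD + "-2210")]},                      # normal migration
    {"name": "svc.backup", "objectSid": pack_sid(CHILD + "-1106"),
     "sIDHistory": [pack_sid(ROOT + "-519")]},                      # Enterprise Admins
    {"name": "helpdesk1", "objectSid": pack_sid(CHILD + "-1107"),
     "sIDHistory": [pack_sid(CHILD + "-1104"), b"\x01\x05\x00"]},   # same domain, truncated
]

if __name__ == "__main__":
    for finding in audit_sid_history(SAMPLE):
        print(*finding, sep=" | ")
```

A SID placed only inside a forged ticket never touches the directory, so this audit covers the attribute itself, not ticket contents.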