# Child to Parent (Cross Domain)

Across domains, i.e. within a forest, there is an attribute called **sIDHistory**. We abuse this attribute to escalate to Enterprise Admin privileges.

* **sIDHistory** is a user attribute designed for scenarios where a user is migrated from one domain to another. When a user's domain is changed, they get a new SID and the old SID is added to sIDHistory, so access granted to the old SID keeps working.
* sIDHistory can be abused in two ways to escalate privileges within a forest, using either:
  * the krbtgt hash of the child domain
  * trust tickets (forged with the trust key)

<figure><img src="https://3740919960-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4Am0a4hPyOcUCfhPUAm9%2Fuploads%2Fzs9fqYOybbEeYq9D4BmF%2Fimage.png?alt=media&#x26;token=0270318f-c3f5-44d6-84ec-36d0974cb0a9" alt=""><figcaption><p>Child to Parent Trust Flow</p></figcaption></figure>

Dollarcorp is the child of moneycorp and moneycorp is the forest root. Let's assume we want to access a service, CIFS on mcorp-dc. The first 3 steps of Kerberos authentication are the same as for a single domain. In step 3, when the child DC realizes that the SPN (CIFS on mcorp-dc) belongs to another domain in the forest, it responds with a new TGT (a referral) instead of a service ticket.

The 4th step involves an "**inter-realm TGT**". This is encrypted using the **Trust Key** shared between the two domains.

The Trust Key is what we need to move across the trust into the parent domain.

We inject a SID History entry for the Enterprise Admins group: the forest root domain SID with the well-known RID 519.
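The reason the injected SID is honoured is that the parent DC only strips foreign SIDs from an inter-realm ticket when SID filtering is enforced on the trust, and on parent-child trusts inside a forest it is not enforced by default. The following is an added example (not code from the original notes) that models that filtering step and the audit a defender would run over the extra SIDs carried in a ticket; both domain SIDs are constructed sample values.

```python
"""Model of SID filtering on a trust and an audit of ticket extra SIDs.
Added example; the domain SIDs below are constructed, not real."""
import re

# NT domain SID: S-1-5-21-<three sub-authorities>-<RID>
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")

# Well-known RIDs that grant administrative control; 519 = Enterprise Admins
PRIVILEGED_RIDS = {
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# Constructed sample values: child (dollarcorp) and forest root (moneycorp)
CHILD_SID = "S-1-5-21-1874506631-3219952063-538504511"
ROOT_SID = "S-1-5-21-280534878-1496970234-700767426"
# Extra SIDs as they would appear in a ticket from the child: the user's
# own child-domain SID plus an injected forest-root Enterprise Admins SID
SAMPLE_EXTRA_SIDS = [CHILD_SID + "-1105", ROOT_SID + "-519"]


def domain_of(sid):
    """Return the domain part of a domain SID (everything before the RID), else None."""
    if not SID_RE.match(sid):
        return None
    return sid.rsplit("-", 1)[0]


def rid_of(sid):
    """Return the RID of a domain SID as an int, else None."""
    m = SID_RE.match(sid)
    return int(m.group(1)) if m else None


def filter_sids(trusted_domain_sid, extra_sids):
    """What SID filtering (quarantine) does: keep only SIDs issued by the trusted
    domain itself and drop every other SID. Returns (kept, dropped)."""
    kept, dropped = [], []
    for sid in extra_sids:
        (kept if domain_of(sid) == trusted_domain_sid else dropped).append(sid)
    return kept, dropped


def audit_extra_sids(trusted_domain_sid, extra_sids):
    """Defender's check: flag SIDs that belong to another domain AND carry a
    privileged RID, i.e. exactly what an injected SID history looks like."""
    return [(sid, PRIVILEGED_RIDS[rid_of(sid)]) for sid in extra_sids
            if domain_of(sid) != trusted_domain_sid and rid_of(sid) in PRIVILEGED_RIDS]
```

With filtering enforced only the child-domain SID survives; without it the forest-root RID 519 SID reaches the parent DC, which is the condition `audit_extra_sids` flags.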
