Using KRBTGT Hash
We abuse sIDHistory again. First, we dump the credentials and obtain the krbtgt hash of dcorp-dc.
We can then forge the inter-realm TGT for Administrator and inject it.
In the above command, the mimikatz option "/sids" forcibly sets the sIDHistory to the Enterprise Admins group for dollarcorp.moneycorp.local, that is, the forest's Enterprise Admins group.
We can now access mcorp from any machine of the current domain
and run commands on the remote machine.
If you can't get a shell on the remote system with winrs (for example, you get an error like the one in the screenshot below), here is what to do to get a shell 🤟 (DCSync):
Run the dcsync attack against the krbtgt hash of the forest root.
Now use over-pass-the-hash to start a process as the Administrator of moneycorp.local, the domain we want the request to be sent to.
You should now have a new process running as domain administrator of mcorp-dc. Run the winrs command again and you should have shell access.
Avoid suspicious logs by using the Domain Controllers group (bypasses MDI detection). Note: /user:dcorp-dc$ used to work earlier (until April 2023), but now we need to use /user:Administrator.
Domain SIDs:
S-1-5-21-2578538781-2508153159-3419410681-516 - Domain Controllers
S-1-5-9 - Enterprise Domain Controllers
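As an added, defender-side illustration (not part of the course notes), the Python below audits the SIDs carried in a ticket's sIDHistory/ExtraSids field against well-known privileged RIDs and SIDs, which is the kind of check MDI and a SIEM rule perform to catch the trust abuse described above. The Domain Controllers SID is the one listed on this page; the child domain SID and the ordinary user SID are constructed placeholders. Inside a forest, the parent-child trust does not apply SID filtering, which is why a forged sIDHistory is honoured; the foreign_domain flag marks the SIDs that a quarantined (SID-filtered) trust would strip because their domain portion does not match the trusted domain.

```python
"""Audit sIDHistory / ExtraSids for privileged group SIDs.

Added example, not from the course notes.  Sample SIDs are constructed
except for the Domain Controllers SID taken from the page.
"""
import re
from dataclasses import dataclass

# Well-known SIDs that are not tied to a domain SID.
PRIVILEGED_WELL_KNOWN = {
    "S-1-5-9": "Enterprise Domain Controllers",
}

# Relative identifiers (RIDs) of built-in privileged groups.
PRIVILEGED_RIDS = {
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# Domain SIDs have the form S-1-5-21-<a>-<b>-<c>; the trailing value is the RID.
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")

# Constructed child domain SID (placeholder, not a real lab value).
CHILD_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Constructed sIDHistory: an ordinary user SID from the child domain,
# the Domain Controllers SID listed on the page, and S-1-5-9.
SAMPLE_HISTORY = [
    CHILD_DOMAIN_SID + "-1105",
    "S-1-5-21-2578538781-2508153159-3419410681-516",
    "S-1-5-9",
]


@dataclass(frozen=True)
class Finding:
    sid: str
    group: str
    foreign_domain: bool  # domain portion differs from the trusted domain


def split_domain_sid(sid):
    """Return (domain_sid, rid) for a domain SID, or (None, None) otherwise."""
    m = SID_RE.match(sid)
    if not m:
        return None, None
    rid_text = m.group(1)
    return sid[: -len(rid_text) - 1], int(rid_text)


def audit_sid_history(sids, trusted_domain_sid):
    """Return a Finding for every privileged SID in the supplied history.

    A SID whose domain portion is not trusted_domain_sid is marked
    foreign_domain; a quarantined trust would drop it, but a parent-child
    trust inside one forest accepts it.
    """
    findings = []
    for sid in sids:
        if sid in PRIVILEGED_WELL_KNOWN:
            findings.append(Finding(sid, PRIVILEGED_WELL_KNOWN[sid], False))
            continue
        domain, rid = split_domain_sid(sid)
        if rid in PRIVILEGED_RIDS:
            findings.append(
                Finding(sid, PRIVILEGED_RIDS[rid], domain != trusted_domain_sid)
            )
    return findings


if __name__ == "__main__":
    for f in audit_sid_history(SAMPLE_HISTORY, CHILD_DOMAIN_SID):
        where = "foreign domain" if f.foreign_domain else "well-known / local"
        print(f"ALERT {f.sid} -> {f.group} ({where})")
```

On the constructed history the ordinary user SID is ignored, while the page's Domain Controllers SID is reported as a foreign-domain privileged SID and S-1-5-9 as a well-known privileged SID; either one appearing in a child domain account's sIDHistory is a strong signal of forged trust tickets.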