Exploiting Domain Trusts

We have only exploited the ZA.TRYHACKME.LOC domain. Surely TRYHACKME must have domains for other regions as well? Well, if we take control of the root domain, TRYHACKME.LOC, we will be in a position to compromise all of these regional domains.

---

Domain Trusts

As discussed before, a forest is a collection of one or more domain trees inside an AD network. Domain Trusts are a mechanism for users in the network to gain access to other resources in the domain. For the most part, trusts outline how the domains inside of a forest communicate with each other. In some environments, trusts can be extended out to external domains and even forests in some cases.

There are two main types of trusts that can be configured between domains:

1. Directional

The direction of the trust flows from a trusting domain to a trusted domain

2. Transitive

It is common to have a root or parent domain in a forest. In our case, this is TRYHACKME.LOC. For each regional office, sub or child domains are created, such as ZA.TRYHACKME.LOC or UK.TRYHACKME.LOC. This forest configuration will allow the sharing of resources between the ZA and the UK office.

However, as an attacker, we can also exploit this trust to compromise the parent domain if we have compromised a child domain.

KRBTGT and Golden Tickets

I have explained this before in a previous section:

Use of Alternate Authentication Material | Stuffmfkrypt.gitbook.io

In order to forge TGTs, we need the following information:

• The FQDN of the domain

• The Security Identifier (SID) of the domain

• The username of the account we want to impersonate

• The KRBTGT password hash

We will again use Mimikatz with a DCSync to recover the KRBTGT password hash on THMSERVER2

DCSync

DCSync is an attack that allows an adversary to simulate the behavior of a domain controller (DC) and retrieve password data via domain replication. The classic use for DCSync is as a precursor to a Golden Ticket attack, as it can be used to retrieve the KRBTGT hash.

It uses commands in the Directory Replication Service Remote Protocol (MS-DRSR) to simulate the behavior of a domain controller and ask other domain controllers to replicate information

mimikatz.exe
# privilege::debug
# lsadump::dcsync /user:za\krbtgt

Inter-Realm TGTs

We can take this a step further by forging an Inter-Realm TGT. Inter-Realm TGTs are used to provide access to resources in other domains. In our case, we want to exploit the bidirectional trust relationship between the child and parent domain to gain full access to the parent domain.

The key here is that we will exploit the trust the parent domain has with our child domain by adding the SID of the Enterprise Admins (EA) group as an extra SID to our forged ticket for the domain controller of the child domain. The EA group belongs to the parent domain and membership to this group essentially grants Administrative privileges over the entire forest! The default SID for this group is S-1-5-21-<RootDomain>-519.

Before we can go into exploitation, we first need to recover two SIDs:

• The SID of the child domain controller (THMDC), which we will impersonate in our forged TGT

• The SID of the EA in the parent domain, which we will add as an extra SID to our forged TGT

Recover the SID of the child domain controller using:

Get-ADComputer -Identity "THMDC"

We can recover the SID of the EA group using the following command to query the parent domain controller:

Get-ADGroup -Identity "Enterprise Admins" -Server thmrootdc.tryhackme.loc

Then in Mimikatz, generate the Golden Ticket with the EA SID and pass the ticket

kerberos::golden /user:Administrator /domain:za.tryhackme.loc /sid:<SID of child domain> /service:krbtgt /rc4:<Password hash of krbtgt user> /sids:<SID of Enterprise Admins group> /ptt

Verify that the ticket works to for the child DC

dir \\thmdc.za.tryhackme.loc\c$

It works. Now let's try to enumerate the directory of the Parent DC

dir \\thmrootdc.tryhackme.loc\c$

Get the flag in Administrator's Desktop