Certified Red Team Professional (CRTP) - Notes

4 - LO 4

Learning Objective 4

Tasks

1 - Enumerate all domains in the moneycorp.local forest

2 - Map the trusts of the dollarcorp.moneycorp.local domain

3 - Map External trusts in moneycorp.local forest

4 - Identify external trusts of dollarcorp domain. Can you enumerate trusts for a trusting forest?

Flag 4 [Student VM] - Trust Direction for the trust between dollarcorp.moneycorp.local and eurocorp.local 🚩

Solutions

1 - Enumerate all domains in the moneycorp.local forest

Start InviShell and PowerView

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\Powerview.ps1

Get-ForestDomain lists every domain of the moneycorp.local forest. The same picture emerges from Get-DomainTrust run against dollarcorp.moneycorp.local: the entries with the WITHIN_FOREST attribute are the other domains of the forest, while eurocorp.local shows up as an external, SID-filtered trust.

Get-DomainTrust -Domain dollarcorp.moneycorp.local | select TargetName,TrustAttributes,TrustDirection
TargetName                    TrustAttributes TrustDirection
----------                    --------------- --------------
moneycorp.local               WITHIN_FOREST   Bidirectional
us.dollarcorp.moneycorp.local WITHIN_FOREST   Bidirectional
eurocorp.local                FILTER_SIDS     Bidirectional

2 - Map the trusts of the dollarcorp.moneycorp.local domain

With Get-DomainTrust we retrieve every trust of the dollarcorp.moneycorp.local domain together with its type, attributes and direction.

Get-DomainTrust -Domain dollarcorp.moneycorp.local
SourceName      : dollarcorp.moneycorp.local
TargetName      : moneycorp.local
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection  : Bidirectional
WhenCreated     : 11/12/2022 5:59:01 AM
WhenChanged     : 4/19/2025 4:04:35 AM

SourceName      : dollarcorp.moneycorp.local
TargetName      : us.dollarcorp.moneycorp.local
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection  : Bidirectional
WhenCreated     : 11/12/2022 6:22:51 AM
WhenChanged     : 5/1/2025 5:09:26 AM

SourceName      : dollarcorp.moneycorp.local
TargetName      : eurocorp.local
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FILTER_SIDS
TrustDirection  : Bidirectional
WhenCreated     : 11/12/2022 8:15:23 AM
WhenChanged     : 5/1/2025 5:09:25 AM

3 - Map External trusts in moneycorp.local forest

Filtering the Get-DomainTrust output on the trust attribute "FILTER_SIDS" lists all external trust relationships. With SID filtering enabled, only the primary SID of the authenticating principal is considered during authorization and any SIDHistory entries are ignored.

As seen in the previous tasks, the current forest is moneycorp.local, so there is no need to specify it.

Get-DomainTrust | ?{$_.TrustAttributes -eq "FILTER_SIDS"}
SourceName      : dollarcorp.moneycorp.local
TargetName      : eurocorp.local
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FILTER_SIDS
TrustDirection  : Bidirectional
WhenCreated     : 11/12/2022 8:15:23 AM
WhenChanged     : 5/1/2025 5:09:25 AM

4 - Identify external trusts of dollarcorp domain. Can you enumerate trusts for a trusting forest?

So far we know the following about the dollarcorp domain:

Get-DomainTrust -Domain dollarcorp.moneycorp.local | select TargetName,TrustAttributes,TrustDirection
TargetName                    TrustAttributes TrustDirection
----------                    --------------- --------------
moneycorp.local               WITHIN_FOREST   Bidirectional
us.dollarcorp.moneycorp.local WITHIN_FOREST   Bidirectional
eurocorp.local                FILTER_SIDS     Bidirectional

and the relative external trust:

Get-DomainTrust -Domain dollarcorp.moneycorp.local | ? { $_.TrustAttributes -match "FILTER_SIDS" }
SourceName      : dollarcorp.moneycorp.local
TargetName      : eurocorp.local
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FILTER_SIDS
TrustDirection  : Bidirectional
WhenCreated     : 11/12/2022 8:15:23 AM
WhenChanged     : 5/1/2025 5:09:25 AM

To answer the question "Can you enumerate trusts for a trusting forest?": the external forest is eurocorp.local, so we enumerate all of its domains and query the trusts of each one:

Get-ForestDomain -Forest eurocorp.local | %{Get-DomainTrust -Domain $_.Name}
SourceName      : eurocorp.local
TargetName      : eu.eurocorp.local
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection  : Bidirectional
WhenCreated     : 11/12/2022 5:49:08 AM
WhenChanged     : 5/1/2025 5:03:47 AM

SourceName      : eurocorp.local
TargetName      : dollarcorp.moneycorp.local
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FILTER_SIDS
TrustDirection  : Bidirectional
WhenCreated     : 11/12/2022 8:15:23 AM
WhenChanged     : 5/1/2025 5:09:25 AM

Exception calling "FindAll" with "0" argument(s): "A referral was returned from the
server.
"
At C:\AD\Tools\Powerview.ps1:23860 char:20
+             else { $Results = $Searcher.FindAll() }
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DirectoryServicesCOMException

The error appears because we cannot enumerate the trusts of a domain we have no visibility into: the query for the child domain eu.eurocorp.local is answered with an LDAP referral rather than with results.

Likewise, when we list the domains of the eurocorp.local forest, full details are returned only for the forest root; the child domain comes back with nothing but its name.

Get-ForestDomain -Forest eurocorp.local
Forest                  : eurocorp.local
DomainControllers       : {eurocorp-dc.eurocorp.local}
Children                : {eu.eurocorp.local}
DomainMode              : Unknown
DomainModeLevel         : 7
Parent                  :
PdcRoleOwner            : eurocorp-dc.eurocorp.local
RidRoleOwner            : eurocorp-dc.eurocorp.local
InfrastructureRoleOwner : eurocorp-dc.eurocorp.local
Name                    : eurocorp.local

Forest                  :
DomainControllers       :
Children                :
DomainMode              :
DomainModeLevel         :
Parent                  :
PdcRoleOwner            :
RidRoleOwner            :
InfrastructureRoleOwner :
Name                    : eu.eurocorp.local
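As an added illustration (not part of the CRTP course material nor of PowerView itself), the PowerShell below wraps the enumeration from tasks 1 to 4 in two helpers: Get-TrustMap classifies trust objects shaped like the Get-DomainTrust output above (intra-forest, forest or external, plus whether SID filtering is on), and Get-ForestTrustMapSafe walks Get-ForestDomain and catches the referral exception shown above per domain, so one unreachable child domain does not spill an exception into the trust map. The function names, the FOREST_TRANSITIVE branch (a PowerView attribute name not shown on this page) and the constructed sample objects are assumptions of mine; the sample mirrors the lab output above so the classifier can be exercised without a domain connection.

```powershell
# Added example, not CRTP or PowerView code. Requires PowerView to be dot-sourced
# only for Get-ForestTrustMapSafe; Get-TrustMap works on any objects with the
# SourceName / TargetName / TrustAttributes / TrustDirection properties.

function Get-TrustMap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Trust
    )
    process {
        foreach ($t in $Trust) {
            # TrustAttributes is a flags value; stringify it so -match works on the names.
            $attrs = "$($t.TrustAttributes)"
            $kind = if ($attrs -match 'WITHIN_FOREST') { 'Intra-forest' }
                    elseif ($attrs -match 'FOREST_TRANSITIVE') { 'Forest' }   # assumed PowerView flag name
                    else { 'External' }
            [pscustomobject]@{
                Source       = $t.SourceName
                Target       = $t.TargetName
                Kind         = $kind
                Direction    = "$($t.TrustDirection)"
                SidFiltering = [bool]($attrs -match 'FILTER_SIDS')
            }
        }
    }
}

function Get-ForestTrustMapSafe {
    # Walks every domain of a forest and maps its trusts. A domain we have no
    # visibility into raises "A referral was returned from the server"; the
    # try/catch turns that into a warning and keeps the loop going.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Forest)
    Get-ForestDomain -Forest $Forest | ForEach-Object {
        $name = $_.Name
        try {
            Get-DomainTrust -Domain $name -ErrorAction Stop | Get-TrustMap
        } catch {
            Write-Warning "No visibility into ${name}: $($_.Exception.Message)"
        }
    }
}

# Constructed sample objects (mirroring the lab output, not live query results):
$sample = @(
    [pscustomobject]@{ SourceName = 'dollarcorp.moneycorp.local'; TargetName = 'moneycorp.local';               TrustAttributes = 'WITHIN_FOREST'; TrustDirection = 'Bidirectional' }
    [pscustomobject]@{ SourceName = 'dollarcorp.moneycorp.local'; TargetName = 'us.dollarcorp.moneycorp.local'; TrustAttributes = 'WITHIN_FOREST'; TrustDirection = 'Bidirectional' }
    [pscustomobject]@{ SourceName = 'dollarcorp.moneycorp.local'; TargetName = 'eurocorp.local';                TrustAttributes = 'FILTER_SIDS';   TrustDirection = 'Bidirectional' }
)

$map = $sample | Get-TrustMap
$map | Format-Table -AutoSize

# Only the SID-filtered trusts, i.e. the external ones (task 3):
$map | Where-Object { $_.SidFiltering } | Format-Table -AutoSize

# In the lab, replace the sample with live data:
#   Get-DomainTrust -Domain dollarcorp.moneycorp.local | Get-TrustMap
#   Get-ForestTrustMapSafe -Forest eurocorp.local
```

The classifier checks WITHIN_FOREST before FILTER_SIDS on purpose: a trust can carry several attribute flags at once, and the intra-forest relationship is the one that decides whether the target is part of our forest. SidFiltering is reported as a separate column rather than folded into Kind, because for Flag 4 the question is the direction and filtering state of one specific trust, not its category.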

Flag 4 [Student VM] - Trust Direction for the trust between dollarcorp.moneycorp.local and eurocorp.local 🚩

The trust direction between dollarcorp.moneycorp.local and eurocorp.local can be determined by inspecting the TrustDirection field using:

Get-DomainTrust -Domain dollarcorp.moneycorp.local | ? { $_.TargetName -eq "eurocorp.local" } | select TargetName,TrustAttributes,TrustDirection