ACTIVE DIRECTORY — PRIVILEGE ESCALATION

Breaking Domain Trusts with Forged Trust Tickets

Abuse Active Directory domain trusts for privilege escalation to Enterprise Admin

Credit: matejmo

In the previous post about enumerating domain trusts, we discussed trust relationships between domains and forests. We learned that all of the domains within a forest have implicit transitive two-way relationships, allowing users to easily access shared resources within the same or different domains.

This post will learn how to abuse the domain trusts during the lateral movement phase to hop to other domains like the root domain and escalate to Enterprise Admin. The attack scenario would require the attacker to obtain a DA on the domain controller to dump its trust keys. Then, use them to forge trust tickets to access resources located on other domains.

The demonstration steps of the attack scenario will be on the Pentester Academy Active Directory Lab by Nikhil Mittal associated with the CRTP course.

KEY CONCEPTS 📄

• Analysis Flow
• Escalation Requirements
• Used Tools
• Forging Trust Tickets [demo]

$_Trust_Flow_Analysis

1- The user authenticates to DC#1 by sending an encrypted request with their credentials. The DC #1 verifies their identity and sends a TGT ticket.

2. The user receives the TGT ticket and sends it back to DC#1, requesting a service ticket for a specific service like SQL service. If the requested service resides on another domain, DC #1 will issue a special TGT ticket called Inter-Realm or Referral Ticket encrypted with their trust key to refer to the DC that has the service.

In our case, the user requested access to a SQL service that resides on domain #2. So, DC #1 issued a referral ticket to DC #2.

Figure 1- shows the DC #1 issuing inter-realm TGT ticket for the user.

3. The user takes that inter-realm ticket and presents it to DC #2, requesting a SQL service ticket. DC #2 has a copy of the trust key of DC#1; If it decrypts the ticket presented by the user, it will go ahead and issue a SQL service ticket as requested without conducting additional verification.

Figure 2 — shows the user presenting the inter-realm ticket to the DC #2

📌 DC#2 will blindly trust DC #1 to verify the user. However, we will see the risk later in the escalation part that if the attacker obtains the trust keys, can forge TGT tickets all day long.

4. The user presents the SQL TGS ticket to the database server and gets the intended access.

$_Escalation_Requirements 🚩

• Domain Admin privileges on the compromised domain controller.
• Domain Controller Trust Keys to forge the Inter-realm TGT tickets.

$_Used _Tools 🔧

• Invoke-Mimikatz
• Rubeus

$_Escalation_Demo 🔥

Our goal is to forge an inter-realm trust ticket that escalates us to Enterprise Admin using the compromised trust keys. This step assumes that you have already gained domain admin privileges on the DC.

I obtained the access by abusing the application server’s unconstrained delegation in the previous post (link).

Figure 3 — shows access to the domain controller.

To forge a trusted ticket, we need the domain trust key and the SID of the root domain. Run Invoke-Mimikatz with the trust parameter to obtain the keys.

Invoke-Mimikatz -Command ‘“lsadump::trust /patch”’-ComputerName dc-name

As seen in the below screenshot, we obtained all the trust keys from the domain controller. The [IN] and [OUT] in front of the domain names indicate the trust direction.

In our case, we are interested in getting access to the root domain “moneycorp.local” from our child domain “dollar.moneycorp.local”. Therefore, we choose the first key.

[ In ] DOLLARCORP.MONEYCORP.LOCAL -> MONEYCORP.LOCAL

Figure 4 — shows Mimikatz obtains all the trust keys from the child domain controller.

After identifying the right trust key, we need the domain controller SID and the SID of the root domain to create the fake trust ticket with Enterprise Admin privileges.

Figure 5 — shows forging a new trust ticket with Mimikatz using the trust key hash and SID values.

Next, run Invoke-Mimikatz to issue the inter-realm tickets. Again, we specify the gold module, the child domain SID of “dollar.moneycorp.local” and the root domain SID “moneycorp. local”.

Invoke-Mimikatz -Command '"Kerberos::golden 
/user: Administrator 
/domain: dollarcorp.moneycorp.local [child_domain]
/sid: DomainAdmin_SID 
/sids: Enterprise_Admin_SID
/rc4: Ticket HASH 
/service:krbtgt 
/target:moneycorp.local [root domain]
/ticket: location to save the ticket"'

Figure 6 — shows a new inter-realm ticket, “trust.kirbi” with Mimikatz.

Copy the ticket locally, and use it to request a service ticket (TGS) from the root domain. In the below example, we requested CIFS service with Rubeus — asktgs module.

Rubeus.exe asktgs
/ticket: ticket Location
/service: service type [cifs/mcorpdc.moneycorp.local] 
/dc: domain controller [mcorp-dc.moneycorp.local] 
/ptt

Figure 7 — shows Rubeus requesting a CIFS service ticket with the forged inter-realm ticket.

After running the command, verify we have the new TGS ticket with the klist command.

As seen below, we got a TGS ticket as Administrator for the CIFS service on the root domain controller “mcorp-dc.moneycorp.local”. We were able to list the Enterprise Administrator’s shares on the root domain.

Figure 8 — shows access to the root domain as Enterprise Admin.

That brings us to the end of this post. We learned about the dynamics of the active directory trusts across domains and how to forge inter-realm trust tickets with higher privileges to gain access to the root domain as Enterprise Admin.

Thanks for stopping by 😃!!

🔔 All of the used commands can be found at R3d-Buck3T — (Active Directory — Privilege Escalation —Domain Trusts — Forging Trust Tickets)

$_References

Enumerating Domain Trusts in Active Directory

Attacking and Defending Active Directory Lab

A Guide to Attacking Domain Trusts - harmj0y

Active Directory forest trusts part 1 - How does SID filtering work?

From Domain Admin to Enterprise Admin

Specifying Security and Administrative Boundaries