ACTIVE DIRECTORY — PRIVILEGE ESCALATION
Breaking Domain Trusts with Forged Trust Tickets
Abuse Active Directory domain trusts for privilege escalation to Enterprise Admin
In the previous post about enumerating domain trusts, we discussed trust relationships between domains and forests. We learned that all of the domains within a forest have implicit transitive two-way relationships, allowing users to easily access shared resources within the same or different domains.
This post explains how to abuse domain trusts during the lateral movement phase to hop to other domains, such as the forest root domain, and escalate to Enterprise Admin. The attack scenario requires the attacker to first obtain Domain Admin privileges on a domain controller in order to dump its trust keys, then use those keys to forge trust tickets that grant access to resources located in other domains.
The demonstration steps of the attack scenario will be on the Pentester Academy Active Directory Lab by Nikhil Mittal associated with the CRTP course.
KEY CONCEPTS 📄
- Analysis Flow
- Escalation Requirements
- Used Tools
- Forging Trust Tickets [demo]
$_Trust_Flow_Analysis
1. The user authenticates to DC #1 by sending a request encrypted with their credentials. DC #1 verifies their identity and returns a TGT.
2. The user presents the TGT back to DC #1, requesting a service ticket for a specific service, such as a SQL service. If the requested service resides in another domain, DC #1 issues a special TGT called an inter-realm (referral) ticket, encrypted with the trust key it shares with the domain that hosts the service, to refer the user to that domain's DC.
In our case, the user requested access to a SQL service that resides on domain #2. So, DC #1 issued a referral ticket to DC #2.
3. The user takes that inter-realm ticket and presents it to DC #2, requesting a SQL service ticket. DC #2 holds a copy of the trust key shared with DC #1; if it can decrypt the referral ticket presented by the user, it issues the SQL service ticket as requested without conducting any additional verification.
📌 DC #2 blindly trusts DC #1 to have verified the user. We will see the risk of this in the escalation section: an attacker who obtains the trust keys can forge inter-realm TGTs at will.
4. The user presents the SQL TGS ticket to the database server and gets the intended access.
$_Escalation_Requirements 🚩
- Domain Admin privileges on the compromised domain controller.
- Domain Controller Trust Keys to forge the Inter-realm TGT tickets.
$_Used_Tools 🔧
- Invoke-Mimikatz
- Rubeus
$_Escalation_Demo 🔥
Our goal is to forge an inter-realm trust ticket that escalates us to Enterprise Admin using the compromised trust keys. This step assumes that you have already gained domain admin privileges on the DC.
I obtained the access by abusing the application server’s unconstrained delegation in the previous post (link).
To forge a trust ticket, we need the domain trust key and the SID of the root domain. Run Invoke-Mimikatz with the lsadump::trust module to obtain the keys.
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc-name
As seen in the below screenshot, we obtained all the trust keys from the domain controller. The [IN] and [OUT] in front of the domain names indicate the trust direction.
In our case, we are interested in gaining access to the root domain "moneycorp.local" from our child domain "dollarcorp.moneycorp.local". Therefore, we choose the first key.
[ In ] DOLLARCORP.MONEYCORP.LOCAL -> MONEYCORP.LOCAL
After identifying the right trust key, we need the SID of our child domain and the Enterprise Admins SID of the root domain to create the fake trust ticket with Enterprise Admin privileges.
Next, run Invoke-Mimikatz to forge the inter-realm ticket. This time we use the kerberos::golden module and specify the child domain SID of "dollarcorp.moneycorp.local" and the Enterprise Admins SID of the root domain "moneycorp.local" (the mimikatz parameters take no space after the colon; the values in angle brackets are placeholders for your own lab values):
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:<child_domain_SID> /sids:<Enterprise_Admins_SID> /rc4:<trust_key_hash> /service:krbtgt /target:moneycorp.local /ticket:<path_to_save_ticket>"'
Copy the ticket locally and use it to request a service ticket (TGS) from the root domain. In the example below, we requested a CIFS service ticket with the Rubeus asktgs module (the values in angle brackets are placeholders):
Rubeus.exe asktgs /ticket:<path_to_ticket> /service:cifs/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt
After running the command, verify that we have the new TGS ticket with the klist command.
As seen below, we got a TGS ticket as Administrator for the CIFS service on the root domain controller "mcorp-dc.moneycorp.local", and we were able to list the Enterprise Administrator's shares on the root domain.
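The following PowerShell is an added audit check, not code from the original post or the lab: it lists every trust the current domain knows about and flags those on which the injected SID history that the /sids parameter relies on would be accepted, i.e. intra-forest trusts without SID filtering quarantine. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the trustedDomain objects; the function name Get-TrustAuditReport is my own.

```powershell
# Added example (not from the original post): audit domain trusts for the
# properties the forged-trust-ticket attack depends on.
# Assumes the RSAT ActiveDirectory module is available.
Import-Module ActiveDirectory

function Get-TrustAuditReport {
    param(
        # Optional domain controller to query; defaults to the current domain.
        [string]$Server
    )

    $params = @{ Filter = '*' }
    if ($Server) { $params['Server'] = $Server }

    Get-ADTrust @params | ForEach-Object {
        # Intra-forest (parent/child) trusts do not quarantine SID history by
        # default, so an Enterprise Admins SID carried in SID history is honoured.
        # That is why the forest, not the domain, is the security boundary.
        $sidHistoryAccepted = $_.IntraForest -and -not $_.SIDFilteringQuarantined

        [pscustomobject]@{
            Trust                   = $_.Name
            Direction               = $_.Direction        # Inbound / Outbound / BiDirectional
            IntraForest             = $_.IntraForest
            ForestTransitive        = $_.ForestTransitive
            SIDFilteringQuarantined = $_.SIDFilteringQuarantined
            SIDFilteringForestAware = $_.SIDFilteringForestAware
            UsesRC4Encryption       = $_.UsesRC4Encryption # the /rc4 trust key above is an RC4 key
            SidHistoryAccepted      = $sidHistoryAccepted
        }
    }
}

# List all trusts, then show only the ones that accept injected SID history.
$report = Get-TrustAuditReport
$report | Format-Table -AutoSize
$report | Where-Object SidHistoryAccepted | Format-Table Trust, Direction, UsesRC4Encryption -AutoSize
```

A trust key dumped as shown above should be treated as a compromised credential: reset the trust password and review the root domain's security log for service ticket requests from child-domain accounts that were never granted Enterprise Admin membership.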
That brings us to the end of this post. We learned about the dynamics of Active Directory trusts across domains and how to forge inter-realm trust tickets with higher privileges to gain access to the root domain as Enterprise Admin.
Thanks for stopping by 😃!!
🔔 All of the used commands can be found at R3d-Buck3T — (Active Directory — Privilege Escalation —Domain Trusts — Forging Trust Tickets)