Forest Attacks - From Child to Parent using KRBTGT Hash

Home Blog


I have been going through my course and thought I would share a video I made on an attack method to gain Local Admin Privleges to Domain Admin, then finally to Enterprise Admin on different domains. The course that I'm currently taking clearly teaches you that if your network has been hacked and a Domain Administrator is comprimised, we must assume that all Enterprise Administrator accounts are comprimised on different forests no matter of location.

I love these types of attacks because its about finding misconfigurations on systems. Its teaching me to understand foundations, which I'm really enjoying. The video doesn't have any audio, however below are some steps that I have taken to comprimise the accounts. Hope you learned something new.

Low Priv User > Local Administrator > Domain Administrator > Enterprise Administrator on different domains!

Domain - dollarcorp.moneycorp.local
- Obtain Local Administrator by exploiting a misconfigured service
- Hunting for interesting credentials on machines where my current account is a Local Administrator is on. If I can see that I am a Local Administrator on a machine which has interesting credentials in memory, I can dump it.
- Pivot and move to different machines laterally while bypassing App Locker and AMSI.
- Dump Credentials using Invoke-Mimikatz when finding these machines with interesting accounts.
- Obtain Domain Administrator (dollarcorp.moneycorp.local) after pivoting multiple times.

Domain - moneycorp.local
- Using KRBTGT hash and SID history of Enterprise Admins group to RCE against the parent domain (moneycorp.local).
- Scheduling a Weekly task to run as NT Authority\SYSTEM to download a Powershell Reverse shell.
- Run the scheduled Task while waiting for a connection.
- Comprimise moneycorp.local domain as Enterprise Admin!

Click on this link video for Forest Attack Demonstration