PrivEsc

*Evil-WinRM* PS C:\Users\Administrator\Desktop> Get-ADTrust -Filter *


Direction               : BiDirectional
DisallowTransivity      : False
DistinguishedName       : CN=zsm.local,CN=System,DC=painters,DC=htb
ForestTransitive        : True
IntraForest             : False
IsTreeParent            : False
IsTreeRoot              : False
Name                    : zsm.local
ObjectClass             : trustedDomain
ObjectGUID              : 7c5a3e64-19d9-45d1-b935-53c7ccf27c78
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source                  : DC=painters,DC=htb
Target                  : zsm.local
TGTDelegation           : False
TrustAttributes         : 8
TrustedPolicy           :
TrustingPolicy          :
TrustType               : Uplevel
UplevelOnly             : False
UsesAESKeys             : False
UsesRC4Encryption       : False

IsTreeParent and IsTreeRoot are both False, which shows that this is a forest -> forest relationship between painters.htb -> zsm.local, and Direction shows the trust is bidirectional.

We can confirm that, and we are painters.htb.

Who is zsm.local?

FOREST_TRANSITIVE (TrustAttributes 8) means SID filtering is NOT automatically enabled for forest trusts unless explicitly configured. If SID filtering is partially enabled (sometimes referred to as SID history enabled), effectively only filtering out RIDs < 1000, a ticket can be forged with an extra SID that contains the target domain and the RID of any group with RID >= 1000. The ticket can then be used to conduct further attacks depending on the group's privileges.
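To make the TrustAttributes value and the SID-filtering posture easier to read off a Get-ADTrust dump, here is an added audit helper (example code, not part of the original writeup). It parses the property/value lines above (embedded as a constructed sample), decodes the TrustAttributes bitmask using the flag values from MS-ADTS, and lists the review points a defender would raise for this trust: a transitive forest trust whose QUARANTINED_DOMAIN bit (0x4) is not set, a bidirectional direction, and selective authentication turned off. The function and field names are my own.

```python
import re

# Constructed sample: the Get-ADTrust output shown in the writeup, copied verbatim.
SAMPLE_TRUST = """
Direction               : BiDirectional
DisallowTransivity      : False
DistinguishedName       : CN=zsm.local,CN=System,DC=painters,DC=htb
ForestTransitive        : True
IntraForest             : False
IsTreeParent            : False
IsTreeRoot              : False
Name                    : zsm.local
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source                  : DC=painters,DC=htb
Target                  : zsm.local
TGTDelegation           : False
TrustAttributes         : 8
TrustedPolicy           :
TrustingPolicy          :
TrustType               : Uplevel
"""

# trustAttributes bit flags as defined in MS-ADTS section 6.1.6.7.9.
TRUST_ATTRIBUTE_FLAGS = {
    0x00000001: "NON_TRANSITIVE",
    0x00000002: "UPLEVEL_ONLY",
    0x00000004: "QUARANTINED_DOMAIN",          # SID filtering quarantine on
    0x00000008: "FOREST_TRANSITIVE",
    0x00000010: "CROSS_ORGANIZATION",          # selective authentication
    0x00000020: "WITHIN_FOREST",
    0x00000040: "TREAT_AS_EXTERNAL",
    0x00000080: "USES_RC4_ENCRYPTION",
    0x00000200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x00000400: "PIM_TRUST",
    0x00000800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}


def parse_ad_trust(text):
    """Turn 'Name : Value' lines from Get-ADTrust into a dict (empty values allowed)."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s*:\s*(.*?)\s*$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def decode_trust_attributes(value):
    """Return the names of all flags set in a trustAttributes integer, lowest bit first."""
    return [name for bit, name in sorted(TRUST_ATTRIBUTE_FLAGS.items()) if value & bit]


def classify_trust(props):
    """Inter-forest vs intra-forest, derived from the same fields the writeup reads."""
    if props.get("IntraForest") == "True" or props.get("IsTreeParent") == "True" \
            or props.get("IsTreeRoot") == "True":
        return "intra-forest"
    return "forest -> forest" if props.get("ForestTransitive") == "True" else "external"


def assess_trust(props):
    """Decode the flags and collect the points a defender should review for this trust."""
    attrs = int(props.get("TrustAttributes", "0"))
    flags = decode_trust_attributes(attrs)
    findings = []
    if "FOREST_TRANSITIVE" in flags and "QUARANTINED_DOMAIN" not in flags:
        findings.append("SID filtering not quarantined on a transitive forest trust: "
                        "SID history from the trusted forest with RID >= 1000 is accepted")
    if props.get("Direction") == "BiDirectional":
        findings.append("trust is bidirectional: each side's principals can authenticate to the other")
    if props.get("SelectiveAuthentication") == "False":
        findings.append("selective authentication disabled: no per-resource authentication gate")
    return {"target": props.get("Target"), "kind": classify_trust(props),
            "flags": flags, "findings": findings}


if __name__ == "__main__":
    result = assess_trust(parse_ad_trust(SAMPLE_TRUST))
    print(f"{result['target']} ({result['kind']}) flags={result['flags']}")
    for f in result["findings"]:
        print(" -", f)
```

For the sample above the decoder reports only FOREST_TRANSITIVE and flags the missing quarantine; on a real forest where that is unintended, the quarantine bit is set from the trusting side with netdom trust /quarantine:yes (which disables SID history across the trust), and Get-ADTrust can be re-run to confirm TrustAttributes changes from 8 to 12.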
