PrivEsc

*Evil-WinRM* PS C:\Users\Administrator\Desktop> Get-ADTrust -Filter *


Direction               : BiDirectional
DisallowTransivity      : False
DistinguishedName       : CN=zsm.local,CN=System,DC=painters,DC=htb
ForestTransitive        : True
IntraForest             : False
IsTreeParent            : False
IsTreeRoot              : False
Name                    : zsm.local
ObjectClass             : trustedDomain
ObjectGUID              : 7c5a3e64-19d9-45d1-b935-53c7ccf27c78
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source                  : DC=painters,DC=htb
Target                  : zsm.local
TGTDelegation           : False
TrustAttributes         : 8
TrustedPolicy           :
TrustingPolicy          :
TrustType               : Uplevel
UplevelOnly             : False
UsesAESKeys             : False
UsesRC4Encryption       : False

IsTreeParent and IsTreeRoot are both False (and, in the same output, IntraForest is False while ForestTransitive is True), so this is a forest-to-forest trust between painters.htb and zsm.local, and Direction shows that the trust is bidirectional.

The Source field confirms this from our side: we are painters.htb.

Who is zsm.local?


TrustAttributes 8 corresponds to FOREST_TRANSITIVE. FOREST_TRANSITIVE means SID filtering is NOT automatically enabled for forest trusts unless explicitly configured. If SID filtering is only partially enabled (sometimes referred to as "SID history enabled"), effectively filtering out only RIDs below 1000, a ticket can be forged with an extra SID that contains the target domain and the RID of any group with RID >= 1000. The ticket can then be used to conduct further attacks depending on that group's privileges.
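As an added example (not part of the original writeup), a small Python audit that decodes the TrustAttributes bits from Get-ADTrust output and reports the trust scope and SID-filtering state, which is what a defender reviewing a forest trust would check first. The sample is constructed from the output above; the flag values and their mapping to the Get-ADTrust SIDFiltering* properties follow MS-ADTS, and the helper names are my own.

```python
import re

# Constructed sample: the Get-ADTrust output above, reduced to the fields this audit reads.
SAMPLE = """\
Direction               : BiDirectional
ForestTransitive        : True
IntraForest             : False
Name                    : zsm.local
TrustAttributes         : 8
"""

# trustAttributes bit flags (MS-ADTS); 0x4 and 0x40 are the two SID-filtering related bits.
TRUST_ATTRIBUTES = {
    0x1: "NON_TRANSITIVE", 0x2: "UPLEVEL_ONLY",
    0x4: "QUARANTINED_DOMAIN",   # Get-ADTrust shows this as SIDFilteringQuarantined
    0x8: "FOREST_TRANSITIVE", 0x10: "CROSS_ORGANIZATION", 0x20: "WITHIN_FOREST",
    0x40: "TREAT_AS_EXTERNAL",   # Get-ADTrust SIDFilteringForestAware, "SID history enabled"
    0x80: "USES_RC4_ENCRYPTION",
}

def parse_format_list(text):
    """Turn PowerShell Format-List 'Property : Value' lines into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s*:\s?(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def decode_trust_attributes(value):
    """Names of the flag bits set in a trustAttributes integer, lowest bit first."""
    return [name for bit, name in sorted(TRUST_ATTRIBUTES.items()) if value & bit]

def assess_trust(fields):
    """Classify trust scope and SID-filtering state from the parsed fields."""
    flags = decode_trust_attributes(int(fields["TrustAttributes"]))
    scope = ("intra-forest" if fields.get("IntraForest") == "True"
             else "forest-to-forest" if "FOREST_TRANSITIVE" in flags else "external")
    if "QUARANTINED_DOMAIN" in flags:
        sid_filtering = "quarantined"             # SIDs from outside the trusted domain dropped
    elif "TREAT_AS_EXTERNAL" in flags:
        sid_filtering = "sid-history-enabled"     # only RIDs below 1000 filtered (see note above)
    else:
        sid_filtering = "not explicitly configured"
    return {"name": fields["Name"], "direction": fields["Direction"],
            "scope": scope, "flags": flags, "sid_filtering": sid_filtering}

if __name__ == "__main__":
    print(assess_trust(parse_format_list(SAMPLE)))
```

For the trust above this reports a forest-to-forest, bidirectional trust with only FOREST_TRANSITIVE set and no explicit SID-filtering configuration, which is exactly the condition the note flags for review.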
