🦭Escalate privileges to Enterprise Admin or DA to the parent domain, using krbtgt hash
We already have the krbtgt hash from dcorp-dc. Let's create the inter-realm TGT and inject.
We can now access mcorp-dc!
Now let's try using BetterSafetyKatz ->
And now we can check if we can use this file/ ticket
And now we could run DCSync agains mcorp-dc to extract secrets from it, start by encoding "lsadump::dcsync"
PreviousUsing DA access to escalate to EA or DA to the parent domain using the domain trust keyNextWith DA privilege, get access to SharedwithDCorp share on the an other DC
Last updated