Child → Parent Trust Attacks
HTB Academy: Active Directory Enumeration & Attacks
Overview
Child → Parent Trust Attacks exploit SID History injection to escalate privileges from a compromised child domain to the parent domain within the same forest. Because SID filtering is not enforced on trusts inside a forest, a Golden Ticket forged with the child domain's KRBTGT hash can carry the parent domain's Enterprise Admins SID as an extra SID, and the resulting ticket is accepted by the parent domain with Enterprise Admin privileges.
SID History Primer
Concept
Purpose: Migration scenarios - preserve access when users move between domains
Mechanism: Original user's SID added to new account's SID History attribute
Token inclusion: All SIDs in SID History added to user's access token
Attack vector: Inject admin SIDs into controlled account's SID History
ExtraSids Attack Requirements (value, purpose, example from the lab)
KRBTGT hash (child domain Golden Ticket creation): 9d765b482771505cbe97411065964d5f
Child domain SID (domain identification): S-1-5-21-2806153819-209893948-922872689
Target username (account for the ticket, can be fake): hacker
Child domain FQDN (domain specification): LOGISTICS.INLANEFREIGHT.LOCAL
Enterprise Admins SID (parent domain privilege escalation): S-1-5-21-3842939050-3880317879-2865463114-519
Attack Methodology
Step 1: Gather Required Data
KRBTGT Hash Extraction
Child Domain SID
Enterprise Admins SID
Step 2: ExtraSids Attack Execution
Method 1: Mimikatz Golden Ticket
Method 2: Rubeus Golden Ticket
Step 3: Parent Domain Compromise
HTB Academy Lab Solutions
Lab Environment Setup
Question 1: "What is the SID of the child domain?"
Solution:
Answer: S-1-5-21-2806153819-209893948-922872689
Question 2: "What is the SID of the Enterprise Admins group in the root domain?"
Solution:
Answer: S-1-5-21-3842939050-3880317879-2865463114-519
Question 3: "Perform the ExtraSids attack to compromise the parent domain. Submit the contents of the flag.txt file located in the c:\ExtraSids folder."
Complete Attack Solution:
Step 1: Gather Attack Data
Step 2: Execute ExtraSids Attack
Step 3: Access Parent Domain and Retrieve Flag
Answer: [Flag contents from c:\ExtraSids\flag.txt]
Security Implications
Attack Prerequisites
Child domain compromise: Domain Admin or equivalent privileges required
Forest boundary: The attack works only within a single AD forest, because SID filtering is not applied to intra-forest (parent-child) trusts
Trust relationship: Parent-child trust must exist (automatic in forests)
Detection Considerations
Golden Ticket indicators: Long-lived tickets, unusual user accounts
Cross-domain access: Monitor Enterprise Admin group usage
SID History modifications: Audit SID History attribute changes
KRBTGT password rotation: Regular rotation invalidates Golden Tickets
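A defender-side check for the SID History pattern described in the primer above and in these detection notes, added here as an example (not code from the HTB Academy module): it splits each SID into its domain part and RID and flags any SID History entry that resolves to a well-known or privileged RID, naming the Enterprise Admins case. The logon records are constructed, not real Windows events; the two domain SIDs are the ones from this page.

```python
"""Flag access tokens whose SID History carries privileged or well-known SIDs."""
import re

# Domain SIDs taken from this page: the child (LOGISTICS) and the forest root.
CHILD_DOMAIN_SID = "S-1-5-21-2806153819-209893948-922872689"
ROOT_DOMAIN_SID = "S-1-5-21-3842939050-3880317879-2865463114"

# RIDs whose presence in SID History hands out domain- or forest-wide control.
PRIVILEGED_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}

# Domain SIDs have the form S-1-5-21-<three sub-authorities>-<RID>.
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)$")


def split_domain_sid(sid):
    """Return (domain_sid, rid) for a domain SID, or None for builtin/well-known SIDs."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def suspicious_sid_history(account_sid, sid_history):
    """Return (sid, reason) pairs for SID History entries a migration would never write.

    A legitimate migration copies ordinary account/group SIDs (RID >= 1000) from the
    old domain. A well-known RID (< 1000) in SID History, especially from another
    domain in the forest, is the ExtraSids pattern this page describes.
    """
    parsed = split_domain_sid(account_sid)
    account_domain = parsed[0] if parsed else None
    findings = []
    for sid in sid_history:
        p = split_domain_sid(sid)
        if p is None:
            continue  # builtin SIDs such as S-1-5-32-544 carry no domain component
        domain, rid = p
        if rid >= 1000:
            continue  # ordinary objects: what ADMT-style migrations actually write
        name = PRIVILEGED_RIDS.get(rid, "well-known RID %d" % rid)
        scope = "same domain" if domain == account_domain else "foreign domain"
        findings.append((sid, "%s (%s)" % (name, scope)))
    return findings


def scan_events(events):
    """Run the check over records of the form {"user", "sid", "sid_history"}."""
    return [(ev["user"], sid, why) for ev in events
            for sid, why in suspicious_sid_history(ev["sid"], ev["sid_history"])]


SAMPLE_EVENTS = [  # constructed records, not real log output
    {"user": "hacker", "sid": CHILD_DOMAIN_SID + "-1106",
     "sid_history": [ROOT_DOMAIN_SID + "-519"]},            # ExtraSids pattern
    {"user": "migrated.user", "sid": CHILD_DOMAIN_SID + "-1107",
     "sid_history": ["S-1-5-21-111111111-222222222-333333333-1105"]},  # benign migration
    {"user": "svc_backup", "sid": CHILD_DOMAIN_SID + "-1108",
     "sid_history": [CHILD_DOMAIN_SID + "-1200", "S-1-5-32-544"]},     # benign
]

if __name__ == "__main__":
    for user, sid, why in scan_events(SAMPLE_EVENTS):
        print("ALERT %s: SID History contains %s: %s" % (user, sid, why))
```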
Mitigation Strategies
Privileged access management: Limit child domain admin privileges
Monitoring: Enhanced logging for cross-domain authentication
Segmentation: Consider forest boundary design for high-security environments
KRBTGT maintenance: Regular password rotation and monitoring
Key Takeaways
Attack Flow Summary
Critical Success Factors
SID History exploitation: Forest-level trust allows SID injection
Enterprise Admins SID: Key to parent domain privilege escalation
Golden Ticket creation: Both Mimikatz and Rubeus provide capability
Cross-domain enumeration: PowerView enables target identification
Professional Impact
Forest compromise: Child domain breach leads to complete forest control
Privilege escalation: Standard user → Enterprise Admin escalation path
Persistence mechanism: Golden Tickets provide long-term access
Assessment value: Demonstrates trust relationship security implications
Child → Parent trust attacks represent one of the most powerful AD privilege escalation techniques, transforming limited child domain access into complete forest control through SID History exploitation!