This article demonstrates how a single child domain compromise in pentest.ignite.local can be escalated to full ignite.local forest control by forging a cross-domain Golden Ticket and injecting the Enterprise Admins SID through SID History. It also shows an alternative coercion-based path using PetitPotam to capture the forest root DC$ ticket and complete a full DCSync. #pentestlocal #ignitelocal #Rubeus #NetExec #PetitPotam
Key points
- A Domain Admin in the child domain does not automatically access the parent domain.
- The child-to-parent trust is bidirectional and within the same forest, allowing SID History abuse.
- The attacker extracts the child krbtgt hash and forges a cross-domain Golden Ticket with Rubeus.
- Passing the forged ticket enables access to the forest root, LSA secret harvesting, and full DCSync.
- A separate PetitPotam coercion path captures the DC$ ticket and achieves the same forest compromise.
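The two properties the escalation above relies on, an unfiltered intra-forest trust and a privileged SID carried in SID History, can be audited from the forest root. The script below is an added defender-side example, not code from the write-up; it assumes the ActiveDirectory RSAT module, a reader with rights to query trusts and the sIDHistory attribute, and the ignite.local / pentest.ignite.local names from the article.

```powershell
# Added audit example (not from the article). Assumes RSAT ActiveDirectory module and
# read access to trust objects and sIDHistory in the forest root.
Import-Module ActiveDirectory

$rootDomain = 'ignite.local'   # forest root named in the write-up; adjust to your forest

# 1. Trust inventory. Intra-forest (child <-> parent) trusts are two-way and are not
#    SID-filtered, so a SID carried in a child-issued ticket is honoured by the root:
#    a child Domain Admin compromise must be treated as a forest compromise.
Get-ADTrust -Filter * -Server $rootDomain |
    Select-Object Name, Direction, IntraForest,
                  SIDFilteringQuarantined, SIDFilteringForestAware |
    Format-Table -AutoSize

# 2. Well-known privileged RIDs that should never appear in a sIDHistory value.
$privilegedRids = @{
    '512' = 'Domain Admins'
    '518' = 'Schema Admins'
    '519' = 'Enterprise Admins'
}

# 3. Every object that carries sIDHistory, with privileged entries flagged first.
Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory -Server $rootDomain |
    ForEach-Object {
        $dn = $_.DistinguishedName
        foreach ($sid in $_.sIDHistory) {
            $rid = $sid.Value.Split('-')[-1]
            [PSCustomObject]@{
                Object     = $dn
                HistorySid = $sid.Value
                Privileged = if ($privilegedRids.ContainsKey($rid)) { $privilegedRids[$rid] } else { '' }
            }
        }
    } |
    Sort-Object Privileged -Descending |
    Format-Table -AutoSize
```

Step 3 only finds SID History written into the directory; a SID injected into a forged ticket never touches the attribute, which is why the trust inventory in step 1 matters: the child domain's krbtgt and DCs belong in the same protection tier as the root's.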
Read More: https://www.hackingarticles.in/active-directory-forest-trust-abuse-child-to-root-domain-escalation/