Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux

Hello everyone,

I would like to ask for some help with the last question in Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux.

The question goes “Log in to the ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL Domain Controller using the Domain Admin account password submitted for question #2 and submit the contents of the flag.txt file on the Administrator desktop.”

I cant find a way how to “Log in” into ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL. I have nmaped the machine to find that neither RDP nor SSH is open for connection. This submodule does not elaborate much further so I’ve also tried to look back to other submodules and cant say I’m much smarter. Only reasonable way to do so might be using evil-winrm but I couldn’t make that work either.

Thank you for the help.

Thanks to help from discord, I’ve managed to answer that question.
Hint:

  • psexec.py

Full hint - command

  • psexec.py FREIGHTLOGISTICS.LOCAL/sapsso@academy-ea-dc03.inlanefreight.local -target-ip 172.16.5.238
10 Likes

why did you use inlanefreight.local instead of freightlogistics.local for the machine address?

TBF, this was some time ago and looking back at the question, probably because it was in a different domain? Unfortunately, I don’t remember. If you feel like there is a mistake, feel free to correct it.

I don’t think it was a mistake because I was trying with the freightlogistics for long time and it wasn’t working, so I came here and when I tried your solution it worked. In this case freightlogistics is the foreign domain and inlanefreight is the main domain.

I still don’t get why it’s working, so I have to look more into it.

1 Like