In Active Directory forests, child-to-parent domain trusts are often treated as secure conduits. However, when misconfigurations and inherited privileges exist, they become powerful escalation paths. In this post, we’ll walk through how Pentest Copilot identifies, validates, and exploits such a trust path to escalate from a child domain to the parent — without human guidance.
Active Directory trust relationships establish authentication pathways between domains and forests, enabling users in one domain to access resources in another. These relationships are built upon Kerberos authentication protocols and create complex security boundaries that require careful configuration and monitoring.
Trust Types and Security Implications:
Parent-Child Domain Trusts: Automatically created bidirectional transitive trusts between parent and child domains within the same forest. These trusts enable authentication flow and resource access across domain boundaries while maintaining unified forest-wide administration.
Forest Trusts: Bidirectional trusts established between separate Active Directory forests, enabling cross-forest authentication and resource access. These trusts can be configured with selective authentication to limit cross-forest access scope.
External Trusts: Non-transitive trusts between domains in different forests, providing limited cross-domain authentication capabilities without full forest trust establishment.
The GOAD laboratory environment implements a comprehensive trust architecture designed to simulate realistic enterprise scenarios:
Domain Structure:
Trust Relationships:
Cross-Domain Security Groups: The laboratory incorporates strategic cross-domain group memberships that enable privilege escalation across trust boundaries:
The process begins by querying LDAP to discover all trust relationships. Pentest Copilot analyzes domain types, SID filtering status, encryption methods, and trust directions. When a child-to-parent trust is found, it creates a vulnerability entity that captures everything needed to assess its exploitability.
In our example, a trust exists between north.sevenkingdoms.local (child) and sevenkingdoms.local (parent). The AI agent marks it as exploitable and assigns metadata such as the trust SID, the KRBTGT target, and the attack method.
Once flagged, the child-to-parent escalation is launched:
The agent uses credentials or local privilege to extract the KRBTGT NT hash from the child domain.
It analyzes the domain SID and checks for SID history support or unrestricted trust conditions.
A golden ticket is forged for the sevenkingdoms.local domain, signed using the child domain's KRBTGT key.
The forged ticket is injected into memory, granting the agent seamless access to parent domain services.
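The trust-discovery step above (trust type, direction, SID filtering status, encryption method) and the later check for "SID history support or unrestricted trust conditions" both come down to reading the trustedDomain objects in LDAP and decoding their trustAttributes bits. The script below is an added example written here for defenders who want to run the same audit on their own forest; it is not Pentest Copilot's code. The bit values are the documented trustAttributes flags from MS-ADTS; the record layout, the severity scheme, the sample entries and their SIDs are assumptions constructed for the example, with north.sevenkingdoms.local and sevenkingdoms.local taken from the post.

```python
"""Audit Active Directory trustedDomain objects for child-to-parent escalation risk.

Added example, not Pentest Copilot's code. The flag constants are the documented
trustAttributes bits (MS-ADTS 6.1.6.7.9); the record shape, severity scheme and
sample entries are assumptions made for this example.
"""
from dataclasses import dataclass

# trustAttributes bit flags on the trustedDomain object.
TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x1
TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4    # SID filtering (quarantine) enforced
TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x8     # forest trust
TRUST_ATTRIBUTE_WITHIN_FOREST = 0x20        # parent-child or tree-root trust
TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL = 0x40    # forest trust relaxed to external-style filtering
TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION = 0x80  # trust key usable with RC4

# trustDirection values.
DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}


@dataclass
class TrustRecord:
    """The subset of trustedDomain attributes the audit needs."""
    trust_partner: str        # DNS name of the other domain
    trust_direction: int
    trust_attributes: int
    security_identifier: str  # SID of the trusted domain, as a string

    @classmethod
    def from_ldap(cls, entry):
        """Build a record from an LDAP result dict whose values are lists of
        strings, the shape most LDAP client libraries return (assumed here)."""
        def first(key):
            return entry[key][0]
        return cls(
            trust_partner=first("trustPartner"),
            trust_direction=int(first("trustDirection")),
            trust_attributes=int(first("trustAttributes")),
            security_identifier=first("securityIdentifier"),
        )


def classify_relation(local_domain, rec):
    """Name the trust from the point of view of local_domain."""
    local, partner = local_domain.lower(), rec.trust_partner.lower()
    if rec.trust_attributes & TRUST_ATTRIBUTE_WITHIN_FOREST:
        if local.endswith("." + partner):
            return "child-to-parent"
        if partner.endswith("." + local):
            return "parent-to-child"
        return "intra-forest"
    if rec.trust_attributes & TRUST_ATTRIBUTE_FOREST_TRANSITIVE:
        return "forest"
    return "external"


def sid_filtering_enforced(rec):
    """True when SID history arriving over this trust is filtered."""
    attrs = rec.trust_attributes
    if attrs & TRUST_ATTRIBUTE_QUARANTINED_DOMAIN:
        return True
    if attrs & TRUST_ATTRIBUTE_FOREST_TRANSITIVE:
        # Forest trusts filter by default; TREAT_AS_EXTERNAL relaxes that.
        return not (attrs & TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL)
    return False


def audit_trust(local_domain, rec):
    """Return one finding dict for a single trust record."""
    relation = classify_relation(local_domain, rec)
    filtered = sid_filtering_enforced(rec)
    risks = []
    if not filtered:
        risks.append("sid-history-not-filtered")
    if relation == "child-to-parent" and not filtered:
        # The condition the post describes: the parent honours SID history
        # presented from the child, so the child's KRBTGT key reaches the parent.
        risks.append("child-to-parent-escalation-path")
    if rec.trust_attributes & TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION:
        risks.append("rc4-trust-key")
    if "child-to-parent-escalation-path" in risks:
        severity = "high"
    elif risks:
        severity = "medium"
    else:
        severity = "info"
    return {
        "partner": rec.trust_partner,
        "partner_sid": rec.security_identifier,
        "relation": relation,
        "direction": DIRECTION.get(rec.trust_direction, "unknown"),
        "sid_filtering": filtered,
        "risks": risks,
        "severity": severity,
    }


def audit_trusts(local_domain, entries):
    """Audit every LDAP entry and return one finding per trust."""
    return [audit_trust(local_domain, TrustRecord.from_ldap(e)) for e in entries]


# Constructed sample entries shaped like results of an LDAP search for
# (objectClass=trustedDomain) under CN=System of the child domain.
# The partner names other than sevenkingdoms.local and all SIDs are made up.
SAMPLE_ENTRIES = [
    {"trustPartner": ["sevenkingdoms.local"], "trustDirection": ["3"],
     "trustAttributes": [str(TRUST_ATTRIBUTE_WITHIN_FOREST)],
     "securityIdentifier": ["S-1-5-21-1111111111-2222222222-3333333333"]},
    {"trustPartner": ["partnerforest.test"], "trustDirection": ["3"],
     "trustAttributes": [str(TRUST_ATTRIBUTE_FOREST_TRANSITIVE)],
     "securityIdentifier": ["S-1-5-21-4444444444-5555555555-6666666666"]},
    {"trustPartner": ["legacy.test"], "trustDirection": ["1"],
     "trustAttributes": [str(TRUST_ATTRIBUTE_NON_TRANSITIVE | TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION)],
     "securityIdentifier": ["S-1-5-21-7777777777-8888888888-9999999999"]},
]

if __name__ == "__main__":
    for f in audit_trusts("north.sevenkingdoms.local", SAMPLE_ENTRIES):
        print(f"{f['severity']:6} {f['relation']:16} {f['partner']:22} "
              f"filtered={f['sid_filtering']} risks={f['risks']}")
```

Run against the child domain's own trustedDomain objects, the first sample entry reproduces the post's finding: an intra-forest trust to the parent with no quarantine bit, which is the "unrestricted trust condition" the agent looks for before it moves on to the KRBTGT step. The forest-trust entry is reported as filtered by default, and the legacy external trust is flagged for its RC4 key and missing quarantine bit rather than as an escalation path.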
Once the TGT is accepted by the parent domain controller, Pentest Copilot marks the vulnerability as verified: true and sets trigger_success: true. The system stores the hash as a new Secret entity, linked to the exploit chain for auditability.
The NTLM hash of the krbtgt account is now in hand, confirming full domain compromise — all triggered by a simple trust path from a child to its parent.