Resource Based Constrained Delegation
Resource-Based Constrained Delegation (RBCD)
RBCD can be abused when you can edit the attribute msDS-AllowedToActOnBehalfOfOtherIdentity on a computer object.
Starting with Windows Server 2012, Microsoft introduced a finer-grained delegation method called "Resource-Based Constrained Delegation". With RBCD, the delegation settings are configured on the target service/resource (the back end) instead of on the account of the service that performs the delegation (the front end). RBCD is implemented through the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on the target computer object, which holds a security descriptor listing the principals allowed to act on behalf of other identities towards that computer.
This attribute is available on Windows 8.1+ and Windows Server 2012+, and domain admin rights are not required to modify it: write access to the target computer object is enough.
Exploitation Methodology
The exploitation of RBCD is straightforward once the theory above is understood. It follows these steps:
1. Create a fake computer account.
2. Write the fake computer account into the RBCD attribute of the legitimate machine account NYC$.
3. The fake computer account can now act on behalf of other users towards the NYC$ account (the domain controller).
4. Compute the fake machine account's password hash.
5. Obtain a service ticket for the target through S4U.
A typical case is having a GenericAll or GenericWrite ACL on a computer object.
In the lab, this can be found by looking at the ACLs granted to users.
We can see that diego.Montenegro has GenericWrite on NYC.
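From the defender's side, the same condition can be audited: which principals can write the RBCD attribute on each computer object, and which computers already have principals listed in it. This is an added PowerShell audit script, not part of the original lab; it assumes the RSAT ActiveDirectory module is installed (it also provides the AD: drive that Get-Acl reads) and that the account running it can read the ACLs of computer objects.

```powershell
# Added audit script, not part of the original lab. Assumes the RSAT ActiveDirectory
# module (it also provides the AD: drive that Get-Acl reads below).
Import-Module ActiveDirectory

$Attr = 'msDS-AllowedToActOnBehalfOfOtherIdentity'
# Resolve the attribute's schemaIDGUID at runtime so attribute-specific WriteProperty
# ACEs can be matched without hardcoding the GUID.
$Schema   = (Get-ADRootDSE).schemaNamingContext
$AttrGuid = [guid](Get-ADObject -SearchBase $Schema -LDAPFilter "(lDAPDisplayName=$Attr)" `
                   -Properties schemaIDGUID).schemaIDGUID
# Rights that allow rewriting the attribute outright (no ObjectType check needed).
$Broad     = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner'
$WriteProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

function Get-RbcdWriteAccess {
    # Who can write the RBCD attribute on each computer object (the condition the
    # lab shows for diego.Montenegro on NYC).
    Get-ADComputer -Filter * | ForEach-Object {
        $computer = $_
        foreach ($ace in (Get-Acl -Path "AD:\$($computer.DistinguishedName)").Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights   = $ace.ActiveDirectoryRights
            $canWrite = (($rights -band $Broad) -ne 0) -or
                        ((($rights -band $WriteProp) -ne 0) -and
                         ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $AttrGuid))
            if (-not $canWrite) { continue }
            [pscustomobject]@{ Computer  = $computer.Name
                               Principal = $ace.IdentityReference.Value
                               Rights    = $rights
                               Inherited = $ace.IsInherited }
        }
    }
}

function Get-RbcdConfigured {
    # Computers whose RBCD attribute already lists principals, and who those are.
    Get-ADComputer -LDAPFilter "($Attr=*)" -Properties $Attr | ForEach-Object {
        $computer = $_
        foreach ($ace in $computer.$Attr.Access) {
            $id = $ace.IdentityReference
            if ($id -is [System.Security.Principal.SecurityIdentifier]) {
                try { $id = $id.Translate([System.Security.Principal.NTAccount]) } catch {}
            }
            [pscustomobject]@{ Target = $computer.Name; AllowedToActOnBehalf = $id.Value }
        }
    }
}

# Hide the well-known defaults so unexpected write access (like a plain user) stands out.
Get-RbcdWriteAccess | Where-Object { $_.Principal -notmatch '^(NT AUTHORITY|BUILTIN)\\' } |
    Format-Table -AutoSize
Get-RbcdConfigured | Format-Table -AutoSize
```

Any non-administrative principal in the first table, or an unexpected (especially recently created) computer account in the second, is the configuration this lab relies on and should be investigated.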
The RBCD exploitation proceeds with the following commands:
Create a computer X (rbcd$)
We are using diego's password, which we changed here:
Add the delegation entry for X (rbcd$) on our target:
Now that X (rbcd$) has delegation rights on our target, you can perform an S4U2self request followed by an S4U2proxy request.
This results in administrator permissions on NYC.
After the exploit, clean up the lab: flush the RBCD entry and delete the computer account using a domain admin account: