👾 Overview
TLDR: GenericWrite over a machine account allows you to impersonate other users against services on that machine.
Resource Based Constrained Delegation (RBCD) is very similar to unconstrained delegation, but it has some key differences.
Users with GenericWrite over a machine account are able to set the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of that machine. This attribute controls which accounts are able to delegate to (that is, impersonate other users against) a given machine. Exploiting it requires an account with an SPN, so you'll need to either compromise an account with an SPN or create a machine account.
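From the defender's side, the thing to audit is the attribute itself: msDS-AllowedToActOnBehalfOfOtherIdentity is stored as a binary self-relative NT security descriptor, and every ACCESS_ALLOWED ACE in its DACL names an account that may delegate to that machine. The Python below is an added example (not code from the original page or from the linked writeup) that builds a constructed descriptor for two made-up SIDs, decodes it back into SID strings, and flags any SID not on an expected allowlist. The domain SID, RIDs and allowlist are assumptions for illustration; in practice the raw bytes would come from an LDAP read of the computer object.

```python
"""Decode and audit msDS-AllowedToActOnBehalfOfOtherIdentity.

The attribute holds a SECURITY_DESCRIPTOR in self-relative form:
  header (20 bytes) -> DACL (ACL header, 8 bytes) -> ACEs -> SIDs
Constructed sample data below; no real directory is contacted.
"""
import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION_DS = 0x04
FULL_CONTROL_MASK = 0x000F01FF  # the mask RBCD tooling typically writes


def str_to_sid(text):
    """Encode 'S-1-5-21-...' into the binary SID layout."""
    parts = text.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # Revision (1), SubAuthorityCount (1), IdentifierAuthority (6, big-endian), SubAuthorities (4 each, LE)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_to_str(data, offset):
    """Decode a binary SID at offset; return (string form, bytes consumed)."""
    revision, sub_count = data[offset], data[offset + 1]
    authority = int.from_bytes(data[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, data, offset + 8)
    text = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return text, 8 + 4 * sub_count


def build_rbcd_descriptor(sids, mask=FULL_CONTROL_MASK):
    """Build a self-relative SD whose DACL grants `mask` to each SID (for the constructed sample)."""
    aces = b""
    for s in sids:
        sid = str_to_sid(s)
        # ACCESS_ALLOWED_ACE: AceType, AceFlags, AceSize, Mask, SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid), mask) + sid
    acl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(sids), 0) + aces
    # Header: Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl (DACL right after the 20-byte header)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, 0, 0, 0, 20)
    return header + acl


def parse_rbcd_descriptor(blob):
    """Return the SIDs granted by ACCESS_ALLOWED ACEs in the descriptor's DACL."""
    revision, _sbz1, control, _owner, _group, _sacl, off_dacl = struct.unpack_from("<BBHIIII", blob, 0)
    if revision != 1:
        raise ValueError("unexpected security descriptor revision %d" % revision)
    if not (control & SE_DACL_PRESENT) or off_dacl == 0:
        return []  # no DACL present: nothing is allowed to act on behalf of this machine
    _acl_rev, _sbz, _acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", blob, off_dacl)
    pos = off_dacl + 8
    sids = []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", blob, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = sid_to_str(blob, pos + 8)  # skip ACE header (4) + Mask (4)
            sids.append(sid)
        pos += ace_size  # ACE sizes vary with SID length, so always advance by AceSize
    return sids


def audit_rbcd(blob, expected):
    """Return SIDs that may delegate to the machine but are not on the expected allowlist."""
    return [s for s in parse_rbcd_descriptor(blob) if s not in expected]


# Constructed sample: an assumed domain SID, one sanctioned front-end server (RID 1105)
# and one freshly created machine account (RID 1602) that nobody approved.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SANCTIONED = DOMAIN_SID + "-1105"
UNEXPECTED = DOMAIN_SID + "-1602"
SAMPLE_BLOB = build_rbcd_descriptor([SANCTIONED, UNEXPECTED])

if __name__ == "__main__":
    print("allowed to act on behalf:", parse_rbcd_descriptor(SAMPLE_BLOB))
    print("not on allowlist:", audit_rbcd(SAMPLE_BLOB, {SANCTIONED}))
```

Run against real data, `parse_rbcd_descriptor` takes the raw attribute bytes for each computer object, and any SID outside a small, documented allowlist is the thing to investigate; an empty result for a machine that is supposed to accept delegation is equally worth a look. Lowering ms-DS-MachineAccountQuota to 0 removes the "create a machine account" route the page relies on when no SPN account is already in hand.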
🔍 Discovery
Requirements:
- An account with an SPN, or the ability to create a machine account (more on checking the MAQ here)
- GenericWrite over a machine account; find this with BloodHound
📌 Exploitation
Here's a general run-through of the steps we'll need to take:
- Create a machine account (or compromise an account with an SPN)
- Configure the target machine for constrained delegation
- Perform an S4U attack - requesting a TGS for the account you want to impersonate against the target system/service
- Pass the ticket to authenticate as the impersonated user against the target system
After creating a machine account, you'll need to actually configure the RBCD: set the target machine's msDS-AllowedToActOnBehalfOfOtherIdentity attribute so that your account is allowed to delegate to it.
Next, you'll need to request a TGS for the account you want to impersonate, usually the Administrator, against the target system.
At this point you can pass the ticket to authenticate as the impersonated user against whatever service you'd like on the target system.
✨ Post-Exploitation
You'll likely want to pass the ticket to perform a DCSync attack.
📝 Resources
| 🔗 Hyperlink | ℹ️ Info |
|---|---|
| RedXORBlue | Constrained, unconstrained, and resource based delegation writeup |