DACL Abuse

The user BLAKE@PAINTERS.HTB has the constrained delegation privilege to the computer DC.PAINTERS.HTB.

The constrained delegation primitive allows a principal to authenticate as any user to specific services (listed in the msds-AllowedToDelegateTo LDAP property in the source node tab) on the target computer. That is, a node with this privilege can impersonate any domain principal (including Domain Admins) to the specific service on the target host. One caveat: impersonated users cannot be in the "Protected Users" security group or otherwise have delegation privileges revoked.

An issue exists in constrained delegation where the service name (sname) of the resulting ticket is not part of the protected ticket information, meaning that an attacker can modify the target service name to any service of their choice. For example, if msds-AllowedToDelegateTo is "HTTP/host.domain.com", tickets can be modified for the LDAP, HOST, etc. service names, resulting in complete server compromise regardless of the specific service listed.

Constrained delegation is explained nicely in this post. We can further confirm the delegation.

The userAccountControl value 16843264 means TRUSTED_FOR_DELEGATION is enabled, which is important for the attack to work.
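Decoding the userAccountControl value quoted above with the documented bit masks, as an added audit helper that is not part of the original writeup; it lists every flag set on an account so a defender can see which delegation bits are enabled. The bit values are the standard userAccountControl masks; only the sample value 16843264 comes from the text.

```python
"""Decode a userAccountControl bitmask and flag delegation-related bits.

Added audit helper, not part of the original writeup. Bit values are the
documented userAccountControl masks; the sample value 16843264 is the one
quoted for BLAKE in the text above.
"""

# Documented userAccountControl bit masks (subset relevant to account audits).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",  # unconstrained delegation
    0x100000: "NOT_DELEGATED",  # "account is sensitive and cannot be delegated"
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",  # protocol transition (S4U2Self for any user)
}

# Bits a defender should review: each one changes what the account may do with
# Kerberos delegation. NOT_DELEGATED is the protective counterpart that should
# be set on privileged accounts so they cannot be impersonated.
DELEGATION_BITS = {"TRUSTED_FOR_DELEGATION", "TRUSTED_TO_AUTH_FOR_DELEGATION"}


def decode_uac(value: int) -> list[str]:
    """Return the names of all known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def delegation_findings(value: int) -> list[str]:
    """Report which delegation-related flags an account carries (empty if none)."""
    flags = set(decode_uac(value))
    return sorted(flags & DELEGATION_BITS)


if __name__ == "__main__":
    sample = 16843264  # value quoted for BLAKE in the writeup
    print(f"{sample} = " + " | ".join(decode_uac(sample)))
    print("delegation flags:", delegation_findings(sample))
```

Running the same decoder over every account's userAccountControl (for example from an LDAP export) gives a quick inventory of which principals carry delegation bits and which privileged accounts lack NOT_DELEGATED.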

From Windows

From Linux

Editing krb5.conf

Requesting ticket for blake:

Requesting TGS with blake to impersonate Administrator

This will create a ccache file. To use it:

DCSync

Now we can dump the hashes from the DC.

We get a new pair of credentials for the user Matt: matt:L1f30f4Spr1ngCh1ck3n!

I tried cracking the others in the DC-Dump.ntds file, but we only get back the passwords of riley and web_svc, which we had already cracked before.

Matt cannot WinRM into other hosts, including the DC.

Previously we saw that the user matt existed on the Linux host. Matt can SSH into mail, and he is root there.

Username File

Hashes File

Credential Stuffing

Administrator can log in to any of the hosts using pass-the-hash (PtH).
