IMCAFS

The in-domain local privilege escalation "0day" rejected by Microsoft

Posted by punzalan at 2020-03-24
I would also like to thank the QAX A-Team review team for their valuable suggestions.

The title may be a bit clickbait, but I don't think the content will let you down. Readers of "This is a 'different' real penetration test case analysis article" should remember the use of resource-based constrained delegation in that article. Many details were glossed over at the time, and some of them will be answered here.

This article approaches local privilege escalation through resource-based constrained delegation and is divided into three parts: the first covers the basics, without going too deep; the second analyzes the escalation principle; the third focuses on exploitation ideas and demonstrations.

"Rotten tomato" is a new term, and it will no doubt make you think of "rotten potato". Yes, both can be used for local privilege escalation under IIS. At the end of the article, privilege escalation under IIS is taken as the example.
Resource-Based Constrained Delegation (RBCD) was introduced in Windows Server 2012. Compared with traditional constrained delegation, RBCD does not require domain administrator permission to set the relevant property. RBCD gives the resource machine itself the right to configure delegation: the machine decides who may be delegated to act against it. In other words, the machine can configure the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on its own account to set up RBCD.

User X logs in to the website on server A and accesses file 1.txt. Server A then needs to request the resource from file server B.

Server A first requests a TGS for user X from the KDC using S4U2self. S4U2self is needed because, if user X logged in to the website with a non-Kerberos protocol, protocol transition is involved. If user X authenticated with Kerberos, server A already holds a TGS for user X, so there is no need to request one via S4U2self; user X's TGS is used directly.

Using user X's TGS, server A performs S4U2proxy to obtain a TGS for server B, and finally uses that TGS to access the files on file server B.

The above description involves two Kerberos extensions, S4U2self and S4U2proxy.

S4U2Self

With this extension, a service can obtain a TGS identifying any user (in the figure, a TGS for user X's identity). As explained above, its function is protocol transition. When user X requests site A over a non-Kerberos protocol, site A does not hold a TGS for user X, but it needs one to obtain a service ticket (TGS) for file server B; S4U2self solves this. Site A's server uses it to request a TGS for user X's identity from the KDC, and then uses that TGS to initiate the S4U2proxy request.

S4U2proxy

This extension uses a TGS carrying user X's identity to request from the KDC a TGS for accessing file server B. The resulting TGS still identifies user X, so website A can access files on file server B with user X's permissions.

You should now understand the authentication flow of resource-based constrained delegation (RBCD). How is RBCD configured? The key is msDS-AllowedToActOnBehalfOfOtherIdentity.

msDS-AllowedToActOnBehalfOfOtherIdentity controls which accounts may impersonate any user in the domain and then authenticate to this computer. In short, if we can modify this attribute, we can obtain a domain administrator's ticket, although that ticket is only valid for this machine, and then authenticate to the computer with it. That is, when a domain controller and the domain functional level are Server 2012 or above, RBCD can be set by configuring the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the machine we are working on, and high-privilege tickets can then be requested through the S4U protocols.

In this article we change perspective on RBCD exploitation and start with a question: who has permission to modify the value of the msDS-AllowedToActOnBehalfOfOtherIdentity attribute?

Querying the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of Web3 shows that it does not exist by default.

So who can modify the value of msDS-AllowedToActOnBehalfOfOtherIdentity? The question becomes: who has permission to add the msDS-AllowedToActOnBehalfOfOtherIdentity attribute?
After compiling and running the tool, it outputs which objects hold which permissions, and two ACL entries caught my attention.

REDTEAM\web3user

Let's look at this ACL entry first:

REDTEAM\web3user - WriteProperty

WriteProperty is the permission to write the properties of an object. Seeing it, one can't help smiling: isn't that exactly what we want? :)

Reference: the ActiveDirectoryRights enum.
Log in as web3user and use AdExplorer to test whether msDS-AllowedToActOnBehalfOfOtherIdentity can be added.
Then add the attribute. Its value is O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;<SID of serverA>). The SID in the value is used in the access check to decide whether that SID's object is permitted to authenticate on behalf of other identities.

As expected, it is added without difficulty.
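To make the attribute value readable when reviewing a directory change, the following added example (not code from the original article) parses the SDDL string written above into its owner, trustee SID and named rights; the SID in the sample is a constructed placeholder.

```python
import re

# SDDL access-right codes that appear in the msDS-AllowedToActOnBehalfOfOtherIdentity
# value written in the article, mapped to ActiveDirectoryRights names.
SDDL_RIGHTS = {
    "CC": "CreateChild", "DC": "DeleteChild", "LC": "ListChildren", "SW": "Self",
    "RP": "ReadProperty", "WP": "WriteProperty", "DT": "DeleteTree", "LO": "ListObject",
    "CR": "ExtendedRight", "SD": "Delete", "RC": "ReadControl", "WD": "WriteDacl",
    "WO": "WriteOwner", "GA": "GenericAll", "GR": "GenericRead", "GW": "GenericWrite",
}

# One ACE: (type;flags;rights;object_guid;inherit_guid;trustee)
ACE_RE = re.compile(r"\((?P<type>[A-Z]+);(?P<flags>[A-Z]*);(?P<rights>[A-Z]*);"
                    r"(?P<objtype>[^;]*);(?P<inherit>[^;]*);(?P<trustee>[^)]+)\)")


def decode_rights(rights: str) -> list:
    """Split a rights string such as 'CCDCLC' into two-letter codes and name each."""
    if len(rights) % 2:
        raise ValueError(f"malformed rights string: {rights!r}")
    return [SDDL_RIGHTS.get(rights[i:i + 2], "?" + rights[i:i + 2])
            for i in range(0, len(rights), 2)]


def parse_rbcd_descriptor(sddl: str) -> dict:
    """Parse the SDDL string form of the attribute into owner and ACE list."""
    owner = re.match(r"O:([A-Z]{2}|S-1-[\d-]+)D:", sddl)  # 'O:BAD:' is owner BA + DACL
    if not owner:
        raise ValueError("descriptor has no owner/DACL component")
    aces = [{"type": m.group("type"), "trustee": m.group("trustee"),
             "rights": decode_rights(m.group("rights"))} for m in ACE_RE.finditer(sddl)]
    if not aces:
        raise ValueError("descriptor has no ACEs")
    return {"owner": owner.group(1), "aces": aces}


def rbcd_trustees(sddl: str) -> list:
    """SIDs granted an allow ACE, i.e. the accounts permitted to delegate to this
    computer. A reviewer compares them with the expected front-end service accounts."""
    return [a["trustee"] for a in parse_rbcd_descriptor(sddl)["aces"] if a["type"] == "A"]


# Constructed example: the article's value with a placeholder SID standing in for serverA
SAMPLE = "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"

if __name__ == "__main__":
    for ace in parse_rbcd_descriptor(SAMPLE)["aces"]:
        print(ace["trustee"], "->", ", ".join(ace["rights"]))
```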

Why does REDTEAM\web3user have WriteProperty permission? When the Web3 computer joined the domain through the domain user web3user, a computer object named web3.redteam.com was created in the domain with web3user as its creator, so that domain user has WriteProperty permission on web3.redteam.com.
The mS-DS-CreatorSID attribute shows who created this computer; the SID corresponds to that domain user.

Then we analyze the other ACL entry:

msDS-AllowedToActOnBehalfOfOtherIdentity

Now let's answer the question: who has permission to add the msDS-AllowedToActOnBehalfOfOtherIdentity attribute?

REDTEAM\web3user - WriteProperty

Let's review another point. The default ms-DS-MachineAccountQuota setting on a domain controller allows every domain user to add up to 10 computer accounts to the domain; in other words, with any domain credential you can add a machine account to the domain. That credential can be a user account, a service account, or a machine account in the domain.

So both web3user and a machine account can create a new machine account. We have now met the two conditions for exploiting resource-based constrained delegation:

The ability to modify the msDS-AllowedToActOnBehalfOfOtherIdentity attribute;

A machine account (strictly speaking, an account with an SPN; more precisely, a TGT for such an account, and a machine account meets these conditions).

With these conditions known, the next step is the complete S4U2 protocol flow.

Exploitation flow of the S4U2 protocols

Suppose we now meet both RBCD conditions on n0thing-pc (an ordinary machine in the domain). Next, we analyze how to obtain a high-privilege ticket for n0thing-pc through S4U.

Step 1: connect to the domain controller's LDAP and create a computer account, evilpc.

In the previous article, "This is a 'different' real penetration test case analysis article", we mentioned that "the domain controller does not allow computer accounts to be created over an unencrypted connection". So why does the code above connect to domain controller port 389 (LDAP) rather than port 636 (LDAPS)? The answer: LDAPS requires a certificate to be configured and does not work in a default environment, whereas LDAP on port 389 can use a SASL-encrypted connection as long as the Sealing property is set to true.

Step 2: through the LDAP protocol, set the msDS-AllowedToActOnBehalfOfOtherIdentity value of n0thing-pc on the domain controller to O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;<SID of evilpc>).

Step 3: use evilpc's credentials to obtain a TGT, which is required for the S4U2self request in the next step.

Step 4: use S4U2self to obtain a TGS on behalf of administrator.

First, evilpc's TGT is placed in the TGS-REQ, under padata / PA-DATA (PA-TGS-REQ) / padata-value / AP-REQ.

This means requesting a TGS as administrator.

The request is for itself.

Now look at the TGS-REP.

This TGS is encrypted with evilpc's hash.

So the effect of S4U2self is that evilpc uses its own TGT to request a TGS for accessing evilpc; the TGS identifies administrator, and it is encrypted with evilpc's hash.

Step 5: the last S4U step, S4U2proxy. Using the TGS obtained from S4U2self as the additional ticket, we request a TGS for the CIFS SPN of the n0thing-pc machine.

The sname must be an SPN. With setspn -Q */* I do not see a CIFS SPN, so why does the request succeed?
Because HOST/n0thing-pc.redteam.com is a collection of SPNs that includes CIFS.

Finally, this ticket is used to execute commands through the SMB service.

The above is the exploitation flow of the S4U2 protocols, which is also the detailed exploitation flow of resource-based constrained delegation. That concludes the principle; next come the detailed usage scenarios.

When a new employee joins their work computer to the company domain, a computer account named n0thing-pc.redteam.com is created in the domain, and the domain user n0thing has write permission on the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of that computer account (n0thing-pc.redteam.com).

In past penetration scenarios, attackers often phish the company's employees. Suppose user n0thing inadvertently falls for it, but the attacker finds that the user is not in the local Administrators group; when the attacker wants to obtain the machine's passwords with tools such as mimikatz, he is stuck.

Let's begin the privilege escalation. The S4U2 principle has been described in detail above; here we show the exploitation process.

Of course, this is not only useful for privilege escalation; there are other attack scenarios:

A company may have an account dedicated to domain joins. Although this account usually has only ordinary domain user permissions, controlling it gives control over a large number of machines.

If we want to obtain permissions on machine A in the domain and do not have credentials for a member of machine A's Administrators group, we can also look at which user joined machine A to the domain; controlling that user also yields the permissions.

A domain user X may have created multiple machines in the domain (for example, both a laptop and a desktop need to join the domain). Once we hold domain user X's permissions, RBCD lets us continue to attack the other machines whose mS-DS-CreatorSID is domain user X.

The following is a .NET tool to query the mS-DS-CreatorSID attribute of the computers in the domain.
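As an added example (not the author's .NET tool), the following decodes the binary mS-DS-CreatorSID value as an LDAP client returns it and groups computer accounts by the user who joined them, so that users with write access to several machines' msDS-AllowedToActOnBehalfOfOtherIdentity can be reviewed; the inventory and SIDs are constructed.

```python
import struct

def sid_from_bytes(blob: bytes) -> str:
    """Convert a binary SID, as LDAP returns mS-DS-CreatorSID, to its S-1-... form."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, sub_count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * sub_count:
        raise ValueError("malformed SID blob")
    authority = int.from_bytes(blob[2:8], "big")          # 48-bit identifier authority
    subs = struct.unpack_from(f"<{sub_count}I", blob, 8)  # little-endian sub-authorities
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def sid_to_bytes(sid: str) -> bytes:
    """Inverse of sid_from_bytes; used here only to build the constructed inventory."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def creator_report(computers: list) -> dict:
    """Map each creator SID to the computers it joined. A computer created under
    ms-DS-MachineAccountQuota records its creator, who keeps WriteProperty on the
    object and so can set msDS-AllowedToActOnBehalfOfOtherIdentity; computers
    created by an account with explicit create rights leave the attribute unset."""
    by_creator = {}
    for comp in computers:
        blob = comp.get("mS-DS-CreatorSID")
        if blob is not None:
            by_creator.setdefault(sid_from_bytes(blob), []).append(comp["name"])
    return by_creator


def multi_machine_creators(computers: list) -> list:
    """Creators that joined more than one machine: one compromised user account
    would reach every host listed under it, so these deserve review first."""
    return sorted(s for s, names in creator_report(computers).items() if len(names) > 1)


# Constructed export: attribute values as an LDAP client would return them
USER_N0THING = "S-1-5-21-1111111111-2222222222-3333333333-1104"
USER_WEB3 = "S-1-5-21-1111111111-2222222222-3333333333-1105"
INVENTORY = [
    {"name": "N0THING-PC", "mS-DS-CreatorSID": sid_to_bytes(USER_N0THING)},
    {"name": "N0THING-LAPTOP", "mS-DS-CreatorSID": sid_to_bytes(USER_N0THING)},
    {"name": "WEB3", "mS-DS-CreatorSID": sid_to_bytes(USER_WEB3)},
    {"name": "DC01"},  # joined by an administrator: no mS-DS-CreatorSID
]
```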

Privilege escalation under IIS and further extension

In the previous article, "This is a 'different' real penetration test case analysis article", we mentioned that SYSTEM's requests are relayed through the machine account. So with what identity does the IIS user IIS APPPOOL\DefaultAppPool go out on the network?

Yes, it also makes requests as the machine account.

This design leads to a very serious problem: such a process can connect directly to the domain controller's LDAP and configure resource-based constrained delegation. And it is not only IIS that can escalate privileges: all low-privilege services (such as NETWORK SERVICE) that request domain resources do so as the machine account, which results in privilege escalation.

For more methods and scenarios, interested readers can consult the Microsoft documentation and keep digging, for example the use of SQL Server.

This article introduced the principle of RBCD and analyzed which accounts can abuse RBCD by default: the account that joined the machine to the domain (mS-DS-CreatorSID) and the machine account itself (SELF). We also analyzed the accounts that go out on the network as the machine account: SYSTEM, IIS APPPOOL\DefaultAppPool and NETWORK SERVICE. Combining these conditions, we proposed the idea of IIS local privilege escalation and the new mS-DS-CreatorSID attack surface (from local privilege escalation to lateral movement). We hope readers will explore more ideas themselves.

Finally, the PoC from the demonstration above is attached; the code is adapted from SharpAllowedToAct.