User --- authenticates to ---> IIS server --- authenticates on behalf of the user ---> DB server
IIS01 has the unconstrained Kerberos delegation privilege: its TrustedForDelegation field is set to $true.
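The same TrustedForDelegation check, plus the matching check of which privileged accounts are still exposed to it, can be done from any domain-joined host without PowerView. The following is an added example and not code from the original notes; it uses only the .NET DirectorySearcher, and the group locations (CN=Users) and the sample output are assumptions.

```powershell
# Added example (not code from the original notes): enumerate unconstrained delegation
# with the .NET DirectorySearcher only, so it runs on any domain-joined host without
# PowerView. The CN=Users group locations below are an assumption.

# userAccountControl bits (AD schema constants)
$UAC_TRUSTED_FOR_DELEGATION = 0x80000    # 524288: unconstrained delegation
$UAC_SERVER_TRUST_ACCOUNT   = 0x2000     # 8192: the account is a domain controller
$UAC_NOT_DELEGATED          = 0x100000   # 1048576: "Account is sensitive and cannot be delegated"

# LDAP extended matching rules: bitwise AND on an attribute, recursive group membership
$LDAP_MATCHING_RULE_BIT_AND  = '1.2.840.113556.1.4.803'
$LDAP_MATCHING_RULE_IN_CHAIN = '1.2.840.113556.1.4.1941'

function Get-LdapProp($Result, [string]$Name) {
    # ResultPropertyCollection keys are lower-case; return $null for absent attributes
    $key = $Name.ToLower()
    if ($Result.Properties.Contains($key)) { return $Result.Properties[$key][0] }
}

function Invoke-LdapSearch([string]$Filter, [string[]]$Props) {
    $base = ([adsi]'LDAP://RootDSE').defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([adsi]"LDAP://$base")
    $searcher.Filter   = $Filter
    $searcher.PageSize = 1000
    $null = $searcher.PropertiesToLoad.AddRange($Props)
    $searcher.FindAll()
}

# Computers and users whose TGT forwarding is unconstrained (the IIS01 case in the notes)
function Find-UnconstrainedDelegation {
    $filter = "(&(|(objectCategory=computer)(objectCategory=person))" +
              "(userAccountControl:$LDAP_MATCHING_RULE_BIT_AND:=$UAC_TRUSTED_FOR_DELEGATION))"
    foreach ($r in Invoke-LdapSearch $filter @('samaccountname','dnshostname','useraccountcontrol')) {
        $uac = [int](Get-LdapProp $r 'userAccountControl')
        [pscustomobject]@{
            SamAccountName     = [string](Get-LdapProp $r 'sAMAccountName')
            DnsHostName        = [string](Get-LdapProp $r 'dNSHostName')
            # DCs always carry the flag; any other hit is a pivot target like IIS01
            IsDomainController = (($uac -band $UAC_SERVER_TRUST_ACCOUNT) -ne 0)
        }
    }
}

# Domain Admins still exposed: not marked "sensitive" and not in Protected Users,
# so their forwardable TGT would be cached on IIS01 the moment they touch it.
function Find-DelegatableAdmins {
    $base = ([adsi]'LDAP://RootDSE').defaultNamingContext
    $domainAdmins   = "CN=Domain Admins,CN=Users,$base"     # assumed default container
    $protectedUsers = "CN=Protected Users,CN=Users,$base"   # assumed default container
    $filter = "(&(objectCategory=person)(memberOf:$LDAP_MATCHING_RULE_IN_CHAIN:=$domainAdmins))"
    foreach ($r in Invoke-LdapSearch $filter @('samaccountname','useraccountcontrol','memberof')) {
        $uac       = [int](Get-LdapProp $r 'userAccountControl')
        $groups    = @($r.Properties['memberof'])
        $sensitive = (($uac -band $UAC_NOT_DELEGATED) -ne 0)
        $protected = ($groups -contains $protectedUsers)
        if (-not $sensitive -and -not $protected) {
            [pscustomobject]@{
                SamAccountName = [string](Get-LdapProp $r 'sAMAccountName')
                Sensitive      = $sensitive
                ProtectedUser  = $protected
            }
        }
    }
}

# Non-DC hosts with the flag are the IIS01-type targets; the second list is who can be caught on them
Find-UnconstrainedDelegation | Where-Object { -not $_.IsDomainController }
Find-DelegatableAdmins
```

Domain controllers legitimately have TrustedForDelegation set, so filter them out before treating a hit as a pivot. An account that appears in the second list is one whose TGT would be cached on IIS01 exactly as offense\administrator's is in these notes; marking it sensitive or putting it in Protected Users stops the KDC from issuing it a forwardable TGT.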
Checking that we are good to attack: offense\administrator (Domain Admin) has not authenticated to IIS01 just yet.

Now make a DC01 host authenticate to IIS01 in the context of offense\administrator; the request comes back with an HTTP 200 OK response.

Back on IIS01, check for new Kerberos tickets in memory:

Before carrying out the pass-the-ticket attack and becoming a DA, let's try PSRemoting to DC01 from IIS01 and check the Kerberos tickets available in the current logon session, just to make sure we do not have DA rights yet:

After passing the ticket on the IIS01 host, try DC01 again:

The IIS01 session now contains a krbtgt ticket for offense\administrator, which lets it access the DC01 C$ share and establish a PSSession with an interactive shell with Domain Admin privileges.

offense\delegate
accessing a share on IIS01 - its TGT gets cached on IIS01 as well:
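The "what is cached in this logon session" check used before and after the pass-the-ticket step, and the observation that a user's TGT is cached on IIS01 when they touch a share, both come down to reading klist output. The following is an added example and not code from the original notes: it parses klist output into objects and tells you whether a TGT for a given user is present and whether it is forwardable (the property that makes it cacheable on an unconstrained-delegation host). The sample output is constructed and OFFENSE.LOCAL is an assumed realm name.

```powershell
# Added example (not code from the original notes): parse klist output to see which
# TGTs a logon session holds and whether they are forwardable. The sample output is
# constructed; OFFENSE.LOCAL is an assumed realm name.

# Ticket flag bits as encoded in the 32-bit KerbTicket flags word (RFC 4120 TicketFlags)
$KERB_FLAG_FORWARDABLE = 0x40000000
$KERB_FLAG_FORWARDED   = 0x20000000

function ConvertFrom-Klist {
    param([Parameter(Mandatory)][string[]]$Lines)
    $tickets = @()
    $t = $null
    foreach ($line in $Lines) {
        if ($line -match '^#\d+>') {
            # a new "#N>" header starts the next ticket; flush the previous one
            if ($t) { $tickets += [pscustomobject]$t }
            $t = @{ Client = $null; Server = $null; Flags = 0; IsTgt = $false; Forwardable = $false; Forwarded = $false }
        }
        if (-not $t) { continue }
        if ($line -match 'Client:\s*(?<user>\S+)\s*@\s*(?<realm>\S+)') {
            $t.Client = "$($Matches.user)@$($Matches.realm)"
        }
        elseif ($line -match 'Server:\s*(?<spn>\S+)\s*@') {
            $t.Server = $Matches.spn
            $t.IsTgt  = $Matches.spn -like 'krbtgt/*'
        }
        elseif ($line -match 'Ticket Flags\s+0x(?<hex>[0-9A-Fa-f]+)') {
            $flags = [Convert]::ToUInt32($Matches.hex, 16)
            $t.Flags       = $flags
            $t.Forwardable = (($flags -band $KERB_FLAG_FORWARDABLE) -ne 0)
            $t.Forwarded   = (($flags -band $KERB_FLAG_FORWARDED) -ne 0)
        }
    }
    if ($t) { $tickets += [pscustomobject]$t }
    return $tickets
}

# Does this logon session hold a TGT for the given user (e.g. the DA after pass-the-ticket)?
function Test-CachedTgt([object[]]$Tickets, [string]$User) {
    return [bool]($Tickets | Where-Object { $_.IsTgt -and $_.Client -like "${User}@*" })
}

# Constructed sample: the IIS01 session after the DA's forwarded TGT was injected
$sample = @'
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: administrator @ OFFENSE.LOCAL
        Server: krbtgt/OFFENSE.LOCAL @ OFFENSE.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
        Kdc Called: DC01

#1>     Client: administrator @ OFFENSE.LOCAL
        Server: cifs/DC01 @ OFFENSE.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Kdc Called: DC01
'@ -split "`r?`n"

$tickets = ConvertFrom-Klist $sample
$tickets | Format-Table Client, Server, IsTgt, Forwardable, Forwarded
Test-CachedTgt $tickets 'administrator'   # $true: the DA's krbtgt ticket is in this session

# On a live host, before and after the pass-the-ticket step:
# Test-CachedTgt (ConvertFrom-Klist (klist)) 'administrator'
```

Run it in the IIS01 logon session before the ticket is passed (expect $false for administrator, and only offense\delegate's own tickets listed) and again afterwards. The Forwardable column is the caveat to keep in mind: a TGT that is not forwardable never reaches IIS01, which is why the Protected Users group and the "sensitive" account flag shut this attack down for the accounts that matter.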