So while still trying to ingest the great blog post by Elad Shamir Wagging the Dog, I discovered a section called Solving a Sensitive Problem which improves on the method I used in my Delegate 2 Thyself post. This post is about that improvement and an abuse case using it.
I highly recommend reading both of those posts before reading this if you haven't done already.
An S4U2Self service ticket can be retrieved by any machine account, without any prior configuration.
As shown below, this machine account for EIIS1 is not configured for any type of delegation:
Also, the external.admin user is marked as Account is sensitive and cannot be delegated:
Elad says that it is still possible to impersonate as that user on the requesting system (EIIS1), all that's required are the machine account credentials or TGT.
Automating the Process
In the Wagging the Dog post, Elad was using an ASN.1 editor to modify the S4U2Self ticket obtained using Rubeus. I decided to modify Rubeus so that this process was fully automated.
All this modification does is add's a /self flag to Rubeus's s4u command, when that's used and the /altservice flag is also used, the value to /altservice (in the format of the full SPN, eg. host/computer.domain.com) is subsituted into the sname field in the returned S4U2Self ticket.
Trying It Out
In the previous post I started with code execution to the IIS server EIIS1, which is the same position here:
We already know that this user can use the tgtdeleg trick to get a usable TGT:
Now it's important to understand the rest I perform from a separate non domain-joined system. I tend to see a lot of questions about performing attacks from systems that aren't domain-joined but due to the nature of most of my work, I almost always perform the attacks from my own, non domain-joined system, so I do in my blog posts too.
So next I perform the S4U2Self using the TGT we just recieved from a different system:
As you can see here, I've requested the S4U2Self ticket then rewrote the sname to http/eiis1.external.zeroday.lab as the user that cannot de delegated external.admin, the resulting ticket can be seen in the following klist output:
This ticket can then be used to execute commands over PowerShell remoting:
Obviously, the only way you can take advantage of this is if you can get access to the credentials or TGT of the target system.
But it can still be used for privilege escalation and, in the case of gaining access to a system configured for unconstrained delegation, remote code exectution (because you will be able to gather usable TGT's for remote systems).
The advantages of this over the full S4U2Proxy approach is that no configuration changes are required and you are able to impersonate protected users.
The advantages of this over a traditional silver ticket is that the resulting ticket contains a valid PAC.