ACTIVE DIRECTORY TRUST ATTACKS [Unconstrained Delegation]

Abuse Unconstrained Delegation to get the TGT of DC01$ and submit the flag located at \\DC01\UCD_flag\flag.txt.

Can someone please guide me here? I have captured the NTLM hash of the user below and tried to read the flags.txt. However, whenever I attempt to read or list the content present in the \UCD_flag` directory, it returns an access denied error message. Please help

htb-admin
gmsa_adm$

I have tried with the administrator user but receiving same error.

Probably you don’t have a Ticket stored in your session or it might be wrong.

Aren’t you trying to access the UCD directory with a GMSA user?

Provide the response to “klist” command.

Please let me know if I am missing anything.

Did you get it?

Your ‘Client’ should be DC01$

1 Like