The following actions require write privileges over the target service account, and control over a user or machine account that has an SPN set.
If we don't control any account with an SPN and don't have the hash of a machine account, we need the right to create Computer Objects in the domain.
Find out which machines we have admin rights on.
Configure RBCD on the target service account so that it allows delegation from the account we control.
Set-ADComputer -Identity <TargetComputer> -PrincipalsAllowedToDelegateToAccount <ControlledAccount>
Now dump the credentials of the account we control. The command below is run from a domain-joined machine on which we have admin rights.
Invoke-Mimikatz -Command '"sekurlsa::ekeys"'
Alternatively, create a computer object and dump its credentials.
Use the extracted credentials to get access to the service running on the target machine as any user we want.
Rubeus.exe s4u /user:<ControlledAccount> /aes:<hash> /msdsspn:<service/machine> /impersonateuser:<UserToImpersonate> /ptt
If the machine we have configured RBCD on is a DC, we can request access to its LDAP service as a domain administrator, execute a DCSync attack, and obtain the credentials of the krbtgt account.
This attack constrains our access exclusively to the service machine that was abused, not to any other machine in the domain.
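A defender-side audit for the configuration described above, added here as an example and not part of the original notes. It assumes the RSAT ActiveDirectory module and read access to the domain; it lists every computer object whose msDS-AllowedToActOnBehalfOfOtherIdentity attribute is populated (the attribute Set-ADComputer writes), which principals may act on its behalf, whether the host is a domain controller, and the domain's ms-DS-MachineAccountQuota, which governs whether ordinary users can create computer objects.

```powershell
# Added audit script (assumption: RSAT ActiveDirectory module available,
# caller has read access to the domain). Not from the original page.
Import-Module ActiveDirectory

function Get-RbcdAudit {
    [CmdletBinding()]
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # Only objects that actually carry the RBCD security descriptor.
    $hosts = Get-ADComputer -SearchBase $SearchBase `
        -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
        -Properties msDS-AllowedToActOnBehalfOfOtherIdentity, primaryGroupID, whenChanged

    foreach ($h in $hosts) {
        # The attribute is a security descriptor; each ACE trustee is a
        # principal allowed to impersonate users to services on this host.
        $sd       = $h.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        $trustees = $sd.Access | ForEach-Object { $_.IdentityReference.Value }

        [pscustomobject]@{
            Computer             = $h.Name
            # RID 516 = Domain Controllers, 521 = Read-only Domain Controllers
            IsDomainController   = ($h.primaryGroupID -in 516, 521)
            AllowedToActOnBehalf = ($trustees -join '; ')
            WhenChanged          = $h.whenChanged
        }
    }
}

function Get-MachineAccountQuota {
    # Default is 10; 0 prevents non-privileged users from creating computer objects.
    $dn = (Get-ADDomain).DistinguishedName
    (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

# Usage: review any entry, and treat a DC with a populated list as urgent.
Get-RbcdAudit | Sort-Object IsDomainController -Descending | Format-Table -AutoSize
"ms-DS-MachineAccountQuota: $(Get-MachineAccountQuota)"
```

Trustees shown as raw SIDs (S-1-5-...) are unresolved principals, often a deleted account left in the descriptor, and are worth clearing.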