1
00:00:00,760 --> 00:00:03,700
So in this video we'll be talking about the constrained delegation.

2
00:00:03,700 --> 00:00:06,340
In the previous video we have seen unconstrained delegation.

3
00:00:06,550 --> 00:00:14,200
So this one will also be similar to that, except the account only has access to particular services.

4
00:00:14,470 --> 00:00:16,630
And here you can see the reason is cassava.

5
00:00:16,630 --> 00:00:23,800
And we have the, uh, expense for this server and only burger options are allowed for this server.

6
00:00:25,640 --> 00:00:28,670
So I have this shisha code.

7
00:00:28,880 --> 00:00:29,930
It's very simple.

8
00:00:29,930 --> 00:00:31,340
It's similar to the.

9
00:00:33,290 --> 00:00:34,880
Instead of finding.

10
00:00:36,190 --> 00:00:39,880
So what you're doing is you are finding accounts with this.

11
00:00:39,880 --> 00:00:41,440
There must be a central building.

12
00:00:42,280 --> 00:00:47,560
So this property, we are checking for any objects and we are printing those objects.

13
00:00:48,970 --> 00:00:54,670
So the remaining is converting this control to these corresponding plugs.

14
00:00:55,120 --> 00:00:57,010
We have already seen this here.

15
00:00:57,010 --> 00:01:04,660
We are just printing the objects with this flag, with this attribute, not as personal.

16
00:01:04,840 --> 00:01:08,680
If there is any value for this attribute of the tablet, we are going to print that object.

17
00:01:09,160 --> 00:01:10,540
So let's go and run this one.

18
00:01:13,700 --> 00:01:16,700
And here I can see there is only one computer.

19
00:01:16,940 --> 00:01:20,000
It is delegated to the CNN office.

20
00:01:20,960 --> 00:01:23,000
That is the furniture on this computer.

21
00:01:23,210 --> 00:01:27,410
And here you can also see the flag procedure to the third delegation.

22
00:01:28,280 --> 00:01:30,470
Now let's go and test.

23
00:01:30,680 --> 00:01:33,170
So this user is normal user.

24
00:01:35,660 --> 00:01:43,600
Now we need to set a change to enter service again so we can simply put service principle now.

25
00:01:45,080 --> 00:01:48,260
As constrain testing.

26
00:01:49,910 --> 00:01:57,610
If there is any substance on them, then this account will be like on Google Play and click on okay,

27
00:01:59,030 --> 00:02:03,500
now we go and run this again.

28
00:02:07,920 --> 00:02:13,570
Kirby did not find anything because we are taking a mysterious the record label.

29
00:02:14,130 --> 00:02:21,630
So we need to hear this USERRA for some certain services and here and see if there are other options.

30
00:02:21,870 --> 00:02:25,470
And we need to add the services to this object.

31
00:02:26,340 --> 00:02:27,240
No, we cannot.

32
00:02:27,270 --> 00:02:33,210
Now we need to find the user objects, our computers.

33
00:02:33,240 --> 00:02:35,820
Now that at 512016.

34
00:02:36,060 --> 00:02:40,680
That is a domain controller that will provide this.

35
00:02:41,310 --> 00:02:42,360
That is the publisher.

36
00:02:42,870 --> 00:02:48,630
Now you can see the different services offered by their domain controller now set up the CIFS and click

37
00:02:48,630 --> 00:02:49,170
on okay.

38
00:02:49,470 --> 00:02:51,750
Now click on apply and click on.

39
00:02:51,900 --> 00:02:52,340
Okay.

40
00:02:54,120 --> 00:02:55,500
If you weren't on this again.

41
00:02:55,500 --> 00:02:58,950
And here we get the end of the record.

42
00:02:58,950 --> 00:03:08,070
That is that has to end this push to use delegated does the year of this on this when it's not local.

43
00:03:09,120 --> 00:03:15,510
So that means that you delegated to access the CIFS service on behalf of any user.

44
00:03:19,390 --> 00:03:22,780
So after this, what we're going to do is we are going to use the reverse.

45
00:03:22,780 --> 00:03:28,090
And here we have the command prompt of Pashtu.

46
00:03:28,390 --> 00:03:29,590
If I go into who am I?

47
00:03:29,590 --> 00:03:31,000
Groups, we are normal.

48
00:03:31,000 --> 00:03:31,470
Uh.

49
00:03:33,620 --> 00:03:36,260
Normal users will not need the management's.

50
00:03:39,270 --> 00:03:43,710
First we need to generate the hash for this user con.

51
00:03:44,820 --> 00:03:47,240
We can also dump using the memory card as well.

52
00:03:49,650 --> 00:03:52,560
User testo and the password.

53
00:03:59,860 --> 00:04:01,330
And specify the domain.

54
00:04:03,830 --> 00:04:05,970
And now we get this cartoon for us.

55
00:04:06,950 --> 00:04:08,180
Now, copy this.

56
00:04:16,900 --> 00:04:18,070
And based here.

57
00:04:18,670 --> 00:04:23,530
So what we're going to do is now we're going to use a Kerberos extension called

58
00:04:23,530 --> 00:04:25,690
S4U, that is self for a user.

59
00:04:25,960 --> 00:04:27,580
So what this means is.

60
00:04:30,340 --> 00:04:40,600
This user account can request the PDP on behalf of any other user for itself so this can impersonate

61
00:04:40,600 --> 00:04:42,580
any other user for the service.

62
00:04:47,720 --> 00:04:49,850
So we can use Rubeus.

63
00:04:53,230 --> 00:04:57,770
S4U, so do this also has this S4U.

64
00:04:57,820 --> 00:05:03,310
Option to specify user that is does to and RC4 hash.

65
00:05:05,170 --> 00:05:07,120
And the next one is impersonating the.

66
00:05:08,820 --> 00:05:10,980
We want to impersonate as administrator.

67
00:05:15,120 --> 00:05:18,390
And the domain is not remarkable.

68
00:05:21,280 --> 00:05:25,440
And we need to specify which service we want to ask the kids.

69
00:05:25,750 --> 00:05:32,440
So for the getting the duty on behalf of on behalf of this user, then we are using this as well.

70
00:05:32,770 --> 00:05:39,780
And after getting that, uh, uh, to get, we can, uh, request for their periods.

71
00:05:40,060 --> 00:05:44,020
And after that we can, uh, let that to get into this memory.

72
00:05:45,710 --> 00:05:46,820
So there must be yes.

73
00:05:46,970 --> 00:05:54,170
SPN that is CIFS trash 2016.09.0.

74
00:05:55,160 --> 00:05:57,790
And after that we can use PDT.

75
00:05:57,880 --> 00:06:02,360
So this was the article directly leading to the section.

76
00:06:02,780 --> 00:06:09,740
Now if you hit enter and you can see ticket successfully imported so they can see the list of the tickets.

77
00:06:09,740 --> 00:06:17,080
And here you can see we have the administrator to get it as administrator to use it to the submission

78
00:06:17,090 --> 00:06:17,510
office.

79
00:06:17,810 --> 00:06:20,150
Now we can go ahead and.

80
00:06:23,290 --> 00:06:24,610
The contents of this.

81
00:06:27,540 --> 00:06:28,260
See Drew.

82
00:06:31,400 --> 00:06:32,450
So here you can see it.

83
00:06:32,450 --> 00:06:34,950
We got the rest of our content.

84
00:06:36,350 --> 00:06:40,400
So this is how you do the constrained delegation.

85
00:06:40,610 --> 00:06:46,610
So there are there be some services need to know that those services with this, there must be an error

86
00:06:47,540 --> 00:06:48,010
option.

87
00:06:48,980 --> 00:06:55,310
So you will get the accounts and we can dump the hashes using mimikatz and using those hash, we can

88
00:06:55,310 --> 00:06:57,980
impersonate that domain administrator user.

89
00:06:59,090 --> 00:07:06,290
So this is very simple, quite similar to the finding that instead of uh, uh, users were just finding

90
00:07:06,290 --> 00:07:12,620
out from that remote, this one is not empty and if it's not empty were printing the San Miguel name

91
00:07:12,620 --> 00:07:15,570
and the contents of this were.

92
00:07:16,870 --> 00:07:19,210
This added work can also contain multiple values.

93
00:07:19,240 --> 00:07:21,910
Here you can see this kind of multiple values.

94
00:07:23,630 --> 00:07:27,200
So we are just moving our through that and we are just printing them.