Vulnlab Delegate: Exploiting Active Directory Delegation for Domain Takeover
In this detailed VulnLab walkthrough of the “Delegate” machine, we demonstrate how misconfigured Active Directory delegation settings can lead to complete domain compromise. Beginning with a null SMB session that reveals initial credentials, we leverage GenericWrite permissions to perform targeted Kerberoasting against a privileged user. The walkthrough progresses through advanced Active Directory attack techniques including machine account creation, DNS record manipulation, and unconstrained delegation exploitation to ultimately capture authentication tickets and extract domain secrets. This step-by-step pentesting guide highlights the critical security risks associated with delegation privileges in Windows domains and the importance of properly securing Active Directory configurations.
```text
Not shown: 65510 filtered tcp ports (no-response)
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory
3269/tcp  open  tcpwrapped    syn-ack ttl 127
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
|_ssl-date: 2025-04-01T16:43:27+00:00; -1h59m53s from scanner time.
| ssl-cert: Subject: commonName=DC1.delegate.vl
| Issuer: commonName=DC1.delegate.vl
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
47001/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0
49664/tcp open  unknown       syn-ack ttl 127
49665/tcp open  unknown       syn-ack ttl 127
49667/tcp open  unknown       syn-ack ttl 127
49669/tcp open  unknown       syn-ack ttl 127
49670/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49672/tcp open  unknown       syn-ack ttl 127
49683/tcp open  unknown       syn-ack ttl 127
49685/tcp open  unknown       syn-ack ttl 127
64567/tcp open  unknown       syn-ack ttl 127
64591/tcp open  unknown       syn-ack ttl 127
```
SMB Enumeration
We can get access to the SMB server via a null session:
```bash
netexec smb 10.10.64.93 -u 'guest' -p '' --shares
```
After gaining access to the NETLOGON share, we find a users.bat file:
```bash
smbclient //10.10.64.93/NETLOGON
get users.bat
```
Opening the file reveals a password that appears to belong to an Administrator account; the command containing it only runs when the logged-on username is A.Briggs:
```bash
strings users.bat
```
The password didn’t work for Administrator but worked for A.Briggs. This gave us access to LDAP, so the next step was running BloodHound:
After analyzing the domain structure, we discovered that we have GenericWrite permissions over N.Thompson, who also has PSRemote access to the Domain Controller - a promising attack path:
According to HarmJ0y’s blog, this GPO is located at \\DOMAIN\sysvol\testlab.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf. By adding any user SID or username to the SeEnableDelegationPrivilege line of the [Privilege Rights] section, the setting will take hold whenever the user/machine’s current DC reboots or refreshes its group policy.
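Because that GptTmpl.inf is plain text under SYSVOL, a defender can diff it against the expected baseline on a schedule. The script below is an added example, not code from the walkthrough or from HarmJ0y's post: it parses the [Privilege Rights] section and reports any SeEnableDelegationPrivilege holder other than BUILTIN\Administrators (S-1-5-32-544), which is the only holder in the Default Domain Controllers Policy. The template text, the extra domain SID and the account name svc_example are constructed for the demonstration.

```python
"""Added example: audit a GptTmpl.inf for unexpected SeEnableDelegationPrivilege holders.

Not part of the original walkthrough. SAMPLE_GPT_TMPL is constructed; real
templates sit under SYSVOL at the path quoted above and are written by SecEdit
as UTF-16LE, so audit_file() opens them with encoding="utf-16".
"""

# BUILTIN\Administrators is the only holder granted by the Default Domain
# Controllers Policy; any other entry on the line deserves investigation.
BASELINE_HOLDERS = {"S-1-5-32-544"}

# Constructed sample: one extra domain SID and one bare account name have been
# appended to the privilege line, mirroring the tampering described above.
SAMPLE_GPT_TMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeMachineAccountPrivilege = *S-1-5-11
SeEnableDelegationPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105,svc_example
SeRemoteInteractiveLogonRight = *S-1-5-32-544
"""


def parse_privilege_rights(text):
    """Return {privilege_name: [holder, ...]} from the [Privilege Rights] section.

    Holders appear either as '*SID' or as bare account names; the leading '*'
    is stripped so both forms compare cleanly against a baseline set.
    """
    rights = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
        rights[name.strip()] = holders
    return rights


def unexpected_delegation_holders(text, baseline=BASELINE_HOLDERS):
    """List holders of SeEnableDelegationPrivilege that are not in the baseline.

    An empty list means nobody beyond the baseline holds the right, or the line
    is absent (in which case the default policy setting applies unchanged).
    """
    holders = parse_privilege_rights(text).get("SeEnableDelegationPrivilege", [])
    return [h for h in holders if h not in baseline]


def audit_file(path, baseline=BASELINE_HOLDERS):
    """Audit a GptTmpl.inf on disk (UTF-16LE with BOM, as SecEdit writes it)."""
    with open(path, encoding="utf-16") as fh:
        return unexpected_delegation_holders(fh.read(), baseline)


if __name__ == "__main__":
    for holder in unexpected_delegation_holders(SAMPLE_GPT_TMPL):
        print(f"[!] unexpected SeEnableDelegationPrivilege holder: {holder}")
```

Run it against the live copy with `audit_file(r"\\DOMAIN\sysvol\...\GptTmpl.inf")` from a host that can read SYSVOL, and pair it with monitoring of the GPO's versionNumber and the file's modification time, since the change only takes effect after the next policy refresh or DC reboot.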
This means we can abuse unconstrained delegation by creating a machine account and appending a Service Principal Name (SPN) to it. First, we need to check that the machine account quota is not set to 0:
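The two prerequisites of that path, a non-zero machine account quota and a computer object that can be given unconstrained delegation, are exactly what a defender should be watching. The script below is an added example, not code from the walkthrough: it runs over constructed records shaped like LDAP computer objects and flags any non-DC computer whose userAccountControl carries TRUSTED_FOR_DELEGATION, lists computers whose mS-DS-CreatorSID is populated (set only when a non-admin used the quota to join the object), and reports whether ms-DS-MachineAccountQuota still permits joins. The computer names and SIDs other than DC1.delegate.vl are constructed.

```python
"""Added example: spot machine accounts with unconstrained delegation and
objects created through the machine account quota.

Not part of the original walkthrough. SAMPLE_COMPUTERS is constructed; in a
real audit the records come from an LDAP search for (objectClass=computer)
returning the same attributes, and the quota from ms-DS-MachineAccountQuota
on the domain object.
"""

# userAccountControl bits (from the AD schema documentation)
SERVER_TRUST_ACCOUNT = 0x2000       # domain controller computer account
WORKSTATION_TRUST_ACCOUNT = 0x1000  # member server or workstation account
TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained Kerberos delegation

# Value a freshly created domain ships with
DEFAULT_MACHINE_ACCOUNT_QUOTA = 10

# Constructed sample records. DCs hold TRUSTED_FOR_DELEGATION by default and
# are expected; a workstation-class object with the same bit is the anomaly.
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "DC1$",
     "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["ldap/DC1.delegate.vl"],
     "mS-DS-CreatorSID": None},
    {"sAMAccountName": "WS01$",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "servicePrincipalName": ["HOST/WS01"],
     "mS-DS-CreatorSID": None},
    {"sAMAccountName": "ROGUE01$",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["HOST/ROGUE01", "cifs/ROGUE01.delegate.vl"],
     "mS-DS-CreatorSID": "S-1-5-21-1111111111-2222222222-3333333333-1105"},
]


def is_domain_controller(record):
    """DCs are the one class of computer expected to have unconstrained delegation."""
    return bool(record["userAccountControl"] & SERVER_TRUST_ACCOUNT)


def unconstrained_non_dc(records):
    """Names of non-DC computers whose UAC carries TRUSTED_FOR_DELEGATION."""
    return [
        r["sAMAccountName"] for r in records
        if r["userAccountControl"] & TRUSTED_FOR_DELEGATION and not is_domain_controller(r)
    ]


def quota_created(records):
    """Names of computers joined by a non-admin via the quota (creator SID set)."""
    return [r["sAMAccountName"] for r in records if r.get("mS-DS-CreatorSID")]


def quota_allows_joins(quota):
    """True when ms-DS-MachineAccountQuota still lets ordinary users add computers."""
    return quota > 0


def audit(records, quota):
    """Bundle the three checks into one report dictionary."""
    return {
        "quota_allows_joins": quota_allows_joins(quota),
        "unconstrained_non_dc": unconstrained_non_dc(records),
        "quota_created": quota_created(records),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_COMPUTERS, DEFAULT_MACHINE_ACCOUNT_QUOTA).items():
        print(f"{key}: {value}")
```

A computer that appears in both lists, quota-created and unconstrained, is the strongest signal, because an ordinary user cannot set TRUSTED_FOR_DELEGATION without the SeEnableDelegationPrivilege discussed above; setting the quota to 0 and restricting that privilege to Domain Admins closes both halves of the path.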