🕵️Delegate

Enumeration

IP

10.10.82.125

We have a Windows machine with the domain delegate.vl and the hostname DC01.delegate.vl. LDAP anonymous bind is disabled, but as a guest we have read access to the NETLOGON share. We download a users.bat file.

We get a password for the user a.briggs

Now we can enumerate the domain with BloodHound.

We can see that the compromised user has GenericWrite over n.thompson, so we can add an SPN to the user, Kerberoast it and then remove the SPN.

And we got the password
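Seen from the defender's side, the add-SPN, Kerberoast, remove-SPN sequence above leaves a short-lived `servicePrincipalName` change on a user object with a service ticket request in between. The following is an added example, not part of the original writeup: it correlates directory-change events (5136) with ticket requests (4769). The event records are constructed, simplified dicts, the DN and SPN values are made up, and the 10 minute window is an assumption.

```python
from datetime import datetime, timedelta

VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"  # OperationType codes in event 5136
WINDOW = timedelta(minutes=10)                     # assumed correlation window

# Constructed sample events (simplified dicts, not a real log export).
EVENTS = [
    {"EventID": 5136, "Time": "2024-01-01T10:00:05", "SubjectUserName": "a.briggs",
     "ObjectDN": "CN=N.Thompson,CN=Users,DC=delegate,DC=vl",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "example/host.delegate.vl", "OperationType": VALUE_ADDED},
    {"EventID": 4769, "Time": "2024-01-01T10:00:20", "TargetUserName": "a.briggs@DELEGATE.VL",
     "ServiceName": "n.thompson", "TicketEncryptionType": "0x17"},  # 0x17 = RC4-HMAC
    {"EventID": 5136, "Time": "2024-01-01T10:01:10", "SubjectUserName": "a.briggs",
     "ObjectDN": "CN=N.Thompson,CN=Users,DC=delegate,DC=vl",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "example/host.delegate.vl", "OperationType": VALUE_DELETED},
    # Benign case: an administrator registers an SPN and leaves it in place.
    {"EventID": 5136, "Time": "2024-01-01T09:00:00", "SubjectUserName": "svc-admin",
     "ObjectDN": "CN=svc-sql,CN=Users,DC=delegate,DC=vl",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "MSSQLSvc/db.delegate.vl:1433", "OperationType": VALUE_ADDED},
]

def find_transient_spn(events, window=WINDOW):
    """Find SPNs added to and removed from the same object by the same subject
    within `window`, and count the subject's ticket requests in between."""
    ts = lambda e: datetime.fromisoformat(e["Time"])
    spn = [e for e in events if e["EventID"] == 5136
           and e["AttributeLDAPDisplayName"].lower() == "serviceprincipalname"]
    findings = []
    for add in (e for e in spn if e["OperationType"] == VALUE_ADDED):
        for rem in (e for e in spn if e["OperationType"] == VALUE_DELETED):
            same = all(add[k] == rem[k] for k in ("ObjectDN", "AttributeValue", "SubjectUserName"))
            if not same or not timedelta(0) <= ts(rem) - ts(add) <= window:
                continue
            tickets = [t for t in events if t["EventID"] == 4769
                       and t["TargetUserName"].split("@")[0].lower() == add["SubjectUserName"].lower()
                       and ts(add) <= ts(t) <= ts(rem)]
            findings.append({"object": add["ObjectDN"], "spn": add["AttributeValue"],
                             "actor": add["SubjectUserName"], "tickets": len(tickets),
                             "rc4_ticket": any(t["TicketEncryptionType"] == "0x17" for t in tickets)})
    return findings

if __name__ == "__main__":
    print(find_transient_spn(EVENTS))
```

Event 5136 is only written when Directory Service Changes auditing is enabled and the object's SACL audits writes to the attribute, so the correlation depends on that auditing being in place.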

Unconstrained Delegation

This user is in the delegation admins group. We can add a new machine account to the domain and abuse Unconstrained Delegation to get a Kerberos ticket for the DC machine account DC$.

We use Powermad to create a new machine account and add an SPN.

Then we modify the DNS records to make the DC connect to us.

To use krbrelayx.py we need the NTLM hash of the new machine account. After making the DC connect to us using printerbug.py, we get a ticket for the DC$ account.
