Key points:
- Introduction of a new Active Directory machine challenge with vulnerabilities such as DACL abuse and SQL interactions.
- Initial scanning of the host using Nmap to identify open ports and services.
- Finding sensitive files through anonymous FTP access.
- Using the `.kdbx` file to extract passwords and explore its contents.
- Implementing password spraying techniques against Active Directory users.
- Demonstrating NTLM relay attacks to capture user credentials.
- Using BloodHound to analyze Active Directory relationships and permissions.
- Abusing user permissions to escalate privileges, then abusing machine accounts with delegation configured.
- Final steps involving DCSync to dump hashes and a pass-the-hash attack for full access.
- Maverick encourages continuous learning and engagement in the hacking community.
MITRE Techniques:
- T1078 – Valid Accounts: Exploited valid user accounts for authentication.
- T1059 – Command and Scripting Interpreter: Used command line tools for interaction with services (impacket, Nmap).
- T1071 – Application Layer Protocol: Exploited FTP for file transfers and credential harvesting.
- T1086 – PowerShell: Used PowerShell Remoting for access to systems after privilege escalation.
- T1132 – Data Encoding: Encoded credentials and data for secure transfer and usage across different services.
- T1203 – Exploitation for Client Execution: Exploited identified vulnerabilities across services determined through Nmap reconnaissance.
Indicators of Compromise:
- [IP Address] 10.10.87.74
- [Domain] redelegate.vl
- [Domain] dc.redelegate.vl
- [File] Shared.kdbx
- [Hash] $keepass$*2*600000*0*ce7395f413946b0cd279501e510cf8a988f39baca623dd86beaee651025662e6*e4f9d51a5df3e5f9ca1019cd57e10d60f85f48228da3f3b4cf1ffee940e20e01
Full Story: https://infosecwriteups.com/redelegate-vulnlab-forcechangepassword-genericall-and-constrained-delegation-aa48b6d89931?source=rss—-7b722bfd1b8d—4
Impacket v0.12.0 – Copyright Fortra, LLC and its affiliated companies
[*] Impersonating ryan.cooper
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in ryan.cooper@[email protected]
Now, you can export your ticket and either log in using psexec or go straight for DCSync to dump all the hashes. Once you have the Administrator hash, just pass-the-hash and… PWNED!
Final words:
I hope this walkthrough was clear and that you learned something new along the way. This write-up was made with love by Mohamed Eletrepy aka Maverick. Keep hacking, stay curious, and never stop learning. Until next time — happy hacking! 🚀🔥
(Figure: Attack Path Overview)
Wanna Keep in Touch with Maverick?
Don’t forget to follow me on LinkedIn and Twitter, and give me some respect on Hack The Box! I love chatting with like-minded people, sharing knowledge, and learning from everyone. Happy hacking! 🚀