KERBEROS ATTACKS - Unconstrained Delegation - Users

tigerboy · September 2, 2023, 10:31am

Anyone able to spawn the lab for this exercise successfully [KERBEROS ATTACKS - Unconstrained Delegation - Users]? Thanks!

therogue1 · September 10, 2023, 7:31pm

I was able to spawn the lab. Have you contacted tech support?

tigerboy · September 11, 2023, 4:32pm

@therogue1 What command you are using to connect to machine?

I have tried below command but receiving an error.

└─# xfreerdp /v:10.129.205.35 /u:carole.rose /p:‘jasmine’
└─# xfreerdp /v:10.129.205.35 /u:carole.rose /p:jasmine

└─# xfreerdp /v:10.129.205.35 /u:carole.rose /p:jasmine
[12:26:14:453] [4964:4965] [WARN][com.freerdp.crypto] - Certificate verification failure ‘self signed certificate (18)’ at stack position 0
[12:26:14:453] [4964:4965] [WARN][com.freerdp.crypto] - CN = DC01.INLANEFREIGHT.LOCAL
[12:26:15:762] [4964:4965] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 104: Connection reset by peer
[12:26:15:762] [4964:4965] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[12:26:17:781] [4964:4965] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 104: Connection reset by peer
[12:26:17:781] [4964:4965] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[12:26:17:782] [4964:4965] [ERROR][com.freerdp.core] - freerdp_post_connect failed

└─# ping 10.129.205.35
PING 10.129.205.35 (10.129.205.35) 56(84) bytes of data.
64 bytes from 10.129.205.35: icmp_seq=1 ttl=127 time=131 ms
64 bytes from 10.129.205.35: icmp_seq=2 ttl=127 time=131 ms
64 bytes from 10.129.205.35: icmp_seq=3 ttl=127 time=135 ms
^C
— 10.129.205.35 ping statistics —
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 130.534/132.064/134.932/2.029 ms

Alt_F4 · September 11, 2023, 6:36pm

So you shouldn’t connect to this machine. There are restrictions on it. You must achieve a DCSync attack to reset the hashes, take the admin hash and get the flag. Based on the job, the user carole.rose has the GenericWrite privilege

therogue1 · September 12, 2023, 12:41am

This lab isn’t meant for students to connect with via RDP. Go through the steps taught in the module, beginning with using dnstool.py all the way to the end and you have dumped the hashes. Then, think about how you can use the dumped hashes to read the flag.txt file on DC01.

Alt_F4 · September 12, 2023, 2:22pm

Hello, I understand that you managed to reset the hashes. Here is my similar forum thread with all the steps. Can you please look with fresh eyes and tell me what I’m doing wrong?