KERBEROS ATTACKS - Unconstrained Delegation - Users

tigerboy · September 2, 2023, 10:31am

Anyone able to spawn the lab for this exercise successfully [KERBEROS ATTACKS - Unconstrained Delegation - Users]? Thanks!

therogue1 · September 10, 2023, 7:31pm

I was able to spawn the lab. Have you contacted tech support?

tigerboy · September 11, 2023, 4:32pm

@therogue1 What command you are using to connect to machine?

I have tried below command but receiving an error.

└─# xfreerdp /v:10.129.205.35 /u:carole.rose /p:‘jasmine’
└─# xfreerdp /v:10.129.205.35 /u:carole.rose /p:jasmine

└─# xfreerdp /v:10.129.205.35 /u:carole.rose /p:jasmine
[12:26:14:453] [4964:4965] [WARN][com.freerdp.crypto] - Certificate verification failure ‘self signed certificate (18)’ at stack position 0
[12:26:14:453] [4964:4965] [WARN][com.freerdp.crypto] - CN = DC01.INLANEFREIGHT.LOCAL
[12:26:15:762] [4964:4965] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 104: Connection reset by peer
[12:26:15:762] [4964:4965] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[12:26:17:781] [4964:4965] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 104: Connection reset by peer
[12:26:17:781] [4964:4965] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[12:26:17:782] [4964:4965] [ERROR][com.freerdp.core] - freerdp_post_connect failed

└─# ping 10.129.205.35
PING 10.129.205.35 (10.129.205.35) 56(84) bytes of data.
64 bytes from 10.129.205.35: icmp_seq=1 ttl=127 time=131 ms
64 bytes from 10.129.205.35: icmp_seq=2 ttl=127 time=131 ms
64 bytes from 10.129.205.35: icmp_seq=3 ttl=127 time=135 ms
^C
— 10.129.205.35 ping statistics —
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 130.534/132.064/134.932/2.029 ms

Alt_F4 · September 11, 2023, 6:36pm

So you shouldn’t connect to this machine. There are restrictions on it. You must achieve a DCSync attack to reset the hashes, take the admin hash and get the flag. Based on the job, the user carole.rose has the GenericWrite privilege

therogue1 · September 12, 2023, 12:41am

This lab isn’t meant for students to connect with via RDP. Go through the steps taught in the module, beginning with using dnstool.py all the way to the end and you have dumped the hashes. Then, think about how you can use the dumped hashes to read the flag.txt file on DC01.

Alt_F4 · September 12, 2023, 2:22pm

Hello, I understand that you managed to reset the hashes. Here is my similar forum thread with all the steps. Can you please look with fresh eyes and tell me what I’m doing wrong?

nonsleepr · October 9, 2023, 10:10am

@tigerboy, You need to take the username in quotes or double-escape the backslash (-u INLANEFREIGHT.LOCAL\\carole.rose) , otherwise the username passed to the script becomes INLANEFREIGHT.LOCALcarole.rose.

jaybeeayyy · November 7, 2023, 2:56pm

I’m stuck on the lab but having a different issue.

How are yall running the PowerView command

Get-NetUser -TrustedToAuth

I ran the bypass and added the PowerView script with the two periods (blanking on what that’s called) so that’s all good.

I can run Get-NetUser without the -TrustedToAuth flag…but once I add it, it tells me it can’t be found.

Screenshot 2023-11-07 095531

Any advice?

boot2root · March 6, 2024, 4:54am

cd to the downloads folder where PowerView-main.ps1 is located then use PowerView-main.ps1 not PowerView.ps1:

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
Import-Module .\PowerView-main.ps1
Get-Netuser -TrustedToAuth

had the same issue