Skip to content

HTB Delegate — SYSVOL creds → Targeted Kerberoast → Unconstr... #1401

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

HTB Delegate — SYSVOL creds → Targeted Kerberoast → Unconstr... #1401

wants to merge 1 commit into from

Conversation

carlospolop
Copy link
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://0xdf.gitlab.io/2025/09/12/htb-delegate.html
  • Blog Title: HTB: Delegate — SYSVOL creds → Targeted Kerberoast → Unconstrained Delegation → DCSync to DA
  • Suggested Section: Windows / Active Directory - Kerberos & Delegation Attacks (Targeted Kerberoast via GenericWrite, Unconstrained Delegation + Coercion/PrinterBug, DCSync)

🎯 Content Summary

This post is a complete, reproducible AD attack chain from unauthenticated network access to full Domain Admin on a Windows Server 2022 DC (DC1.delegate.vl). It preserves exact commands, tool output, and artifacts to replicate and detect the activity.


Recon → Identify the DC and key controls

nmap -p- -vvv --min-rate 10000 10.129.56.255
nmap -sCV -p 53,88,135,139,389,445,464,636,3268,3269,3389,5985,9389,47001 10.129.56.255
Findings: classic DC ports...

🔧 Technical Details

RID cycling and SYSVOL credential discovery: If Guest/anonymous SMB allows reading SYSVOL/NETLOGON, perform RID cycling to enumerate accounts, then search these shares for scripts/policies with hardcoded credentials. Test discovered passwords across domain accounts and protocols.


Targeted Kerberoast via ACL abuse (GenericWrite on a user): When you control a user object (e.g., GenericWrite), temporarily add a servicePrincipalName to that user, request a TGS-REP using RC4 (etype 23), and crack the resulting $krb5tgs$23$... with hashcat (mode 13100). Remove the SPN afterward. This yields the target user’s plaintext password and often WinRM access if they’re in Remote Management Users.


Abusing unconstrained delegation with attacker-created computers: With MachineAccountQuota > 0, create a machine account you control, register a DNS A-record to your listener, and set UAC TRUSTED_FOR_DELEGATION (requires SeEnableDeleg...

🤖 Agent Actions

I analyzed the blog content and the current HackTricks repository and found relevant places to update. The techniques in the blog are highly technical and map well to existing Windows/Active Directory sections, but several pages benefited from additional, concrete steps and tooling that were not yet present.

What I updated:

  1. Targeted Kerberoast via GenericWrite/GenericAll (temporary SPN)
  • File updated: src/windows-hardening/active-directory-methodology/kerberoast.md
  • Added a detailed sub-section under “Persistence / Abuse” explaining the targeted Kerberoast workflow when you have GenericWrite/GenericAll over a user:
    • Temporarily add SPN → request RC4 TGS-REP → crack → remove SPN
    • Windows (PowerView/Rubeus) commands and Linux one-liner with targetedKerberoast.py
    • Detection notes (Event IDs 5136/4738 and 4769)
    • Added the blog and the targetedKerberoast repo to References
  1. Unconstrained Delegation with attacker-created computer + coercion
  • File updated: src/windows-hardening/active-directory-methodology/unconstrained-delegation.md
  • Added a new section “Abusing Unconstrained Delegation with an attacker-created computer” detailing:
    • Prereqs: MachineAccountQuota > 0 and SeEnableDelegationPrivilege to set TRUSTED_FOR_DELEGATION
    • Steps:
      1. addcomputer.py to create a controlled machine account
      2. dnstool.py (krbrelayx) to add a DNS A record for the fake host
      3. BloodyAD to set UAC TRUSTED_FOR_DELEGATION on the machine
      4. krbrelayx export mode with machine account NT hash to export inbound TGTs
      5. Coercion using netexec -M coerce_plus (PrinterBug/PetitPotam/DFSCoerce/MSEven) targeting the controlled host’s FQDN
      6. DCSync using the captured DC machine TGT (with KRB5CCNAME)
    • Notes, detection, and hardening bullets (events 4741/4742/4738, unusual DNS record adds, LDAP signing, Print Spooler on DCs, etc.)
    • Added comprehensive References (blog, krbrelayx, Impacket, BloodyAD, netexec)
  1. DCSync using a captured DC machine TGT (ccache)
  • File updated: src/windows-hardening/active-directory-methodology/dcsync.md
  • Added a new section “DCSync using a captured DC machine TGT (ccache)” that shows:
    • Generating krb5.conf
    • Using netexec --use-kcache --ntds with KRB5CCNAME
    • Using Impacket secretsdump.py with Kerberos from ccache (-k -no-pass)
    • Added the blog to the References

Why I did not add more:

  • SYSVOL credential leaks and RID cycling are already covered in SMB and AD methodology pages (SMB page explicitly tips checking SYSVOL/NETLOGON for scripts with credentials). The blog’s exact commands are consistent with existing content and didn’t require additional duplication.
  • PrinterBug/Spooler abuse already has its own page; I referenced it where appropriate rather than duplicating content.

Summary of changes (files updated):

  • src/windows-hardening/active-directory-methodology/kerberoast.md
  • src/windows-hardening/active-directory-methodology/unconstrained-delegation.md
  • src/windows-hardening/active-directory-methodology/dcsync.md

All updates follow HackTricks style, preserve existing content, add new technical steps and code blocks, and include a “## References” section at the end of each updated file with the blog link and relevant tooling/documentation.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 876
  • MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).

🗑️ File Cleanup

  • searchindex.js removed: This auto-generated file has been removed to prevent conflicts.

Add content from: HTB: Delegate — SYSVOL creds → Targeted Kerberoast …
49eddb2 
…→ Unconst...

- Remove searchindex.js (auto-generated file)
@carlospolop
Copy link
Collaborator Author

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2025/09/12/htb-delegate.html

Content Categories: Based on the analysis, this content was categorized under "Windows / Active Directory - Kerberos & Delegation Attacks (Targeted Kerberoast via GenericWrite, Unconstrained Delegation + Coercion/PrinterBug, DCSync)".

Repository Maintenance:

  • MD Files Formatting: 876 files processed (1 files fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@carlospolop