TryHackMe - Crocc Crew WriteUp

Overview

Crocc Crew is an insane machine on TryHackMe, but it’s kinda like an easy box. The path starts with some clever RDP reconnaissance to find initial credentials. From there, it involves kerberoasting a service account, diving into BloodHound to find a constrained delegation path, and wrestling with a very frustrating secretsdump error that I almost rage quit and touched grass. Let’s walk through it.

Target IP: 10.10.208.147

Attack path:

Nmap Scan
Bypass RDP NLA → Spot Sticky Note → Visitor:GuestLogin!
Enumerate SMB → Home Share → Get User Flag
Kerberoast password-reset → Crack with Hashcat
Login as password-reset → Run BloodHound
Find Constrained Delegation to oakley/DC
Use getST.py to impersonate Administrator
Fix /etc/hosts → Run secretsdump
Evil-WinRM as Administrator
LDAPSearch → Identify Planted

1. Initial Access (TA0001)

As always, the first step is a thorough nmap scan to see what we’re working with. ...

July 10, 2025 · 4 min · 0xblivion