Support
We scan the machine using nmap and find that SMB and LDAP are running. We are able to list SMB shares and download all the files from the support-tools share without providing credentials. One of the files downloaded is a ZIP file containing a .Net executable called UserInfo.exe. We decompile the program with ILSpy (using its Linux/macOS port) and find an encrypted password. The encryption is basic and the decryption logic is already present in the code, so the password is easy to decrypt. We continue looking at the code and find that an LDAP connection is made with a user called ldap and the decrypted password. Using ldapsearch, we dump the LDAP user data and find the password for the support user in its info field. We connect using evil-winrm and get the user.txt flag.
Now that we have a shell, we collect data from the machine with SharpHound and analyze it in BloodHound. We figure out that the SHARED SUPPORT ACCOUNTS@SUPPORT.HTB group has the GenericAll permission on DC.SUPPORT.HTB and that our user, support, is part of that group.
Searching for ways to exploit the GenericAll permission finds a guide. Following the guide, we 1) create a fake computer object (no admin required) and 2) update the target computer object so that the fake computer is allowed to impersonate and authenticate any domain user, who can then access the target system. The second step is possible because we have the WRITE privilege (from GenericAll) on the target machine. Instead of following the guide to create the ticket (it uses a Windows-only tool), we use an impacket script. This gives us a Kerberos ticket with the ability to impersonate the Administrator user. Finally, we use the ticket with one of impacket's remote shell tools to get an interactive shell on the box as Administrator and get the root.txt flag.
First, let's scan for open ports using nmap. We can quickly scan for open ports and store them in a variable:
ports=$(nmap -Pn -p- --min-rate=1000 -T4 10.129.227.255 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
Then, we can scan those specific ports in depth by running nmap's built-in scripts:
nmap -Pn -p$ports -sC -sV 10.129.227.255
We need to use -Pn with this box since it is blocking nmap's ping probes.
139 & 445
Ports 139 and 445 are open so it looks like SMB is running.
We can try listing the shares (-L) without specifying a password (-N).
support-tools is interesting. Let's try to view the files from that share using an interactive shell:
Alternatively, you can download one file by running get UserInfo.exe.zip.
UserInfo.exe
We open the UserInfo.exe binary in ILSpy and quite quickly we find the UserInfo.Services.Protected class, which contains an encrypted password and a method to decrypt it already written for us:
UserInfo.Services.Protected class (in text form):
Let's quickly write this in Python (since that is faster than getting C# code running):
This prints out nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz.
Additionally, in ILSpy, we see a class called UserInfo.Services.LdapQuery. After looking at it, we see that the constructor contains a username (ldap) and uses the decoded password to connect to LDAP on the machine.
Now, just run cat C:\Users\support\Desktop\user.txt to get the user.txt flag.
Upload SharpHound.exe and run it:
Right click the DC.SUPPORT.HTB machine and choose "Shortest Paths to Here":
The SHARED SUPPORT ACCOUNTS@SUPPORT.HTB group has the GenericAll permission on DC.SUPPORT.HTB. If we right click that group, we will see that the support user we have access to is a member of the group. So, we have the GenericAll permission.
The first step is to create a new computer object for our fake computer, FAKE01. This is the computer that will be trusted by our target computer dc.support.htb later on.
Output:
Get the newly created computer SID with Get-DomainComputer fake01:
The SID is S-1-5-21-1677581083-3380853377-188903654-5601.
Next, create a new raw security descriptor for the FAKE01 computer principal:
After that, apply the security descriptor bytes to the target dc.support.htb machine by running:
Get-DomainComputer dc | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
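From a defender's side, what matters after this step is exactly what got written: msds-allowedtoactonbehalfofotheridentity holds a binary self-relative security descriptor whose DACL lists the principals the computer now trusts. The following added example (not from the page or the guide it follows) decodes such a descriptor and returns the trusted SIDs; build_rbcd_descriptor only constructs a sample blob with the FAKE01 SID from above so the parser can run offline.

```python
import struct

def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...' into the binary SID layout used inside security descriptors."""
    parts = sid.split("-")
    authority, subs = int(parts[2]), [int(x) for x in parts[3:]]
    return (struct.pack("<BB", int(parts[1]), len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(buf, off):
    """Decode the binary SID at buf[off:] back into 'S-1-...' form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs))

def build_rbcd_descriptor(trusted_sids, owner_sid="S-1-5-32-544"):
    """Constructed sample only: a self-relative SD with one ACCESS_ALLOWED ACE per trusted SID."""
    aces = b""
    for sid in trusted_sids:
        body = struct.pack("<I", 0x000F01FF) + sid_to_bytes(sid)   # access mask: full control
        aces += struct.pack("<BBH", 0x00, 0x00, 4 + len(body)) + body
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(trusted_sids), 0) + aces
    # header: revision 1, control = SE_SELF_RELATIVE | SE_DACL_PRESENT, owner placed after the DACL
    header = struct.pack("<BBHIIII", 1, 0, 0x8004, 20 + len(dacl), 0, 0, 20)
    return header + dacl + sid_to_bytes(owner_sid)

def allowed_to_act(sd):
    """List the SIDs granted by ACCESS_ALLOWED ACEs in the DACL of a self-relative descriptor."""
    control = struct.unpack_from("<H", sd, 2)[0]
    off_dacl = struct.unpack_from("<I", sd, 16)[0]
    if not control & 0x0004 or off_dacl == 0:            # no DACL present: nobody is trusted
        return []
    ace_count = struct.unpack_from("<H", sd, off_dacl + 4)[0]
    sids, pos = [], off_dacl + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type == 0x00:                               # ACCESS_ALLOWED_ACE_TYPE
            sids.append(bytes_to_sid(sd, pos + 8))         # skip 4-byte ACE header + 4-byte mask
        pos += ace_size
    return sids

# Constructed sample using the FAKE01 SID from the write-up.
FAKE01_SID = "S-1-5-21-1677581083-3380853377-188903654-5601"
SAMPLE_SD = build_rbcd_descriptor([FAKE01_SID])
```

In a real audit the blob comes from reading the attribute on each computer object (for example Get-ADComputer with -Properties msDS-AllowedToActOnBehalfOfOtherIdentity), and on a domain controller it should normally be empty.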
So, let's run the following to get a shell:
Initially, I got the error [-] [Errno Connection error (dc.support.htb:445)] [Errno -3] Temporary failure in name resolution. So, I added dc.support.htb and support.htb to the /etc/hosts file. After that, the command worked!
It's a directory of different programs. We can download all these files to the current directory by running the following commands from the interactive shell:
Everything except UserInfo.exe.zip looks like a normal program. When unzipping it, we see the following files:
Running file UserInfo.exe tells us that this is a PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows. I am familiar with reversing using another tool, but it is not the right tool to reverse .Net binaries. Searching for ".net debugger" finds a project, but the repository is archived and hasn't been updated for about 2 years. I also find another one which seems to be more regularly updated. An article compares the available decompilers. I'm going to use ILSpy since the article calls it "the de-facto .NET Decompiler." ILSpy only supports Windows, but it has been ported to Linux. Download the latest release and run it with ./ILSpy.
From the nmap scan and the UserInfo.exe binary, we see that LDAP is present. LDAP runs on ports 389, 636, 3268, and 3269. According to Wikipedia, "The Lightweight Directory Access Protocol is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol network."
One guide suggests making sure our credentials work by trying to extract everything from the LDAP server:
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
Here is what the options in this command mean: -x uses simple (password) authentication instead of SASL, -H gives the LDAP URI of the server, -D is the account (bind DN) to authenticate as, -w is that account's password, and -b is the base DN the search starts from.
For our situation, this command is:
ldapsearch -x -H ldap://10.129.227.255 -D 'support\ldap' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "DC=support,DC=htb"
This produces 5824 lines of output, so we captured it all into a file.
We can get only information about users by adding CN=Users to the command like so (command from a reference):
ldapsearch -x -H ldap://10.129.227.255 -D 'support\ldap' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "CN=Users,DC=support,DC=htb"
Tip: Pipe the output of that command to xclip -selection clipboard to copy it to your clipboard automatically. The output is saved to a file. After looking through this file, we see the support user has the info field set to Ironside47pleasure40Watchful, which is weird.
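Secrets in readable free-text attributes are a common Active Directory finding, and the check is easy to automate. This added example (not from the page) parses ldapsearch-style LDIF output and flags info, description and comment values that look like passwords; the LDIF is a constructed sample modelled on the support user above, not the real dump.

```python
import re

# Constructed sample in the layout ldapsearch prints; not real output from the box.
SAMPLE_LDIF = """\
dn: CN=support,CN=Users,DC=support,DC=htb
sAMAccountName: support
info: Ironside47pleasure40Watchful
memberOf: CN=Shared Support Accounts,CN=Users,DC=support,
 DC=htb

dn: CN=ldap,CN=Users,DC=support,DC=htb
sAMAccountName: ldap
description: LDAP bind account
"""
# Free-text attributes every authenticated domain user can read, so they must never hold secrets.
FREE_TEXT_ATTRS = ("info", "description", "comment")

def parse_ldif(text):
    """Turn ldapsearch output into a list of {attribute: [values]} dicts, one per entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # LDIF folds long values onto indented continuation lines
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):      # ldapsearch prints comment lines starting with '#'
            attr, _, value = line.partition(":")
            current.setdefault(attr.lower(), []).append(value.strip())
    return entries

def looks_like_password(value):
    """Heuristic: a single token of 8+ chars mixing letters with digits or symbols."""
    return (" " not in value and len(value) >= 8
            and re.search(r"[A-Za-z]", value) is not None
            and re.search(r"[0-9^$%!@#*]", value) is not None)

def find_secrets_in_free_text(text):
    """Return (sAMAccountName, attribute, value) for suspicious free-text attribute values."""
    hits = []
    for entry in parse_ldif(text):
        name = entry.get("samaccountname", ["?"])[0]
        for attr in FREE_TEXT_ATTRS:
            hits += [(name, attr, v) for v in entry.get(attr, []) if looks_like_password(v)]
    return hits
```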
The piece of information we found is the support user's password. WinRM runs on port 5985, which is open. We can connect using evil-winrm by running evil-winrm -u support -p Ironside47pleasure40Watchful -i 10.129.227.255, which works.
Let's scan the machine using BloodHound: "BloodHound is a single page Javascript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a C# data collector. BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify."
BloodHound only analyzes data though. We need to use SharpHound to collect data. There are other data collectors, but SharpHound is the only officially supported collector.
To get BloodHound set up, follow its installation instructions. Then, just download the zip file that SharpHound produced from the machine and drag and drop it onto the BloodHound interface. Then, on the Analysis tab, choose "Shortest Paths to High Value Targets":
Searching for "genericall active directory" finds a guide, which explains what you can pull off "if you have GenericAll/GenericWrite/Write on a Computer object."
We need two PowerShell modules to follow the guide. Download them and then upload them to the box using evil-winrm's upload command. Load them by running the following commands:
To get a Kerberos ticket, the guide uses a Windows-only tool which seems difficult to set up. Searching for "impacket get kerberos ticket to impersonate user" finds an impacket script:
Now we have the Kerberos ticket. Looking at impacket's tool descriptions shows: "A semi-interactive shell, used through Windows Management Instrumentation. It does not require to install any service/agent at the target server. Runs as Administrator. Highly stealthy." It also supports using a Kerberos ticket through the KRB5CCNAME environment variable. It looks like another of the tools is popular and would work as well.