Support
Last updated
Was this helpful?
Last updated
Was this helpful?
We scan the machine using nmap and find that SMB and LDAP are running. We are able to list SMB shares and download all the files from the support-tools share without providing credentials. One of the files downloaded is a ZIP file containing a .Net executable called UserInfo.exe. We decompile the program with (which is a port of to Linux/MacOS) and find an encrypted password. The encryption is basic and the decryption logic is already present in the code, so the password is easy to decrypt. We continue looking at the code and find an LDAP connection is made through a user called ldap and the decrypted password.
Using , we dump the LDAP user data and find the password for the support user in its info field. We connect using and get the user.txt flag.
Now that we have a shell, we scan the machine using and . We figure out that the SHARED SUPPORT ACCOUNTS@SUPPORT.HTB group has the GenericAll permission on DC.SUPPORT.HTB and our user, support is part of that group.
Searching for ways to exploit the GenericAll permission finds . Following the guide, we 1) create a fake computer object (no admin required) and 2) update the target computer object to enable the fake computer to impersonate and authenticate any domain user that can then access the target system. The second step is possible because we have the WRITE privilege (from GenericAll) on the target machine. Instead of following the guide to create the ticket (it uses a Window-only tool), we use 's . This gives us a Kerberos ticket with the ability to impersonate the Administrator user. Finally, we use with the ticket to get an interactive shell on the box as Administrator and get the root.txt flag.
First, let's scan for open ports using nmap. We can quickly scan for open ports and store them in a variable: ports=$(nmap -Pn -p- --min-rate=1000 -T4 10.129.227.255 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//). Then, we can scan those specific ports in depth by running nmap's built-in scripts: nmap -Pn -p$ports -sC -sV 10.129.227.255. We need to use -Pn with this box since it is blocking nmap's ping probes.
139 & 445)Ports 139 and 445 are open so it looks like SMB is running.
We can try listing the shares (-L) without specifying a password (-N).
support-tools is interesting. Let's try to view the files from that share using an interactive shell:
Alternatively, you can download one file by running get UserInfo.exe.zip.
UserInfo.exeWe open the UserInfo.exe binary in ILSpy and quite quickly we find the UserInfo.Services.Protected class, which contains and encrypted password and a method to decrypt it already written for us:
UserInfo.Services.Protected class (in text form):
Let's quickly write this in Python (since that is faster than getting C# code running):
This prints out nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz.
Additionally, in ILSpy, we see a class called UserInfo.Services.LdapQuery.
After looking at it, we see that the constructor contains a username (ldap) and uses the decoded password to connect to LDAP on the machine.
Now, just run cat C:\Users\support\Desktop\user.txt to get the user.txt flag.
Upload SharpHound.exe and run it:
Right click the DC.SUPPORT.HTB machine and choose "Shortest Paths to Here":
The SHARED SUPPORT ACCOUNTS@SUPPORT.HTB group has the GenericAll permission on DC.SUPPORT.HTB. If we right click that group, we will see that the support user we have access to is a member of the group. So, we have the GenericAll permission.
The first step is to create a new computer object for our fake computer, FAKE01. This is the computer that will be trusted by our target computer dc.support.htb later on.
Output:
Get the newly created computer SID with Get-DomainComputer fake01:
The SID is S-1-5-21-1677581083-3380853377-188903654-5601.
Next, create a new raw security descriptor for the FAKE01 computer principal:
After that, apply the security descriptor bytes to the target dc.support.htb machine by running Get-DomainComputer dc | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose:
So, let's run the following to get a shell:
Initially, I got the error [-] [Errno Connection error (dc.support.htb:445)] [Errno -3] Temporary failure in name resolution. So, I added dc.support.htb and support.htb to the /etc/hosts file. After that, the command worked!
It's a directory of different programs. We can download all these files to the current directory by running the following commands from :
Everything except looks like a normal program. When unzipping we see the following files:
Running file UserInfo.exe tells us that this is a PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows. I am familiar with reversing using , but it is not the right tool to reverse .Net binaries. Searching for ".net debugger" finds , but the repository is archived and hasn't been updated for about 2 years. I also find which seems to be more regularly updated. compares the available decompilers. I'm going to use ILSpy since the article calls it "the de-facto .NET Decompiler." ILSpy only supports Windows, but it has been ported to Linux in the form of . Download the latest release from and run it with ./ILSpy.
From the nmap scan and the UserInfo.exe, we see that LDAP is present. LDAP runs on ports 389, 636, 3268, and 3269. According to , "The Lightweight Directory Access Protocol is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol network."
According to , we can make sure our credentials work by trying to extract everything from the LDAP server by running ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>". Here are what the options in this command mean:
For our situation, this command is ldapsearch -x -H ldap://10.129.227.255 -D 'support\ldap' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "DC=support,DC=htb". This outputs 5824 lines of output. So, we captured it all into .
We can get only information about users by adding CN=Users to the command like so (command from ): ldapsearch -x -H ldap://10.129.227.255 -D 'support\ldap' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "CN=Users,DC=support,DC=htb". Tip: Pipe the output of that command to xclip -selection clipboard to copy it to your clipboard automatically. Output is located at . After looking through this file, we see the support user has the info field set to Ironside47pleasure40Watchful, which is weird.
The piece of information we found is the support user's password. runs on port 5985, which is open. We can connect using by running evil-winrm -u support -p Ironside47pleasure40Watchful -i 10.129.227.255, which works.
Let's scan the machine using : "BloodHound is a single page Javascript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a C# data collector. BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify."
BloodHound only analyzes data though. We need to use () to collect data. There are other data collectors but SharpHound is the only officially support collector.
To get BloodHound setup, you can . Then, just download the zip file () from the machine and drag and drop it onto the BloodHound interface. Then, on the Analysis tab, choose "Shortest Paths to High Value Targets":
Searching for "genericall active directory" finds , which explains that "if you have GenericAll/GenericWrite/Write on a Computer object, you can pull off.
We need the following PowerShell modules to follow the guide: () and (). Download them and then upload them to the box using evil-winrm's upload command. Load them by running the following commands:
To get a Kerberos ticket, the guide uses , which only runs on Windows and seems difficult to set up. Searching for "impacket get kerberos ticket to impersonate user" finds 's :
Now we have the Kerberos ticket. Looking at the shows ": A semi-interactive shell, used through Windows Management Instrumentation. It does not require to install any service/agent at the target server. Runs as Administrator. Highly stealthy." It also to use a Kerberos ticket through the KRB5CCNAME environment variable. It looks like is popular and would work as well.
