HackTheBox — Support Writeup
So this is my write-up on one of the HackTheBox machines called Support. Let’s go!
Initial
As usual first we start with an NMAP scan.
We can see that there is a bunch of ports, and we can see that this is a Windows machine.
Let’s enumerate the services one by one. For a Windows machine, I always ran enum4linux in the background to fasten my enumeration process.
First, let’s enumerate the SMB service to look for some shares we can perhaps access. We can do this with the smbclient tool. I ran smbclient -L //[target] to list shares available on the system.
We can see that there are several shares available. Let’s see if we can access them using anonymous login. We can do this using this command smbclient -N //[target]/[sharename] .
After trying each one of the shares, I managed to access the support-tools share, and inside it, we can see a bunch of tools.
Maybe we can upload a backdoor to the share and execute it from somewhere to gain access to the system. I tried to upload a file into the share, but it was denied.
Maybe we can use the “Support Tools” already available there later. But for now, let’s download all of the tools inside.
I tried to enumerate the domain using rpcclient null authentication. I can’t get anything because of a lack of privilege.
Using dig (specify the global-server IP and set the query type to any to query all the available DNS record types associated with a domain) we are able to see the domain controller name. It was dc.support.htb . We can add it to our hosts file.
Foothold
Since I didn’t find anything interesting, I decided to analyze the tools given to us in the support-tools share. One of the tools is UserInfo.exe, I analyze it with Ghidra and found something interesting.
There’s a user called support that can use LDAP, and it’s using some type of password.
After searching for a bit, I found an encrypted password for the supportuser and a key in the Protected segment of the binary.
static Protected()
{
Protected.enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E";
Protected.key = Encoding.ASCII.GetBytes("armando");
}And I think we can use the getPassword function to decrypt it.
public static string getPassword()
{
byte[] array = Convert.FromBase64String(Protected.enc_password);
byte[] array2 = array;
for (int i = 0; i < array.Length; i++)
{
array2[i] = (array[i] ^ Protected.key[i % Protected.key.Length] ^ 223);
}
return Encoding.Default.GetString(array2);
}I used C# online compiler and rewrite the getPassword function to get the decrypted password.
Decrypted password: nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmzI tried to log in as the support the user using the decrypted password using evil-winrm but it didn't work.
Since we already got the user and password for the LDAP, we can now try to enumerate it. We can use tools like ldapsearch to do it.
Source: https://book.hacktricks.xyz/network-services-pentesting/pentesting-ldap
ldapsearch -x -H ldap://support.htb -D 'support\ldap' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b 'CN=Users,DC=support,DC=htb' | tee ldapsearch.logWe got a lot of users from it like smith.rosario, hernandez.stanley , and so much more, but the most interesting part is, there’s an info segment in the support user part, and it looks like a password. Perhaps we can try to use it to log in.
Ironside47pleasure40Watchful
Again using evil-winrm I tried to log in as support user with the new password, and this time, we are in.
We can grab the flag for the user in C:\Users\support\Desktop\user.txt.
Getting the NT AUTHORITY/SYSTEM user
Now that we are inside, we can try to use Bloodhound for further enumeration. Bloodhound will make our life so much easier because it can give us visualization of relationships within an Active Directory environment.
To get data inside Bloodhound, we can use a lot of tools. I will just use Sharphound.
We can upload SharpHound.exe to the target machine using evil-winrm upload feature.
Run it. SharpHound will start collecting data from the machine.
We can download it using evil-winrm download feature and add it to our Bloodhound instance.
Since we are the support user, we are inside the SHARED SUPPORT ACCOUNT@support.htb . We can also see it by running Get-ADPrincipalGroupMembership support on Powershell.
We now know that we got GenericAll permission to the dc.support.htb Domain Controller which means we have full rights to the dc.support.htb object.
Since we have full rights, that means we can write stuff to the dc.support.htb . Based on https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution, it's possible to gain code execution with elevated privileges on a remote computer if you have WRITE privilege on that computer’s AD object. We have that, and now, we can try to exploit it. Just follow the steps, and you will get the Administratoraccount :D (you can use impacket if you use linux).
Thoughts
It was a great machine for learning Active Directory. I still got so much to learn about exploiting Windows Machine and this machine teaches me a lot.
Thank you for reading this write-up, stay safe everyone!
